Slashdot Mirror
Snow Leopard Missed a Security Opportunity
CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"
Surely this is only of any use to a hacker if they manage to run in "ring zero" anyway. Otherwise wouldn't normal page protection stop them. Am I missing something?
Call me a cynic, but I somehow think he, and everyone else that looks at OS security, will still find things to complain about. The tech blog and journalism industry depends on it!
To be most objective they have to compare to the newest commercially available Windows version, so they just refer to what Vista has without implying whether it started in Vista or not. If anything, adding "Windows had this feature since XP" would sound more of a MS bias than "Vista has this feature".
My webcomic
As a long time Mac user, I completely agree with you. I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters. Worse, I absolutely do not want to go through a decade of painful and annoying security problems (like the windows users went through) before Apple begins to put real effort into security.
On Snow Leopard, I've told everyone in my family to ignore Snow Leopard until some convenient time after Christmas or so. There's not much in it for regular users and I am not aware of a single application that really leverages the new technology found in Snow Leopard... so there's no rush upgrading.
Oh... one last thing: Wasn't OpenBSD doing this long before windows?
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
It does not make it obscure, it makes it unpredictable.
You may figure out the location of something once, but it will be somewhere else on a different computer, or even on the same computer after a reboot.
The masses are the crack whores of religion.
Since when does ASLR improve performance or reliability?
To quote TFA: "If someone else is running your machine, it's more unreliable than if you're running it,"
There is no such thing as bugproof code. That's the entire reason for ASLR's existence in the first place.
Once someone writes an entire fully-functional OS with absolutely no security vulnerabilities (take your stab at it and tell me how that turns out for you), the need for ASLR will vanish... oh wait, no it won't because there'll still be other applications, drivers, etc. from third parties which will be insecure.
*sigh*
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
I always find articles about OS X security, especially in discussion, painful. First you either have a security expert writing and being translated by a fairly clueless reporter, or you have a clueless reporter writing. In the former case what makes a good article and gets press is usually a security person pointing out weaknesses or flaws in OS X. After all, saying OS X still doesn't have much risk of malware for the average user is like reporting that most GM cars still use gas. It's old info and not news. The other type of article that gets picked up are soft articles about how cool OS X is and how it can't get malware, written for the 90% of the populace that has never used it, but from an uniformed perspective.
Inevitably when either kind of story goes up on Slashdot we see tons of people who know little or nothing about what security is actually implemented in OS X, spouting off one way or the other, usually emotionally defending their favorite OS.
So in this case we have a fairly knowledgeable security expert talking about security in OS X. His sentence about ASLR begins, "One major disappointment in the midst of all these security enhancements..." Based upon what reporters have made of his paper, do any of you know what those security enhancements are? Contrast the expert's conclusion:
While the only true test of security is how effective it is in the real world, on paper it looks like life is now at least a little harder for any potential Mac attackers.
With the title of article linked to:
Apple missed security boat with Snow Leopard, says researcher
That's not to say the article is a filthy lie. It is completely true. Apple did miss the opportunity to improve ASLR for the heap. That's very true and important and disappointing. It's also the only OS X security news most people will hear and that, is misleading. It's not the writer's fault either, they're just writing what's interesting and "news". Writing an article on how Apple's security got moderately better in a number of ways and Macs are still unlikely to have many serious or widespread malware problems going forward for a few years, is not news.
And Apple is not blameless about what press reaches the public either. Apple is pretty quiet about security features in OS X because they don't like to bring up the topic for the general public, except in very generic ways. Their plan seems to be "tell users the security is cool and good and make sure they know they're unlikely to get viruses, but don't confuse them with details. Experts can read the whitepapers." This leaves out the whole middle portion of the spectrum, not security experts but not completely clueless either.
It would be nice to have meaningful discussion on some of the OS X security features, but that might be too much to hope for. What do people think about the sandboxing approach and has anyone noticed any particularly surprising sandboxed services in Leopard? The mixed 32-64 bit thing seems like an interesting choice, with 64 bit application development now motivated by artificially restricting access to some new APIs. Since a lot of the security improvements are tied to 64 bit applications and/or 64 bit processors, do people feel this was an attempt to direct developers for security reasons or just to speed the transition for other reasons? What do people think the other heap protection checksums and protections for 64 bit kernels. Will we transition to 64 bit fast enough so that they will be useful? How about the application signing being tied to the application level firewall? It seems like Apple could have made that a default and really motivated developers to use it, but decided to go in baby steps instead. And why in the world has Apple not created a proper application and update manager that extends to third parties? That seems like a no-brainer from a security and usability perspective.
To be fair, when debating, it's up to the person putting forth the argument to support it.
And seriously, "M$"? Is anyone still using that in 2009?
Microsoft's first product was a BASIC interpreter for the Altair computer. In the BASIC implementations common on Altair, Apple II, Commodore 64, and many other 8-bit home computers, names of string variables ended in $. For example:
I see the usage of "M$" in posts as analogous to "thank $deity", which alludes to the syntax for naming a variable in Bourne shell, Perl, or PHP. At least to me, it carries a connotation of "the world might have been a better place had Microsoft stuck to its BASIC compiler and not ventured into monopolizing operating system market."
The arguments were covered more than exhaustively in the Slashdot discussion which resulted from Charlie Miller pwn2owning the MacBook in two minutes because it was "easiest" of the machines in the competition and I should not have to hold anyone's hand in this case. Asking me to explain something which has been so exhaustively covered here in the past is trolling or it is incompetence but it is nothing else. If someone makes a claim, I will generally make at least a cursory effort to find out if they are right because it is necessary to be informed in order to debate intelligently.
Of course, it doesn't hurt that TFA is about this very issue. I know this is Slashdot, but come on. I guess you could read this article, it pretty much sums up the argument.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
A big post full of ifs and coulds. But I guess because of the size, it's modded up.
So when there is a glitch there is a bunch of finger pointing as there is no mono-culture who is interested in making the overall product better but just one piece of it.
RedHat, Canonical, SuSe, Debian, et cetera have not written all software that make up that distribution, however, their core reason for existing is that they take responsibility for the overall picture.
So often the security fix doesn't fix the core issue just a stop gap somewhere in the line.
Care to give examples?
And if that module was replaced with an other then it could happen all over again.
Just like other platforms.
You'll have to do a lot better than that.
8 of 13 people found this answer helpful. Did you?
Macs enjoy being less of a target since they are a small number of them out there
This is still a myth, why waste effort on a system that is inherently harder to crack when low hanging MS fruit is still available. Even when Macs make up more of the market it will still not be that big or easy a target. Popularity has very little to do with why a system gets viruses or there would not have been as many viruses for the old Mac systems and there were a shit load of them for OS7, 8 and 9.
Why bother
No it isn't. Malware is big business now and you don't make money by targeting niche markets.
And this is why OS X was the first target to go down at the last two Pwn2Own competitions? Safari too at the last P2O. But as I said, malware and hacking is all about money these days and this is pretty much the only thing keeping Apple safe. Apple commits the same security sins as Microsoft, security through obscurity, encouraging bad user behaviour (no passwords) and go a bit further by denying current vulnerabilities and bugs (MS do issue warnings about known vulnerabilities) then attempt to silence those who speak out.
The fact that all Mac machines are practically identical means that if an Apple virus is ever released into the wild it will be much easier to infect more machines, it also means that malware authors can target drivers as all Mac hardware will be using similar drivers. The only reason this hasn't been done yet is that no-one will make any money by targeting 3% of the worlds computers. Linux is a bigger target because Linux can be found on many more servers which make for better spam/botnet hosts. In the world of botnets for hire popularity has everything to do with it as the size of a botnet directly relates to the size of the paycheck.
Calling someone a "hater" only means you can not rationally rebut their argument.