Slashdot Mirror
Snow Leopard Missed a Security Opportunity
CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"
Surely this is only of any use to a hacker if they manage to run in "ring zero" anyway. Otherwise wouldn't normal page protection stop them. Am I missing something?
Call me a cynic, but I somehow think he, and everyone else that looks at OS security, will still find things to complain about. The tech blog and journalism industry depends on it!
It does not make it obscure, it makes it unpredictable.
You may figure out the location of something once, but it will be somewhere else on a different computer, or even on the same computer after a reboot.
The masses are the crack whores of religion.
I always find articles about OS X security, especially in discussion, painful. First you either have a security expert writing and being translated by a fairly clueless reporter, or you have a clueless reporter writing. In the former case what makes a good article and gets press is usually a security person pointing out weaknesses or flaws in OS X. After all, saying OS X still doesn't have much risk of malware for the average user is like reporting that most GM cars still use gas. It's old info and not news. The other type of article that gets picked up are soft articles about how cool OS X is and how it can't get malware, written for the 90% of the populace that has never used it, but from an uniformed perspective.
Inevitably when either kind of story goes up on Slashdot we see tons of people who know little or nothing about what security is actually implemented in OS X, spouting off one way or the other, usually emotionally defending their favorite OS.
So in this case we have a fairly knowledgeable security expert talking about security in OS X. His sentence about ASLR begins, "One major disappointment in the midst of all these security enhancements..." Based upon what reporters have made of his paper, do any of you know what those security enhancements are? Contrast the expert's conclusion:
While the only true test of security is how effective it is in the real world, on paper it looks like life is now at least a little harder for any potential Mac attackers.
With the title of article linked to:
Apple missed security boat with Snow Leopard, says researcher
That's not to say the article is a filthy lie. It is completely true. Apple did miss the opportunity to improve ASLR for the heap. That's very true and important and disappointing. It's also the only OS X security news most people will hear and that, is misleading. It's not the writer's fault either, they're just writing what's interesting and "news". Writing an article on how Apple's security got moderately better in a number of ways and Macs are still unlikely to have many serious or widespread malware problems going forward for a few years, is not news.
And Apple is not blameless about what press reaches the public either. Apple is pretty quiet about security features in OS X because they don't like to bring up the topic for the general public, except in very generic ways. Their plan seems to be "tell users the security is cool and good and make sure they know they're unlikely to get viruses, but don't confuse them with details. Experts can read the whitepapers." This leaves out the whole middle portion of the spectrum, not security experts but not completely clueless either.
It would be nice to have meaningful discussion on some of the OS X security features, but that might be too much to hope for. What do people think about the sandboxing approach and has anyone noticed any particularly surprising sandboxed services in Leopard? The mixed 32-64 bit thing seems like an interesting choice, with 64 bit application development now motivated by artificially restricting access to some new APIs. Since a lot of the security improvements are tied to 64 bit applications and/or 64 bit processors, do people feel this was an attempt to direct developers for security reasons or just to speed the transition for other reasons? What do people think the other heap protection checksums and protections for 64 bit kernels. Will we transition to 64 bit fast enough so that they will be useful? How about the application signing being tied to the application level firewall? It seems like Apple could have made that a default and really motivated developers to use it, but decided to go in baby steps instead. And why in the world has Apple not created a proper application and update manager that extends to third parties? That seems like a no-brainer from a security and usability perspective.
A big post full of ifs and coulds. But I guess because of the size, it's modded up.
So when there is a glitch there is a bunch of finger pointing as there is no mono-culture who is interested in making the overall product better but just one piece of it.
RedHat, Canonical, SuSe, Debian, et cetera have not written all software that make up that distribution, however, their core reason for existing is that they take responsibility for the overall picture.
So often the security fix doesn't fix the core issue just a stop gap somewhere in the line.
Care to give examples?
And if that module was replaced with an other then it could happen all over again.
Just like other platforms.
You'll have to do a lot better than that.
8 of 13 people found this answer helpful. Did you?