Snow Leopard Missed a Security Opportunity
CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"
Yeah, but it doesn't matter. Everyone knows that Apples are immune to viruses and malware. And they look better than ordinary PCs.
Surely this is only of any use to a hacker if they manage to run in "ring zero" anyway. Otherwise wouldn't normal page protection stop them. Am I missing something?
Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista.
DEP has been around for a long time and has been in XP since at least SP2.
"[the quicktime rewrite] was really smart, since it's been the source of lots of bugs in the past."
bugs != security failure (although they can cause one... the bad math issues in Excel 2007 aren't particularly exploitable, just annoying)
The summary alleges Miller said it "today". Except he didn't.
The article linked to is dated September 14, which means he allegedly said it 2 days ago. Except he didn't.
He actually said it *two weeks ago* on August 29th.
Wake up, editors!
Call me a cynic, but I somehow think he, and everyone else that looks at OS security, will still find things to complain about. The tech blog and journalism industry depends on it!
Microsoft's Windows Vista and Windows Server 2008 have ASLR enabled by default, although only for those executables and dynamic link libraries specifically linked to be ASLR-enabled.[citation needed] This did not include Internet Explorer 7 on Windows Vista prior to Service Pack 1; ASLR and DEP are both disabled for application compatibility purposes. Newer versions, including Internet Explorer 8, enable these protections. A registry setting is available to forcibly enable or disable ASLR for all executables and libraries. The locations of the heap, stack, Process Environment Block, and Thread Environment Block are also randomized. A security whitepaper from Symantec noted that ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation.
It appears that only OpenBSD and some hardened Linuxes (not mainstream distributions) have a complete implementation.
"Microsoft perfected nearly three years ago"
OpenBSD has had this for many, many years. Microsoft used the OpenBSD code as a starting point for their own product. Love the BSD license!
OpenBSD has been using these techniques a lot longer than Microsoft has, so I suspect that there is not (yet) an issue of patents to be licensed.
Security researchers and various crackers have been saying for a few years now that OS X hasn't implemented a lot of security features that even Windows has. Each release, OS X gets a little better, but they are relying mainly on people wanting to break Windows more than OS X.
With snow leopard, they had the perfect opportunity to make a release that focused on performance and security over bells and whistles. It's modestly faster on my MacBook Pro, and I think most users would have gladly paid under $30 for an upgrade that just focuses on the internals to get more out of their system. Since most Macs cost at least $1100, $30 is nothing for an average Mac user.
ASLR makes executing code on the stack quite a bit more difficult, regardless of what privileges the program being exploited may have. It also makes calling library functions and pretty much anything in RAM far more difficult for a hacker. Page protection doesn't protect against these attacks per se.
Then how does your network card work?
1. You identify a system API that has a local escalation vulnerability. These aren't that uncommon, and because they cannot be directly exploited remotely they're not generally as high a priority.
2. You identify a vulnerability in a service or other application that permits execution of arbitrary code remotely.
3. You exploit the remotely exploitable vulnerability with a payload that calls into the known mapped address of the system API with a second payload in order to escalate to root and then execute a third payload with those increased privileges to outright p0wn the machine.
Linux's implementation of ASLR is substantially inferior to Windows Vista/7's, which was covered the FIRST time this guy won the pwn2own contest. However, it is far superior to OSX's, which appears to not really do anything useful, and which appears to have not even changed since it was discovered that OSX ASLR is useless. Please try to keep up, or don't comment. Thank you.
It does not make it obscure, it makes it unpredictable.
You may figure out the location of something once, but it will be somewhere else on a different computer, or even on the same computer after a reboot.
The parent post's reference to OpenBSD seems spot on to me. See OpenBSD Security Features. This uses a BSD license and is written for a BSD 4.4 derivative (just like OS X). Why doesn't Apple just adopt the OpenBSD mmap and just close this hole?
Shouldn't you be flattered that MS recognized how useful this was and incorporated it into their own OS? The whole point of open source is that anyone is free to adopt its innovations, after all.
And seriously, "M$"? Is anyone still using that in 2009?
Since when does ASLR improve performance or reliability?
To quote TFA: "If someone else is running your machine, it's more unreliable than if you're running it,"
If there's a phrase that should trigger skepticism, that's it. ASLR isn't "perfect", and has been reported (and confirmed) exploited as recently as 7 months ago:
address space layout randomization
I thought this was a feature in OS X 10.5? Was it not implemented, or just not implemented as well as other OSes'?
I remember hearing about it as a feature for 10.5.
So they're at least using some ASLR, which they can patch for later, and they got Snow Leopard out the door earlier rather than later.
If you're running your business on OSX Server, you didn't immediately go upgrade anyways, so where's the harm, other than early adopters claiming their ASLR isn't as cool as it could be?
He's obviously still on dial-up.
Not that I wish to stop you frothing at the mouth, but I'd recommend viewing one of the posts above yours.
This is the sort of posting that makes me think Slashdot should rename the "Anonymous Coward" account to "Anonymous Idiot." Random selection of addresses is not "obscurity," it's "unpredictability." It's at least as strong as a four-digit bank pin.
Linux's implementation of ASLR is substantially inferior to Windows Vista/7
[citation needed]
That's ok, you only missed 2 words...
Praise for MS by kdawson.
There, fixed that for you.
Slashdot loves to underestimate "security by obscurity". However, it is usually the first line of defense, and it works quite often. It is like locking your door without a deadbolt: it keeps the honest, honest. If it is hard to know how to get in, then most "hackers" will not be able to get in, until some real hackers actually take their time un-obscuring and getting familiar with the system, and then write an easy script for the script kiddies to take advantage of. However, having it obscure could give a system years of being unhacked... sometimes enough for it to be so incredibly out of date that when they find a way to get in they no longer want to anymore.
Now for Windows, OS X and Linux: there are a lot of people who have oddly strong emotions about their computer operating system, and there are a lot of people who would love to wipe the smug expressions off each other's faces, so there is a lot of focus on trying to un-obscure their competitors and hack in. However, if you are a no-name brand system, security through obscurity could have saved you a lot of money in development and testing and not have a system broken into. Unfortunately this creates a lot of smug developers who think they write secure code because it was never hacked into.
He didn't even spell pwn right. What is the world coming to when people can't even write in l33tsp34k properly?
"That exploit took advantage of code MS left in the beta version of IE8 that opted out of DEP and ASLR, the RTM IE8 disables that code on the internet zone, and it can be disabled on the intranet zone as well, so it's not much of an issue in the RTM IE8"
An interesting hypothesis. Why would they put opted-out non-DEP and non-ASLR code in IE8? And do you have any verifiable third-party citations for the above? Wouldn't a more likely explanation be that MS fixed the vulnerability after the fact?
ASLR is sorta like moving the location of the barn door, while keeping it wide open.
Hint: The cows can still get out.
Perhaps the guys at Apple realize this and give ASLR a low priority for implementation.
Even so, adding ASLR to the Apple OS is something they could do with relative ease: change the kernel and user-space malloc()s to be less predictable, munge the call stacks to be less predictable, etc., etc., etc. Mostly stuff that can be done with 50 lines of code here and there and not too many other places.
But again, it would be much more efficient to put that effort into closing any open barn doors, rather than painting the open gateways in random colors. Every five seconds.
The biggest security problems with Windows still remain, namely that:
a: compared to its Unix brethren, Windows still requires administrative privileges for a LOT of common things
b: Microsoft's reliance on proprietary protocols, many of which have a lot of known and probably even more unknown vulnerabilities.
c: security policy on Windows has about 0 coherency, making it really hard to properly secure Windows and really easy to accidentally miss something/screw something up. Windows security policies are all over the place: in the registry editor, in the Windows Security Center, in the user/computer policy app (which, at least as of XP, wasn't searchable, so if you were looking for something and you didn't know EXACTLY where to find it you end up having to look through every single freaking policy). What's worse is that Windows freely mixes client and server policies, even when the machine isn't a server! Most users get so frustrated and just leave everything open.
I tried to recently secure a Windows XP box after coming from a background of unix(including OS X) and Linux, and I just could not believe how insanely obfuscated Microsoft made everything. What is insanely simple to do in the Unix world takes massive effort to even attempt in the Windows world, if it will even work at all.
I swear Microsoft makes a lot of this stuff pointlessly complicated just so they can persuade more people to take the MCSE exams.
I see many more posts complaining about mac fans than I see posts by mac fans. Don't you guys have anything better to do than get emotional about a blob of hardware+software?
"Apple .. failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista"
Address space layout randomization is a technique to randomize memory addresses of the base of the code, stack, heap, and libraries. First used by PaX and OpenBSD
There is no such thing as bugproof code. That's the entire reason for ASLR's existence in the first place.
Once someone writes an entire fully-functional OS with absolutely no security vulnerabilities (take your stab at it and tell me how that turns out for you), the need for ASLR will vanish... oh wait, no it won't because there'll still be other applications, drivers, etc. from third parties which will be insecure.
*sigh*
I daresay some hackers might maintain "their" machine better than the legal owners ;).
Most Slashdotters don't understand what security is. Security and safety are not synonymous. Obscurity may make you safer, but it does not make you more secure.
I wouldn't equate Mac OS X as a 'Unix' for a comparison with Windows if I were you. The amount of stuff running setuid on a Mac is a little scary.
I always find articles about OS X security, especially in discussion, painful. First you either have a security expert writing and being translated by a fairly clueless reporter, or you have a clueless reporter writing. In the former case what makes a good article and gets press is usually a security person pointing out weaknesses or flaws in OS X. After all, saying OS X still doesn't have much risk of malware for the average user is like reporting that most GM cars still use gas. It's old info and not news. The other type of article that gets picked up is soft articles about how cool OS X is and how it can't get malware, written for the 90% of the populace that has never used it, but from an uninformed perspective.
Inevitably when either kind of story goes up on Slashdot we see tons of people who know little or nothing about what security is actually implemented in OS X, spouting off one way or the other, usually emotionally defending their favorite OS.
So in this case we have a fairly knowledgeable security expert talking about security in OS X. His sentence about ASLR begins, "One major disappointment in the midst of all these security enhancements..." Based upon what reporters have made of his paper, do any of you know what those security enhancements are? Contrast the expert's conclusion:
While the only true test of security is how effective it is in the real world, on paper it looks like life is now at least a little harder for any potential Mac attackers.
With the title of article linked to:
Apple missed security boat with Snow Leopard, says researcher
That's not to say the article is a filthy lie. It is completely true. Apple did miss the opportunity to improve ASLR for the heap. That's very true and important and disappointing. It's also the only OS X security news most people will hear and that, is misleading. It's not the writer's fault either, they're just writing what's interesting and "news". Writing an article on how Apple's security got moderately better in a number of ways and Macs are still unlikely to have many serious or widespread malware problems going forward for a few years, is not news.
And Apple is not blameless about what press reaches the public either. Apple is pretty quiet about security features in OS X because they don't like to bring up the topic for the general public, except in very generic ways. Their plan seems to be "tell users the security is cool and good and make sure they know they're unlikely to get viruses, but don't confuse them with details. Experts can read the whitepapers." This leaves out the whole middle portion of the spectrum, not security experts but not completely clueless either.
It would be nice to have meaningful discussion on some of the OS X security features, but that might be too much to hope for. What do people think about the sandboxing approach, and has anyone noticed any particularly surprising sandboxed services in Leopard? The mixed 32-64 bit thing seems like an interesting choice, with 64-bit application development now motivated by artificially restricting access to some new APIs. Since a lot of the security improvements are tied to 64-bit applications and/or 64-bit processors, do people feel this was an attempt to direct developers for security reasons or just to speed the transition for other reasons? What do people think of the other heap protection checksums and protections for 64-bit kernels? Will we transition to 64-bit fast enough so that they will be useful? How about the application signing being tied to the application-level firewall? It seems like Apple could have made that a default and really motivated developers to use it, but decided to go in baby steps instead. And why in the world has Apple not created a proper application and update manager that extends to third parties? That seems like a no-brainer from a security and usability perspective.
Tagging doesn't work for me anymore, so I picked the post with the most use of the word 'obscurity'.
This is not security through obscurity (STO). STO can always be exploited when you know how the algorithm works. Address space randomization cannot be exploited (immediately). You still have to start the executable maybe hundreds of times before the exploit works. This is easy if it's some short piece of code you've crafted yourself, but with real applications, it's not so simple.
Imagine a hack where you send some exploit to somebody over IM. If it doesn't work, the IM client *will* crash as it tried to execute some random portion of memory. How are you going to try your exploit at a different address now?
>compared to it's unix bretheren, Windows still requires administrative privileges for a LOT of common things
I'd say this is the one part of Windows MS has been improving. Running as limited user, runas, etc. in Vista (especially SP2) and 7 is light years ahead of what it was in XP or 2000. Developers are pretty much being told to write software correctly or it just won't run in Vista/7. This is a sea change in how things are done in the Windows world, and even today a lot of users without legacy cruft to support run without much hassle from the UAC. Eventually those old pieces of software causing these issues (let's write to c:\temp, why not?) will be retired in favor of compliant newer versions.
I wouldn't equate Mac OS X as a 'Unix' for a comparison with Windows if I were you. The amount of stuff running setuid on a Mac is a little scary.
What's interesting is how in the same paper where Miller mentioned the ASLR in Leopard, he also praised Apple for getting rid of a lot of the setuid use.
To be fair, when debating, it's up to the person putting forth the argument to support it.
If all else fails, yeah, you should have done it better, but why should the user suffer for it? Wouldn't you (and him) wish there was one more obstacle that might just trip the hacker? Anything? ASLR is something.
Computer security (good security) goes for redundancy. You add as much protection as makes sense. You never say 'that layer is perfect, there's no need for another layer' (there's no such thing as perfect). You don't say 'we're not a target' (everybody is, since attacks have been automated). You don't say 'but why would someone do that?' (because they can). These are just dumb excuses from people who STILL DON'T GET IT.
If you have two extra methods of protection you damn right put them in there, no matter how redundant they seem. Apple put just one, and Miller asks why oh why can't they just put the other one in already?
To make an analogy, it's like using 3 condoms. Yeah, one should be enough and 2 is already over the top, but when you deal with computers and you have 3 of them, you use 3.
Or, it's like placing extra guards inside the bank safe. Yeah, there are guards outside, the door is locked, police 30 seconds away and the safe walls are 2 feet thick, of steel and concrete. If all that fails something went terribly wrong. But when you deal with computer security, you still put a guy with a shotgun inside the safe.
Computers aren't real life. They are a mostly theoretical realm where the slightest possibility, no matter how unpractical, sometimes happens. That's what you plan for, to expect the unexpected.
And seriously, "M$"? Is anyone still using that in 2009?
Microsoft's first product was a BASIC interpreter for the Altair computer. In the BASIC implementations common on Altair, Apple II, Commodore 64, and many other 8-bit home computers, names of string variables ended in $. For example:
I see the usage of "M$" in posts as analogous to "thank $deity", which alludes to the syntax for naming a variable in Bourne shell, Perl, or PHP. At least to me, it carries a connotation of "the world might have been a better place had Microsoft stuck to its BASIC compiler and not ventured into monopolizing operating system market."
Don't bother looking up facts for yourself or forming your own counter-argument. Just offer us the glib "citation needed" and we'll take you seriously. Right...
Counter-argument to what? He was responding to a post that made sweeping statements but contained no supporting facts at all - hence "[citation needed]" was completely appropriate. That post was the equivalent of those TV commercials that say "4 out of 5 doctors say..." - okay, fine, then give us an honest-to-goodness citation or even a link so we can determine the statement's veracity for ourselves.
Executing code on the stack is prevented by the NX bit, it has nothing to do with address space layout. What it does prevent would be something like return to libc attacks and other nice things.
The arguments were covered more than exhaustively in the Slashdot discussion which resulted from Charlie Miller pwn2owning the MacBook in two minutes because it was "easiest" of the machines in the competition and I should not have to hold anyone's hand in this case. Asking me to explain something which has been so exhaustively covered here in the past is trolling or it is incompetence but it is nothing else. If someone makes a claim, I will generally make at least a cursory effort to find out if they are right because it is necessary to be informed in order to debate intelligently.
Of course, it doesn't hurt that TFA is about this very issue. I know this is Slashdot, but come on. I guess you could read this article, it pretty much sums up the argument.
Why bother
In order to "look in the same place", you need to have code that does the looking. The NX bit will prevent arbitrary code from executing on the stack. One way to get around NX is to overrun a buffer and replace the return address of the stack frame with a known function address that does what you want. In order for this to work, you need to know the address in advance of the attack. ASLR makes it difficult to predict this address.
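The two points above, that a return-to-libc payload needs a library address known in advance and that brute-forcing a randomized one costs a crash-and-relaunch per miss, can both be checked on a real box. The following is an added example written for this page, not code from the thread, Apple or Microsoft. `take_snapshot()` records where the program text, libc data, heap and stack landed in this process; run the binary twice and diff the output to see which regions the OS actually randomizes (which ones move is OS- and build-dependent, e.g. a non-PIE executable's own text never moves). `expected_attempts()` and `simulate_mean_attempts()` give the cost of guessing k bits of randomization under two assumed threat models: a client that crashes and is relaunched with a fresh layout on every miss, and a pre-forking daemon whose children all inherit one layout. The xorshift PRNG and fixed seed are there only to make the simulation repeatable.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Where did the main regions land in this process?  Run the binary twice
 * and diff the output: a region whose address changes between launches is
 * randomized; one that stays put is a fixed landmark that a return-to-libc
 * payload can hard-code. */
struct layout {
    uintptr_t text;   /* this program's own code */
    uintptr_t libc;   /* libc's data segment (the stdout FILE object lives there) */
    uintptr_t heap;   /* a malloc() chunk */
    uintptr_t stack;  /* a local variable of the current frame */
};

static int probe_fn(int x) { return x + 1; }   /* only its address is used */

struct layout take_snapshot(void) {
    struct layout l;
    int local = 0;
    void *chunk = malloc(64);
    l.text  = (uintptr_t)probe_fn;
    l.libc  = (uintptr_t)stdout;
    l.heap  = (uintptr_t)chunk;
    l.stack = (uintptr_t)&local;
    free(chunk);
    return l;
}

/* Closed form for brute-forcing k bits of randomization (k < 63).
 * Crash-and-relaunch (an IM client, a browser): every miss kills the process
 * and the relaunch draws a fresh layout, so attempts are geometric with
 * p = 2^-k and the mean is 2^k.  Fork-without-exec (a pre-forking daemon):
 * every child inherits the parent's layout, so the attacker sweeps the 2^k
 * candidates once and the mean is (2^k + 1) / 2. */
double expected_attempts(unsigned k, int relaunch_rerandomizes) {
    if (k > 62) k = 62;
    double n = (double)(1ULL << k);
    return relaunch_rerandomizes ? n : (n + 1.0) / 2.0;
}

/* Deterministic xorshift64 with a fixed seed so the simulation is
 * repeatable; a real attacker faces the kernel's RNG instead. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t rng_next(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}
static uint64_t draw_base(unsigned k) {          /* uniform in [0, 2^k) */
    return k ? rng_next() >> (64 - k) : 0;
}

/* Monte Carlo check of expected_attempts(): the attacker sweeps candidate
 * bases in order; each miss costs one attempt and, in the relaunch model,
 * a fresh random base. */
double simulate_mean_attempts(unsigned k, int relaunch_rerandomizes, unsigned trials) {
    if (k > 62) k = 62;
    uint64_t n = 1ULL << k, total = 0;
    for (unsigned t = 0; t < trials; t++) {
        uint64_t base = draw_base(k), guess = 0, attempts = 1;
        while (guess != base) {
            if (relaunch_rerandomizes) base = draw_base(k);  /* crash, relaunch */
            guess = (guess + 1) % n;
            attempts++;
        }
        total += attempts;
    }
    return (double)total / trials;
}

int main(void) {
    struct layout l = take_snapshot();
    printf("text  %#llx\nlibc  %#llx\nheap  %#llx\nstack %#llx\n",
           (unsigned long long)l.text, (unsigned long long)l.libc,
           (unsigned long long)l.heap, (unsigned long long)l.stack);
    for (unsigned k = 0; k <= 16; k += 8)
        printf("%2u bits: relaunch mean %8.1f (sim %8.1f), fork-server mean %8.1f (sim %8.1f)\n",
               k, expected_attempts(k, 1), simulate_mean_attempts(k, 1, 2000),
               expected_attempts(k, 0), simulate_mean_attempts(k, 0, 2000));
    return 0;
}
```

Build it both as a PIE and with `-no-pie` and run each several times: the text line stops moving in the second build, which is the "fixed landmark" case the posts above describe. The simulation also makes the IM-client point concrete: with only 8 bits of randomization the relaunch model already needs about 256 launches on average, each one a visible crash, while a fork server that never re-executes gives the same 8 bits away in at most 256 quiet connections.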
Linux's implementation of ASLR is substantially inferior to Windows Vista/7's, which was covered the FIRST time this guy won the pwn2own contest.
This may be true (in fact my opinion is that most Linux desktop distros ship with only the ASLR in the generic kernel which last I heard was limited) but you still haven't provided any citation for this. You later claim it was somehow a solved question in another Slashdot thread, but don't link to that thread. Google doesn't seem to have much in the way of comparisons either, just a lot of articles on flaws in the Windows implementation and how people bypass it.
However, it is far superior to OSX's, which appears to not really do anything useful...
What's really funny is that Charlie Miller has repeatedly complained that Apple's implementation is only good for stopping the most common kind of return to libc exploits and not other kinds of attacks ASLR is useful for. So claiming it is useless is like claiming seatbelts are useless since they don't protect against anything but the most common kind of injuries from car crashes.
Please try to keep up, or don't comment.
Keep up with what? Your assertions, half of which you haven't been able to back up and half of which are demonstrably wrong. I don't mind people being assertive, opinionated, arrogant creeps, but if you're going to be one, at least be a competent one.