Snow Leopard Missed a Security Opportunity 304
CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"
Surely this is only of any use to a hacker if ... (Score:5, Insightful)
He'll stop complaining when... (Score:5, Insightful)
Call me a cynic, but I somehow think he, and everyone else that looks at OS security, will still find things to complain about. The tech blog and journalism industry depends on it!
Re:Microsoft technology? Really? (Score:0, Insightful)
Re:This article sucks (Score:4, Insightful)
Re:It will cost them at some point (Score:4, Insightful)
As a long time Mac user, I completely agree with you. I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters. Worse, I absolutely do not want to go through a decade of painful and annoying security problems (like the windows users went through) before Apple begins to put real effort into security.
On Snow Leopard, I've told everyone in my family to ignore Snow Leopard until some convenient time after Christmas or so. There's not much in it for regular users and I am not aware of a single application that really leverages the new technology found in Snow Leopard... so there's no rush upgrading.
Oh... one last thing: Wasn't OpenBSD doing this long before windows?
Re:Surely this is only of any use to a hacker if . (Score:5, Insightful)
It does not make it obscure, it makes it unpredictable.
You may figure out the location of something once, but it will be somewhere else on a different computer, or even on the same computer after a reboot.
Re:Strange... (Score:4, Insightful)
Since when does ASLR improve performance or reliability?
To quote TFA: "If someone else is running your machine, it's more unreliable than if you're running it,"
Am I missing something. (Score:3, Insightful)
address space layout randomization
I though this was a feature in OS X 10.5? Was it not implemented or just not implemented as well as other OS's?
I remember hearing about it as a feature for 10.5.
already there, and easily patchable (Score:2, Insightful)
So they're at least using some ASLR, which they can patch for later, and they got Snow Leopard out the door earlier rather than later.
If you're running your business on OSX Server, you didn't immediately go upgrade anyways, so where's the harm, other than early adopters claiming their ASLR isn't as cool as it could be?
Re:Surely this is only of any use to a hacker if . (Score:2, Insightful)
Re:Microsoft technology? Really? (Score:2, Insightful)
Linux's implementation of ASLR is substantially inferior to Windows Vista/7
[citation needed]
Re:It doesnt matter... (Score:2, Insightful)
Re:It doesnt matter... (Score:2, Insightful)
Carter wasn't the most ineffective president ever. That title probably goes to Wilson, Hoover, or Coolige. Carter's only superlative feat was to be the most unremarkable president ever. History will remember him for being so forgettable. Oh, and the nuke ban. Double folley from someone claiming to have actually been a nuclear engineer.
Re:It will cost them at some point (Score:3, Insightful)
Security researchers and various crackers have been saying for a few years now that OS X hasn't implemented a lot of security features that even Windows has.
I largely tend to think of it as "security buzzwords that even windos has".
There's a lot of them in the newer releases. But the overall questions we have to ask is whether or not it makes the system more secure. When your machine gets owned, you couldn't care less for the checklist of buzzwordy "security" features that just got bypassed. Your security was compromised, end of story.
OS X has less of them. Check.
OS X also doesn't have many of what I'd call necessary things (MAC, RBAC to name just a few. MLS if done right can also add a whole ton of privacy to your security).
All around, however, I still trust this OS X more than the windos machine next to it. That's because while it lacks some of the bells'n whisles, it does do the basics right that windos still hasn't done right, or has done horribly wrong (UAC, I'm looking at you).
Re:Surely this is only of any use to a hacker if . (Score:3, Insightful)
Slashdot loves to underestimate "security by obscurity". However it is usually the first line of defense, and it works quite often. It is like locking your door without a deadbolt, It keeps the honest, honest. If it is hard to know how to get in. Then most "hackers" will not be able to get in, until some real hackers actually take their time un-obscuring and getting familiar with the system, and then write an easy script for the script kiddies to take advantage of. However having it obscure could put years of being unhacked. To a system... Sometimes enough for it to be increadibly out of date that when they find a way to get in they no longer want to anymore.
Now for Windows, OS X and Linux There are a lot of people who have oddly Strong emotions about their Computer Operating System and there are a lot of people who would love to wipe the smug expressions off each other faces so there is a lot of focus of trying to un-obscure their competitors and hack in. However if you are a no-name brand system security threw obscurity could have saved you a lot of money in development and testing and not have a system broken into. Unfortunately this creates a lot of smug developers who think they write secure code because it was never hacked into.
Re:He'll stop complaining when... (Score:4, Insightful)
Isn't that human nature? Well, some humans' nature, anyway?
Such as...
>> Gates foundation to donate $2.5B to cancer researh
> BOO! HISS! HE'S JUST USING IT AS A TAX WRITE-OFF AND AS INDIRECT GOOD-WILL FORMING PR FOR M$!!!!!
*shrug*
If, in the end, it makes OS X an even better operating system, then I say to the tech blog and journalism industry: complain on.
Re:Surely this is only of any use to a hacker if . (Score:4, Insightful)
Once someone writes an entire fully-functional OS with absolutely no security vulnerabilities (take your stab at it and tell me how that turns out for you), the need for ASLR will vanish... oh wait, no it won't because there'll still be other applications, drivers, etc. from third parties which will be insecure.
*sigh*
Re:Let's not let facts get in our way (Score:2, Insightful)
I wouldn't equate Mac OS X as a 'Unix' for a comparison with Windows if I were you. The amount of stuff running setuid on a Mac is a little scary.
OS X Security Reporting (Score:5, Insightful)
I always find articles about OS X security, especially in discussion, painful. First you either have a security expert writing and being translated by a fairly clueless reporter, or you have a clueless reporter writing. In the former case what makes a good article and gets press is usually a security person pointing out weaknesses or flaws in OS X. After all, saying OS X still doesn't have much risk of malware for the average user is like reporting that most GM cars still use gas. It's old info and not news. The other type of article that gets picked up are soft articles about how cool OS X is and how it can't get malware, written for the 90% of the populace that has never used it, but from an uniformed perspective.
Inevitably when either kind of story goes up on Slashdot we see tons of people who know little or nothing about what security is actually implemented in OS X, spouting off one way or the other, usually emotionally defending their favorite OS.
So in this case we have a fairly knowledgeable security expert talking about security in OS X. His sentence about ASLR begins, "One major disappointment in the midst of all these security enhancements..." Based upon what reporters have made of his paper, do any of you know what those security enhancements are? Contrast the expert's conclusion:
While the only true test of security is how effective it is in the real world, on paper it looks like life is now at least a little harder for any potential Mac attackers.
With the title of article linked to:
Apple missed security boat with Snow Leopard, says researcher
That's not to say the article is a filthy lie. It is completely true. Apple did miss the opportunity to improve ASLR for the heap. That's very true and important and disappointing. It's also the only OS X security news most people will hear and that, is misleading. It's not the writer's fault either, they're just writing what's interesting and "news". Writing an article on how Apple's security got moderately better in a number of ways and Macs are still unlikely to have many serious or widespread malware problems going forward for a few years, is not news.
And Apple is not blameless about what press reaches the public either. Apple is pretty quiet about security features in OS X because they don't like to bring up the topic for the general public, except in very generic ways. Their plan seems to be "tell users the security is cool and good and make sure they know they're unlikely to get viruses, but don't confuse them with details. Experts can read the whitepapers." This leaves out the whole middle portion of the spectrum, not security experts but not completely clueless either.
It would be nice to have meaningful discussion on some of the OS X security features, but that might be too much to hope for. What do people think about the sandboxing approach and has anyone noticed any particularly surprising sandboxed services in Leopard? The mixed 32-64 bit thing seems like an interesting choice, with 64 bit application development now motivated by artificially restricting access to some new APIs. Since a lot of the security improvements are tied to 64 bit applications and/or 64 bit processors, do people feel this was an attempt to direct developers for security reasons or just to speed the transition for other reasons? What do people think the other heap protection checksums and protections for 64 bit kernels. Will we transition to 64 bit fast enough so that they will be useful? How about the application signing being tied to the application level firewall? It seems like Apple could have made that a default and really motivated developers to use it, but decided to go in baby steps instead. And why in the world has Apple not created a proper application and update manager that extends to third parties? That seems like a no-brainer from a security and usability perspective.
Re:It doesnt matter... (Score:2, Insightful)
Most Linux distributions seem to run a good set of Core Applications that are relatively common across the distributions, and many ways a lot of tiny security holes that are not always designed for full security and expecting the security to happen the next level up but they don't necessarily know who that is and what exactly it does as in theory it could be different. So when there is a glitch there is a bunch of finger pointing as there is no mono-culture who is interested in making the overall product better but just one piece of it. So often the security fix doesn't fix the core issue just a stop gap somewhere in the line. And if that module was replaced with an other then it could happen all over again. Also there it little to tell if a security fix will end up failing some other app down the line. So the open source model isn't fool proof either. And that is without the valid argument that it is easier for a hacker to see the code and know where exactly to strike, as Module X wasn't designed to handle such security conserns.
Lets combine that most people don't update their Linux boxes as quickly as Macs or Windows too. As Linux is a server OS and for the most part it will just kinda sit there in the background without much looking at it and as long it is running things are fine. I have seen Linux Hacked more often then Mac because of that fact. They just kinda do its job and we expect and while it is doing its job we don't check on it. Until it is to late.
Re:Let's not let facts get in our way (Score:3, Insightful)
I wouldn't equate Mac OS X as a 'Unix' for a comparison with Windows if I were you. The amount of stuff running setuid on a Mac is a little scary.
What's interesting is how in the same paper where Miller mentioned the ASLR in Leopard, he also praised Apple for getting rid of a lot of the setuid use.
Re:It doesnt matter... (Score:1, Insightful)
Apples aren't immune to viruses, but they're a lot less likely to get them, because you don't have to escalate privileges all the time, so it's a surprise when you're asked to. What this article is basically saying is that because Apple has declined to hobble their machines with yet another performance-killing security measure designed to protect against bad coding in privileged apps, they are behind Microsoft.
The reality is that Microsoft has backslid on security with Windows 7 by taking out the feature they added in Vista, that got so much complaint, where privilege escalation had to be confirmed. Rather than maintaining backward compatibility with Mac OS 9, which was just as unsafe in terms of viruses as Windows 3.1, Apple decided to have a flag day with the switch to Mac OS X. Consequently, Macs are much less susceptible to viruses than Windows, simply by virtue of the fact that applications are more secure.
Should Apple implement this feature? I don't think so. It sucks performance for a very minimal return in security. What Apple *is* working on in security is much more useful (a bitfrost-like security model). Assuming they get that working well, this will simply be a non-issue.
Re:Microsoft technology? Really? (Score:4, Insightful)
To be fair, when debating, it's up to the person putting forth the argument to support it.
Re:Surely this is only of any use to a hacker if . (Score:3, Insightful)
If all else fails, yeah, you should have done it better, but why should the user suffer for it? Wouldn't you (and him) wish there was one more obstacle that might just trip the hacker? Anything? ASLR is something.
Computer security (good security) goes for redundancy. You add as much protection as makes sense. You never say 'that layer is perfect, there's no need for another layer' (there's no such thing as perfect). You don't say 'we're not a target' (everybody is, since attacks have been automated). You don't say 'but why would someone do that?' (because they can). These are just dumb excuses from people who STILL DON'T GET IT.
If you have two extra methods of protection you damn right put them in there, no matter how redundant they seem. Apple put just one, and Miller asks why oh why can't they just put the other one in already?
To make an analogy, it's like using 3 condoms. Yeah, one should be enough and 2 is already over the top, but when you deal with computers and you have 3 of them, you use 3.
Or, it's like placing extra guards inside the bank safe. Yeah, there are guards outside, the door is locked, police 30 seconds away and the safe walls are 2 feet thick, of steel and concrete. If all that fails something went terribly wrong. But when you deal with computer security, you still put a guy with a shotgun inside the safe.
Computers aren't real life. They are a mostly theoretical realm where the slightest possibility, no matter how unpractical, sometimes happens. That's what you plan for, to expect the unexpected.
Re:Mod parent up (Score:3, Insightful)
Maybe because the OpenBSD implementation is rock solid and really safe - but drags down the performance like a stone?
There are many neat features (usually security related) in OpenBSD. Sadly it's not as simple as "copying" the implementation when the OS of choice has a different aim than being the most secure one on the planet.
Don't get me wrong. I like OpenBSD for what it is. But I don't think that you can solve every (possible) security issue by simply following the OpenBSD solution because at the end you run OpenBSD. That's truely safe but very restricted in its usability in certain aspects, especially performance related tasks. It's perfect as a gateway or the like. It sucks on your desktop when you want to run a bit more than lynx and mutt and expect it to spit out some serious 3D stuff.
10 LET M$ = "Microsoft" (Score:4, Insightful)
And seriously, "M$"? Is anyone still using that in 2009?
Microsoft's first product was a BASIC interpreter for the Altair computer. In the BASIC implementations common on Altair, Apple II, Commodore 64, and many other 8-bit home computers, names of string variables ended in $. For example:
I see the usage of "M$" in posts as analogous to "thank $deity", which alludes to the syntax for naming a variable in Bourne shell, Perl, or PHP. At least to me, it carries a connotation of "the world might have been a better place had Microsoft stuck to its BASIC compiler [microsoft.com] and not ventured into monopolizing operating system market."
Re:It doesnt matter... (Score:2, Insightful)
Are you kidding! In my mind Carter is the most remarkable & memorable president ever. Not only did he see a UFO, but he was attacked by a vicious rabbit that swam out to attack him while he was fishing.
As a president though you are right, Jimmy Carter is the meh of presidents.
Re:Microsoft technology? Really? (Score:3, Insightful)
Don't bother looking up facts for yourself or forming your own counter-argument. Just offer us the glib "citation needed" and we'll take you seriously. Right...
Counter-argument to what? He was responding to a post that made sweeping statements but contained no supporting facts at all - hence "[citation needed]" was completely appropriate. That post was the equivalent of those TV commercials that say "4 out of 5 doctors say..." - okay, fine, then give us an honest-to-goodness citation or even a link so we can determine the statement's veracity for ourselves.
Re:It will cost them at some point (Score:3, Insightful)
I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters.
There are several parts to this that are interesting. Is Apple slacking off on implementing new security, or are users like you just not learning about the security improvements Apple has made. Do you remember hearing about when Apple's sandboxing made them just about the only vendor to not be vulnerable to a local service exploit a few years back? Have you ever seen a mainstream article mentioning Apple uses sandboxing?
That said, at last some of Apple obviously pays no attention to security, but that's normal in any large organization. It would be great if Apple would devote more resources to trying to hack their own OS and applications and then lock down those holes. It would be great if Apple would go whole hog with ASLR and sandboxing and handle auto updates for third party apps and smoke test third party apps on OS X and do a lot of others things.
So here's why I don't worry too much about security for Linux or OS X compared to Windows. It's all in the motivation. Apple is highly motivated to implement security that is good enough so that their average users are happy. Linux developers have the same motivation. No matter ow the security climate changes, they will quickly adapt because if they don't they're going to lose money. It's the same reason I think security on Windows is so problematic. Sure some smart guys there are implementing some cool security ideas, but as a company MS is not very motivated to fix security because it doesn't really lose them money. It's cheaper to provide the appearance of working towards security or to spend money building more ways to lock in their customers and make it hard to switch than it is to actually create security solutions. Because MS is not really competing due to their monopoly position, they will not be forced to provide effective security by the free market.
Re:Microsoft technology? Really? (Score:4, Insightful)
The arguments were covered more than exhaustively in the Slashdot discussion which resulted from Charlie Miller pwn2owning the MacBook in two minutes because it was "easiest" of the machines in the competition [computerworld.com] and I should not have to hold anyone's hand in this case. Asking me to explain something which has been so exhaustively covered here in the past is trolling or it is incompetence but it is nothing else. If someone makes a claim, I will generally make at least a cursory effort to find out if they are right [slashdot.org] because it is necessary to be informed in order to debate intelligently.
Of course, it doesn't hurt that TFA is about this very issue. I know this is Slashdot, but come on. I guess you could read this article [laconicsecurity.com], it pretty much sums up the argument.
Re:It doesnt matter... (Score:5, Insightful)
A big post full of ifs and coulds. But I guess because of the size, it's modded up.
So when there is a glitch there is a bunch of finger pointing as there is no mono-culture who is interested in making the overall product better but just one piece of it.
RedHat, Canonical, SuSe, Debian, et cetera have not written all software that make up that distribution, however, their core reason for existing is that they take responsibility for the overall picture.
So often the security fix doesn't fix the core issue just a stop gap somewhere in the line.
Care to give examples?
And if that module was replaced with an other then it could happen all over again.
Just like other platforms.
You'll have to do a lot better than that.
Re:It doesnt matter... (Score:4, Insightful)
This is still a myth, why waste effort on a system that is inherently harder to crack when low hanging MS fruit is still available. Even when Macs make up more of the market it will still not be that big or easy a target. Popularity has very little to do with why a system gets viruses or there would not have been as many viruses for the old Mac systems and there were a shit load of them for OS7, 8 and 9.
Re:Microsoft technology? Really? (Score:3, Insightful)
Linux's implementation of ASLR is substantially inferior to Windows Vista/7's, which was covered the FIRST time this guy won the pwn2own contest.
This may be true (in fact my opinion is that most Linux desktop distros ship with only the ASLR in the generic kernel which last I heard was limited) but you still haven't provided any citation for this. You later claim it was somehow a solved question in another Slashdot thread, but don't link to that thread. Google doesn't seem to have much in the way of comparisons either, just a lot of articles on flaws in the Windows implementation and how people bypass it.
However, it is far superior to OSX's, which appears to not really do anything useful...
What's really funny is that Charlie Miller has repeatedly complained that Apple's implementation is only good for stopping the most common kind of return to libc exploits and not other kinds of attacks ASLR is useful for. So claiming it is useless is like claiming seatbelts are useless since they don't protect against anything but the most common kind of injuries from car crashes.
Please try to keep up, or don't comment.
Keep up with what? Your assertions, half of which you haven't been able to back up and half of which are demonstrably wrong. I don't mind people being assertive, opinionated, arrogant creeps, but if you're going to be one, at least be a competent one.
Re:It doesnt matter... (Score:4, Insightful)
No it isn't. Malware is big business now and you don't make money by targeting niche markets.
And this is why OS X was the first target to go down at the last two Pwn2Own competitions? Safari too at the last P2O. But as I said, malware and hacking is all about money these days and this is pretty much the only thing keeping Apple safe. Apple commits the same security sins as Microsoft, security through obscurity, encouraging bad user behaviour (no passwords) and go a bit further by denying current vulnerabilities and bugs (MS do issue warnings about known vulnerabilities) then attempt to silence those who speak out.
The fact that all Mac machines are practically identical means that if an Apple virus is ever released into the wild it will be much easier to infect more machines, it also means that malware authors can target drivers as all Mac hardware will be using similar drivers. The only reason this hasn't been done yet is that no-one will make any money by targeting 3% of the worlds computers. Linux is a bigger target because Linux can be found on many more servers which make for better spam/botnet hosts. In the world of botnets for hire popularity has everything to do with it as the size of a botnet directly relates to the size of the paycheck.
Re:Silly ASLR (Score:3, Insightful)
And another thing. To my understanding ASLR one purpose is that when there's a exploitable buffer overrun and it is exploited to call some system function the process goes KAB0000M! Now if you have couple of hundreds these kabooms in your log files you probably start to suspect that something fishy is going on.
Without ASLR your box gets exploited and you get nothing in the log file.