Snow Leopard Missed a Security Opportunity
CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"
Two week old "news" (Score:5, Informative)
The summary alleges Miller said it "today". Except he didn't.
The article linked to is dated September 14, which means he allegedly said it 2 days ago. Except he didn't.
He actually said it *two weeks ago* on August 29th. [theregister.co.uk]
Wake up, editors!
Justified praise (Score:5, Informative)
Microsoft's Windows Vista and Windows Server 2008 have ASLR enabled by default, although only for those executables and dynamic link libraries specifically linked to be ASLR-enabled. This did not include Internet Explorer 7 on Windows Vista prior to Service Pack 1; ASLR and DEP are both disabled for application compatibility purposes. Newer versions, including Internet Explorer 8, enable these protections. A registry setting is available to forcibly enable or disable ASLR for all executables and libraries. The locations of the heap, stack, Process Environment Block, and Thread Environment Block are also randomized. A security whitepaper from Symantec noted that ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation.
It appears that only OpenBSD and some hardened Linuxes (not mainstream distributions) have a complete implementation.
Re:Oops (Score:3, Informative)
"Microsoft perfected nearly three years ago"
OpenBSD has had this for many, many years. Microsoft used the OpenBSD code as a starting point for their own product. Love the BSD license!
Re:Intellectual Property (Score:3, Informative)
OpenBSD has been using these techniques a lot longer than Microsoft has, so I suspect that there is not (yet) an issue of patents to be licensed.
Re:Surely this is only of any use to a hacker if . (Score:5, Informative)
ASLR makes executing code on the stack quite a bit more difficult, regardless of what privileges the program being exploited may have. It also makes calling library functions and pretty much anything in RAM far more difficult for a hacker. Page protection doesn't protect against these attacks per se.
Re:Here they come... (Score:5, Informative)
1. You identify a system API that has a local escalation vulnerability. These aren't that uncommon and because they cannot be directly exploited remotely they're not generally as high of a priority.
2. You identify a vulnerability in a service or other application that permits execution of arbitrary code remotely.
3. You exploit the remotely exploitable vulnerability with a payload that calls into the known mapped address of the system API with a second payload in order to escalate to root and then execute a third payload with those increased privileges to outright p0wn the machine.
Re:Microsoft technology? Really? (Score:4, Informative)
Linux's implementation of ASLR is substantially inferior to Windows Vista/7's, which was covered the FIRST time this guy won the pwn2own contest. However, it is far superior to OSX's, which appears to not really do anything useful, and which appears to have not even changed since it was discovered that OSX ASLR is useless. Please try to keep up, or don't comment. Thank you.
Re:Justified praise (Score:2, Informative)
The pwn2own article mentions the Win7/IE8 ASLR/DEP vulnerability that was patched before the final version of IE8 was released http://dvlabs.tippingpoint.com/blog/2009/03/27/pwn2own-ie8-exploit-foiled-is-the-browser-finally-secure [tippingpoint.com] . Evidently the hack still works if launched from an intranet.
Not at All "Perfected" (Score:5, Informative)
If there's a phrase that should trigger skepticism, that's it. ASLR isn't "perfect", and has been reported (and confirmed) exploited [dslreports.com] as recently as 7 months ago:
Re:Am I missing something. (Score:2, Informative)
address space layout randomization. I thought this was a feature in OS X 10.5? Was it not implemented, or just not implemented as well as in other OSes? I remember hearing about it as a feature for 10.5.
From TFA:
Two years ago, Miller and other researchers criticized Apple for releasing Mac OS X 10.5, aka Leopard, with half-baked ASLR that failed to randomize important components of the OS, including the heap, the stack and the dynamic linker, the part of Leopard that links multiple shared libraries for an executable.
Re:Let's not let facts get in our way (Score:3, Informative)
Re:Oops (Score:4, Informative)
Praise for MS by kdawson.
There fixed that for you.
Silly ASLR (Score:3, Informative)
ASLR is sorta like moving the location of the barn door, while keeping it wide open.
Hint: The cows can still get out.
Perhaps the guys at Apple realize this and give ASLR a low priority for implementation.
Even so, adding ASLR to the Apple OS is something they could do with relative ease: change the kernel and user-space malloc()s to be less predictable, munge the call stacks to be less predictable, etc., etc. Mostly stuff that can be done with 50 lines of code here and there and not too many other places.
But again, it would be much more efficient to put that effort into closing any open barn doors, rather than painting the open gateways in random colors. Every five seconds.
Microsoft perfected ASLR ? (Score:5, Informative)
Address space layout randomization is a technique to randomize memory addresses of the base of the code, stack, heap, and libraries. First used by PaX and OpenBSD [laconicsecurity.com]
Re:Surely this is only of any use to a hacker if . (Score:3, Informative)
Most Slashdotters don't understand what security is. Security and safety are not synonymous. Obscurity may make you safer, but it does not make you more secure.
Re:Surely this is only of any use to a hacker if . (Score:4, Informative)
Tagging doesn't work for me anymore, so I picked the post with the most use of the word 'obscurity'.
This is not security through obscurity (STO). STO can always be exploited when you know how the algorithm works. Address space randomization cannot be exploited (immediately). You still have to start the executable maybe hundreds of times before the exploit works. This is easy if it's some short piece of code you've crafted yourself, but with real applications, it's not so simple.
Imagine a hack where you send some exploit to somebody over IM. If it doesn't work, the IM client *will* crash as it tried to execute some random portion of memory. How are you going to try your exploit at a different address now?
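The two points above (an exploit that guesses wrong crashes the target, and the Leopard criticism earlier in the thread that the heap, stack and dynamic linker were not randomized) can be measured rather than argued about. The following program is an added example, not code from the original story or any of the posters: it re-executes itself a number of times, records one address from each of four regions (stack, heap, libc data, and the executable's own text) per run, and counts how many bit positions actually change between runs. A region that reports zero varying bits is not randomized at all; the other counts are a lower-bound estimate of how many bits an attacker would have to guess. It assumes a Linux or other POSIX system with gcc or clang, and should be built as `cc -fPIE -pie aslr_probe.c -o aslr_probe` and run as `./aslr_probe`. Building it without `-pie` shows the "only if linked for it" situation described for Windows above: the text column drops to zero while the others still move.

```c
#define _POSIX_C_SOURCE 200809L
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define REGIONS 4
static const char *region_names[REGIONS] = { "stack", "heap", "libc", "text" };

/* One address from each region of the calling process. stdout is a pointer
 * into libc's data segment, so it follows libc's base wherever the loader
 * put it; sample_layout itself lives in the executable's text, which only
 * moves between runs if the binary was built as PIE. */
void sample_layout(uintptr_t out[REGIONS]) {
    int local = 0;
    void *h = malloc(64);
    out[0] = (uintptr_t)&local;
    out[1] = (uintptr_t)h;
    out[2] = (uintptr_t)stdout;
    out[3] = (uintptr_t)&sample_layout;
    free(h);
}

/* Number of bit positions that differ across n samples of one region.
 * Zero means the region landed at the same address every run, i.e. it is
 * not randomized; otherwise it is a lower-bound estimate of the entropy an
 * attacker has to brute-force for that address. */
int varying_bits(const uintptr_t *samples, size_t n) {
    uintptr_t diff = 0;
    for (size_t i = 1; i < n; i++)
        diff |= samples[i] ^ samples[0];
    return __builtin_popcountll((unsigned long long)diff);
}

/* Re-exec this binary in --child mode and parse the four addresses it
 * prints. fork() alone would not do: the child would inherit the parent's
 * layout unchanged; only a fresh exec triggers re-randomization. */
int spawn_sample(const char *self, uintptr_t out[REGIONS]) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execl("/proc/self/exe", self, "--child", (char *)NULL); /* Linux */
        execl(self, self, "--child", (char *)NULL);             /* fallback: argv[0] */
        _exit(127);
    }
    close(fd[1]);
    FILE *f = fdopen(fd[0], "r");
    int got = 0;
    if (f) {
        got = fscanf(f, "%" SCNxPTR " %" SCNxPTR " %" SCNxPTR " %" SCNxPTR,
                     &out[0], &out[1], &out[2], &out[3]);
        fclose(f);
    } else {
        close(fd[0]);
    }
    waitpid(pid, NULL, 0);
    return got == REGIONS ? 0 : -1;
}

int main(int argc, char **argv) {
    enum { RUNS = 32 };
    uintptr_t samples[RUNS][REGIONS], column[RUNS];
    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        sample_layout(samples[0]);
        printf("%" PRIxPTR " %" PRIxPTR " %" PRIxPTR " %" PRIxPTR "\n",
               samples[0][0], samples[0][1], samples[0][2], samples[0][3]);
        return 0;
    }
    int n = 0;
    for (int i = 0; i < RUNS; i++)
        if (spawn_sample(argv[0], samples[n]) == 0) n++;
    if (n == 0) {
        fprintf(stderr, "could not re-exec %s\n", argv[0]);
        return 1;
    }
    for (int r = 0; r < REGIONS; r++) {
        for (int i = 0; i < n; i++) column[i] = samples[i][r];
        int bits = varying_bits(column, n);
        printf("%-5s  %2d varying bits over %d runs%s\n", region_names[r], bits, n,
               bits == 0 ? "  (not randomized)" : "");
    }
    return 0;
}
```

The bit count is deliberately a lower bound: with 32 runs you cannot observe more than about five bits of a region's entropy directly, but any bit that ever flips is one the attacker cannot hard-code, and a region that never moves across dozens of fresh executions is the "exact same address every time" case that makes fire-and-forget exploits possible. Compare the libc and heap columns with the text column of a non-PIE build to see what a partial implementation looks like in practice.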
Re:It doesnt matter... (Score:1, Informative)
I'm pretty sure he was referencing STDs, based on the "mac users are gay" idea. whatever.
Re:It doesnt matter... (Score:1, Informative)
> Lets combine that most people don't update their Linux boxes as quickly as Macs or Windows too.
> As Linux is a server OS and for the most part it will just kinda sit there in the background without much looking at it and as long it is running things are fine.
A ridiculous and unfounded assumption! Maybe *you* leave your server just sitting in a corner, but *real* sysadmins take care of their machines. Most Linux distros have great updaters that check *daily* for security updates - not just to the "core" of the OS, but for *every* installed package. Windows *still* doesn't/can't do that, but it's getting better.
Re:It doesnt matter... (Score:4, Informative)
Should Apple implement it? If they want to be secure, then yes.
Quite frankly, Macs are more secure against certain classes of attacks. Making a global statement about it being more secure is wrong, though. Macs enjoy being less of a target since there are a small number of them out there. To think they are safe is pretty naive. The guy has proved multiple times he can hack them without much trouble.
Re:Silly ASLR (Score:3, Informative)
ASLR is sorta like moving the location of the barn door, while keeping it wide open.
Yes, which is why you keep the door closed. The point of ASLR is to provide some extra degree of protection in case someone accidentally forgets to close the door. Since it happens every now and then anyway (and, yes, in OS X too), it makes sense to have some additional protection.
Also, you rather underestimate the effect of ASLR. It makes reusable fire-and-forget exploits of buffer overruns (which are the single most common source of security issues) extremely difficult to write.
Re:Surely this is only of any use to a hacker if . (Score:3, Informative)
In order to "look in the same place", you need to have code that does the looking. The NX bit will prevent arbitrary code from executing on the stack. One way to get around NX is to overrun a buffer and replace the return address of the stack frame with a known function address that does what you want. In order for this to work, you need to know the address in advance of the attack. ASLR makes it difficult to predict this address.
Re:It doesnt matter... (Score:3, Informative)
By comparison, if someone finds an exploit in Gnome in Ubuntu, for the short time that the window is open, it may only affect Gnome, but in other distros it may not affect Fedora because of the way Fedora packages Gnome. People who don't use Gnome at all won't be affected at all. If you find an exploit in Firefox on Fedora, it may affect every Firefox, or it may not, for the same reasons: the distros package their own, often with their own modifications. Those who don't like Firefox don't have it installed and are not affected.
Updates are going on all the time from both the distribution end and the upstream end, which means that there's every chance someone else will spot the exploit you have and patch it before you can get your malware written and deployed. Linux is a hugely diverse setup, which makes it a small moving target. You're not going to waste your time trying to hit that, especially when all the development happens in the open.
Re:It doesnt matter... (Score:3, Informative)
You have to remember that the old OS7, 8 and 9 systems WEREN'T connected to the internet. Also, virus writers in the 1990s were writing their virii in x86 ASM code. The Macintosh computers were running Motorola processors. In this day and age, the people writing serious security exploits are criminals and governments. They want money. They want information. What information is kept on a Mac that anybody cares about? Some InDesign files? Oooooo yeah, there's a real huge market for stolen graphics files. Maybe someone has the OSX equivalent of Quickbooks? Yeah, that's a real gold mine right there. Until OSX is running ERP and financial systems, very few people are going to bother to target it. The payoff simply isn't there.
Re:It doesnt matter... (Score:3, Informative)
Yup, when it comes to servers, the admin is more important than the OS. If the admin knows what he's working with, he can keep even the worst OS more or less secure.
We had a similar issue at work. Our servers were all working off a group policy that allowed AU. It was set up that way long before I started there. Sure enough, AU took down the mail server one day while forcing a reboot after a patch. Lesson learned.
The biggest threat to security is an admin who isn't intimately familiar with their systems. We've all been there at least once =)