
Memory protections in Snow Leopard are still too weak, though it shows other improvements

Apple has been bragging about the security of its new operating system, OS X 10.6 "Snow Leopard".  Leaping from Leopard to Snow Leopard, Apple gives its users limited antivirus/anti-malware protection (the feature currently only detects two signatures out of a handful of known OS X malware signatures).

Still, security experts aren't so hot on Snow Leopard, criticizing the operating system's default firewall setting of "off", its lack of fully automatic updates, and weak anti-phishing efforts for Safari.  They also weren't impressed that Apple shipped with a vulnerable version of Flash, which downgrades users from the safer current version.

Now one prominent Mac hacker has pointed out a significant difference that makes Snow Leopard less secure than the upcoming Microsoft OS, Windows 7. 

Charlie Miller of Baltimore-based Independent Security Evaluators, co-author of The Mac Hacker's Handbook and winner of two consecutive "Pwn2own" hacker contests, is about as experienced as OS X hackers come.  He recently criticized Snow Leopard, stating, "Apple didn't change anything.  It's the exact same ASLR as in Leopard, which means it's not very good."

ASLR is address space layout randomization, a security technology that randomizes where code and data are placed in memory to make it tougher for attackers to determine the location of critical operating system functions.  According to Mr. Miller, unlike Windows 7, which features robust ASLR, Snow Leopard's ASLR is half-baked.  It does not properly randomize the heap, the stack, or the dynamic linker, the part of Snow Leopard that links multiple shared libraries for an executable.  This means that it's much easier for hackers to attack Snow Leopard via memory injection than Windows 7.
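A way to check randomization of the three regions named above, shown as an added example that is not from the article or from Mr. Miller: the program records where one launch placed its stack, heap and a C library function, and `varying_bits` counts how many address bits changed across several launches. All names are hypothetical and the sample addresses are constructed, not measurements of Snow Leopard or Windows 7.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Where one process launch placed the regions the article names. */
struct layout { uint64_t stack, heap, libfn; };

/* Record the address of a stack variable, a heap block and a C library
 * function mapped by the dynamic linker (in a non-PIE build the last one
 * may be a fixed stub inside the executable instead). */
void sample_layout(struct layout *out) {
    int on_stack = 0;
    void *block = malloc(64);
    out->stack = (uint64_t)(uintptr_t)&on_stack;
    out->heap  = (uint64_t)(uintptr_t)block;
    out->libfn = (uint64_t)(uintptr_t)&printf;
    free(block);
}

/* Count bit positions that are not constant across all samples: a lower
 * bound on how many address bits vary. 0 means the region never moved. */
int varying_bits(const uint64_t *addr, size_t n) {
    uint64_t diff = 0;
    int bits = 0;
    for (size_t i = 1; i < n; i++) diff |= addr[0] ^ addr[i];
    for (; diff; diff &= diff - 1) bits++;
    return bits;
}

/* Constructed samples (not measurements from any real system): four launches
 * where the stack moves, the heap barely moves and the library is fixed. */
const uint64_t STACK_RUNS[4] = {0x7ffc1000, 0x7ffc5000, 0x7ffca000, 0x7ffcf000};
const uint64_t HEAP_RUNS[4]  = {0x00100000, 0x00100000, 0x00300000, 0x00100000};
const uint64_t LIB_RUNS[4]   = {0x10000000, 0x10000000, 0x10000000, 0x10000000};

int main(void) {
    struct layout now;
    sample_layout(&now);
    /* Run the binary several times and feed the printed values to varying_bits. */
    printf("this launch: stack=%#llx heap=%#llx libfn=%#llx\n",
           (unsigned long long)now.stack, (unsigned long long)now.heap,
           (unsigned long long)now.libfn);
    printf("constructed samples, varying bits: stack=%d heap=%d lib=%d\n",
           varying_bits(STACK_RUNS, 4), varying_bits(HEAP_RUNS, 4),
           varying_bits(LIB_RUNS, 4));
    return 0;
}
```

A region that reports 0 varying bits across many launches sits at a predictable address, which is the weakness the article describes for an unrandomized dynamic linker.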

Still, Mr. Miller offered some praise for Apple.  They rewrote QuickTime X, their video player, largely from scratch, fixing many holes and insecurities in the process -- including an exploit Mr. Miller had been saving.  He states, "Apple rewrote a bunch of QuickTime, which was really smart, since it's been the source of lots of bugs in the past.  They've shaken out hundreds of bugs in QuickTime over the years, but it was still really smart of them to rewrite it.  [Still] I'd reduce the number of file formats from 200 or so to 50, and reduce the attack surface. I don't think anyone would miss them."

He also praises Apple's relatively effective implementation of DEP (data execution prevention), another memory protection scheme that Windows 7 also has.  DEP is also present in Windows XP Service Pack 2 (SP2) and Windows Vista.  Still, without ASLR, DEP is only so good, he says.  He states, "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7.  When Apple has both [in place], that's when I'll stop complaining about Apple's security."

So why aren't Macs being exploited left and right and why can Apple still air commercials claiming superior security?  Mr. Miller states, "It's harder to write exploits for Windows than the Mac, but all you see are Windows exploits. That's because if [the hacker] can hit 90% of the machines out there, that's all he's gonna do. It's not worth him nearly doubling his work just to get that last 10%."




RE: Quoted for truth
By afkrotch on 9/18/2009 6:00:03 AM , Rating: 1
OSX runs the Mach kernel, which is not BSD. It's a replacement for the BSD kernel.

quote:
Consider this: If Mac users are tens of millions of richer, clueless, users running an insecure OS, connected to the Internet, where are all the exploits that should invite? It sounds like a scammer's dream come true. Tens of millions of "easy targets", yet the attacks and exploits are extremely rare. Why?


There's what? Like 50 million or less OSX/OS9/OS8 users in the world. There's over a billion PC users in the world.

Hmmm...hit the billion, then put the same amount of work to hit the other 50 million. Doesn't seem to make much sense.

Have to put more work in to hit the iPhone/iPod user crowd too. Again, doesn't make sense.

quote:
All security systems have vulnerabilities. If there is a human involved in its operation, that's a big vulnerability. The questions are and always have been:

1. Is there enough security to discourage or defeat the vast majority of attacks, or to cause the attackers to look elsewhere?

2. How can we mitigate the loss/damage caused by an attack?

And those questions always have to be considered in the context of the value of what the security system is protecting. If you're protecting Ft Knox, a large bank, military secrets, or a celebrity, you need a different level of security than a typical business or average person.


Over a billion users, under 50 million users. Which do you think should have a higher level of security?


RE: Quoted for truth
By gstrickler on 9/18/2009 12:33:05 PM , Rating: 2
quote:
OSX runs the Mach kernel, which is not BSD.
You should try checking your facts before posting. NextStep was originally based upon Mach, but they dropped the Mach microkernel many years ago due to performance problems.

From http://en.wikipedia.org/wiki/Mach_kernel
quote:
Today further experimental research on Mach appears ended, ... Neither Mac OS X nor FreeBSD maintain the microkernel structure pioneered in Mach

From http://en.wikipedia.org/wiki/Mac_OS_X
quote:
Certain parts from FreeBSD's and NetBSD's implementation of Unix were incorporated in Nextstep, the core of Mac OS X

Mac OS X is built on a hybrid BSD derived kernel. Parts of Mach were incorporated into BSD, and Mac OS X does retain some additional features from Mach, but it's inaccurate to portray it as based upon Mach since the primary feature of Mach was the microkernel, which has mostly ceased development and been replaced with a hybrid BSD kernel. Mac OS X is more BSD than Mach.

Interesting side note from the Mach_kernel link above (emphasis added):
quote:
The lead developer on the Mach project, Richard Rashid, has been working at Microsoft since 1991 in various top-level positions revolving around the Microsoft Research division. Another of the original Mach developers, Avie Tevanian, was formerly head of software at NeXT, then Chief Software Technology Officer at Apple Computer until March 2006.


RE: Quoted for truth
By afkrotch on 9/21/2009 5:38:31 AM , Rating: 2
From: http://en.wikipedia.org/wiki/XNU

quote:
XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed at Carnegie Mellon University with components from 4.3BSD


Sorry, still Mach, with some BSD.