Apple Adds Memory Randomization To Leopard
Posted by
kdawson
on Thu Oct 18, 2007 07:37 AM
from the shuffling-the-wormholes dept.
.mack notes a ZDNet blog outlining some of the security features added to OSX Leopard (10.5). Here's Apple's brief description of all 11 new security features. "Apple has announced plans to add code-scrambling diversity to Mac OS X Leopard, a move aimed at making the operating system more resilient to virus and worm attacks. The security technology, known as ASLR (address space layout randomization), randomly arranges the positions of key data areas to prevent malware authors from predicting target addresses. Another new feature coming in Leopard is Sandboxing (systrace), which limits an application's access to the system by enforcing access policies for system calls."
Woo! (Score:4, Funny)
Come to think of it... (Score:4, Funny)
(http://kadin.sdf-us.org/ | Last Journal: Tuesday October 16, @01:46PM)
Re:Woo! (Score:5, Insightful)
Hehe, you were modded +5 Funny, but if it was the other way around:
"Vista is finally catching up with BSD, Linux and OSX!"
You would be modded +5 Insightful... Where are the scores of Microsoft fanboys bashing Apple, damn it!
Re:Woo! (Score:4, Funny)
or to decide that it's good enough to use but not worth his money - maybe he'll spend a few hours learning what's new and consider himself even with Apple after they forced him to 'waste his precious time'.
Re:Woo! (Score:5, Informative)
(http://www.isights.org/)
True. In order to license the codecs and software needed to play DVDs legally a DVD Player has to honor the DVD player spec, which means honoring the stupid "operation not allowed" messages embedded in the DVDs.
Re:Woo! (Score:5, Informative)
Re:Woo! (Score:5, Informative)
Re:Woo! (Score:5, Informative)
Nice to hear those Microsoft people are about to catch up with the Java sandbox model from 1997
Re:Woo! (Score:5, Funny)
Re:Woo! (Score:4, Interesting)
(http://kestas.kuliukas.com/)
obligatory troll (Score:4, Funny)
A little late perhaps? (Score:1)
Cool, but even better... (Score:5, Interesting)
(http://honeypot.net/ | Last Journal: Friday April 07 2006, @09:33AM)
From the changelog [apple.com]:
It sounds like a high-level player finally decided to take on Exchange. My biggest questions: are there Windows programs that support these features via CalDAV, and is there a CalDAV server in FreeBSD's ports?
Re:Cool, but even better... (Score:5, Informative)
(http://www.voidmain.net/)
Also, the calendar server that is used in Leopard is nothing more than the open-source Darwin calendar server at http://trac.calendarserver.org/projects/calendarserver [calendarserver.org]
So, although nothing exists in ports that I can find you can run the Darwin calendar server on FreeBSD.
Even Windows does this (Score:5, Informative)
Re:Even Windows does this (Score:4, Insightful)
Just look at the U.S. election this year. Everyone and their brother loves Colbert because he is cool and hip and represents a stick in the eye to every other goddamned POLITICIAN out there who can't help but pander to big money and special interest groups. But come election day, it ain't OSX you're putting on your servers.
Know what I mean?
Re:Even Windows does this (Score:5, Funny)
Re:Even Windows does this (Score:5, Informative)
(http://honeypot.net/ | Last Journal: Friday April 07 2006, @09:33AM)
From your Wikipedia link:
Since that release was made on 2007-02-05, you could more accurately say that "Linux, of course, has been doing it for months". OpenBSD didn't even really get a strong version of it until 3.8 [openbsd.org], and that wasn't quite 2 years ago. It sounds like Windows had problems [zdnet.com] with it as recently as February 2007, but maybe that's fixed now.
This is still fairly cutting-edge stuff. It's not like they just now implemented memory protection for the first time.
Pre-Binding? (Score:1)
Re:Pre-Binding? (Score:4, Informative)
(http://127.0.0.1/ | Last Journal: Saturday August 04, @07:40AM)
It's still a bandaid though, just as it is in every other OS that's implemented it (pretty much everything OTHER than OS X has a form of this already).
ASLR == Windows Feature Since 3.1 (Score:1, Interesting)
Ok, jokes aside, wouldn't this make debugging programs hell? If something crashes (oh wait, nothing on apple ever crashes)...crash dumps would be almost meaningless.
Or, another way of looking at this, target addresses can still be found, since the program must have some sort of debug hooks. (Unless debuggers have access to kernel protected areas.)
In other words, another kind of useless feature...Crash Different!
crash logs (was Re:ASLR == Windows Feature...) (Score:5, Interesting)
(http://members.aol.com/willadams)
2006:
Quark XPress: 207 crashes (as many as 9 per day)
Adobe Illustrator: 25
InDesign: 35
PhotoShop: 15
Acrobat: 65
Microsoft Word: 23
Macromedia FreeHand: 9
Mac OS X: 14 (this includes Mac OS X apps like Mail.app and Safari.app)
The totals for this year are a bit more reasonable --- Quark XPress v6.5: 26, v7: 46 (I had to move the aforementioned journal over to Quark 7 after a re-design and that involved a new set of things to work around) --- but I find Mac OS X overall reliable and workable as an environment (though not as nice, consistent and synergistic as NeXTstep).
William
Re:ASLR == Windows Feature Since 3.1 (Score:4, Interesting)
(http://www.nodomain.org/)
Then there's the spinning beachball of death crashes which are a sore point with me.. they happen every time it decides it can't access a network resource* and the only way out is to pull the power cord (since if finder is dead you can't even power off or run the kill application). Got rather sick of doing that last night...
* Which happens rather a lot if you decide to use NFS. NFS under Tiger is broken on intel macs but works OK on ppc macs.. same OS version (allegedly), same NFS share, even the same damned cables.. different result every time.
Re:ASLR == Windows Feature Since 3.1 (Score:5, Informative)
Also, if applications are "just vanishing" on launch, you may have disabled the little popup that tells you the 'application quit, wrote a crash log, and would you like to reopen it?'
Re:ASLR == Windows Feature Since 3.1 (Score:4, Informative)
(http://kadin.sdf-us.org/ | Last Journal: Tuesday October 16, @01:46PM)
Huh? When most Mac apps crash it produces that "The Application [ApplicationName] has quit unexpectedly" crashlog dialog box, where it shows you a trace and you can choose to type a friendly little note in and send it away to Apple. this thing [wikipedia.org].
I don't see it that frequently but I did find a pattern of actions that would repeatedly crash Aperture the other day, and it popped that thing up every time.
Don't know whether it only comes up for Apple applications or what (I don't think so; I remember getting it a few times when Vuescan crashed). Maybe it only comes up as a result of some types of faults, and not all of the fatal ones. But it seems to work fairly well for me.
These are just bandaids (Score:4, Insightful)
There is just no way to do this in software. The future is going to be implementing these types of features in well proven hardware. Things like the no-execute bit, virtualization extensions and such are steps in the right direction but eventually I think we will see some really good security measures put into hardware.
Re:These are just bandaids (Score:5, Informative)
(http://www.vastheman.com/ | Last Journal: Monday May 02 2005, @01:30AM)
You know why we don't do all that in hardware in PCs? Because it requires a huge amount of silicon. Sure, it's great. You learn good programming practices, because you can't get away with slipping even a little. But it costs a lot, gets hot, and goes slow. PCs are meant to be a good enough and cheap enough solution - not necessarily the best solution.
Re:These are just bandaids (Score:4, Insightful)
99% of security is bandaid and "obscurity" under cover. Even cryptography with large prime numbers is just obscurity: they give you the number and if you could factor it quickly, you can break it. You just can't break it quickly yet.
Still though, it's the nature of the beast. It's an uphill battle with the hackers. Tech gets sophisticated, hackers get sophisticated, tech gets more sophisticated... It's evolution in a way.
There are very few security concepts which aren't "bandaids", for example privilege levels are such a security measure, and still, most apps that take advantage of this have a bunch of "bandaids" in them to avoid privilege escalation situations.
ASLR is a practical approach to the problem of easily calling known addresses after a buffer overflow exploit. If all apps in existence made proper use of the no-execute bit and made sure not to overrun buffers in the first place, ASLR could have been useless.
OS designers though meet a world with imperfect apps, and their task is to improve security in this *existing* situation. They do good.
grsecurity? (Score:2)
(http://slashdot.org/)
The Summary, as seen by Leopard users (Score:2, Funny)
sandboxing (Score:1)
http://www.watson.org/~robert/2007woot/ [watson.org]
Signed Applications (Score:1)
(http://news.google.com/)
Signed Applications
Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.
How does the third-party software signing work? How does this make a Mac safer? How does it prevent malicious software developers from signing their software and making it look nice and pretty?
Trend (Score:5, Funny)
(http://www.richardmac.com/)
What about the send message entry point? (Score:1)
(http://www.enyo.de/fw/)
http://gcc.gnu.org/ml/gcc/2007-03/msg00251.html [gnu.org]
Doesn't this defeat address space randomization?
ASLR simply doesn't work (Score:1)
(http://www.eros-os.org/~shap)
Sandboxing != Systrace (Score:5, Informative)
(http://www.ps-enable.com/)
Another new feature coming in Leopard is Sandboxing (systrace), which limits an application's access to the system by enforcing access policies for system calls
Folks,
Just FYI, the sandboxing in Leopard is not systrace. Systrace is vulnerable to race conditions -- see Robert Watson's paper "Exploiting Concurrency Vulnerabilities in System Call Wrappers" [lightbluetouchpaper.org]. I asked him about this at WWDC, and he told me that Leopard's sandboxing is based on a different technology and is not vulnerable to the same attacks.
--Paul
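Editor's added example, not code from any comment above and not Apple's or systrace's own code. It shows the bug class Paul's comment and Watson's paper refer to: a system-call wrapper that inspects an argument in the caller's memory and then lets the kernel fetch that argument a second time, so a second thread can rewrite it between the check and the use. The concurrent thread is stood in for by a callback that runs in the window (deterministic, so the outcome is reproducible); the wrapper names, the "/tmp/ only" policy and the fake do_open are invented for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example. Models a systrace-style wrapper that validates a path
 * argument in user memory. The racing thread is simulated by a callback
 * invoked in the window between the check and the use. */

#define PATH_MAX_LEN 64

/* Invented policy: only paths under /tmp/ may be opened. */
static int policy_allows(const char *path) {
    return strncmp(path, "/tmp/", 5) == 0;
}

/* Stand-in for the kernel side of open(2): records the path it actually
 * used and reports success. */
char last_opened[PATH_MAX_LEN];
static int do_open(const char *path) {
    strncpy(last_opened, path, PATH_MAX_LEN - 1);
    last_opened[PATH_MAX_LEN - 1] = '\0';
    return 1;
}

/* Signature of the "other thread" that runs while the wrapper is not looking. */
typedef void (*race_hook)(char *user_path);

/* Vulnerable wrapper: checks the user buffer, then the kernel re-reads the
 * same user buffer. Whatever the racer wrote in between is what gets opened. */
int sandbox_open_racy(char *user_path, race_hook racer) {
    if (!policy_allows(user_path))
        return -1;                  /* denied at check time */
    if (racer) racer(user_path);    /* the window: another thread runs */
    return do_open(user_path);      /* kernel fetches the argument again */
}

/* Fixed wrapper: copy the argument out of user memory once, then check and
 * use only that private copy. The racer can still scribble on the original
 * buffer, but nothing reads it a second time. */
int sandbox_open_fixed(char *user_path, race_hook racer) {
    char copy[PATH_MAX_LEN];
    strncpy(copy, user_path, PATH_MAX_LEN - 1);
    copy[PATH_MAX_LEN - 1] = '\0';
    if (!policy_allows(copy))
        return -1;
    if (racer) racer(user_path);    /* attacker rewrites the original buffer */
    return do_open(copy);           /* kernel uses the checked copy */
}

/* The attacker's second thread: swap in the path it really wanted. */
void attacker_swap(char *user_path) {
    strcpy(user_path, "/etc/passwd");
}

/* 1 if the last open landed outside the policy, i.e. the sandbox was escaped. */
int escaped(void) {
    return !policy_allows(last_opened);
}

int main(void) {
    char buf[PATH_MAX_LEN];

    strcpy(buf, "/tmp/harmless");
    sandbox_open_racy(buf, attacker_swap);
    printf("racy wrapper opened:  %s (escaped=%d)\n", last_opened, escaped());

    strcpy(buf, "/tmp/harmless");
    sandbox_open_fixed(buf, attacker_swap);
    printf("fixed wrapper opened: %s (escaped=%d)\n", last_opened, escaped());
    return 0;
}
```

The point generalises beyond paths: any argument the wrapper reads from the caller's address space (a sockaddr, an iovec array, a flags word behind a pointer) has the same check-then-refetch window unless the wrapper and the kernel operate on a single copy taken once.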
Performance impact (Score:1, Redundant)
If I'm using a Mac for professional audio work and it's never connected to the internet then it doesn't need such high security. The performance impact of anti-malware software on low latency audio can be pretty vast.
lol (Score:1, Redundant)
Windows had this around 1998 (Score:3)
(http://www.livejournal.com/~sockatume)
ASLR (Score:3, Funny)
(http://calum.org/)
Longer Lasting Memory? (Score:1)
OK, let's run them down (Score:1)
Feature in Windows since Windows XP SP2.
Signed Applications
Feature in Windows since IE4 / Windows 98, called Authenticode. Nearly everything in a base Windows XP or Vista is signed, as are many third-party applications. Authenticode is based on X.509 certificates - I'm not sure what Apple's tech is based on. Vista checks signatures before elevating, and the signed UAC dialog looks nothing like the unsigned UAC dialog.
Application-Based Firewall
Feature in Windows since Windows XP SP2.
Stronger Encryption for Disk Images
BitLocker in Vista uses AES-256. EFS can be configured to use AES-256 in Vista.
Enhanced VPN Client Compatibility
Don't really know on this one.
Sharing and Collaboration Configuration
ACLs have been in Windows since Windows NT. Sharing can be configured through the properties dialog box of any folder.
Sandboxing
Protected mode is implemented in Vista. The primary use is Internet Explorer.
Multiple User Certificates
The central certificate store in Windows has supported multiple user certificates since at least Windows 2000.
Enhanced Smart Card Capabilities
Unknown, but Windows has had smartcard support since Windows 2000.
Library Randomization
Vista introduced this to Windows. BSD and Linux distros had it before then.
Windows SMB Packet Signing
Obviously supported by Windows Vista.
So, it looks like most of the new security features in Leopard are direct rip-offs of Vista/BSD/Linux features. Time Machine is a direct ripoff of Previous Versions in Vista, albeit with over-the-top graphical effects. Spaces are a ripoff of a feature that has been in UNIX for decades. Every modern Linux desktop has terminal tabs.
Apple, stop it with your fucking bullshit. It's fine to copy features from other software. It's not fine to copy them, claim that you're being innovative, and then accuse your competition of copying you. It's dishonest, it's sleazy, and it's cheap. Your software can stand on its own.
The downside (Score:1)
Re:Leopard? (Score:5, Funny)
(http://honeypot.net/ | Last Journal: Friday April 07 2006, @09:33AM)
To give you closeted folk an excuse to talk about your feelings in public.
Simple. (Score:5, Funny)
(Last Journal: Saturday March 08 2003, @03:00PM)
Because the Macintosh is the Gay Computer [shelleytherepublican.com].
Re:I hope they let you disable this junk. (Score:2)
(http://www.unsanity.org/)
There's currently a massive bug that accidentally implements ASLR on PowerPCs in 10.4.x, but it's per process and completely screws with the shared memory benefits. Of course, 10.5 doesn't have this issue.
Re:Why? (Score:5, Insightful)
Yes, it's just like that, except you have millions of doors, and an intruder can only try to open one door per night, and the unlocked door changes randomly every night.
"People really need to stop adding these kinds of things that increase complexity and do not address the real issue, which in this case is access to the memory space of another application without some sort of credential or approval. When the real problem is addressed, this overly complex and fundamentally useless random memory address layout 'feature' will be left in to cause bugs and complexity forever."
This has nothing to do with access to the memory space of another application.
Because no code is bug-free (Score:1)
Re:Why? (Score:2, Funny)
Re:I hope they let you disable this junk. (Score:5, Insightful)
(Last Journal: Monday November 21 2005, @12:45PM)
Re:Why? (Score:2)
Re:Why? (Score:2)
(http://www.isights.org/)
Ah... no. Because you have basically one chance to get it right. Find a stack overflow exploit somewhere and you have to pick one address point to try. Miss, and in all likelihood the application that downloaded your trojan TIFF blows up with a stack or protection error. (To pick one example.)
So to continue your analogy the burglar tries each door by lighting a stick of dynamite. Which is something the neighbors tend to notice.
And most people (myself included) tend to think of improved security as "features". Especially if it means that I'm not wasting time running virus scans and updating virus profiles and all of the other make-work needed to keep a typical Windows system functional.
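Editor's added example, not code from any comment above and not Apple's. It puts numbers on the "millions of doors, one try per night, and a miss blows up the process" picture in the two comments above: the target sits at one of 2^bits equally likely slots, the attacker gets one guess per process lifetime, and a wrong guess is a crash. Assumed, not from the page: the attacker knows nothing else about the layout, the entropy field is at most 32 bits, and the second mode (layout kept across restarts, as when a crashed worker is re-forked from a parent that was randomized once) is added here as the caveat a practitioner would want.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example. Simulates guessing a randomized address under the
 * "one guess per process, a miss crashes it" rule the thread describes.
 * Assumes bits <= 32 and a uniformly random slot. */

/* Small deterministic PRNG (xorshift64*) so runs are reproducible. */
static uint64_t prng_next(uint64_t *state) {
    uint64_t x = *state;
    x ^= x >> 12;
    x ^= x << 25;
    x ^= x >> 27;
    *state = x;
    return x * 0x2545F4914F6CDD1DULL;
}

/* Uniform slot from the high bits of the generator output. */
static uint64_t rand_slot(uint64_t *state, uint64_t slots) {
    return (prng_next(state) >> 32) % slots;
}

/* With a fresh random layout after every crash each guess is an independent
 * trial with success probability 2^-bits, so the expected count is 2^bits. */
uint64_t aslr_expected_guesses(unsigned bits) {
    return (uint64_t)1 << bits;
}

/* One attack. rerandomize=1: the crashed process restarts with a new layout
 * (the normal case). rerandomize=0: the layout survives the restart, so the
 * attacker can walk the slots in order and never repeat a guess (assumed
 * forking-server scenario). Returns the number of guesses until the hit,
 * i.e. crashes + 1. */
uint64_t aslr_simulate_attack(unsigned bits, int rerandomize, uint64_t seed) {
    uint64_t slots = (uint64_t)1 << bits;
    uint64_t state = seed ? seed : 0x9E3779B97F4A7C15ULL;
    uint64_t target = rand_slot(&state, slots);
    uint64_t guesses = 0;
    for (;;) {
        /* Under re-randomization no guess rules anything out, so any guess
         * is as good as any other; with a fixed layout, sweep sequentially. */
        uint64_t guess = rerandomize ? rand_slot(&state, slots) : guesses % slots;
        guesses++;
        if (guess == target)
            return guesses;
        /* Miss: the process dies (the "dynamite"); maybe a new layout. */
        if (rerandomize)
            target = rand_slot(&state, slots);
    }
}

/* Average guesses over many independent attacks. */
double aslr_mean_guesses(unsigned bits, int rerandomize, unsigned trials) {
    double total = 0.0;
    for (unsigned i = 0; i < trials; i++)
        total += (double)aslr_simulate_attack(bits, rerandomize, 0xDEADBEEFULL + i);
    return total / (double)trials;
}

int main(void) {
    unsigned bits[] = { 0, 8, 16 };
    for (unsigned i = 0; i < 3; i++) {
        printf("%2u bits: expected %llu, simulated %.1f (re-randomized), %.1f (fixed layout)\n",
               bits[i],
               (unsigned long long)aslr_expected_guesses(bits[i]),
               aslr_mean_guesses(bits[i], 1, 200),
               aslr_mean_guesses(bits[i], 0, 200));
    }
    return 0;
}
```

The fixed-layout mode is why ASLR is weaker than the "new door every night" analogy suggests for services that recover from a crash without re-executing: the number of crashes is then bounded by the slot count rather than being open-ended, and each crash still leaves the noisy evidence the comment describes.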
Re:Never install 10.x.1 (Score:2)
(Last Journal: Monday November 21 2005, @12:45PM)
That way you can learn, find & complain about bugs, and test, all while not affecting your production machine.
Re:I hope they let you disable this junk. (Score:2)
(http://loewald.com/)
Name one.
OS X lets you cache a vector without any hackery. This will still work.
unnecessary security dialogs.
Nope -- they're just adding more info to the existing dialog you get when launching a downloaded app for the first time.
Re:Never install 10.x.1 (Score:2)
Re:Leopard? (Score:2)
Re:Leopard? (Score:2)