News for nerds, stuff that matters

Apple Adds Memory Randomization To Leopard

Posted by kdawson on Thu Oct 18, 2007 07:37 AM
from the shuffling-the-wormholes dept.
.mack notes a ZDNet blog outlining some of the security features added to OSX Leopard (10.5). Here's Apple's brief description of all 11 new security features. "Apple has announced plans to add code-scrambling diversity to Mac OS X Leopard, a move aimed at making the operating system more resilient to virus and worm attacks. The security technology, known as ASLR (address space layout randomization), randomly arranges the positions of key data areas to prevent malware authors from predicting target addresses. Another new feature coming in Leopard is Sandboxing (systrace), which limits an application's access to the system by enforcing access policies for system calls."

Related Stories

A Closer Look At Apple Leopard Security (267 comments)
Last week we discussed some of the security features coming in Leopard. This article goes into more depth on OS X 10.5 security — probably as much technical detail as we're going to get until the folks who know come out from under their NDAs on Friday. The writer argues that Apple's new Time Machine automatic backup should be considered a security feature. "Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X — perhaps in the history of Apple — from a security standpoint. It marks a shift from basing Macintosh security on hard outside walls to building more resiliency and survivability into the core operating system."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Woo! (Score:4, Funny)

    by gazbo (517111) on Thursday October 18, @07:39AM (#21023283)
    Apple is finally catching up with BSD, Linux and Vista!
    • Re:Woo! (Score:5, Insightful)

      by suv4x4 (956391) on Thursday October 18, @08:47AM (#21023957)
      "Apple is finally catching up with BSD, Linux and Vista!"

      Hehe, you were modded +5 Funny, but if it was the other way around:

      "Vista is finally catching up with BSD, Linux and OSX!"

      You would be modded +5 Insightful... Where are the scores of Microsoft fanboys bashing Apple, damn it!
      [ Parent ]
          • Re:Woo! (Score:4, Funny)

            by Yahweh Doesn't Exist (906833) on Thursday October 18, @09:54AM (#21024923)
            your plan doesn't give him the option to continue using it but to forget to pay for it.

            or to decide that it's good enough to use but not worth his money - maybe he'll spend a few hours learning what's new and consider himself even with Apple after they forced him to 'waste his precious time'.
            [ Parent ]
          • Re:Woo! (Score:5, Informative)

            by shmlco (594907) on Thursday October 18, @10:50AM (#21025917)
            (http://www.isights.org/)
            "DVD Player.app won't skip past things that the movie studios put on the DVD..."

            True. In order to license the codecs and software needed to play DVDs legally a DVD Player has to honor the DVD player spec, which means honoring the stupid "operation not allowed" messages embedded in the DVDs.
            [ Parent ]
            • Re:Woo! (Score:5, Informative)

              by shelterpaw (959576) on Thursday October 18, @12:47PM (#21028129)
              Easy enough to write an AppleScript to bypass that, which I've done. It's ugly, but it works and you can add it to your DVD AppleScript menu:

              tell application "DVD Player"
                  activate
                  set viewer full screen to true
                  try -- use try to bypass the FBI warning, menus, etc.
                      play dvd
                      set title to 1
                      set chapter to 1
                  end try
                  (* The following will wait for DVDs that refuse to bypass the intros and jump to the beginning. Annoying! *)
                  delay 3
                  if title is not equal to 1 then
                      repeat until active dvd menu is equal to main
                          go to main menu
                          delay 15
                      end repeat
                      go return to dvd
                  end if
                  (* The following will be used for odd DVDs like Questar documentaries; they don't start with the standard title, they start with title 2 or something different. *)
                  delay 30
                  set oddTitle to 2
                  -- check to see if we're still on the main menu page
                  if dvd menu active is equal to true then
                      repeat until dvd menu active is equal to false
                          set title to oddTitle
                          set oddTitle to oddTitle + 1
                      end repeat
                  end if
              end tell
              [ Parent ]
    • Re:Woo! (Score:5, Informative)

      by bunratty (545641) on Thursday October 18, @08:34AM (#21023797)
      As far as I can tell, even the Linux kernel doesn't have memory randomization. You need a patch like PaX [wikipedia.org] to get that feature.
      [ Parent ]
      • Re:Woo! (Score:5, Informative)

        by bzzzt (313005) on Thursday October 18, @09:06AM (#21024169)

        "Microsoft definitely has something going on with .NET code though. The kind of security you can get there can't be compared with anything you can do on the software or even hardware level, with pure unmanaged code."

        Nice to hear those Microsoft people are about to catch up with the Java sandbox model from 1997 ;)
        [ Parent ]
    • Re:Woo! (Score:5, Funny)

      by jsiren (886858) on Thursday October 18, @09:10AM (#21024247)
      Even I have a random memory!
      [ Parent ]
        • Re:Woo! (Score:4, Interesting)

          by kestasjk (933987) on Thursday October 18, @11:46AM (#21026959)
          (http://kestas.kuliukas.com/)

          "Safari asks. Most modern browsers have security settings that can do this."
          No as in any foreign executable, including executables downloaded via network shares, are flagged as foreign. This isn't the same as your browser asking "are you sure you want to download this executable file?"

          "It is called Little Snitch. It works great."
          Okay, but it wasn't part of the OS. We're talking about the OS here, not applications for the OS.

          "Nice feature, but if you were really concerned with security you would have memory encryption enabled anyhow. No problems with this when using encrypted memory."
          Encrypted memory? Can you elaborate on this? I'm guessing you're talking about encrypted swap files, but that doesn't make it any harder for foreign code to know where in the address space useful libraries are.

          "Public Key signing anyone? This has been around for decades - even on OSX!"
          Manual public key signing isn't the same as automatic digitally signed binaries. Manual public key signing means that the user has to know to download the digital signature separately and check the executable, which is a big hassle and pretty unrealistic for most users.

          "These are not things that weren't available on OSX. They weren't gaping holes. Apple just decided to make them easier for the average user by including them out of the box and beefing them up a bit where necessary (like the memory randomization)."
          They were already available? Where in Tiger is memory randomization, digitally signed binaries, flagged-as-new binaries, and the built in application-level firewall?
          [ Parent ]
  • obligatory troll (Score:4, Funny)

    by pat mcguire (1134935) on Thursday October 18, @07:40AM (#21023297)
    If only this broke bootcamp compatibility - then they'd really prevent viruses.
  • by monkeyboythom (796957) on Thursday October 18, @07:41AM (#21023303)
    "Apple has announced plans to add code-scrambling diversity to Mac OS X Leopard,"
    Diversity Month was in April. Oh well...
  • Cool, but even better... (Score:5, Interesting)

    From the changelog [apple.com]:

    CalDAV Group Scheduling
    Schedule a meeting with colleagues, check availability, and book conference rooms when using iCal with a compatible CalDAV server like iCal Server.

    Reserve Rooms and Equipment
    Reserve meeting rooms and equipment as you create your meeting invitations. If your calendar is administered through a CalDAV server, iCal automatically displays availabilities when you add a room or resource to your meeting.

    It sounds like a high-level player finally decided to take on Exchange. My biggest questions: are there Windows programs that support these features via CalDAV, and is there a CalDAV server in FreeBSD's ports?

  • Pre-Binding? (Score:1)

    by Anonymous Coward on Thursday October 18, @07:47AM (#21023345)
    Okay, so from a practical standpoint, what does this mean for pre-binding? I understand that we don't need to pre-bind ourselves on Tiger, but what about the system libraries?
    • Re:Pre-Binding? (Score:4, Informative)

      by dreamchaser (49529) on Thursday October 18, @08:13AM (#21023581)
      (http://127.0.0.1/ | Last Journal: Saturday August 04, @07:40AM)
      The OS knows where its bits and pieces are and anyone using published APIs will be fine; it's rather transparent to the programmer. Where you'll run afoul is if you are trying to directly access a 'known' code entry point illicitly, without going through the proper channels via the OS. This is why it is a step that can help prevent some types of attacks.

      It's still a bandaid though, just as it is in every other OS that's implemented it (pretty much everything OTHER than OS X has a form of this already).
      [ Parent ]
  • ASLR == Windows Feature Since 3.1 (Score:1, Interesting)

    by Anonymous Coward on Thursday October 18, @07:50AM (#21023371)
    ASLR or 'Address Space Layout Randomization' has seemingly been a 'feature' since Windows 3.1. You never know just *where* or *when* a blue-screen-of-death(tm) will occur. Microsoft should sue Apple for copying this 'valuable' feature :)

    Ok, jokes aside, wouldn't this make debugging programs hell? If something crashes (oh wait, nothing on apple ever crashes)...crash dumps would be almost meaningless.

    Or, another way of looking at this, target addresses can still be found, since the program must have some sort of debug hooks. (Unless debuggers have access to kernel protected areas.)

    In other words, another kind of useless feature...Crash Different!
  • These are just bandaids (Score:4, Insightful)

    by Cthefuture (665326) on Thursday October 18, @07:55AM (#21023409)
    All measures like this are just bandaids and may in fact open up more holes because it adds complexity to an already complex beast.

    There is just no way to do this in software. The future is going to be implementing these types of features in well proven hardware. Things like the no-execute bit, virtualization extensions and such are steps in the right direction but eventually I think we will see some really good security measures put into hardware.
    • Re:These are just bandaids (Score:5, Informative)

      by _merlin (160982) on Thursday October 18, @08:15AM (#21023605)
      (http://www.vastheman.com/ | Last Journal: Monday May 02 2005, @01:30AM)
      Eventually? Look back at the past! IBM System/390 mainframes (and the zSeries derived from it) have all those features in hardware. Array overrun? Hardware exception. Integer overflow? Hardware exception. Touch memory you deallocated? Hardware exception. ALU produces a spurious result? System picks it up because it runs all the code on at least two cores, and the same fault is unlikely to occur in two cores simultaneously - operation is retried on two more cores to determine which of the two original cores was correct, and the failing core is taken out of service.

      You know why we don't do all that in hardware in PCs? Because it requires a huge amount of silicon. Sure, it's great. You learn good programming practices, because you can't get away with slipping even a little. But it costs a lot, gets hot, and goes slow. PCs are meant to be a good enough and cheap enough solution - not necessarily the best solution.
      [ Parent ]
    • Re:These are just bandaids (Score:4, Insightful)

      by suv4x4 (956391) on Thursday October 18, @08:44AM (#21023907)
      "All measures like this are just bandaids and may in fact open up more holes because it adds complexity to an already complex beast."

      99% of security is bandaid and "obscurity" under cover. Even cryptography with large prime numbers is just obscurity: they give you the number and if you could factor it quickly, you can break it. You just can't break it quickly yet.

      Still though, it's the nature of the beast. It's an uphill battle with the hackers. Tech gets sophisticated, hackers get sophisticated, tech gets more sophisticated... It's evolution in a way.

      There are very few security concepts which aren't "bandaids", for example privilege levels are such a security measure, and still, most apps that take advantage of this have a bunch of "bandaids" in them to avoid privilege escalation situations.

      ASLR is a practical approach to easily calling known addresses after a buffer overflow exploit. If all apps in existence made proper use of the no-execute bit and made sure not to overrun buffers in the first place, ASLR could've been useless.

      OS designers though meet a world with imperfect apps, and their task is to improve security in this *existing* situation. They do good.
      [ Parent ]
  • grsecurity? (Score:2)

    by vlad_petric (94134) on Thursday October 18, @07:58AM (#21023443)
    (http://slashdot.org/)
    Nifty patch that (among others) adds similar safeguards to the linux kernel. Too bad it's not in the mainstream kernel.
  • by strength_of_10_men (967050) on Thursday October 18, @08:09AM (#21023549)

    some to Another policies arranges (10.5). notes 11 the and brief Here's has in as by is key security to feature add access Leopard, more positions Mac (systrace), resilient of access X for code-scrambling blog prevent "Apple to new Leopard virus The aimed the to diversity ZDNet at move announced an (address application's enforcing OS worm calls." Apple's security OSX data added security limits technology, Sandboxing description new system Leopard the addresses. making predicting features to layout .mack plans randomly from system malware system to a of a features. ASLR outlining the space which of known operating coming authors areas attacks. randomization), target
  • sandboxing (Score:1)

    by tiocsti (160794) on Thursday October 18, @08:24AM (#21023681)
    If sandboxing is systrace as the article mentions, does this mean they have solved the problems related to syscall wrappers first disclosed by Watson's WOOT07 paper? Is the infrastructure tied directly into the system calls instead, or have they simply ignored the problem?

    http://www.watson.org/~robert/2007woot/ [watson.org]

  • by foo fighter (151863) on Thursday October 18, @08:31AM (#21023769)
    (http://news.google.com/)
    From the fine article:
    Signed Applications

    Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.

    How does the third-party software signing work? How does this make a Mac safer? How does it prevent malicious software developers from signing their software and making it look nice and pretty?
  • Trend (Score:5, Funny)

    by MadMacSkillz (648319) on Thursday October 18, @08:44AM (#21023917)
    (http://www.richardmac.com/)
    There is a trend emerging, ever so slowly... It used to be Mac users attacking Windows users... More and more I'm starting to hear Windows users attacking Mac users. Fortunately, so long as the argument is "Mac is gay," I don't really feel like Mac users need to bother responding. Linux I respect, though... because once I'm in the command line, it's just like OS X. (ducks)
  • For performance reasons, it uses a fixed address (instead of going through __objc_msgSend):

    http://gcc.gnu.org/ml/gcc/2007-03/msg00251.html [gnu.org]

    Doesn't this defeat address space randomization?
  • Some of the things that Apple is doing in this pass are good and useful things. ASLR isn't one of them. It is pretty amazing to see a company adding something like this four years after the research literature has shown that ASLR is trivial for an attacker to beat. The question is: why add something that is so disruptive to legitimate code when it doesn't do any good?
  • Sandboxing != Systrace (Score:5, Informative)

    "Another new feature coming in Leopard is Sandboxing (systrace), which limits an application's access to the system by enforcing access policies for system calls"

    Folks,

    Just FYI, the sandboxing in Leopard is not systrace. Systrace is vulnerable to race conditions -- see Robert Watson's paper "Exploiting Concurrency Vulnerabilities in System Call Wrappers" [lightbluetouchpaper.org]. I asked him about this at WWDC, and he told me that Leopard's sandboxing is based on a different technology and is not vulnerable to the same attacks.



    --Paul
  • Performance impact (Score:1, Redundant)

    by gilesjuk (604902) <giles DOT jones AT zen DOT co DOT uk> on Thursday October 18, @09:33AM (#21024587)
    All these secure features are welcome, but only if you can switch them off.

    If I'm using a Mac for professional audio work and it's never connected to the internet then it doesn't need such high security. The performance impact of anti-malware software on low latency audio can be pretty vast.
  • lol (Score:1, Redundant)

    by thatskinnyguy (1129515) on Thursday October 18, @10:55AM (#21025983)
    When I read the word "random" with Mac in the same sentence, why do I envision the iMac Shuffle?
  • It forgot where the memory went, mind you, but it's the thought that counts.
  • ASLR (Score:3, Funny)

    ASLR - Hmm. 32, Male, Bristol - what's the R for these days? I can't keep up with the youngsters.
  • by The Andersor (703031) on Thursday October 18, @12:54PM (#21028267)
    I've read that many solid state forms of memory (Flash, etc) have a limited lifespan in terms of the number of writes performed on an individual memory address. I also understand that this life cycle is very large, but could this be a way to balance the load on a given memory address over time? Would that then suggest that Apple will follow suit with (I forget who it was) who released a laptop with a Flash based drive instead of a spinning disk HD?
  • by RzUpAnmsCwrds (262647) on Thursday October 18, @05:29PM (#21032725)
    Tagging Downloaded Applications

    Feature in Windows since Windows XP SP2.

    Signed Applications

    Feature in Windows since IE4 / Windows 98, called Authenticode. Nearly everything in a base Windows XP or Vista is signed, as are many third-party applications. Authenticode is based on X.509 certificates - I'm not sure what Apple's tech is based on. Vista checks signatures before elevating, and the signed UAC dialog looks nothing like the unsigned UAC dialog.

    Application-Based Firewall

    Feature in Windows since Windows XP SP2.

    Stronger Encryption for Disk Images

    BitLocker in Vista uses AES-256. EFS can be configured to use AES-256 in Vista.

    Enhanced VPN Client Compatibility

    Don't really know on this one.

    Sharing and Collaboration Configuration

    ACLs have been in Windows since Windows NT. Sharing can be configured through the properties dialog box of any folder.

    Sandboxing

    Protected mode is implemented in Vista. The primary use is Internet Explorer.

    Multiple User Certificates

    The central certificate store in Windows has supported multiple user certificates since at least Windows 2000.

    Enhanced Smart Card Capabilities

    Unknown, but Windows has had smartcard support since Windows 2000.

    Library Randomization

    Vista introduced this to Windows. BSD and Linux distros had it before then.

    Windows SMB Packet Signing

    Obviously supported by Windows Vista.

    So, it looks like most of the new security features in Leopard are direct rip-offs of Vista/BSD/Linux features. Time Machine is a direct ripoff of Previous Versions in Vista, albeit with over-the-top graphical effects. Spaces are a ripoff of a feature that has been in UNIX for decades. Every modern Linux desktop has terminal tabs.

    Apple, stop it with your fucking bullshit. It's fine to copy features from other software. It's not fine to copy them, claim that you're being innovative, and then accuse your competition of copying you. It's dishonest, it's sleazy, and it's cheap. Your software can stand on its own.

  • The downside (Score:1)

    by Aleksej (1110877) on Friday October 19, @02:27AM (#21037859)
  • Re:Leopard? (Score:5, Funny)

    "Why would Apple choose such a gay name for its operating system?"

    To give you closeted folk an excuse to talk about your feelings in public.

    [ Parent ]
  • Simple. (Score:5, Funny)

    by Lethyos (408045) on Thursday October 18, @07:48AM (#21023359)
    (Last Journal: Saturday March 08 2003, @03:00PM)

    Because the Macintosh is the Gay Computer [shelleytherepublican.com].

    [ Parent ]
  • "I hope that there's a way to turn this stuff off."
    Huh? Mac OS X has always had prebinding. This made a lot of system libraries load at semi-random addresses (except for libSystem). In 10.5, they make it intentional and add libSystem into the mix.

    There's currently a massive bug that accidentally implements ASLR on PowerPCs in 10.4.x, but it's per process and completely screws with the shared memory benefits. Of course, 10.5 doesn't have this issue.
    [ Parent ]
  • Re:Why? (Score:5, Insightful)

    by tiocsti (160794) on Thursday October 18, @08:47AM (#21023965)
    "Changing the memory address layout is roughly akin to doing home security by locking different doors on different nights, but always leaving one unlocked. The would-be burglar just has to try all the doors to get in. Doing this kind of thing is trivial on a computer."

    Yes, it's just like that, except you have millions of doors, and an intruder can only try to open one door per night, and the unlocked door changes randomly every night.

    "People really need to stop adding these kinds of things that increase complexity and do not address the real issue, which in this case is access to the memory space of another application without some sort of credential or approval. When the real problem is addressed, this overly complex and fundamentally useless random memory address layout 'feature' will be left in to cause bugs and complexity forever."

    This has nothing to do with access to the memory space of another application.

    [ Parent ]
  • by dougwhitehead (573106) on Thursday October 18, @09:09AM (#21024223)
    "security by locking different doors on different nights, but always leaving one unlocked." A bad analogy IMHO. It is not that you leave things unlocked, but that locking is really hard. This is a measure to cope when all else fails. It's more like taking a different path to work every day, to make it harder for enemies to attack you. Wish all you want for enemies to not exist or to have impenetrable armor, but common sense dictates to prepare for the attack anyway.
    [ Parent ]
  • Re:Why? (Score:2, Funny)

    by lantastik (877247) on Thursday October 18, @10:59AM (#21026071)
    Your analogy is completely confusing. Could you please rephrase it in the form of a car analogy? Thank you.
    [ Parent ]
  • by NatasRevol (731260) on Thursday October 18, @11:22AM (#21026461)
    (Last Journal: Monday November 21 2005, @12:45PM)

    "the appalling 'Open "safe" files after downloading' feature in Safari."
    Seriously? This is one of your 'real' security holes? This one comes turned off by default AND HAS A CHECKBOX IF YOU WANT TO TURN IT OFF.

    [ Parent ]
  • Re:Why? (Score:2)

    by ChrisA90278 (905188) on Thursday October 18, @11:33AM (#21026617)
    "the real issue, which in this case is access to the memory space of another application without some sort of credential or approval." What??? This problem was addressed ages ago by the people who came before Apple and even by those who came before UNIX. This is simply NOT the problem. What is the problem here is the typical buffer overflow. Yes, we should look for these and fix them, but this randomization adds one more layer. Yes the exploit can search all of the process' RAM but that means the program must be larger
    [ Parent ]
  • Re:Why? (Score:2)

    by shmlco (594907) on Thursday October 18, @11:34AM (#21026645)
    (http://www.isights.org/)
    "Doing this kind of thing is trivial on a computer..."

    Ah... no. Because you have basically one chance to get it right. Find a stack overflow exploit somewhere and you have to pick one address point to try. Miss, and in all likelihood the application that downloaded your trojan TIFF blows up with a stack or protection error. (To pick one example.)

    So to continue your analogy the burglar tries each door by lighting a stick of dynamite. Which is something the neighbors tend to notice.

    And most people (myself included) tend to think of improved security as "features". Especially if it means that I'm not wasting time running virus scans and updating virus profiles and all of the other make-work needed to keep a typical Windows system functional.
    [ Parent ]
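
The door analogy argued over in this sub-thread (tiocsti's "one door per night" reply and shmlco's "one chance to get it right") can be put in numbers. This is an added example, not from any poster or from Apple. It assumes a hypothetical `bits` of address entropy (the thread gives no figure for Leopard), that every wrong guess crashes the target, and that the crashes are counted; all function names are illustrative.

```python
"""Guessing a randomized library address: added illustration, not from the thread.

Assumptions: the target address is uniform over 2**bits slots, a wrong guess
crashes the process, and the defender can count crashes.
"""
import random
from fractions import Fraction


def success_within(bits: int, attempts: int, rerandomize: bool) -> Fraction:
    """Exact chance that at least one of `attempts` guesses hits the right slot."""
    slots = 2 ** bits
    if rerandomize:
        # Layout changes after every crash ("the unlocked door changes every
        # night"): each guess is an independent 1-in-slots trial.
        return 1 - Fraction(slots - 1, slots) ** attempts
    # Layout survives the restart: failed guesses can be crossed off, so the
    # guesser sweeps the space without repeating.
    return Fraction(min(attempts, slots), slots)


def expected_crashes(bits: int, rerandomize: bool) -> Fraction:
    """Mean number of crashes the defender sees before a guess succeeds."""
    slots = 2 ** bits
    if rerandomize:
        return Fraction(slots - 1)       # geometric distribution, p = 1/slots
    return Fraction(slots - 1, 2)        # uniform position within one sweep


def simulate_crashes(bits: int, rerandomize: bool, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of expected_crashes() with a seeded generator."""
    rng = random.Random(seed)
    slots = 2 ** bits
    total = 0
    for _ in range(trials):
        secret = rng.randrange(slots)
        if rerandomize:
            while rng.randrange(slots) != secret:
                total += 1
                secret = rng.randrange(slots)   # new layout after the crash
        else:
            total += secret                     # sweep 0, 1, 2, ... until hit
    return total / trials


def restart_limit_for(bits: int, max_risk: Fraction, rerandomize: bool) -> int:
    """Largest number of crash-restarts a supervisor can allow while keeping
    the overall chance of a successful guess at or below `max_risk`."""
    if not 0 <= max_risk < 1:
        raise ValueError("max_risk must be in [0, 1)")
    limit = 0
    while success_within(bits, limit + 1, rerandomize) <= max_risk:
        limit += 1
    return limit


if __name__ == "__main__":
    for bits in (8, 16):                        # constructed entropy values
        for rerand in (True, False):
            print(f"bits={bits} rerandomize={rerand} "
                  f"mean crashes={float(expected_crashes(bits, rerand)):.1f} "
                  f"restart limit for 1% risk="
                  f"{restart_limit_for(bits, Fraction(1, 100), rerand)}")
```

In this model, re-randomizing after each crash only doubles the expected number of crashes; the restart limit is what bounds the chance of a successful guess.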
  • by NatasRevol (731260) on Thursday October 18, @11:39AM (#21026773)
    (Last Journal: Monday November 21 2005, @12:45PM)
    Geez, get a test box already.

    That way you can learn, find & complain about bugs, and test, all while not affecting your production machine.
    [ Parent ]
  • "Address space randomization makes a lot of legitimate techniques harder."

    Name one.

    OS X lets you cache a vector without any hackery. This will still work.

    "unnecessary security dialogs."

    Nope -- they're just adding more info to the existing dialog you get when launching a downloaded app for the first time.
    [ Parent ]
  • by yabos (719499) on Thursday October 18, @01:16PM (#21028745)
    I've been running 9a559 full time on my MBP. No major problems. 99% of programs work just fine. The only thing that doesn't work that well that I use is TextExpander and Mozy Backup.
    [ Parent ]
  • Re:Leopard? (Score:2)

    by Jesus_666 (702802) on Thursday October 18, @03:02PM (#21030571)
    So that more women buy Macs. Remember, queers get all the chicks.
    [ Parent ]
  • Re:Leopard? (Score:2)

    by Anarchitect_in_oz (771448) on Friday October 19, @03:15AM (#21038125)
    As a gay man I'd just like to say I find nothing remotely 'gay' about that name.

    [ Parent ]