
Apple Adds Memory Randomization To Leopard 311

.mack notes a ZDNet blog outlining some of the security features added to OSX Leopard (10.5). Here's Apple's brief description of all 11 new security features. "Apple has announced plans to add code-scrambling diversity to Mac OS X Leopard, a move aimed at making the operating system more resilient to virus and worm attacks. The security technology, known as ASLR (address space layout randomization), randomly arranges the positions of key data areas to prevent malware authors from predicting target addresses. Another new feature coming in Leopard is Sandboxing (systrace), which limits an application's access to the system by enforcing access policies for system calls."
  • by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Thursday October 18, 2007 @08:50AM (#21023375)
    It works like this: Everyone cheers on the guy that they like and boo the guy they don't like, but in the end they are having beers with the winner who is pretty much never the guy that they like.

    Just look at the U.S. election this year. Everyone and their brother loves Colbert because he is cool and hip and represents a stick in the eye to every other goddamned POLITICIAN out there who can't help but pander to big money and special interest groups. But come election day, it ain't OSX you're putting on your servers.

    Know what I mean?
  • by Cthefuture ( 665326 ) on Thursday October 18, 2007 @08:55AM (#21023409)
    All measures like this are just band-aids and may in fact open up more holes because it adds complexity to an already complex beast.

    There is just no way to do this in software. The future is going to be implementing these types of features in well proven hardware. Things like the no-execute bit, virtualization extensions and such are steps in the right direction but eventually I think we will see some really good security measures put into hardware.
  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Thursday October 18, 2007 @09:18AM (#21023629) Homepage Journal

    July 2001 was the first release with ASLR.

    I'll give you that, but PaX was never accepted into the mainline kernel. That's what I was using as my criterion for "supported by Linux".

  • Re:Woo! (Score:3, Insightful)

    by rootofevil ( 188401 ) on Thursday October 18, 2007 @09:23AM (#21023675) Homepage Journal
    memory randomization and filesystem snapshotting? are you serious?
  • by suv4x4 ( 956391 ) on Thursday October 18, 2007 @09:44AM (#21023907)
    All measures like this are just band-aids and may in fact open up more holes because it adds complexity to an already complex beast.

    99% of security is band-aid and "obscurity" under cover. Even cryptography with large prime numbers is just obscurity: they give you the number and if you could factor it quickly, you can break it. You just can't break it quickly yet.

    Still though, it's the nature of the beast. It's an uphill battle with the hackers. Tech gets sophisticated, hackers get sophisticated, tech gets more sophisticated... It's evolution in a way.

    There are very few security concepts which aren't "band-aids", for example privilege levels are such a security measure, and still, most apps that take advantage of this have a bunch of "band-aids" in them to avoid privilege escalation situations.

    ASLR is a practical approach to easily calling known addresses after a buffer overflow exploit. If all apps in existence made proper use of the no-execute bit and made sure not to overrun buffers in the first place, ASLR could've been useless.

    OS designers though meet a world with imperfect apps, and their task is to improve security in this *existing* situation. They do good.
  • Re:Woo! (Score:5, Insightful)

    by suv4x4 ( 956391 ) on Thursday October 18, 2007 @09:47AM (#21023957)
    Apple is finally catching up with BSD, Linux and Vista!

    Hehe, you were modded +5 Funny, but if it was the other way around:

    "Vista is finally catching up with BSD, Linux and OSX!"

    You would be modded +5 Insightful... Where are the scores of Microsoft fanboys bashing Apple, damn it!
  • Re:Why? (Score:5, Insightful)

    by tiocsti ( 160794 ) on Thursday October 18, 2007 @09:47AM (#21023965)
    "Changing the memory address layout is roughly akin to doing home security by locking different doors on different nights, but always leaving one unlocked. The would-be burglar just has to try all the doors to get in. Doing this kind of thing is trivial on a computer."

    Yes, it's just like that, except you have millions of doors, and an intruder can only try to open one door per night, and the unlocked door changes randomly every night.

    "People really need to stop adding these kinds of things that increase complexity and do not address the real issue, which in this case is access to the memory space of another application without some sort of credential or approval. When the real problem is addressed, this overly complex and fundamentally useless random memory address layout 'feature' will be left in to cause bugs and complexity forever."

    This has nothing to do with access to the memory space of another application.
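    As an added check, not code from this thread or from Apple: a small Python script that spawns fresh processes and reports whether the C library and a heap buffer actually land at different addresses each run. A region whose address never moves across runs is one the randomization being debated is not covering on that system.

    ```python
    import json
    import subprocess
    import sys

    # Script run in each child interpreter: report where libc's malloc and a fresh
    # heap buffer landed in that process. Constructed for this example only.
    CHILD = r"""
    import ctypes, json
    libc = ctypes.CDLL(None)                       # the already-loaded C library
    fn = ctypes.cast(libc.malloc, ctypes.c_void_p).value
    buf = ctypes.create_string_buffer(64)          # a heap-backed allocation
    print(json.dumps({"libc": fn, "heap": ctypes.addressof(buf)}))
    """


    def sample_layouts(runs=5):
        """Spawn `runs` fresh processes and collect each one's reported addresses."""
        samples = []
        for _ in range(runs):
            out = subprocess.run([sys.executable, "-c", CHILD],
                                 capture_output=True, text=True, check=True).stdout
            samples.append(json.loads(out))
        return samples


    def distinct_counts(samples):
        """How many different addresses each region took across the runs."""
        regions = samples[0].keys()
        return {r: len({s[r] for s in samples}) for r in regions}


    def randomized_regions(samples):
        """True for a region whose address moved between runs (ASLR in effect)."""
        return {r: n > 1 for r, n in distinct_counts(samples).items()}


    if __name__ == "__main__":
        runs = sample_layouts()
        for region, moved in randomized_regions(runs).items():
            addrs = ", ".join(hex(s[region]) for s in runs)
            print(f"{region:5s} randomized={moved}  seen: {addrs}")
    ```

    On a system where randomization is disabled (some containers do this), every region reports a single address; that is the condition worth flagging rather than an error in the script.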

  • Re:Woo! (Score:1, Insightful)

    by Anonymous Coward on Thursday October 18, 2007 @09:58AM (#21024077)
    Or you can use bog standard OpenBSD.
  • by slyborg ( 524607 ) on Thursday October 18, 2007 @10:01AM (#21024109)
    Good post. Privilege enforcement in hardware is going to be much harder to crack than various obfuscation schemes in software, which in the end are sort of like a spread-spectrum technique to reduce the signal level of your software deficiencies by spreading them out over the address space.
  • Re:Woo! (Score:3, Insightful)

    by jocknerd ( 29758 ) on Thursday October 18, 2007 @10:41AM (#21024707)
    Be serious. Do you expect Apple to change the way you use OS X? Just order the damn thing. It's going to be great. I've been playing with the 9a559 seed for a couple of weeks. It's working really well. Fortunately, I get a copy for free. Well, not really. I'm an Apple Consultant so there is some money spent there.
  • Re:Pre-Binding? (Score:3, Insightful)

    by shmlco ( 594907 ) on Thursday October 18, 2007 @12:07PM (#21026173) Homepage
    "It's still a bandaid though..."

    Actually, I'd tend to view it as just one of a series of preventative measures that one takes in order to KEEP from getting sick. A band-aid is something you throw on AFTER you've been cut up.

    And yes, we probably could do more, but not until people are willing to take a minor hit in performance in exchange for hardened security features and layers. Linux in particular tends to erupt in flame wars over just a 0.12% increase/decrease in scheduler performance. And Windows folk won't give up an extra half-frame in Quake...
  • by NatasRevol ( 731260 ) on Thursday October 18, 2007 @12:22PM (#21026461) Journal

    the appalling 'Open "safe" files after downloading' feature in Safari.
    Seriously? This is one of your 'real' security holes? This one comes turned off by default AND HAS A CHECKBOX IF YOU WANT TO TURN IT OFF.

  • Re:Woo! (Score:2, Insightful)

    by Gr8Apes ( 679165 ) on Thursday October 18, 2007 @03:06PM (#21029641)

    # Tagging Downloaded Applications

    Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent -- telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.
    This was introduced by Microsoft in Windows XP SP2
    Really? It is? Amazing that the only time I'm asked whether I want to run an executable is when I download with a browser. There's no tagging of executables that I'm aware of nor have experienced. Nor is there any way to tell where an executable came from once it's on your drive. Or maybe there's a new bug to report to MS about XP SP2....

    # Application-Based Firewall

    Gain more control over the built-in firewall. Specify the behavior of specific applications to either allow or block incoming connections.
    You guessed it; Microsoft, SP2 (it was available in third party firewalls before then of course)
    SP2's firewall is an add-on application. Yes, it ships with but is not integral to the OS, and can be replaced. It's also a piece of crap, IIRC. There are much easier and more efficient ways of securing your system. (FYI, I don't run it as it's too flaky for what I do and far too big a pain to even try and configure for the port ranges I use - it'd essentially be open)

    # Library Randomization
    As the GP said, this has been in lots of OSes for a long time, including Windows Vista.
    And how easy has it been to implement? It's not in XP SP2.

    # Signed Applications

    Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.
    Again, Microsoft, SP2.
    I believe MS had signed drivers and DLLs (not applications, just drivers and DLLs) long ago. Guess what, no one does it. When's the last time you had a signed driver or DLL? My sound card, video card, motherboard chipsets, network chipsets, printers, and scanners all came with unsigned drivers, despite being "Made for Windows". Having something and using it effectively are two entirely different things. Those would all be from mom and pop companies, like Creative, nVidia/ATI, MSI/Asus, broadcom, Konica-Minolta/HP, and HP/Epson, respectively.

    BTW, since OSX is BSD, then OSX has potentially had anything BSD has, especially things that are "ages" old as the other poster said.
  • by Anonymous Coward on Thursday October 18, 2007 @04:43PM (#21031277)
    "Randomization breaks a large number of de facto contracts about memory layout that certain applications have historically relied on, and each of those applications now needs to be fixed. Safe bet that the Objective C garbage collector was one of the things they either needed to fix or had already fixed."

    This is of course complete bullshit. There has never been anything resembling a contract concerning where the stack, heap, libraries, etc are loaded into memory. The layout of the address space is different on different platforms already, you can not rely on it for anything. Randomized address space layouts will only make it very clear that your code is broken when using code that is already completely and totally wrong and broken.

    "Breaking things may be worth it if you get some value in exchange for the pain, but randomization of the address space doesn't provide any value."

    Considering it doesn't break things (see several JVM implementations including Sun's, OCaml, GHC, Pike, etc, etc which all have GC and all work just fine) and that it does in fact provide a very significant difficulty in executing exploit code contrary to your nonsense hand-waving, I think it's very much worth it.
