A Closer Look At Apple Leopard Security

Last week we discussed some of the security features coming in Leopard. This article goes into more depth on OS X 10.5 security — probably as much technical detail as we're going to get until the folks who know come out from under their NDAs on Friday. The writer argues that Apple's new Time Machine automatic backup should be considered a security feature. "Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X — perhaps in the history of Apple — from a security standpoint. It marks a shift from basing Macintosh security on hard outside walls to building more resiliency and survivability into the core operating system."

Security

[jcicora]

Why doesn't everyone (Apple, Microsoft, Linux/Unix people) work together on security? Its the one thing that everyone benefits from.

Significance

[Mikey-San]

"Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X -- perhaps in the history of Apple

Maybe in the history of Mac OS X, but definitely not the history of Apple itself. I'd say that would be, oh, the shift to Unix.

Re:Security

[jellomizer]

Well Linux and Apple people like seeing Microsoft with security holes. How many articles about microsoft security problems are tagged "HAHA". Windows People like seeing Apple and Linux security holes because then they don't feel as bad about choosing Windows. Linux people are not normally to happy to see Apple Security holes because it usually means Linux has a simular problem and vice versa.

It is basicly a case if one can say I am more secure then you then I win.

Re:Security Conserns of Time Machiene?

[99BottlesOfBeerInMyF]

What would happen if you had an important file you temprarly drop it in a public location then move it out. once the person downloaded it.

If it is an important file, why would you drop it in a public location in the first place, instead of just transferring it directly to that user or putting it in a password protected location or them? The scenario you envision is already a security problem because you're posting private data in public temporarily. I'd argue the right solution, is not to do that at all.

Re:It's to bad that 10.5 is not comeing out for al

[Anonymous Coward]

That means then Apple would have to support unknown hardware..... won't happen. Thats the benefit to owning apple hardware and OS... I can point my finger at one company and expect to get it fixed right the first time.

Re:Security

[NatasRevol]

It's simply http://en.wikipedia.org/wiki/Schadenfreude [wikipedia.org].

Re:Significance

[noewun]

Well a lot of people considered Moving from OS 9 to OS X a downgrade.

It wasn't a lot of people. It was a vocal minority, the same minority which swore up and down that they'd never touch Apple again after the Intel switch and who spend hours debating the tiniest "flaws" in OS X's GUI. In other words, people for whom computers are an obsession or a fetish.

The the rest of us--people for whom computers are tools used to make money--OS X, and the features it brought, were long overdue. The switch was entirely worth it if only for the addition of a modern memory susbsyetem to an Apple OS. No more preemptive multitasking and having to specify how much memory each application got.

Re:Apple can no longer hide behind small markets

[El Lobo]

I still remember in the late 90s in the apple advocacy newsgroup people telling: "why do I need memory protection and preemptive multitasking"? We don't need that... The it was implemented "finally" on OSX and it was a great thing. Then I remember them telling me the greatness of non-intel processors and how great was that Apple never went Intel. Then they DID move to Intel and boy, what a great move this was :-)

So don't worry, you will get the same story here.

Re:It's to bad that 10.5 is not comeing out for al

[AntEater]

"Mac OS X has the "it just works" reputation because of the limited number of hardware configurations on which it runs."

I've heard this for years but I still haven't seen ANY hardware sample where Windows "just works". I'd put more value on the fact that Apple based the core of their OS on a unix-like system not the registry/spaghetti mess that has been windows for the past decade plus. I'm sure that eliminating poorly written drivers from the mix does help prevent some of the problems that plague windows but it's not the whole story by a long shot.

Besides, with that argument, Linux should be even more unstable because very few of it's hardware drivers are written by the device manufacturers - many are reverse engineered.

Re:Code randomization a bad idea

[bucky0]

ASLR works using the dynamic linker. For the vast majority of programs (I can't think of any counter examples off the top of my head), the dynamic linker works transparently to match up in-program function calls with their proper library addresses. If ASLR adds bugs to the implementation, it must be because of a faulty linker, which can be debugged out.

Virus writers will write something that searches around for the right place to patch
It's not quite that simple. Virus writers have a practical limit of how much code they can squish into a buffer overflow (which reduces the effectiveness of a NOP slide) Not only that, protected memory operating systems will bomb out if you start randomly poking at memory addresses. Since the addresses are randomized, you don't really know where to start looking which means it becomes a probability game of how many valid addresses the code your looking for could be at compared to the total address space.

Developers will think buffer overflows are now OK, and write worse code.
Developers have known about buffer overflows for years, and people still use sprintf over snprintf. I doubt anyone who is doing any serious coding will look at ASLR and say, "Hurray! We can forget about string validation!"

Re:What about the insecure default settings?

[SuperKendall]

Trying to protect non-encrypted data from an attacker with physical access is a fools errand.

Re:impossible; other strategies

[nine-times]

If you look at Apple's description [apple.com] of the time machine functionality, it's not possible for it to work the way they claim.

Could you please explain how you think Apple is claiming Time Machine works, and why you think it's not doing that? I ask because I'm not sure what you find objectionable about the page you linked to. In a simple answer to your question, you can use Time Machine to back up to either an external drive or a server. When space runs out, OSX will warn you, and you'll then be given the option of overwriting your old files. That's what Apple has said about running out of space. I would assume that you'd also have the option of adding additional storage (e.g. getting another external hard drive), and keeping your old backups.

It'll be a very sensible solution for 99% of users. (Yes, that statistic was pulled out of thin air. But it's very sensible.)

However, my OSS solution works much better for me than Apple's expensive, proprietary system would work for me.

Ok, that's great. Nobody is stopping you from using that solution, and Unison has been available on OSX for a while now. In fact, I don't see any reason to think you won't be able to use both Unison and Time Machine. So what's the problem?

Re:Security

[krunk7]

Why doesn't everyone (Apple, Microsoft, Linux/Unix people) work together on security? Its the one thing that everyone benefits from.

Microsoft is free to use any and every security feature ever developed by the open source community. This includes virtually 100% of Linux/bsd's development and lion's share of OSX's security features as well.

The reason we can't say the same for a Microsoft->open source is because for a lot of security in windows...no one has access at all.

Re:Security Conserns of Time Machiene?

[lindseyp]

Then you are totally missing the point. I often get this kind of response from "tech" guys and it pisses me off completely. Sure, it's easier to say "it shouldn't have been there in the first place" and lay blame at someone's feet without trying to actually *solve the problem*.

Assuming TimeMachine actually does allow such a functionality, which I doubt, but that's the premise here... There could be any number of reasons why a file which you do not want public *RIGHT NOW* was at some point in a public directory. Whether some idiot put it there forgetting it could be recovered later. Maybe they thought it would be OK because they gave it a cryptic name and nobody knew it was there. Maybe they put it there by accident "oops.. wrong file!", Maybe it was not deemed to be sensitive at the time but subsequent developments rendered the contents sensitive and worthy of retraction from public view. "what do you mean the ID was fake and she was only 17!?"

What if you forgot to lock your door, then remembered 20 yards down the street and came back to lock it. Only to have someone use "time machine" to go to the 30 second window you had left it unlocked and rob your house. Then you get some insurance dweeb coming to you with "well you shouldn't have left it open in the first place".

Exactly.. that's not the fucking point, is it.