A Closer Look At Apple Leopard Security

Last week we discussed some of the security features coming in Leopard. This article goes into more depth on OS X 10.5 security — probably as much technical detail as we're going to get until the folks who know come out from under their NDAs on Friday. The writer argues that Apple's new Time Machine automatic backup should be considered a security feature. "Overall, Mac OS X 10.5 Leopard is perhaps the most significant update in the history of Mac OS X — perhaps in the history of Apple — from a security standpoint. It marks a shift from basing Macintosh security on hard outside walls to building more resiliency and survivability into the core operating system."

  • by jellomizer ( 103300 ) * on Tuesday October 23, 2007 @02:20PM (#21088543)
    Reading this made me wonder. What would happen if you had an important file that you temporarily drop in a public location, then move out once the person has downloaded it? Then someone goes and runs Time Machine on the public directory and picks up the file that you deleted.... Also, will Time Machine pick up different permissions set on a file at different times? You made it and tested it as 777, then after you assure it physically works you bring it down to 755; will it allow you to go back in time and get the permission 777 of the file...

    While I do agree having good backups is an important part of security... Perhaps just perhaps because it is so easy there is a security problem with it.
  • by Anonymous Coward on Tuesday October 23, 2007 @02:25PM (#21088621)
    And it sounds from many of these changes, that Apple can see a future where they would be suffering like Windows because of being a larger target.

    App signing and stack randomization have already come to Windows.

    System restore and shadow copy exists in Windows, though it looks like Apple will be providing a better backup system out of the box.

    And the sandboxing sounds a lot like UAC with the exception that you won't get a prompt. The sandboxed app will just be denied.

    It sounds like Apple OS is not inherently more secure than Windows. It is now a larger target, so it needs these new protections.
  • Re:WTF??? (Score:5, Interesting)

    by 99BottlesOfBeerInMyF ( 813746 ) on Tuesday October 23, 2007 @02:25PM (#21088627)

    Time machine is a security hole from hell. Just suppose you record some pr0n of yourself using the built in iSight, then think better of it and delete the files. Now anyone can casually sit at your desktop and retrieve all the compromising files.

    Apple just made it easier to recover deleted files, if you're using backups. If you're not using backups, there is no problem. OS X has also long had a "secure delete" option that not only deletes the file, but writes over it with random data multiple times, ala DoD requirements. I'd be willing to bet that also does the same on your time machine backups.

  • Backups as Security? (Score:2, Interesting)

    by rueger ( 210566 ) on Tuesday October 23, 2007 @02:35PM (#21088773) Homepage
    "With Time Machine making it easier to back up for all users, especially individuals not already protected by some corporate backup system, Apple is doing more to improve security than any upgrades to firewalls or Safari ever could."

    Although I am a fan of backups, this is really silly. Even if we assume that users have Time Machine turned on, that they have external media on which to back up, that they manage to actually have everything turned on and hooked up to do the automated backup, there's still one hole in this argument.

    In order for a backup to offer protection you need to know that there is something that needs to be restored from the backup. If most security attacks are by nature silent then you won't realize that you have been compromised and will not preserve a recent backup much less restore it.

    Unless there is unlimited storage space for backups there will come a point when Good Data Set A will be replaced on your backup by Corrupted Data Set B. Time Machine likely has no way of knowing that the data it has just backed up is not your good current file, but one that has been damaged. All that it knows is that the file changed.

  • Re:Significance (Score:3, Interesting)

    by aftk2 ( 556992 ) on Tuesday October 23, 2007 @03:13PM (#21089419) Homepage Journal
    Umm...not entirely. I really like the power OS X and am quite enthusiastic about the Intel switch. And yet, as an Apple fan from the mid 90s, I can completely recognize that 10.0 was pretty rough when moving from OS 9. Do you remember how slow that felt? OS 9 still feels faster to me than OS X, although I'd never, ever want to use it again.

    I mean really...you think the people who even know about the term "preemptive multitasking" weren't outnumbered by those who groused about how the new Mac upgrade ran at glacial speeds and lacked spring-loaded folders? OS X is great...and I'm excited about Leopard...but there was a reason that the classic Mac OS inspired diehard fans.
  • Re:Significance (Score:3, Interesting)

    by Apotsy ( 84148 ) on Tuesday October 23, 2007 @04:32PM (#21090863)
    Talk about a false dichotomy! Do you really think the two are at all related?

    There were people who understood the flaws, but (correctly) thought that moving to OS X should not require giving up good performance (which took years to get back), or UI niceties like the way the classic Finder worked. As to the latter, unfortunately Steve apparently didn't like the old Finder and never allowed the OS X Finder to work the same way. Spatial mode is still broken to this day, the "Show Package Contents" feature is inferior to the one from OS 9, the 1-1 relationship between folders and windows is still not as well enforced as it was in OS 9, and as the previous poster mentioned, it took years to get spring loaded folders back (and even longer than that to get its behavior on par with the old implementation), just to name a few examples.

    None of that has anything to do with multitasking or event loop handling and you know it. Or hell, maybe you don't, in which case you're pretty dumb.

  • Application signing, warning dialogs for downloaded files, and the like... these have been Microsoft's first line of defense against cross-zone exploits for a decade now and they have systematically failed. Now Microsoft is using Sandboxing, and that will also fail.

    I wish that Apple would decide to photocopy good ideas from Microsoft rather than bad ones. The single set of application bindings for helper applications and URL handlers? That comes from Windows. The idea of giving users the opportunity to open potentially hostile files directly from mail and browser software? That comes from Windows. Open Safe Files? That comes from Windows. Popping up dialogs before automatically doing stupid things, instead of not automatically doing stupid things? That comes from Windows.

    The last straw for me was when Safari on OSX warned me that I was downloading an EXE file because it's executable. Not that I was running it. Just that I was downloading it. Holy Mother of Turing!

    *sigh*

    At least they don't have anything like ActiveX yet.
  • by NtroP ( 649992 ) on Tuesday October 23, 2007 @05:29PM (#21091675)

    Your sig as it stands makes it sound like Apple would base an OS on Windows for some reason, which is obviously ridiculous...
    Actually, when Apple was looking around for a replacement kernel for their new operating system they briefly considered the NT4 kernel before rejecting it and BeOS for NeXT.
  • Re:Security (Score:2, Interesting)

    by SethJohnson ( 112166 ) on Tuesday October 23, 2007 @05:38PM (#21091805) Homepage Journal
    This is not an insightful post. It is a naive question. The post does not contribute any insight or information. Please mod appropriately.

    To answer the parent question, security is a feature that business perceives as a competitive advantage. Not to mention the ridiculousness of people from one company taking recommendations from outside programmers on how they should do their jobs.

    Seth
  • by Anonymous Coward on Tuesday October 23, 2007 @05:48PM (#21091941)
    Install linux without the network cord plugged in and with the wireless turned off. Then see what is missing. Windows doesn't connect online during the install process to check for drivers. Hell, even after the install process windows check for drivers. Most linux installs are network card drivers and maybe video card the rest is search online against a very large database of drivers. Microsoft are complete fools for not having a driver database that can be checked during the install process.
  • by Anonymous Coward on Tuesday October 23, 2007 @05:55PM (#21092063)
    I hear you brother.

    I have the same problem with Gnome asking me "this file appears to be type X but the extension indicates that it is type Y. please make sure things are secure." Just freaking give me a "don't show this dialog again" option, or "open anyway" or at least memorize that this file is opened with this app! but no Gnome is trying to be the Vista of OSS.

    Note: I use Gnome and it's great, but this particular feature (bug?) is seriously freaking me out.
  • by puetzk ( 98046 ) on Tuesday October 23, 2007 @06:15PM (#21092309) Homepage
    I can't say for sure that Apple did this, but do note that randomizing it once per computer (e.g. randomize it *while* prebinding) is very nearly as effective as randomizing it every time. It still means someone can't write exploit shellcode that works on all (or even a significant fraction) of machines. This is the approach glibc's prelink uses.
  • Re:Significance (Score:5, Interesting)

    by uncleFester ( 29998 ) on Tuesday October 23, 2007 @06:32PM (#21092507) Homepage Journal
    Maybe in the history of Mac OS X, but definitely not the history of Apple itself. I'd say that would be, oh, the shift to Unix.

    myself, i would consider the shift in architecture a greater historical shakeup. it's still amazing to me apple has shifted their core processor/architecture setup twice, including an emulation layer (each time) to ease transition. i had (and still own) a Motorola Mac (SE/30, Moto 68030 CPU) and remember the titanic shift it was migrating to the PowerPC. And, more recently, shifting from the Power/RISC platform to Intel. I think Apple's continued demonstrated ability to shift its underpinnings with damn near nary a disruption is scary impressive. :)

    -r
  • by Kadin2048 ( 468275 ) * <slashdot.kadin@xox y . net> on Tuesday October 23, 2007 @08:54PM (#21094071) Homepage Journal

    I was never into Macs back in the day so I can't comment on old vs. new Finder or spring loaded folders, etc., but I find it telling that the only people who seem to seriously dislike the new Finder are the ones who seriously loved the old one. To everyone else it's pretty spiffy and a reasonably good model of how such things are supposed to work. That is, I'm not at all convinced that the old Finder was actually superior; it's just that people liked it that way, darnit, and anything different is inferior by definition.
    As someone who used the old (oops, "Classic") Mac OS from versions 6-9, while I do think there was a certain level of curmudgeonness among the people who swore they wouldn't switch, there were very legitimate concerns about the OS X Finder and GUI, which I'm not sure have really been resolved.

    Don't get me wrong, I still think OS X is better overall, because of its underlying architecture and a functional CLI, but the Classic Mac GUI had been honed incrementally over almost two decades before Steve just decided to bin the whole thing and reinvent the wheel. It was that interface which made the crappiness of OS 9 worth dealing with, despite the fact that you could hang the whole system by holding down the mouse button, and had to manually allocate memory, and everything else. It was the Mac's saving grace -- perhaps its only saving grace -- throughout the 'lean years' of the platform. And that's why a lot of users just never got over its elimination; it was, for many people, the only reason why they'd stuck around for so long.

    There was no real reason to change it when the old codebase was dropped for NeXT's: even if none of the code needed to be kept, the interface guidelines that had evolved as best practices, arrived at by painstaking trial-and-error by generations of Mac programmers, could have been retained. What I think happened is that Steve Jobs wanted more eye candy, and wanted to make the entire desktop reflect the OS's "newness." It was a sales tactic, and although I don't think there's any debate that it worked, it was a pretty huge cost.

    OS 9 was an operating system with a great GUI and a terrible backend; OS X had a great backend, but a GUI that was almost unusable at first, and which has only very recently come back on par with the Classic OS circa System 7.5 or so. (They just recently snuck the option-click-to-close-all-Finder-windows trick back in, which I believe originated on the IIgs, and was definitely missing for a while in early OS X versions...)

    (Incidentally, the interface schizophrenia isn't limited just to the Mac OS; you also see this behavior in some of the major Apple apps [e.g. iTunes] -- every time there's a whole-number version increase, some part of the interface gets changed, apparently for the sake of changing it. It's as if they realize that some people won't believe that anything is different unless the widgets change, so they scramble everything around periodically, just to keep everyone on their toes.)
  • Re:Evil bit? (Score:2, Interesting)

    by aristotle-dude ( 626586 ) on Wednesday October 24, 2007 @04:34PM (#21104839)

    It seems they invented another great thing. (No matter that this is implemented as an alternate file stream on XP SP2) They will market it as something innovative, of course.
    You might not be aware that NTFS alternate file streams were implemented in order to support the resource fork paradigm in Mac OS on Windows file servers serving Mac OS client machines on a network back in NT 4.x IIRC. Even with XP SP2, multiple file streams in NTFS present a serious potential security hole where an innocent looking 1K readme.txt file could house an ever growing alternate stream that exhausts all disk space or it could be used to house a trojan payload hidden from the filesystem.
