
How to Save Mac OS X From Malware

timothy posted more than 4 years ago | from the endangered-species dept.

Security 222

eXchange writes "Well-known hacker Dino Dai Zovi has written an article at ZDNet discussing last week's discovery of a critical threat to Mac OS X, and another announcement of a Trojan horse exploiting this discovery. He suggests that Snow Leopard, or Mac OS X 10.6, should integrate more robust means of preventing malware attacks. Some of the suggestions he has include mandatory code-signing for kernel extensions (so only certified kernel extensions can run), sandbox policies for Safari, Mail, and third-party applications (so these applications cannot do anything to the system), and some lower-level changes, such as hardware-enforced Non-eXecutable memory and address space layout randomization."


222 comments

Summary For The Lazy (3, Insightful)

rsmith-mac (639075) | more than 4 years ago | (#23918063)

Make Mac OS X like Windows Vista (64bit Vista has almost all of the things listed in his article).

If it does get implemented, it'll be interesting to see how Jobs talks it up since Apple wouldn't have been first.

Re:Summary For The Lazy (5, Insightful)

mingot (665080) | more than 4 years ago | (#23918109)

Won't matter. Most malware is installed via the user while installing the latest screensavers, emoticon packs, and browser toolbars. Nothing will ever be able to defeat the uneducated user.

Re:Summary For The Lazy (3, Insightful)

timster (32400) | more than 4 years ago | (#23918509)

Indeed -- leave it to OS hackers to dream up a worthless technological solution to a UI problem. If the interface was designed to give users the faintest notion of what was happening on their computers, we would see progress. Instead we give people interfaces that pretend to simplify complexity while really just glossing over important details, and then we whine about users being uneducated about the details that we've glossed over.

Re:Summary For The Lazy (5, Insightful)

virgil_disgr4ce (909068) | more than 4 years ago | (#23920173)

It's not the interface's problem, it's the fact that 98% of computer users do not want to and will not learn anything about their computer. Some people will actively refuse to learn anything. So in light of that, the root of the problem is far, far deeper :(

Re:Summary For The Lazy (4, Interesting)

Goeland86 (741690) | more than 4 years ago | (#23920429)

It's not the interface's problem, it's the fact that 98% of computer users do not want to and will not learn anything about their computer. Some people will actively refuse to learn anything. So in light of that, the root of the problem is far, far deeper :(

Well then the solution's simple. Give people a license to use a computer. A computer is infinitely more complex than a car, yet you need a driver's license for a car. Pending that, if a user decides to NOT get their "computing license", well they deserve to be infected by spyware, regardless of OS, browser etc.

Attempting to make products idiot-proof should not exist. If you want everything to be idiot-proof, you're ensuring that evolution stops. Even the most hardliner Christian can't deny the fact that some people are morons, dangerous or otherwise incapable of contributing to society.

Hence why we need to keep Darwinism alive in some form or another. Unfortunately the US has too many lawyers that allow idiots to sue companies into making products idiot-proof, instead of letting idiots manage their population the only way they know how to: let the idiots be idiots and see which ones pull it through. They're either very lucky, or not that idiotic if they manage to not kill themselves.

Bad car analogy (3, Insightful)

DrYak (748999) | more than 4 years ago | (#23921427)

Give people a license to use a computer. A computer is infinitely more complex than a car, yet you need a driver's license for a car.
Except that someone trying to drive a car without having learned it first will very probably lead to an accident which could even lead to several dead people, including both him and innocent bystanders.

A car with an uneducated driver is a potentially very powerful weapon.

A computer used by an uneducated user... well at worst he'll screw his computer. Maybe piss off some innocent other web users with the spam mail that the zombied PC will spit. And he might even eventually get some money stolen if too much personal data is spied.
But unless the random guy is operating a computer controlling a nuclear core (and those already *are* selected and trained to be good at their job), it's very unlikely that the screw-up will result in deaths.

That's why you won't see computer licenses any time soon, because the perceived risk (nobody will die at the end) is much lower than the perceived advantage (internet usage has become pervasive, it's so important and useful that anyone *must* have access to it).

The only thing that you could remotely imagine is a tiered approach to internet security:
the global net is accessible to anyone, but only common services are found on it. Special services are connected to a different network, which is more secure and more reliable but does necessitate special clearance.

Think in terms of "Internet freely available for all, Internet2 & GEANT only for hospitals, nuclear reactors and those who pass some license".

But you can't just shut people off the internet because our society relies on it and anyway, nobody will die.

Re:Summary For The Lazy (3, Interesting)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#23921429)

It's not the interface's problem, it's the fact that 98% of computer users do not want to and will not learn anything about their computer.

Bullshit. How hard is it to create an interface that can easily and consistently show executables and data differently? Seriously, add a red ring around all executables, or something more subtle, just something that isn't duplicated by the icons for data. That would solve a myriad of security problems and I don't think it would be too onerous for users to learn. But instead we expect them to interpret hundreds of three letter codes indicating file types, codes which are sometimes visible and sometimes hidden and sometimes appear to be visible, but are really lies covering the hidden code. Yeah, blame the user for not memorizing hundreds of file extensions and learning the controls necessary for making sure they are always visible.

Re:Summary For The Lazy (3, Insightful)

virgil_disgr4ce (909068) | more than 4 years ago | (#23921853)

Whoa there, tiger. You seem to be missing the point of my post: that most users don't know what an "executable" or "data file" is in the first place, and will likely not use the computer often enough to learn by exposure.

And I never said that there aren't bad interfaces. I personally think Windows has one of the worst, for the very reasons you describe.

It's still incredibly important that interfaces are designed logically and efficiently! But any interface nonetheless requires some degree of learning--"intuition" in interfaces is only, in fact, "familiarity."

Re:Summary For The Lazy (5, Insightful)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#23922633)

Whoa there, tiger. You seem to be missing the point of my post: that most users don't know what an "executable" or "data file" is in the first place, and will likely not use the computer often enough to learn by exposure.

How would they know if the user interface makes no distinction? You have to fix the UI first, to reduce the level of education needed to something reasonable. Seriously, most users want to run programs they don't completely trust and their inability to do so is one of the primary causes of insecurity. Current OS's make this incredibly common task very, very onerous. Really the easiest way to do that these days is to buy a VM, install it, configure it appropriately for the program you want to run, create a new image, install an OS, install the program within the OS, and finally run it. That takes money and significant skill and time and is simply too onerous for the normal user.

But any interface nonetheless requires some degree of learning--"intuition" in interfaces is only, in fact, "familiarity."

You can call it whatever you want, but different interfaces and the functionality they connect to make a huge difference in how much education, skill, time, and money it takes to compute securely. Until OS's catch up, people constantly calling for education and blaming users are part of the problem, more than the solution, IMHO.

Re:Summary For The Lazy (1)

virgil_disgr4ce (909068) | more than 4 years ago | (#23922037)

I can't tell if my reply to this earlier is displaying correctly; in case it is not, this reply was intended for this post:

Whoa there, tiger. You seem to be missing the point of my post: that most users don't know what an "executable" or "data file" is in the first place, and will likely not use the computer often enough to learn by exposure.

And I never said that there aren't bad interfaces. I personally think Windows has one of the worst, for the very reasons you describe.

It's still incredibly important that interfaces are designed logically and efficiently! But any interface nonetheless requires some degree of learning--"intuition" in interfaces is only, in fact, "familiarity."

Re:Summary For The Lazy (5, Interesting)

erroneus (253617) | more than 4 years ago | (#23921851)

Having knowledge is having additional responsibility. It took me quite a while to arrive at that conclusion, but if people can claim they didn't know or don't understand something, they are therefore not responsible for it. This goes well beyond knowing about computers and into all facets of life. For me, knowledge has always been important and desirable, so it was really hard to understand why the majority of people don't want any. But I believe I've hit upon the precise essence of why people don't want to know anything... they don't want it to be their fault.

Re:Summary For The Lazy (1)

resonance378 (1169393) | more than 4 years ago | (#23920913)

A structured or standardized format to error logs would go a long way I think. I'm not sure what it's like on MAC and really haven't found out how to do it on Linux (Ubuntu) but finding and reading logs for Windows is a small nightmare. The event viewer can help but sometimes it doesn't give enough detail or doesn't even log the event as you would expect. Perhaps it's just the environment I'm in and the way it's set up but logs are the last thing our desktop support look for in resolving an issue while it's the 1st thing I want to look at.

Popularity brings the dummies (4, Interesting)

Shivetya (243324) | more than 4 years ago | (#23918891)

It was always going to eventually happen. Given the increasing market share of OS X it was only a matter of time before the hackers got interested. Yet even they had to wait till a sufficient base of idiots got into OS X to make their job easier. I know people whose significant other has trashed home PCs more than once opening attachments or running attachments even after all the pop ups. Note the more than once.

People forget or get in a hurry. It's the hacker's job to exploit that nature. That makes it difficult for the owners of the OS because even if you require a password/etc to execute something many people will just do that, type in the password regardless. It's like the story of the young girl who was a latchkey kid, told to never ever let people in the house while mom was gone. Yet she did three times and even denied it until shown the film showing these people being let in. Worse, she didn't recall because it was so automatic. She was distracted by something else and that focus let her pass over doing what was right.

I look at it this way on my iMac: if that password prompt comes up and I didn't initiate it from some update I know came from Apple or I was loading a package I downloaded, I am going to cancel the process. Yet I am quite sure my friend's SO would dutifully type the password in. Can't be helped. Sometimes people cannot accept they did something wrong even when you show them.

Re:Popularity brings the dummies (0)

Anonymous Coward | more than 4 years ago | (#23919243)

"Its the cracker's job to exploit that nature"

There, I fixed that for you.

Re:Summary For The Lazy (3, Insightful)

vertinox (846076) | more than 4 years ago | (#23919157)

Nothing will ever be able to defeat the uneducated user.

True, but you can mitigate the damage a single user can do. It's called sandboxing.

If you prevent a user from installing applications that get to do things like put themselves in startup or have the ability to hide themselves from the user or start on their own without user intervention then you've done half the battle right there.

OS X still can do this with admin rights which I fear most people run, but it's a start at least.

Of course, a malicious one time application can always wipe the user directory in these situations but that is what backups are for. However, it's a lot easier to get rid of that malicious program if the OS itself won't allow you to create startup programs or allow applications to run in stealth mode.

Re:Summary For The Lazy (1)

Mozk (844858) | more than 4 years ago | (#23922673)

Sandboxie [sandboxie.com]
Filemon [microsoft.com]

Perfect for stopping applications from doing such things (or with Filemon, logging it). While I'm definitely not an uneducated user when it comes to computers, those tools are excellent.

Re:Summary For The Lazy (1)

Aphoxema (1088507) | more than 4 years ago | (#23919557)

That's not true. The solution would be to simply not let the user install anything. Ever.

Re:Summary For The Lazy (2, Insightful)

vux984 (928602) | more than 4 years ago | (#23920087)

Won't matter. Most malware is installed via the user while installing the latest screensavers, emoticon packs, and browser toolbars. Nothing will ever be able to defeat the uneducated user.

True enough for the average home user, but the corporate/enterprise/government desktop is a whole other ballpark, and in that environment stuff like sandboxes and driver signing make a lot of sense.

Also as a 'sophisticated' user, using Vista x64, I quite like the driver signing concept.

I think it's GREAT that some driver I download, or some source code for a driver I download and compile myself, or even a driver I might write myself from scratch can't by default run on everyone's computers.

That's a good barrier to rootkits etc. Even if a naive user says 'I agree' the driver still won't load. And if a rootkit does get signed, the keys can be revoked at MS, and a gazillion PCs will be immune next time they update.

It's a good system.

Of course, it has its frustrations - oss drivers, home made drivers, etc, etc won't work. And as a result:

Most of the chatter on the net about it is 'how to disable driver signing', 'how to bypass it', etc. Yet the question people SHOULD be asking is: "How do I sign a driver to run on MY PC?"

THAT WOULD BE FAR MORE USEFUL.

It is after all YOUR PC, and you should be allowed to run any driver you want on it. So there *should* be a way of signing it for your PC. As the owner I should have my own private signing key, and anything I sign should run on any PC that has my public key trusted on it. Obviously stuff I sign with this key won't run on your PC because you won't have my public key trusted on your systems, but that's fine and as it should be.

Of course, this is somewhat at odds with the RIAA/MPAA/DRM objectives with driver signing. But so what, people should be demanding the keys to their computers, and getting them.

Code/Driver signing isn't evil, it's on par with putting a lock on your car or home. Not giving the owners the keys is evil.

And with that said, IS it possible to sign your own drivers for your own Vista machine? I'd very much like to know what is involved in doing that.

Re:Summary For The Lazy (1)

WiseWeasel (92224) | more than 4 years ago | (#23921793)

Screw that. Mandatory driver signing is unacceptable, as it's no longer a general purpose computer strictly under my control. The answer to your question is that NO, you can't sign your own drivers for Vista and/or distribute them to other people to use. It would be like the vendor keeping control of the root account with some super secret password, and only giving the user some crippled 'admin' account without access to the whole computer. When I bought my computer, the OS and all its files became mine, and I'm free to tinker with it to my heart's content. I don't mind having a certification process for 'safe' drivers, and then have some mechanism for booting in safe mode with only safe drivers loaded if there is a problem with one of the unapproved drivers. The user should still be free to write their own kernel extensions, and load experimental ones from other people if they choose, however.

The day Apple moves to protect the Mac OS from its owner despite their wishes is the day I begin my Linux migration. I'm quite thankful that the open source community has given us a viable alternative should OS vendors try to take control away from the user. Windows Vista 64 is completely unacceptable to me because of the protected kernel space, and I'd drop Apple in a second, despite being quite fond of the Mac OS, if they try to pull something like that.

Re:Summary For The Lazy (1)

jcgf (688310) | more than 4 years ago | (#23922721)

The answer to your question is that NO, you can't sign your own drivers for Vista and/or distribute them to other people to use.

It should just be "and" there, shouldn't it? You can sign your own drivers. You can also distribute drivers. You just can't do both with the same driver at the same time (not for technical reasons though - license ones).

I don't mind having a certification process for 'safe' drivers, and then have some mechanism for booting in safe mode with only safe drivers loaded if there is a problem with one of the unapproved drivers.

Well, they do it the other way (you have to manually disable the signing requirement - we did it for a CSP at work - using a hex editor and instructions from MS (edit advapi32.dll) - it should be similar for drivers) which is kind of half way to what you want.

Re:Summary For The Lazy (1)

vux984 (928602) | more than 4 years ago | (#23922799)

Screw that. Mandatory driver signing is unacceptable, as it's no longer a general purpose computer strictly under my control.

It is if you have a signing key for that computer.

The answer to your question is that NO, you can't sign your own drivers for Vista and/or distribute them to other people to use.

Of course you can sign your own drivers and give them to other people. You have to buy a certificate for that, but lots of companies have managed it, including some very small ones.

The more interesting scenario to me is the 'test signatures' mechanism, by which you can freely self-sign drivers for use on your own hardware. Designed for driver developers, and drivers signed this way can't be re-distributed, but if it lets you compile a driver from source, or download an unsigned driver, and self-sign it, and run it on your own hardware, then you basically have the tools to run anything you like on your own hardware and your entire rant about the vendor keeping the keys is nullified.

For more info:

http://msdn.microsoft.com/en-us/library/aa906247.aspx [microsoft.com]
http://msdn.microsoft.com/en-us/library/aa906249.aspx [microsoft.com]

My question about self signing isn't 'can you do it'; I already know you can. It's more a case of 'how exactly', and 'can it easily be applied to downloaded source or unsigned binaries acquired over the internet'?

I don't mind jumping through a couple hoops to sign something I've downloaded, if it means stuff I don't jump through hoops for can't attack me.

The day Apple moves to protect the Mac OS from its owner despite their wishes is the day I begin my Linux migration.

There is no reason Linux won't have signed drivers as well one day. There is nothing 'anti-freedom' about driver signing provided the computer owners have the necessary tools to generate keys, sign with them, and revoke them for their own hardware.

Indeed such a thing might protect me from malicious opensource mirrors hosting 'modified' binaries and other such threats. I would set up my system to trust the Ubuntu or Fedora key, the Apache key, the Mozilla key, and my own key. If I wanted to install a package that wasn't signed by any of the above, as part of the installation I would sign it myself. And of course I could sign my own software.

And if I distributed it and didn't have a widely recognized/trusted signature and/or distributed it unsigned or as source, the recipients could each sign it themselves for their own PC.

Bottom line: Driver Signing isn't inherently evil.

Re:Summary For The Lazy (0)

0xABADC0DA (867955) | more than 4 years ago | (#23920127)

Don't allow programs to write other programs.
Don't allow programs to read or change the settings of other programs.
Don't allow programs to be hacked.

These three things are completely doable and would eliminate pretty much all malware. Even malware that the user chose to install would not be able to do many of the destructive things they do now, such as reading your stored passwords, other program settings, etc. Even if they deleted or modified your files, you could just go back to a ZFS snapshot and get them back again.

You can't prevent people from doing stupid things like leaving their bank info in a .txt file. But you can make it safe to install screensavers, emoticon packs, etc for everybody else.

The simplest and most effective way to prevent programs from being hacked is to write them in Java (or other type-safe language). Most of the operating system kernel should also be written in a type-safe language as well (except for a tiny amount of asm mostly for drivers). This would have a number of other benefits in addition to preventing 'root exploits'.

Re:Summary For The Lazy (1)

IamTheRealMike (537420) | more than 4 years ago | (#23921417)

It's not that easy :-( Believe me, some of us have been studying the problem for a looooong time.

The trick is to strike a balance between legacy technologies (also known as "stuff proven to work") and new ideas. It's very hard. For instance, you say "let's write everything in Java, as well as the kernel" .... that's describing an epic journey in a sentence! Microsoft has already got an R&D program that does exactly what you suggest, Singularity, but nobody is suggesting it'll be on end-user desktops anytime soon. It's too radical a departure.

You also say "don't allow programs to write other programs". How are you going to enforce that exactly? For instance, how would you run a compiler on such a system? Clearly, some programs have to be able to write other programs. What about a web browser? Web browsers routinely download and run programs ... it's only a small step to imagine them somehow compiling JavaScript into native code just like the JVM does with applets. Is the web browser writing another program?

Of course the real problem is not programs writing programs. The real problem is programs modifying other programs. This describes most malware as well as your debugger. How can you ensure that the debugger is allowed to do these dangerous things (ie, poke/modify state of other programs arbitrarily) but malware isn't? Having a trusted chain of execution is one, ie, the debugger can debug programs it launches itself, but not any other programs.

Strategies like Singularity, BitFrost, AppArmor, CoreForce etc all have something to contribute but their implementability varies wildly.

Re:Summary For The Lazy (1)

0xABADC0DA (867955) | more than 4 years ago | (#23922527)

The trick is to strike a balance between legacy technologies (also known as "stuff proven to work") and new ideas.
The legacy technologies have been proven not to work. Since they can be hacked and made to do whatever they are capable of (ie anything POSIX, Win32) the only solution is to apply heavy restrictions to what they can do, so they cannot write new programs, etc. But these fail since the malware can run within the hacked program without user approval, so really they need to be run with far more restrictions -- like the failure of SELinux, this is not practical to do.

For instance, you say "let's write everything in Java, as well as the kernel" .... that's describing an epic journey in a sentence! Microsoft has already got an R&D program that does exactly what you suggest, Singularity, but nobody is suggesting it'll be on end-user desktops anytime soon. It's too radical a departure.
Yes, I know and more to the point is Sun's JavaOS which was not simply an idle research project like Singularity, but was an actual product. It is not so much an epic journey as it is lacking a motivator. People only care about the appearance of security, not actual security. That's why it doesn't get done, not due to some massive hurdles. In fact most software development is done in Java, .Net, or Javascript -- none of which care about POSIX for instance and run with minor changes on any kernel (well, ok, not .Net).

You also say "don't allow programs to write other programs". How are you going to enforce that exactly? For instance, how would you run a compiler on such a system? ... Web browsers routinely download and run programs [in the form of javascript]
Users don't run compilers. For adding programs to the system, Web browsers can download installers or use an API that registers the program (so it can be removed) and asks the user if they want to install it. JavaScript is a typesafe language, so it can't modify the browser, unless the browser allows it to.

How can you ensure that the debugger is allowed to do these dangerous things (ie, poke/modify state of other programs arbitrarily) but malware isn't?
Developers can use special exceptions for their compilers and debuggers. Normal users do not need to use compilers or debuggers.


It's really pretty simple, isn't it? All it really takes is for people to demand it.

Re:Summary For The Lazy (1, Interesting)

Sentry21 (8183) | more than 4 years ago | (#23922891)

Part of that can be resolved by sandboxing. Prevent screensavers, etc. from being able to access anything on the system outside of a small, well-defined set of resources; have the author define that list, and the system enforce it. Network access? Disk access? Safari RSS feeds? Require authentication and code signing.

Oh, and make code signing easy, so people don't have to fork out huge amounts of money to sign their code. Apple could provide a signing service, where you have to apply and go through a verification process, after which you get a certificate that you can use to sign your apps for the next six months.

This opens up a new set of options for security management as well. If a developer finds a security hole in his product, he can release a new version then invalidate the old version through Apple's service. Users can be provided a grace period to upgrade (for e.g. financial software) or be locked out of the service entirely (for e.g. Adium, Disco, etc.).

Alternately, if someone is distributing malware or can't be contacted to fix bugs (or just doesn't fix them) Apple could lock that app out so that it would no longer run.

Untrusted (that is, unsigned) apps could be sandboxed automatically, with the user having to opt-in to un-sandboxing them if they, for some reason, need it.

Re:Summary For The Lazy (0)

Anonymous Coward | more than 4 years ago | (#23918441)

Apple hasn't been first in most of the areas that the uninformed public likes to give them credit for. What's to stop them now?

Re:Summary For The Lazy (1)

HairyCanary (688865) | more than 4 years ago | (#23918797)

Surprise! The uninformed public does not judge products based on whether or not they are *first*.

Re:Summary For The Lazy (1)

resonance378 (1169393) | more than 4 years ago | (#23918707)

My SWAG is that Steve Jobs will talk it up not by doing it 1st but by doing it better. DISCLAIMER: No I don't own a MAC or MAC stock.

Re:Summary For The Lazy (0)

Anonymous Coward | more than 4 years ago | (#23920557)

You don't own an Ethernet or Wifi card? If you have either, I'm pretty sure you have a MAC. I'm not sure what MAC stock is though, is that a big pile of Ethernet cards?

Don't say that! (0)

Anonymous Coward | more than 4 years ago | (#23918921)

Make Mac OS X like Windows Vista
But I read ON THIS VERY SITE that Windows Vista is the single worst operating system known to man! And then you turn around and say things like THAT? How could you? rsmith-mac...I thought we understood each other!

You are coming to a sad realization... (1)

swschrad (312009) | more than 4 years ago | (#23919663)

which we don't need. if we make the malware AUTHORS more like Vista 64, they won't be able to infect anything else.

Accept or Deny?

Oh stop with this nonsense! (0)

Anonymous Coward | more than 4 years ago | (#23921251)

Mac OS X is immune from malware. The story is a hoax meant to scare people. The author probably wants to sell an antivirus program for the Mac, which of course is completely unneeded.

Follow the money, people!

Re:Summary For The Lazy (1)

austin987 (1233720) | more than 4 years ago | (#23922137)

Make Mac OS X like Windows Vista

Please, for the love of all that is good and holy, don't do this Apple.


BSD chroot jails for Safari? (0)

Anonymous Coward | more than 4 years ago | (#23918113)

Sometimes the old ways are best. Sticking apps that deal with Internet facing untrusted stuff 24/7 in a chrooted jail is probably one of the best ways to ensure sanity if the app gets compromised. However, this would create usability issues, say if someone wants to upload a document or whatnot, although a secondary program could do that task.

Re:BSD chroot jails for Safari? (0)

Anonymous Coward | more than 4 years ago | (#23918255)

chroot() requires root, so Safari would have to be setuid... I foresee an attack vector along the lines of osascript -e 'tell app "Safari" to do shell script "whoami"';

Re:BSD chroot jails for Safari? (1)

RiotingPacifist (1228016) | more than 4 years ago | (#23918559)

Less drastic measures like SELinux or AppArmor (or BSD equivalents) would probably be more user friendly. Simple stuff like "if you connected to the network you can only read user files and write to non-configuration user files" wouldn't even need any tools.

Re:BSD chroot jails for Safari? (0)

Anonymous Coward | more than 4 years ago | (#23920161)

SELinux is anything BUT user friendly. Sysadmins usually even turn it off; casual PC users would be infuriated.

Re:BSD chroot jails for Safari? (1)

initdeep (1073290) | more than 4 years ago | (#23922027)

As a Fedora user for a while, I agree.
In fact when it was turned on by default in previous versions of Fedora, the very first thing I did for my home stuff was disable it.

Re:BSD chroot jails for Safari? (1)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#23922841)

less drastic measures like SELinux or AppArmor (or BSD equivalents) would probably be more user friendly.

Apple's sandboxing framework is a MAC one, mostly a port of the one in TrustedBSD as I understand. They already use it to provide an extra layer of security around certain services. The hard part is applying it to third party applications in a user friendly way that does not undermine the security advantages or take control away from end users.
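As an added illustration of the policy sketched two posts up ("read user files, write only to non-configuration user files") applied with the framework named here, this is an example profile written for this page, not code from the thread, from Apple or from Safari. It uses the Scheme-like profile language that `sandbox-exec -f profile.sb <command>` accepts; the user name "alice" and the ExampleBrowser bundle path are assumed placeholders.

```scheme
;; Added example (not from the thread or from Apple): a skeleton profile for
;; Apple's sandbox (the TrustedBSD MAC-based framework mentioned above).
;; Policy: a network-facing app may read the user's files but may write only
;; to non-configuration locations, so a compromised app cannot persist itself
;; in the account's settings. Paths below are assumed placeholders.
(version 1)
(deny default)                      ; everything not listed below is denied

;; Program text, shared libraries and frameworks: read-only
(allow file-read*
       (subpath "/usr/lib")
       (subpath "/System/Library/Frameworks")
       (subpath "/Applications/ExampleBrowser.app"))   ; assumed bundle path
(allow process-exec
       (literal "/Applications/ExampleBrowser.app/Contents/MacOS/ExampleBrowser"))

;; The user's documents stay readable, so uploads still work ...
(allow file-read*
       (subpath "/Users/alice/Documents")
       (subpath "/Users/alice/Downloads"))

;; ... but the only writable user locations are Downloads and a cache dir.
;; ~/Library/Preferences, ~/Library/LaunchAgents, ~/.ssh etc. are not listed,
;; so writes there fall through to (deny default).
(allow file-write*
       (subpath "/Users/alice/Downloads")
       (subpath "/Users/alice/Library/Caches/ExampleBrowser"))

;; Outbound network is the app's job; nothing here grants network-inbound.
(allow network-outbound)
```

A real GUI application additionally needs mach-lookup and sysctl-read rules for the window server and friends; Apple's own service profiles (shipped under /usr/share/sandbox on Leopard) show what those look like, and `(deny default)` makes any omission fail closed rather than open.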

signed kernel modules would be good for apple too (3, Informative)

jonwil (467024) | more than 4 years ago | (#23918147)

Signed kernel modules would not just stop malware but it would stop some of the hacked (and custom written) kernel modules being used to get OSX to run on non apple machines (or being used to make the experience of using OSX on those machines better)

Re:signed kernel modules would be good for apple t (3, Insightful)

Hierophant7 (962972) | more than 4 years ago | (#23918241)

please, the mach kernel was hacked to bypass TPM, it'll be hacked to bypass driver-signing.

Re:signed kernel modules would be good for apple t (1)

IamTheRealMike (537420) | more than 4 years ago | (#23921435)

The point of driver signing isn't to act as a copy protection mechanism. You can boot Vista64 in a mode that'll allow you to load any drivers. The point is to stop programs loading crap into the kernel without the users knowledge. If you have to put the OS into some kind of very obvious "unsafe mode" then the problem becomes much less serious. Can you imagine malware popping up a dialog explaining some complicated boot sequence to the user?

Re:signed kernel modules would be good for apple t (0, Flamebait)

omaha_boy (512639) | more than 4 years ago | (#23918271)

Better for Apple = Worse for consumer. Let's face it: after what they've done to the Mac experience in the last couple of years, Apple (cough, Computer) is more interested in selling iPods and other crap than keeping the Mac user friendly and intuitive. Signing execs and modules would only allow the engineers to let the Apple Gestapo lock down their OS rather than intuitively fixing the problem.

Re:signed kernel modules would be good for apple t (2, Interesting)

Aphoxema (1088507) | more than 4 years ago | (#23919807)

That's a pretty bi-polar way to look at it. Apple might be making a killing off their iPods but surely for many people their cross-pollination is a gateway drug into Macs and Thinking Differently (even though by default OSX gives you no room for customization, you're practically expected and heavily advised to use the stock proprietary software and they'll try their damnedest to lock any third party stuff out of what they can. See: iPhone).

They don't have to do anything to keep 'the Mac user friendly and intuitive' because OSX stands like a great monolith just begging you to try to mess with it and to see who's boss. Then you do, then things stop working, then you have to reinstall back to Graphite Monolith.

I hate proprietary software but for some damned reason I love Macs. Maybe it's the mind control rays that Apple has put so much work into in their secret labs.

That's it! Apple is like smoking! It's cool, it's addictive, it's rebellious, and you're sure to assault anyone who talks down to you for being into it with an ice pick.

Re:signed kernel modules would be good for apple t (1)

TJamieson (218336) | more than 4 years ago | (#23921225)

Signed kernel modules would [...] stop some of the hacked (and custom written) kernel modules being used to get OSX to run on non apple machines (or being used to make the experience of using OSX on those machines better)

Opinions on whether or not this is a good thing are varied.

deja vu? (5, Insightful)

neongrau (1032968) | more than 4 years ago | (#23918175)

Isn't that exactly the same stuff Microsoft talked about years ago and many ppl on slashdot cried "foul!" about it?

But then again it all makes sense for Apple. The iPhone's App Store pretty much does all that. And when it works out Apple might just start a Mac App Store. No executable program launchable if it doesn't originate from the App Store. Or only in some considered insecure sandboxed VM. That could even work, but is that really what users want?

Immigration? (1)

tepples (727027) | more than 4 years ago | (#23918987)

And when it works out Apple might just start a Mac App Store. No executable program launchable if it doesn't originate from the App Store.

Developers don't want to have to immigrate to the United States and pay an annual or per-application fee just to develop Macintosh applications. That would only serve to drive smaller developers to Ubuntu.

Re:Immigration? (1)

neongrau (1032968) | more than 4 years ago | (#23919359)

While some developers might want to immigrate, I wouldn't either. But why do you think only US developers are allowed to use the App Store? That was just for the closed Beta.

And how do you know the pricing scheme of a purely theoretical Mac App store?

And if that said App Store would have free accounts for qualifying Open Source licenses, wouldn't that be enough?

Could you really trust a Closed Source application where the dev or company behind it wouldn't even pay a small membership fee (annual, one-time... whatever) just for authentication purposes and code signing?

App Store vs. GPL (2, Interesting)

tepples (727027) | more than 4 years ago | (#23919705)

But why do you think only US developers are allowed to use the App Store? That was just for the closed Beta.

In how many countries is the iPhone developer program available as of today? I don't yet own an iPhone nor a Mac capable of running Leopard, so I can't sign up for the developer program myself to find out.

And if that said App Store would have free accounts for qualifying Open Source licenses, wouldn't that be enough?

If the popular GNU General Public License [gnu.org] doesn't qualify, then no, that would not be enough. So far, Apple has not announced any plans to implement App Store terms compatible with the GPL.

Re:Immigration? (1)

wattrlz (1162603) | more than 4 years ago | (#23919997)

... And if that said App Store would have free accounts for qualifying Open Source licenses, wouldn't that be enough? ...

Isn't that a huge if?

Re:Immigration? (1)

neongrau (1032968) | more than 4 years ago | (#23920341)

sure it is, but i didn't start with making up Terms-Of-Service and pricings for something purely hypothetical.

Re:Immigration? (1)

tepples (727027) | more than 4 years ago | (#23921743)

sure it is, but i didn't start with making up Terms-Of-Service and pricings for something purely hypothetical.

I was extrapolating from the existing iPhone developer program, just as people successfully extrapolated from Microsoft's XNA Creators Club to the iPhone developer program.

Wouldn't that be better for everybody? (1)

wattrlz (1162603) | more than 4 years ago | (#23919939)

Apple's OS becomes the paragon of security people think it is and Linux gets more devs. Everybody's happy.

Re:deja vu? (0)

Anonymous Coward | more than 4 years ago | (#23918995)

And how well does that iPhone store limitation keep apps out of your browser?

Just go to http://static.popcap.com/iphone/ [popcap.com] and see how hard it is to run--though not install--an app on the iPhone.
Next: someone finds a vulnerability in their javascript implementation for such an app to exploit.

Just glossing over the first code that gets loaded seems to indicate that it phones home already, but I imagine that's part of some copy protection system rather than spying.

BTW: the link works just as well on iPod Shuffles and PCs and I suppose Macs and Linux boxen too, only in IE there's a slight problem with alignment of the splash screen during initialisation. Firefox doesn't have the alignment problem, and in IE it disappears after the splash screen.

There also seems to be a bug somewhere that makes it run at far too much CPU use sometimes, on the PC as well as in the iThings it was written for.

How fast is Safari JavaScript? (1)

tepples (727027) | more than 4 years ago | (#23919311)

And how well does that iPhone store limitation keep apps out of your browser?

I would imagine that it keeps the apps slow because they have to go through the JavaScript interpreter. A program could stand to lose one or two orders of magnitude of execution speed even compared to an equivalent Java applet running in the JVM.

Code signing (2, Insightful)

Sloppy (14984) | more than 4 years ago | (#23919999)

Isn't that exactly the same stuff Microsoft talked about years ago and many ppl on slashdot cried "foul!" about it?

Where Microsoft went wrong with code signing is that it insists the code be signed by them, because the user or administrator is an enemy (i.e. might install a video driver that doesn't respect DRM).

Code signing is harmless if the machine's administrator is the ultimate authority.

The issue is: whose interests should the OS serve: the OS maker, the user, or (in the case of malware) anyone who manages to get their code onto the machine? If the OS designer answers that question correctly, then there's no problem with code signing (or other whitelisting approaches).

Naturally, the author of TFA got it wrong:

Most kernel extensions are from Apple anyway and for the few common 3rd party ones, they should be required to get a code signing certificate.

Required by whom? A certificate from whom? And the amount of trust delegated to this CA is what?

Re:Code signing (1)

Sloppy (14984) | more than 4 years ago | (#23920053)

Where Microsoft went wrong with code signing is that it insists the code be signed by them, because the user or administrator is an enemy (i.e. might install a video driver that doesn't respect DRM).

Oh, and judging by the iPhone, Apple's attitude is identical, so if they implement code signing for MacOS, I expect them to make the same mistake.

Re:Code signing (1)

IamTheRealMike (537420) | more than 4 years ago | (#23921509)

Microsoft has never attempted to require code signing for drivers. Users have always been able to override that.

They tried to require it for easy, warning free install but unfortunately a lot of manufacturers attempted to game the system (i.e., hide the warnings in some way or instructed the user to ignore them) - unsurprisingly, these very same vendors were the ones writing buggy crash-prone crap.

Given that most users are their own administrators at home, I don't know who exactly you think should be signing the drivers. Ultimately, somebody has to act as an arbiter of quality and authenticity - it might as well be the OS manufacturer.

Microsoft does not require ... (2, Informative)

Anonymous Coward | more than 4 years ago | (#23921781)

Microsoft does not require that the code be signed by them. They simply require that the code be signed, by any certificate issued by a signing authority.
All the code we develop for Windows is signed by us, and installs perfectly fine on Vista, and Microsoft has never seen a single line of our code.

Sandbox? (1)

Lilith's Heart-shape (1224784) | more than 4 years ago | (#23918367)

Why would a sandbox for Mail, Safari, etc. be necessary if the user isn't running these applications with root privileges?

Re:Sandbox? (2, Informative)

rsmith-mac (639075) | more than 4 years ago | (#23918429)

Because running as the user is basically just as good. The user doesn't care what a piece of malware has infected or destroyed, only that it has done so.

Re:Sandbox? (2, Insightful)

cowscows (103644) | more than 4 years ago | (#23920677)

Also, to me as a user, the single most important thing on my computer would be all my documents, which are accessible from my account. Sure, it's not great for my machine to be turned into a spam zombie or whatever, but reinstalling my OS isn't the worst thing in the world. It'd take me a couple hours at most. But recreating all the documents/photos/movies that I've got saved under my account would take much longer, and in many cases be impossible.

I know that's what backups are for, and I've got backups of my important stuff, but the world is an imperfect place and not everything gets backed up.

Re:Sandbox? (1)

owsla (78381) | more than 4 years ago | (#23918525)

Why would a sandbox for Mail, Safari, etc. be necessary if the user isn't running these applications with root privileges?

Because the aforementioned trojan uses a local root exploit to gain root privileges. Thus, sandboxing still makes sense.

Re:Sandbox? (0)

Anonymous Coward | more than 4 years ago | (#23918747)

Because you still wouldn't like these apps to destroy your personal user data, which they have access to?

Re:Sandbox? (0)

Anonymous Coward | more than 4 years ago | (#23919211)

Because users have write access to data.

How would you like a 'utility' to change the addresses in your address book, for example?

Old news is Old (0)

Anonymous Coward | more than 4 years ago | (#23918379)

I feel that Slashdot and ZDNet (and probably the rest of the interbuttz) has beaten the Mac OS X security horse into nothing but mush...

The "Anti-Lock Brakes" of OS design... (5, Insightful)

argent (18001) | more than 4 years ago | (#23918409)

It's a local-only root privilege escalation exploit.

If you're in a position to exploit this, you're already running code with full local user privileges.

Once the system is penetrated, it's game over. You don't need to get root access, or Administrator access, or even break out of the "Reduced Security" sandbox to win basically everything that the guy writing the malware actually needs. Multiuser security is there to protect users from each other, not from themselves.

Recent studies of anti-lock brakes and safety have discovered that ABS doesn't improve safety in general. It improves braking, by letting people brake faster and smoother, but people get used to it and enough people end up depending on ABS that they end up just braking later and when they need the extra edge from ABS they've already used it up.

Before going off half-cocked proposing more layers of complex software that has to work correctly to maintain system integrity (because if it's there, enough software developers will end up depending on it) how about looking at what features of systems promote malware distribution? Design applications so they are inherently safe, rather than filling them with holes and backfilling with kernel patches and warning dialogs?

Re:The "Anti-Lock Brakes" of OS design... (1)

drumbug1 (1140947) | more than 4 years ago | (#23919315)

It's a local-only root privilege escalation exploit.

No, it's not. I can't believe this keeps getting repeated. You can run it via SSH as long as someone is logged into the console.

Re:The "Anti-Lock Brakes" of OS design... (0)

Anonymous Coward | more than 4 years ago | (#23920945)

You don't understand the meaning of "local exploit", do you?

Re:The "Anti-Lock Brakes" of OS design... (0)

Anonymous Coward | more than 4 years ago | (#23921707)

Local console? Hence LOCAL exploit. I still can't believe people are missing that important fact...

Stop trying to spread FUD. We've got enough of that already.

Re:The "Anti-Lock Brakes" of OS design... (1)

WiseWeasel (92224) | more than 4 years ago | (#23921939)

AND, if you know their login and password...

Re:The "Anti-Lock Brakes" of OS design... (0)

Anonymous Coward | more than 4 years ago | (#23922499)

AND, if you know their login and password...

true dat. you are one wise weasel.

Address space layout randomization (5, Informative)

owsla (78381) | more than 4 years ago | (#23918493)

Apple already does address space layout randomization in Leopard (Mac OS X 10.5)

See "Library Randomization" on
http://www.apple.com/macosx/features/300.html#security [apple.com]

Notice that the new security features list also includes code signing and sandboxing. The technology is there, it's just not setup throughout the system.

Re:Address space layout randomization (1)

argent (18001) | more than 4 years ago | (#23918855)

Address space randomization and no-execute are useful tools.

Code signing and sandboxing are nothing more than speedbumps, like the stupid security dialogs in Windows that are leaking into OS X.

The places to strengthen are the front lines, because once the attacker's gotten into a place where he can modify applications or attack an OS sandbox he's already running local code and he's already gotten virtually everything he needs to **** you.

Re:Address space layout randomization (3, Interesting)

maxume (22995) | more than 4 years ago | (#23921913)

UAC is as much about putting social pressure on application vendors to write applications that take advantage of the multi-user security as it is about backwards compatibility. It is more about both of those than it is about actual security.

Re:Address space layout randomization (1)

EraserMouseMan (847479) | more than 4 years ago | (#23920229)

The technology is there, it's just not setup throughout the system.

Is having a security tool and not using it system-wide any different from not having it at all?

Re:Address space layout randomization (1)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#23921267)

The technology is there, it's just not setup throughout the system.

Is having a security tool and not using it system-wide any different from not having it at all?

Yes. You can use it for high-risk applications.

Solution! (0, Troll)

Anonymous Coward | more than 4 years ago | (#23918811)

How to save Mac OS X from malware: wipe the disk and install Ubuntu.

Re:Solution! (0)

Anonymous Coward | more than 4 years ago | (#23919193)

How to save Mac OS X from malware: wipe the disk and install Ubuntu.

but Ubuntu hasn't released a PPC version since version 6! ...ubuntu fanboi much?

Wait a minute... (1)

clone53421 (1310749) | more than 4 years ago | (#23919003)

The Mac system now has a large enough user base that malware is being written for it? Microsoft should be worried... what are they doing wrong, dang it?

Re:Wait a minute... (1)

IamTheRealMike (537420) | more than 4 years ago | (#23921531)

FWIW Firefox started getting attacked (for real, not by researchers) when it reached about 12% market share. Maybe that's the magic number.

repository like linux? (0)

Anonymous Coward | more than 4 years ago | (#23919005)

would having a trusted repository for some of these 3rd party applications help (to a certain extent)? at least the applications grabbed from the repository are *probably safe to run*.

Re:repository like linux? (1)

tepples (727027) | more than 4 years ago | (#23919187)

would having a trusted repository for some of these 3rd party applications help (to a certain extent)?
How would smaller developers get their applications into the repository?

Re:repository like linux? (1)

IamTheRealMike (537420) | more than 4 years ago | (#23921701)

No, probably not. The repositories system used on Linux has huge, massive problems and offers basically no scalable protection.

Here's the problem with using some central authority to bless software (which is what repositories are). Firstly, it has to be exclusive. If there's a user-friendly way to install software outside of the repository, you don't have any useful protection. You can't even train people to prefer software from the repository, because inevitably, somebody who can't be bothered with certification will just stick their program on their website, and they'll be completely trustworthy. So telling users "don't trust people outside the repo" will conflict with their actual experience and be confusing.

If you make it exclusive you now have even bigger problems. Just imagine if Microsoft tried this. It's easy to see what could go wrong. For starters, the moment Microsoft flipped the "kill bit" for a program they'd get sued.

Imagine that some shady outfit writes an MP3 player. It becomes moderately popular. Then it's discovered that the install whacks some adware on the system. Microsoft removes the download and revokes the program certificate (or whatever). The company sues, claiming that the adware was licensed and they didn't know the software would change its behavior over time depending on what it downloaded from the net.

Let's say Microsoft cautions them, the adware is removed, and the MP3 player is back. Let's also say that this MP3 player will download and play a little jingle from the maker's website when it starts. Well now we have another problem - guess what, the MP3 player has a buffer overflow in it, and the company's website gets "hacked" (cough). 500,000 machines just got owned. The adware is back. Microsoft smack the MP3 player company again and pull the download for good. The next day, a buffer overflow is discovered in Safari.

What do they do? Either they can flip the kill bit on Safari and pull the download, instantly reducing its market share on Windows to zero. Hello anti-trust lawsuits! Or they can have an inconsistent policy, opening themselves up to yet another anti-competition lawsuit from the MP3 player manufacturers.

The moment you make some random group of people judge, jury and executioner over the rest of the software industry, you're gonna run into a sticky pile of problems. The Linux guys just haven't figured that out yet.

mandatory code-signing? (1, Insightful)

iminplaya (723125) | more than 4 years ago | (#23919617)

hardware-enforced Non-eXecutable memory?

Unless you could turn it off, it just sounds like DRM. Why we let third party stuff do anything to the OS is totally beyond me. Yeah, let's leave the cockpit door wide open.

Re:mandatory code-signing? (3, Informative)

vux984 (928602) | more than 4 years ago | (#23920479)

hardware-enforced Non-eXecutable memory?

Unless you could turn it off, it just sounds like DRM.

This isn't DRM. This is what prevents a stack overflow or buffer overrun from executing code. There is absolutely nothing evil or even potentially evil about it. Marking your data segments 'NX' means that they can't be executed, even if something 'bad happens'.

mandatory code-signing?

Again this isn't evil. I think it would be great if ALL code always had to be signed. It would pretty much kill morphic virii, and put a real dent in the spread of rootkits etc.

The key to 'good' vs 'evil' with mandatory code-signing is who holds the keys. If I hold the keys to MY computer, then there is NOTHING WRONG with mandatory code-signing, because if there is something I want to run that hasn't been signed by [OS-vendor] I can sign it myself to run on my computer, my network, my enterprise...

What if you can't? (1)

Z_A_Commando (991404) | more than 4 years ago | (#23919777)

What if you can't? You can do all of the things listed in TFA, but you can't secure any system, period. Unless it's buried in a room no one knows about that is completely undetectable and isn't connected to anything else. I'll take Redundant Questions for $200, Alex!

Signed Kernel Extensions (2, Insightful)

psydeshow (154300) | more than 4 years ago | (#23921719)

I don't care what kind of malware it might be, you can pry the CoolBook Controller extension from my cold dead hands!

Third-party extensions by dodgy developers are often required to extend the lame control panels that Cupertino sees fit to bless us with. I shudder every time I install an update to smcFanController or CoolBook, but if I don't want my laptop running at 170F what other choice do I have?

Signing isn't going to make the problem go away. I won't trust these random developers just because they have a certificate. If Apple engineers had time to certify the code itself, they would have time to fix the problems in OSX and firmware that require the use of third-party extensions in the first place.
