
Snow Leopard Missed a Security Opportunity

kdawson posted more than 4 years ago | from the where-did-you-put-it-what-you-know-where-do-you-think-oh dept.

Security 304

CWmike writes "Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. 'Apple didn't change anything,' said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker's Handbook, and winner of two consecutive 'Pwn2own' hacker contests. 'It's the exact same ASLR as in Leopard, which means it's not very good.'"


It doesnt matter... (4, Funny)

Ontheotherhand (796949) | more than 4 years ago | (#29438459)

Yeah, but it doesn't matter. Everyone knows that Apples are immune to viruses and malware. And they look better than ordinary PCs.

Re:It doesnt matter... (0, Troll)

Chrisq (894406) | more than 4 years ago | (#29438515)

Yes, apple fanboys have to worry more about a different sort of virus.

Re:It doesnt matter... (0, Troll)

Ontheotherhand (796949) | more than 4 years ago | (#29438743)

AFAIK, smug bastard, rich bastard and of course, more money than sense bastard are not caused by micro-organisms. Er, I suppose I should balance that by mentioning that I know people who use Macs who are really nice people and they get great work done. None of them post on Slashdot, though.

Re:It doesnt matter... (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29438577)

Likewise, Obama missed an opportunity to make good on his campaign rhetoric and unite this country. Turns out he's weaker than Jimmy Carter. I'll bet Carter is really looking forward to getting rid of the title of "Most Ineffective President Ever."

Re:It doesnt matter... (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29438891)

You americans have an odd way of evaluating your presidents. Then again you have an odd way of picking them as well.

Re:It doesnt matter... (1, Insightful)

WhatAmIDoingHere (742870) | more than 4 years ago | (#29438979)

Should we have someone who has power because of their family line assign us one? Although, one could argue that that is what we already have.

Re:It doesnt matter... (0, Offtopic)

Anonymous Coward | more than 4 years ago | (#29439497)

In all fairness, generally, we evaluate presidents by comparing them to Ronald Reagan. Since Baraq Obama is an affirmative action President, we had to lower the standards. That's why we compare him to Jimmy Carter.

Re:It doesnt matter... (1, Insightful)

zippthorne (748122) | more than 4 years ago | (#29439001)

Carter wasn't the most ineffective president ever. That title probably goes to Wilson, Hoover, or Coolidge. Carter's only superlative feat was to be the most unremarkable president ever. History will remember him for being so forgettable. Oh, and the nuke ban. Double folly from someone claiming to have actually been a nuclear engineer.

Re:It doesnt matter... (1)

jellomizer (103300) | more than 4 years ago | (#29438865)

They're just as immune as Linux is.

Re:It doesnt matter... (4, Interesting)

AnalPerfume (1356177) | more than 4 years ago | (#29439311)

Actually no, they're not. Every Mac has a set list of apps, with a set list of libraries etc. It's a monoculture. Not to mention the fact that Apple are insane about secrecy, so Mac users often don't know if there's a vulnerability even reported to Apple, let alone if Apple are doing anything about it, or when it's due if they are. Notice the common theme of "being subservient to Apple's whims". With Linux anyone can submit the fix, which will then be adopted as needed by all the different distros, and within a couple of days at most it's fixed. Also, since Linux is so varied, often an exploit or vulnerability found on one distro may not affect another, or not affect a different DE or WM.

Let's assume the Mac share is around the same as Linux, both close to 10%, which I think ain't too far off. An attacker can plan an attack on something they're guaranteed exists because it comes out of the factory that way on every model, identical, with a slow-acting vendor so the window stays open for a while... or they can plan an attack on a fast-moving target that may only affect 30% of machines, and the window of opportunity will be gone within a day of it being noticed.

Both Mac and Linux users tend not to run any protection software like Windows users NEED just to have their system stay alive till lunchtime, so any infection, if successful, will likely go unnoticed. Both Mac and Linux users often feel their systems are immune. In the case of Mac users, the people who can afford Macs have money (or at least HAD money before they bought their Mac), so combined with a blind spot for self-protection they should be a ripe juicy target. Yet, apart from the odd story like this one, which is self-inflicted by Apple, it's still rare.

OS X is UNIX, which is a HUGE advantage over Windows, but the closed Apple monoculture prevents it from being used to its fullest.

Re:It doesnt matter... (2, Insightful)

jellomizer (103300) | more than 4 years ago | (#29439685)

Most Linux distributions seem to run a good set of core applications that are relatively common across the distributions, and in many ways a lot of tiny security holes that are not always designed for full security, expecting the security to happen at the next level up, but they don't necessarily know who that is and what exactly it does, as in theory it could be different. So when there is a glitch there is a bunch of finger pointing, as there is no monoculture that is interested in making the overall product better, just one piece of it. So often the security fix doesn't fix the core issue, just a stop gap somewhere in the line. And if that module was replaced with another then it could happen all over again. Also there is little to tell if a security fix will end up failing some other app down the line. So the open source model isn't foolproof either. And that is without the valid argument that it is easier for a hacker to see the code and know where exactly to strike, as Module X wasn't designed to handle such security concerns.

Let's combine that with the fact that most people don't update their Linux boxes as quickly as Macs or Windows too. As Linux is a server OS, for the most part it will just kinda sit there in the background without much looking at it, and as long as it is running things are fine. I have seen Linux hacked more often than Mac because of that fact. They just kinda do their job as we expect, and while they are doing their job we don't check on them. Until it is too late.

Surely this is only of any use to a hacker if ... (4, Insightful)

Chrisq (894406) | more than 4 years ago | (#29438463)

Surely this is only of any use to a hacker if they manage to run in "ring zero" anyway. Otherwise wouldn't normal page protection stop them? Am I missing something?

Here they come... (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29438535)

Yes. Just like all other apple zealots and fanbois, you missed a big gaping hole in the security.

But don't let facts get in your way. Cults have always succeeded.

Re:Here they come... (1, Interesting)

Chrisq (894406) | more than 4 years ago | (#29438643)

I don't even use a MAC, I just don't understand how you can exploit known addresses if the only writable addresses you see are private to your process. Of course you are going to explain the "big gaping security hole" to me.

Re:Here they come... (5, Funny)

Anonymous Coward | more than 4 years ago | (#29438655)

I don't even use a MAC

Then how does your network card work?

Re:Here they come... (5, Informative)

Anonymous Coward | more than 4 years ago | (#29438697)

1. You identify a system API that has a local escalation vulnerability. These aren't that uncommon and because they cannot be directly exploited remotely they're not generally as high of a priority.

2. You identify a vulnerability in a service or other application that permits execution of arbitrary code remotely.

3. You exploit the remotely exploitable vulnerability with a payload that calls into the known mapped address of the system API with a second payload in order to escalate to root and then execute a third payload with those increased privileges to outright p0wn the machine.

Re:Here they come... (0, Offtopic)

Gothmolly (148874) | more than 4 years ago | (#29438943)

I followed you until you said "p0wn", at which point you became just another internet putz. Try harder next time.

Re:Here they come... (2, Funny)

Anonymous Coward | more than 4 years ago | (#29439099)

He didn't even spell pwn right. What is the world coming to when people can't even write in l33tsp34k properly?

Re:Surely this is only of any use to a hacker if . (5, Informative)

Anonymous Coward | more than 4 years ago | (#29438629)

ASLR makes executing code on the stack quite a bit more difficult, regardless of what privileges the program being exploited may have. It also makes calling library functions and pretty much anything in RAM far more difficult for a hacker. Page protection doesn't protect against these attacks per se.

Re:Surely this is only of any use to a hacker if . (0)

Anonymous Coward | more than 4 years ago | (#29438645)

Yes, this would be just "security by obscurity", which, imho, is not the way to go.

Re:Surely this is only of any use to a hacker if . (4, Insightful)

oyenstikker (536040) | more than 4 years ago | (#29438741)

It does not make it obscure, it makes it unpredictable.

You may figure out the location of something once, but it will be somewhere else on a different computer, or even on the same computer after a reboot.

Re:Surely this is only of any use to a hacker if . (1, Redundant)

JasterBobaMereel (1102861) | more than 4 years ago | (#29439093)

If you can run code that you did not load then your system is broken; if it is at a random location then you should not have access to it, at all, ever.

ASLR is all very well, but if it ever succeeds in stopping something it just proves the rest of your security is not working... and most exploits *still* just ask a user to run a program, at which point all this is moot...

Re:Surely this is only of any use to a hacker if . (3, Insightful)

gcnaddict (841664) | more than 4 years ago | (#29439289)

There is no such thing as bugproof code. That's the entire reason for ASLR's existence in the first place.
Once someone writes an entire fully-functional OS with absolutely no security vulnerabilities (take your stab at it and tell me how that turns out for you), the need for ASLR will vanish... oh wait, no it won't because there'll still be other applications, drivers, etc. from third parties which will be insecure.

*sigh*

Re:Surely this is only of any use to a hacker if . (2, Insightful)

Anonymous Coward | more than 4 years ago | (#29438921)

This is the sort of posting that makes me think Slashdot should rename the "Anonymous Coward" account to "Anonymous Idiot." Random selection of addresses is not "obscurity," it's "unpredictability." It's at least as strong as a four-digit bank pin.

Re:Surely this is only of any use to a hacker if . (2, Insightful)

jellomizer (103300) | more than 4 years ago | (#29439091)

Slashdot loves to underestimate "security by obscurity". However, it is usually the first line of defense, and it works quite often. It is like locking your door without a deadbolt: it keeps the honest, honest. If it is hard to know how to get in, then most "hackers" will not be able to get in, until some real hackers actually take their time un-obscuring and getting familiar with the system, and then write an easy script for the script kiddies to take advantage of. However, having it obscure could give a system years of being unhacked... Sometimes enough for it to be incredibly out of date, so that when they find a way to get in they no longer want to anymore.

Now for Windows, OS X and Linux there are a lot of people who have oddly strong emotions about their computer operating system, and there are a lot of people who would love to wipe the smug expressions off each other's faces, so there is a lot of focus on trying to un-obscure their competitors and hack in. However, if you are a no-name brand system, security through obscurity could have saved you a lot of money in development and testing and not had a system broken into. Unfortunately this creates a lot of smug developers who think they write secure code because it was never hacked into.

Re:Surely this is only of any use to a hacker if . (2, Informative)

Sancho (17056) | more than 4 years ago | (#29439355)

Most Slashdotters don't understand what security is. Security and safety are not synonymous. Obscurity may make you safer, but it does not make you more secure.

Re:Surely this is only of any use to a hacker if . (3, Informative)

incripshin (580256) | more than 4 years ago | (#29439655)

Tagging doesn't work for me anymore, so I picked the post with the most use of the word 'obscurity'.

This is not security through obscurity (STO). STO can always be exploited when you know how the algorithm works. Address space randomization cannot be exploited (immediately). You still have to start the executable maybe hundreds of times before the exploit works. This is easy if it's some short piece of code you've crafted yourself, but with real applications, it's not so simple.

Imagine a hack where you send some exploit to somebody over IM. If it doesn't work, the IM client *will* crash as it tried to execute some random portion of memory. How are you going to try your exploit at a different address now?
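A way to put numbers on oyenstikker's and incripshin's points above (a layout that changes on every launch is only as strong as the number of address bits it actually randomizes, and with re-randomization each wrong guess costs the target a crash). This is an added example, not code from the thread or from Apple, Microsoft or OpenBSD; the sample addresses used in the test are constructed, and the optional sampler at the bottom assumes a CPython with a loadable libc (Linux or macOS).

```python
"""Estimate how much randomness an ASLR implementation actually provides.

Given addresses of the same region (heap object, library symbol, ...)
observed across many separate process launches, find which address bits
ever changed, count them as bits of entropy, and translate that into the
number of launches a fixed-address guess needs on average. Each failed
launch is a crash the victim can notice, which is the cost incripshin's
IM example describes.
"""
import subprocess
import sys
from typing import Dict, Iterable, List


def varying_bits(addresses: Iterable[int]) -> int:
    """Mask of the bits that differ between at least two observed addresses."""
    addrs = list(addresses)
    if not addrs:
        return 0
    all_and = addrs[0]
    all_or = addrs[0]
    for a in addrs[1:]:
        all_and &= a
        all_or |= a
    # A bit is fixed if it was 1 in every sample (set in AND) or 0 in every
    # sample (clear in OR); any other bit changed at least once.
    return all_or & ~all_and


def entropy_bits(addresses: Iterable[int]) -> int:
    """Number of distinct address bits that were observed to change."""
    return bin(varying_bits(addresses)).count("1")


def expected_launches(bits: int) -> int:
    """Mean launches until a fixed guess matches a fresh uniform layout.

    The layout is re-randomized per launch, so every attempt succeeds with
    probability 1/2**bits independently of earlier crashes, giving a
    geometric distribution with mean 2**bits. Zero bits means the address
    is fixed and the first attempt always hits.
    """
    return 1 << bits


def summarize(samples: Dict[str, List[int]]) -> Dict[str, Dict[str, int]]:
    """Per-region entropy report from sampled addresses."""
    report = {}
    for region, addrs in samples.items():
        bits = entropy_bits(addrs)
        report[region] = {
            "mask": varying_bits(addrs),
            "bits": bits,
            "expected_launches": expected_launches(bits),
        }
    return report


# Child program run once per launch; prints a heap object address and a
# libc symbol address. Hypothetical sampler, Linux/macOS CPython only.
_CHILD = (
    "import ctypes;"
    "buf = ctypes.create_string_buffer(64);"
    "lib = ctypes.cast(ctypes.CDLL(None).malloc, ctypes.c_void_p).value;"
    "print(ctypes.addressof(buf), lib)"
)


def collect(launches: int = 20) -> Dict[str, List[int]]:
    """Launch the child repeatedly and gather one address per region."""
    samples: Dict[str, List[int]] = {"heap": [], "libc": []}
    for _ in range(launches):
        out = subprocess.check_output([sys.executable, "-c", _CHILD], text=True)
        heap, libc = (int(x) for x in out.split())
        samples["heap"].append(heap)
        samples["libc"].append(libc)
    return samples


if __name__ == "__main__":
    for region, info in summarize(collect()).items():
        print(f"{region:5s} mask={info['mask']:#018x} bits={info['bits']:2d} "
              f"expected launches for a fixed guess={info['expected_launches']}")
```

Few varying bits, or a mask confined to page-offset bits, means the region is effectively predictable; a libc row that never changes across launches is what "same ASLR as in Leopard" looks like in practice.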

Re:Surely this is only of any use to a hacker if . (1)

Dishevel (1105119) | more than 4 years ago | (#29439669)

Yes, this would be just "security by obscurity", which, imho, is not the way to go.

It is not THE way to go. Though that is exactly how you start to secure something. Anything. Even a big building full of gold. First you put it nowhere. Then you don't talk about it. Then you put in the guards, cameras, locks, guns, armor and such. The best security STARTS with obscurity and goes from there.

Oops (1)

zennyboy (1002544) | more than 4 years ago | (#29438467)

Praise for MS on /.

Justified praise (4, Informative)

Chrisq (894406) | more than 4 years ago | (#29438571)

From Address space layout randomization [wikipedia.org]:

Microsoft's Windows Vista and Windows Server 2008 have ASLR enabled by default, although only for those executables and dynamic link libraries specifically linked to be ASLR-enabled.[citation needed] This did not include Internet Explorer 7 on Windows Vista prior to Service Pack 1; ASLR and DEP are both disabled for application compatibility purposes. Newer versions, including Internet Explorer 8, enable these protections. A registry setting is available to forcibly enable or disable ASLR for all executables and libraries. The locations of the heap, stack, Process Environment Block, and Thread Environment Block are also randomized. A security whitepaper from Symantec noted that ASLR in 32-bit Windows Vista may not be as robust as expected, and Microsoft has acknowledged a weakness in its implementation.

It appears that only OpenBSD and some hardened Linuxes (not mainstream distributions) have a complete implementation.

Re:Oops (3, Informative)

Anonymous Coward | more than 4 years ago | (#29438601)

"Microsoft perfected nearly three years ago"

OpenBSD has had this for many, many years. Microsoft used the OpenBSD code as a starting point for their own product. Love the BSD license!

Let's not let facts get in our way (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29438477)

All fellow Mac users, let's not let facts get in our way. Just like the ads of our truly beloved company over how superior our products are to Microsoft, let's keep on bragging about the superiority of Macs, even in terms of security. Macs are the best. Windows sucks. Repeat it till you die.

Re:Let's not let facts get in our way (0)

elrous0 (869638) | more than 4 years ago | (#29438715)

Hush, you fool! Do you want to invite down the wrath of Father Steve?!?!

Re:Let's not let facts get in our way (1, Troll)

MisterSquid (231834) | more than 4 years ago | (#29438999)

Yes, let's not let facts get in the way of observing that, theoretically, PCs are more secure. Macs are only empirically more secure. Stupid Mac users.

Re:Let's not let facts get in our way (0, Troll)

gbrandt (113294) | more than 4 years ago | (#29439703)

Calling Mac users stupid is not 'informative', the parent must be modded down.

Re:Let's not let facts get in our way (4, Interesting)

antifoidulus (807088) | more than 4 years ago | (#29439217)

The biggest security problems with Windows still remain, namely that:

a: compared to its Unix brethren, Windows still requires administrative privileges for a LOT of common things.

b: Microsoft's reliance on proprietary protocols, many of which have a lot of known and probably even more unknown vulnerabilities.

c: security policy on Windows has about zero coherency, making it really hard to properly secure Windows and really easy to accidentally miss something/screw something up. Windows security policies are all over the place: in the registry editor, in the Windows Security Center, in the user/computer policy app (which at least as of XP wasn't searchable, so if you were looking for something and you didn't know EXACTLY where to find it you ended up having to look through every single freaking policy). What's worse is that Windows freely mixes client and server policies, even when the machine isn't a server! Most users get so frustrated they just leave everything open.

I tried to recently secure a Windows XP box after coming from a background of unix(including OS X) and Linux, and I just could not believe how insanely obfuscated Microsoft made everything. What is insanely simple to do in the Unix world takes massive effort to even attempt in the Windows world, if it will even work at all.

I swear Microsoft makes a lot of this stuff pointlessly complicated just so they can persuade more people to take the MCSE exams.

Re:Let's not let facts get in our way (2, Insightful)

segedunum (883035) | more than 4 years ago | (#29439529)

compared to its Unix brethren, Windows still requires administrative privileges for a LOT of common things

I wouldn't equate Mac OS X as a 'Unix' for a comparison with Windows if I were you. The amount of stuff running setuid on a Mac is a little scary.

Re:Let's not let facts get in our way (3, Funny)

gtall (79522) | more than 4 years ago | (#29439235)

I see many more posts complaining about mac fans than I see posts by mac fans. Don't you guys have anything better to do than get emotional about a blob of hardware+software?

Can't wait (-1, Troll)

socrplayr813 (1372733) | more than 4 years ago | (#29438479)

Aaannnd discussion devolves into UAC rants and Microsoft bashing in 3.. 2.. 1...

Oh wait... it's Slashdot. No devolution is required or possible.

Re:Can't wait (0, Troll)

Anonymous Coward | more than 4 years ago | (#29438567)

Actually, for a few years now the M$ fanboys have been a majority at this place. But keep on ranting, if it makes you feel superior.

This article sucks (2, Interesting)

datapharmer (1099455) | more than 4 years ago | (#29438481)

This article reads like a PR release for Vista a couple years late:

Even so, Miller said, Apple made several moves that did improve Mac OS X 10.6's security. Two that stand out, he said, were its revamp of QuickTime and additions to DEP (data execution prevention), another security feature used in Windows Vista.

DEP has been around for a long time and has been in XP since at least SP2.

"[the quicktime rewrite] was really smart, since it's been the source of lots of bugs in the past."

bugs != security failure (although they can cause one... the bad math issues in excel 2007 aren't particularly exploitable, just annoying)

Re:This article sucks (3, Insightful)

T Murphy (1054674) | more than 4 years ago | (#29438721)

To be most objective they have to compare to the newest commercially available Windows version, so they just refer to what Vista has without implying whether it started in Vista or not. If anything, adding "Windows had this feature since XP" would sound more of a MS bias than "Vista has this feature".

Re:This article sucks (1)

drinkypoo (153816) | more than 4 years ago | (#29438757)

DEP has been around for a long time and has been in XP since at least SP2.

DEP was recently improved, which is shown by the text you C&P. Fail.

It is a simple fact that Vista/Windows 7 has the best implementation of ASLR in the desktop market today. Linux's is not as good, and OSX's isn't even close. The other lesson you can take away from this is that OSX really does get attacked less than Windows due to market share, because OSX is easy to own! Oh wait, there's one more: Apple either doesn't think it is a problem, or requires more than two years to address an important security issue. There's no way that Apple doesn't come out behind here.

Re:This article sucks (0)

Anonymous Coward | more than 4 years ago | (#29438955)

Way to parrot the article

Vista has already been hacked! Hacked quite quickly. So much for ASLR and DEP.

The author is parroting the same MS propaganda.

Simple facts: market share does not increase the security exploits of an OS. You either have a 1,001 exploits or you don't.

Windows has 1,001 exploits, OS X does not. Which do you think is more secure?

Nice try.

Re:This article sucks (1)

drinkypoo (153816) | more than 4 years ago | (#29439119)

Vista has already been hacked! Hacked quite quickly. So much for ASLR and DEP.

Nothing I said, and nothing in the article itself, contradicts this. The statement was that OSX's implementation of ASLR is useless, and this has previously been shown to be true. It suggests that Windows really IS attacked more because there's more point to it, because it has repeatedly been shown that buffer overflows are at least as easy on the Mac as they are on other platforms, and in fact substantially easier.

Simple facts: market share does not increase the security exploits of an OS. You either have a 1,001 exploits or you don't.

This is obviously false, and stupid to boot. Market share does not increase the attack surface of the OS. However, it does increase the attacks. More attacks means more exploits. More market share thus leads to more exploits, at least given that all else is at least approximately equal.

I am not arguing that Windows is more secure than OSX, although from where I'm sitting it doesn't look like OSX is appreciably more secure than Windows! I am arguing that OSX's implementation of ASLR is useless, and that they should have addressed this by now. You say Windows was hacked quickly. I say that two versions of OSX have so far come with useless ASLR implementations, and that Apple should be ashamed of even claiming it as a feature.

good (-1)

Anonymous Coward | more than 4 years ago | (#29438483)

I doubt that ASLR would be a good move anyway. It would make things harder for virus writers, but also for people who try to secure their system (and the only way to do that is to know as much about it as you can). I think the only way to get security is to try and make the OS much simpler, as much as possible without losing too much functionality.

Re:good (0)

Anonymous Coward | more than 4 years ago | (#29438791)

Yeah, that's why the intensely security-minded OpenBSD folks implemented it first...

You are an idiot.

Snow Leopard "not as secure as Vista or Windows 7" (0)

Anonymous Coward | more than 4 years ago | (#29438487)

Another quote from the article:

Because Snow Leopard lacks fully-functional ASLR, Macs are still easier to compromise than Windows Vista systems, Miller said. "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said.

Two week old "news" (5, Informative)

Anonymous Coward | more than 4 years ago | (#29438489)

The summary alleges Miller said it "today". Except he didn't.

The article linked to is dated September 14, which means he allegedly said it 2 days ago. Except he didn't.

He actually said it *two weeks ago* on August 29th. [theregister.co.uk]

Wake up, editors!

Again and again ... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#29438491)

Could it be all these 'experts' are just a tiny little bit self serving? Anyway, every time I read a headline about an OSX exploit it turns out to be either a trojan or local (which is bad but not *that* bad afaik). Are there even any known remote ones? Not trying to troll here, maybe I'm just uninformed. Please enlighten me.

He'll stop complaining when... (4, Insightful)

necro81 (917438) | more than 4 years ago | (#29438495)

FTFA:

Miller said. "Snow Leopard's more secure than Leopard, but it's not as secure as Vista or Windows 7," he said. "When Apple has both [in place], that's when I'll stop complaining about Apple's security."

Call me a cynic, but I somehow think he, and everyone else that looks at OS security, will still find things to complain about. The tech blog and journalism industry depends on it!

Re:He'll stop complaining when... (3, Insightful)

Animaether (411575) | more than 4 years ago | (#29439221)

Call me a cynic, but I somehow think he, and everyone else that looks at OS security, will still find things to complain about.

Isn't that human nature? Well, some humans' nature, anyway?

Such as...
>> Gates foundation to donate $2.5B to cancer research
> BOO! HISS! HE'S JUST USING IT AS A TAX WRITE-OFF AND AS INDIRECT GOOD-WILL FORMING PR FOR M$!!!!!

*shrug*

If, in the end, it makes OS X an even better operating system, then I say to the tech blog and journalism industry: complain on.

Clever move (0)

Anonymous Coward | more than 4 years ago | (#29438501)

If you want to win the contest again

Microsoft technology? Really? (3, Interesting)

rqqrtnb (753156) | more than 4 years ago | (#29438509)

They make it sound like freakin' M$ invented the technology... it was in Linux long before, and in other systems even before that! M$ is just using other people's ideas, as usual.

See wiki:Address space layout randomization [wikipedia.org].

Re:Microsoft technology? Really? (0, Insightful)

Anonymous Coward | more than 4 years ago | (#29438695)

Aww, a geek's heart breaks as his toy OS isn't given the respect he thinks it deserves.

Re:Microsoft technology? Really? (4, Informative)

drinkypoo (153816) | more than 4 years ago | (#29438709)

Linux's implementation of ASLR is substantially inferior to Windows Vista/7's, which was covered the FIRST time this guy won the pwn2own contest. However, it is far superior to OSX's, which appears to not really do anything useful, and which appears to have not even changed since it was discovered that OSX ASLR is useless. Please try to keep up, or don't comment. Thank you.

Re:Microsoft technology? Really? (2, Insightful)

Gorbag (176668) | more than 4 years ago | (#29438973)

Linux's implementation of ASLR is substantially inferior to Windows Vista/7

[citation needed]

Re:Microsoft technology? Really? (0)

Anonymous Coward | more than 4 years ago | (#29439035)

Don't bother looking up facts for yourself or forming your own counter-argument. Just offer us the glib "citation needed" and we'll take you seriously. Right...

Re:Microsoft technology? Really? (-1, Troll)

drinkypoo (153816) | more than 4 years ago | (#29439039)

Please read and understand my comment, per my sig. We covered this here already, and I am not going to go back and find a citation for you. If you were not amazingly lazy you would have found a citation in less time than it takes to ask for one.

Do not expect me to do your homework for you. I am not here to train you. I am not here to teach you. If you would like one of those things, pay me.

Re:Microsoft technology? Really? (1)

walshy007 (906710) | more than 4 years ago | (#29439621)

To be fair, aside from

"Linux has enabled a weak form of ASLR by default since kernel version 2.6.12"

Very little information about the faults of the default ASLR seems to be readily available.

Although while hunting I did learn linux has a software implementation of the NX bit if you don't have it in hardware, which is nice. Nothing on the details of why the windows implementation is superior emerged.

It is odd for the kernel guys to accept something which isn't the superior design choice, they are perfectionists like that to an extent.

Re:Microsoft technology? Really? (3, Interesting)

elrous0 (869638) | more than 4 years ago | (#29438777)

Shouldn't you be flattered that MS recognized how useful this was and incorporated it into their own OS? The whole point of open source is that anyone is free to adopt its innovations, after all.

And seriously, "M$"? Is anyone still using that in 2009?

Intellectual Property (-1, Troll)

Ollabelle (980205) | more than 4 years ago | (#29438519)

And the author thinks that Apple is going to license anything from Microsoft?

Re:Intellectual Property (3, Informative)

Anonymous Coward | more than 4 years ago | (#29438607)

OpenBSD has been using these techniques a lot longer than Microsoft has, so I suspect that there is not (yet) an issue of patents to be licensed.

Mod parent up (3, Interesting)

shis-ka-bob (595298) | more than 4 years ago | (#29438767)

The parent post's reference to OpenBSD seems spot on to me. See OpenBSD Security Features [wikipedia.org]. This uses a BSD license and is written for a BSD 4.4 derivative (just like OS/X). Why doesn't Apple just adopt the OpenBSD mmap and close this hole?

Re:Intellectual Property (0)

Anonymous Coward | more than 4 years ago | (#29438699)

Yeah. Why license when you can steal?

*cough*xerox*cough*

Sigh (1)

gzipped_tar (1151931) | more than 4 years ago | (#29438529)

I was expecting something new in OS security when I was reading the title and first lines of the summary, and I saw the friggin' ASLR and I was like "What? They haven't got *THAT* done?"

Water is wet and Pope is Catholic and men are lazy. nothingtoseeheremovealong

Not news. (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29438559)

Been on /. before, was about as much astroturfing by proxy as it is now. There are no security silver bullets so stop lambasting as if this is a particularly important one. Apple can fuck up an awful lot, security wise, and they'll still be light years ahead of micro"security was not a priority"soft.

Idle hands (0)

Anonymous Coward | more than 4 years ago | (#29438587)

I thought OpenBSD already does this. Or was that just randomizing PIDs? I keep thinking the small amount of BSD-ness left in OS X would help make such things easier. No matter, I worked with a Mac all day yesterday; purty, but I'll not buy one. (Or Windows, for that matter.)

grsecurity (1)

andy16666 (1592393) | more than 4 years ago | (#29438609)

Linux has had this feature for quite some time in the form of the grsecurity patches.

Re:grsecurity (0)

Anonymous Coward | more than 4 years ago | (#29439373)

PaX is where the feature (and the acronym) came from in the first place, back in 2001. Grsecurity has included PaX ever since then -- everyone else implementing ASLR is just ripping off PaX technology and not giving credit where it's due. They also do a much poorer job of implementing it than PaX does.

It will cost them at some point (2, Interesting)

MikeRT (947531) | more than 4 years ago | (#29438621)

Security researchers and various crackers have been saying for a few years now that OS X hasn't implemented a lot of security features that even Windows has. Each release, OS X gets a little better, but they are relying mainly on people wanting to break Windows more than OS X.

With snow leopard, they had the perfect opportunity to make a release that focused on performance and security over bells and whistles. It's modestly faster on my MacBook Pro, and I think most users would have gladly paid under $30 for an upgrade that just focuses on the internals to get more out of their system. Since most Macs cost at least $1100, $30 is nothing for an average Mac user.

Re:It will cost them at some point (3, Insightful)

bhima (46039) | more than 4 years ago | (#29438733)

As a long time Mac user, I completely agree with you. I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters. Worse, I absolutely do not want to go through a decade of painful and annoying security problems (like the windows users went through) before Apple begins to put real effort into security.

On Snow Leopard, I've told everyone in my family to ignore Snow Leopard until some convenient time after Christmas or so. There's not much in it for regular users and I am not aware of a single application that really leverages the new technology found in Snow Leopard... so there's no rush upgrading.

Oh... one last thing: Wasn't OpenBSD doing this long before windows?

Re:It will cost them at some point (4, Interesting)

dkf (304284) | more than 4 years ago | (#29438981)

As a long time Mac user, I completely agree with you. I have long thought Apple did not take security seriously or at least did not devote the resources they should on security matters. Worse, I absolutely do not want to go through a decade of painful and annoying security problems (like the windows users went through) before Apple begins to put real effort into security.

To be fair, Apple have focused much more on the user-facing side of the security problem. There's just much less likelihood of a user installing something bad by accident. Deliberate badness is a problem (always) but by reducing the problem with accidents, real on-the-ground disasters are lessened. (It helps that Mac applications are really directories, and so aren't quite as simple to start from some website by accident, and their filesystem-level metadata that marks downloaded things with where they came from also makes a difference.) Which isn't to say that the other techniques are a bad idea; defense-in-depth is the watchword. But true high-quality security solutions need to address many levels of problems, including both system-level ones and user-facing ones.

Oh... one last thing: Wasn't OpenBSD doing this long before windows?

I believe so. It sounds like the sort of thing they'd do...

Re:It will cost them at some point (2, Insightful)

Tom (822) | more than 4 years ago | (#29439059)

Security researchers and various crackers have been saying for a few years now that OS X hasn't implemented a lot of security features that even Windows has.

I largely tend to think of it as "security buzzwords that even windos has".

There's a lot of them in the newer releases. But the overall question we have to ask is whether or not it makes the system more secure. When your machine gets owned, you couldn't care less for the checklist of buzzwordy "security" features that just got bypassed. Your security was compromised, end of story.

OS X has less of them. Check.
OS X also doesn't have many of what I'd call necessary things (MAC, RBAC to name just a few. MLS if done right can also add a whole ton of privacy to your security).

All around, however, I still trust this OS X more than the windos machine next to it. That's because while it lacks some of the bells 'n' whistles, it does do the basics right that windos still hasn't done right, or has done horribly wrong (UAC, I'm looking at you).

Strange... (1)

Bert64 (520050) | more than 4 years ago | (#29438667)

The article asks why they didn't do ASLR, especially since snow leopard is touted as a "performance and reliability" update...
Since when does ASLR improve performance or reliability? If anything, it would decrease performance and could cause compatibility issues with some badly written code (and exploits) and thus decrease reliability too...

Also, the article talks about Windows but doesn't mention that Linux had DEP and ASLR long before Windows did, and still has a far more complete implementation.

Re:Strange... (3, Insightful)

Saunalainen (627977) | more than 4 years ago | (#29438783)

Since when does ASLR improve performance or reliability?

To quote TFA: "If someone else is running your machine, it's more unreliable than if you're running it,"

Re:Strange... (2, Funny)

TheLink (130905) | more than 4 years ago | (#29439337)

I daresay some hackers might maintain "their" machine better than the legal owners ;).

Not at All "Perfected" (5, Informative)

Doc Ruby (173196) | more than 4 years ago | (#29438795)

technology that Microsoft perfected nearly three years ago

If there's a phrase that should trigger skepticism, that's it. ASLR isn't "perfect", and has been reported (and confirmed) exploited [dslreports.com] as recently as 7 months ago:

March 24, 2009 -

        Internet Explorer 8 "critical" flaw in final version

        Microsoft confirmed that the vulnerability exists in the official release, said Terri Forslof, a researcher at TippingPoint, which sponsored the Pwn2Own contest that challenged competitors to find bugs in either web browsers or mobile devices

        "This is a single-click-and-you're-owned exploit," she told SCMagazineUS.com on Tuesday. "You click a link in an email or simply browse to a website, and your machine is compromised. This meets Microsoft's 'critical' bar [in its vulnerabilities and rating system]."

        The exploit apparently defies Microsoft's DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) technologies -- two features added to IE8 to prevent memory corruption vulnerabilities.

        "Once the browser was compromised, we handed over the exploit to Microsoft immediately, on site," Forslof said. "They went back and reproduced it and called to verify that the vulnerability was present. We retested again on the released version of IE8 that went live on the following morning and verified that the vulnerability was in it as well."

Re:Not at All "Perfected" (4, Interesting)

vistapwns (1103935) | more than 4 years ago | (#29439005)

That exploit took advantage of code MS left in the beta version of IE8 that opted out of DEP and ASLR, the RTM IE8 disables that code on the internet zone, and it can be disabled on the intranet zone as well, so it's not much of an issue in the RTM IE8.

opted out non ASLR code .. :o (2, Interesting)

viralMeme (1461143) | more than 4 years ago | (#29439171)

"That exploit took advantage of code MS left in the beta version of IE8 that opted out of DEP and ASLR, the RTM IE8 disables that code on the internet zone, and it can be disabled on the intranet zone as well, so it's not much of an issue in the RTM IE8"

An interesting hypothesis. Why would they put opted-out non-DEP and non-ASLR code in IE8? And do you have any verifiable third-party citations for the above? Wouldn't a more likely explanation be that MS fixed the vulnerability after the fact?

Am I missing something. (2, Insightful)

jellomizer (103300) | more than 4 years ago | (#29438829)

address space layout randomization
I thought this was a feature in OS X 10.5? Was it not implemented, or just not implemented as well as other OSes'?
I remember hearing about it as a feature for 10.5.

Re:Am I missing something. (2, Informative)

FelxH (1416581) | more than 4 years ago | (#29438871)

address space layout randomization I thought this was a feature in OS X 10.5? Was it not implemented, or just not implemented as well as other OSes'? I remember hearing about it as a feature for 10.5.

From TFA:

Two years ago, Miller and other researchers criticized Apple for releasing Mac OS X 10.5, aka Leopard, with half-baked ASLR that failed to randomize important components of the OS, including the heap, the stack and the dynamic linker, the part of Leopard that links multiple shared libraries for an executable.

already there, and easily patchable (2, Insightful)

Gothmolly (148874) | more than 4 years ago | (#29438849)

So they're at least using some ASLR, which they can patch for later, and they got Snow Leopard out the door earlier rather than later.

If you're running your business on OSX Server, you didn't immediately go upgrade anyways, so where's the harm, other than early adopters claiming their ASLR isn't as cool as it could be?

Re:already there, and easily patchable (0)

onefriedrice (1171917) | more than 4 years ago | (#29439201)

If you're running your business on OS X Server, I'd be quite concerned if it was internet-facing or doing anything critical on a local network with smart people attached. OS X may be a great desktop operating system (apart from security concerns), but it's really got a scary security track record at this point.

let's hear those old memes fanbois! (0)

Anonymous Coward | more than 4 years ago | (#29438989)

it's really just leopard sp2

vendor lock in

defectivebydesign

More sandboxd ! (1)

benwiggy (1262536) | more than 4 years ago | (#29439181)

Snow Leopard does actually improve on Leopard's security. I can't even get processes that run as admin to save files to world-writeable locations anymore.

Sandboxd reports a "deny file-write*".

Fecked if I can get it to work.

Silly ASLR (2, Informative)

Ancient_Hacker (751168) | more than 4 years ago | (#29439203)

ASLR is sorta like moving the location of the barn door, while keeping it wide open.

    Hint: The cows can still get out.

Perhaps the guys at Apple realize this and give ASLR a low priority for implementation.

Even so, adding ASLR to the Apple OS is something they could do with relative ease: change the kernel and user-space malloc()s to be less predictable, munge the call stacks to be less predictable, etc., etc., mostly stuff that can be done with 50 lines of code here and there and not too many other places.

But again, it would be much more efficient to put that effort into closing any open barn doors, rather than painting the open gateways in random colors. Every five seconds.

Re:Silly ASLR (1)

tomrud (471930) | more than 4 years ago | (#29439345)

ASLR is sorta like moving the location of the barn door, while keeping it wide open.

    Hint: The cows can still get out.

Yes, that's true. But a moving barn door makes it a lot harder to shoot a specific cow from the outside. You have to move around a lot to do that.

Microsoft perfected ASLR ? (4, Informative)

viralMeme (1461143) | more than 4 years ago | (#29439269)

"Apple .. failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista"

Address space layout randomization is a technique to randomize the memory addresses of the base of the code, stack, heap, and libraries. First used by PaX and OpenBSD [laconicsecurity.com].
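As an added example (my own code, not from this thread, Apple, PaX or OpenBSD), here is a small C self-audit that checks the four regions named above: it re-executes itself several times and reports which address bits of the stack, heap, libc and its own text actually change between runs, so a region that Leopard-style ASLR leaves fixed shows up as a zero mask. It assumes a POSIX system with popen; the region names and run count are my choices.

```c
/* Added example, not code from the thread: an ASLR self-audit. With no
 * arguments it re-executes itself RUNS times (a plain fork would inherit
 * the parent's layout) and reports which address bits of the stack, heap,
 * libc and its own text vary; a mask of 0 means that region is not
 * randomized, the gap described for Leopard's heap, stack and linker. */
#define _POSIX_C_SOURCE 200809L   /* for popen/pclose */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REGIONS 4
#define RUNS 16
static const char *region_names[REGIONS] = {"stack", "heap", "libc", "text"};

/* Child mode: print one address per region on a single line. */
static void report_addresses(void) {
    int local = 0;
    void *h = malloc(64);
    printf("%lx %lx %lx %lx\n", (unsigned long)&local, (unsigned long)h,
           (unsigned long)(void *)&printf, (unsigned long)(void *)&report_addresses);
    free(h);
}

/* Mask of bits that differ across n samples of one region; its popcount is
 * a rough upper bound on the entropy an attacker would have to guess. */
unsigned long varying_bits(unsigned long samples[][REGIONS], int n, int region) {
    unsigned long mask = 0;
    for (int i = 1; i < n; i++) mask |= samples[0][region] ^ samples[i][region];
    return mask;
}

int popcount_ul(unsigned long x) { int c = 0; for (; x; x &= x - 1) c++; return c; }

/* Parent mode: run `self --report` through popen (a fresh exec each time)
 * and parse each child's line. Returns the number of samples collected. */
static int collect_samples(const char *self, unsigned long samples[][REGIONS]) {
    char cmd[512]; int got = 0;
    snprintf(cmd, sizeof cmd, "'%s' --report", self);
    for (int i = 0; i < RUNS; i++) {
        FILE *in = popen(cmd, "r");
        if (!in) break;
        if (fscanf(in, "%lx %lx %lx %lx", &samples[got][0], &samples[got][1],
                   &samples[got][2], &samples[got][3]) == REGIONS) got++;
        pclose(in);
    }
    return got;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--report") == 0) { report_addresses(); return 0; }
    unsigned long samples[RUNS][REGIONS];
    int n = collect_samples(argv[0], samples);  /* build with -fPIE -pie to randomize text */
    for (int r = 0; r < REGIONS; r++) {
        unsigned long m = varying_bits(samples, n, r);
        printf("%-5s varying bits %016lx (~%d bits)%s\n", region_names[r], m,
               popcount_ul(m), m ? "" : "  <- NOT randomized");
    }
    return n > 1 ? 0 : 1;
}
```

On a system with full ASLR all four masks are non-zero; a zero mask for heap or stack is exactly the half-baked behaviour the thread is complaining about.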

OS X Security Reporting (5, Insightful)

99BottlesOfBeerInMyF (813746) | more than 4 years ago | (#29439623)

I always find articles about OS X security, especially in discussion, painful. First you either have a security expert writing and being translated by a fairly clueless reporter, or you have a clueless reporter writing. In the former case what makes a good article and gets press is usually a security person pointing out weaknesses or flaws in OS X. After all, saying OS X still doesn't have much risk of malware for the average user is like reporting that most GM cars still use gas. It's old info and not news. The other type of article that gets picked up are soft articles about how cool OS X is and how it can't get malware, written for the 90% of the populace that has never used it, but from an uninformed perspective.

Inevitably when either kind of story goes up on Slashdot we see tons of people who know little or nothing about what security is actually implemented in OS X, spouting off one way or the other, usually emotionally defending their favorite OS.

So in this case we have a fairly knowledgeable security expert talking about security in OS X. His sentence about ASLR begins, "One major disappointment in the midst of all these security enhancements..." Based upon what reporters have made of his paper, do any of you know what those security enhancements are? Contrast the expert's conclusion:

While the only true test of security is how effective it is in the real world, on paper it looks like life is now at least a little harder for any potential Mac attackers.

With the title of the article linked to:

Apple missed security boat with Snow Leopard, says researcher

That's not to say the article is a filthy lie. It is completely true. Apple did miss the opportunity to improve ASLR for the heap. That's very true and important and disappointing. It's also the only OS X security news most people will hear, and that is misleading. It's not the writer's fault either; they're just writing what's interesting and "news". Writing an article on how Apple's security got moderately better in a number of ways and Macs are still unlikely to have many serious or widespread malware problems going forward for a few years is not news.

And Apple is not blameless about what press reaches the public either. Apple is pretty quiet about security features in OS X because they don't like to bring up the topic for the general public, except in very generic ways. Their plan seems to be "tell users the security is cool and good and make sure they know they're unlikely to get viruses, but don't confuse them with details. Experts can read the whitepapers." This leaves out the whole middle portion of the spectrum, not security experts but not completely clueless either.

It would be nice to have meaningful discussion on some of the OS X security features, but that might be too much to hope for. What do people think about the sandboxing approach, and has anyone noticed any particularly surprising sandboxed services in Leopard? The mixed 32/64-bit thing seems like an interesting choice, with 64-bit application development now motivated by artificially restricting access to some new APIs. Since a lot of the security improvements are tied to 64-bit applications and/or 64-bit processors, do people feel this was an attempt to direct developers for security reasons or just to speed the transition for other reasons? What do people think of the other heap protection checksums and protections for 64-bit kernels? Will we transition to 64-bit fast enough so that they will be useful? How about the application signing being tied to the application-level firewall? It seems like Apple could have made that a default and really motivated developers to use it, but decided to go in baby steps instead. And why in the world has Apple not created a proper application and update manager that extends to third parties? That seems like a no-brainer from a security and usability perspective.
