Daniel Eran Dilger

Road to Mac OS X Snow Leopard: 64-bit security


Prince McLean, AppleInsider

In addition to the benefits detailed in previous articles in this series, the move to 64-bits in Mac OS X 10.6 Snow Leopard will enhance Apple’s efforts to secure its operating system.

Over the last eight years, Mac OS X has enjoyed a tranquil existence in stark contrast to the high profile security threats and attacks suffered by mainstream Windows users. Microsoft’s monopoly over the PC world has long meant that anyone interested in creating extensive, easily spread damage through software exploits would focus their efforts on Windows.

Microsoft’s Security Efforts

Since Microsoft’s OS was originally developed primarily for business computers sitting together in a trusted LAN environment, it was not only easy to exploit software flaws in the system but also trivial to find ways to fool the system into forwarding viral payloads to other systems. Once exposed to the open Internet, Windows didn’t stand a chance.

Reinforcing the Windows PC to survive the onslaught of malicious exploits saturating the Internet would be a complex and expensive task, one Microsoft did not immediately recognize as a priority. However, once Windows started gaining a reputation for lax security after falling victim to a series of famous exploits in the late 90s and into the beginning of the current decade, Microsoft began reevaluating its priorities.

Longhorn, which was intended as a close successor to 2001’s Windows XP, ended up being pushed off as the company was forced to initiate a major new effort to solve the outstanding security issues in XP. Toward the end of 2004, Microsoft shipped XP SP2, the product of extensive work within the company using code scanning, auditing, testing, and fundamental feature and architectural reviews, in addition to external source code auditing and penetration testing.

In addition to Microsoft’s efforts to identify and patch flaws and vulnerabilities in its software, the company also initiated measures to make unknown vulnerabilities more difficult for attackers to find and exploit. This included having a firewall installed by default and requiring that RPC servers authenticate communications, so that remote attackers would need to present valid credentials before ever being given access to anything that might be attacked to allow entry.

Microsoft is now very public about its security efforts, and takes every opportunity to tout its recent security work as a defense against any criticisms of its past mistakes in taking a less than serious approach to security.

Apple’s Security Efforts

In contrast, Apple has never experienced a security crisis related to Mac OS X. Virus writers have nearly zero financial motivation to create new attacks from scratch that target Macs. The theoretical potential of “hackers” attacking Macs for fame and glory, as imagined by pundits with a bias against Apple, has simply failed to materialize over the last half decade, despite their insistence that the threat is so alarmingly close as to be palpable.

Even in cases where exploits have been found or artificial attack installers have been designed, viral outbreaks haven’t occurred because installations of Macs aren’t ubiquitous enough to sustain the critical mass required for an acute network infection. Add in the fact that Mac OS X wasn’t dragging along the same legacy of promiscuous LAN origins as Windows, and you have a series of factors that combined to give Apple a pass from focusing on security retrofitting in crisis mode.

Instead, Apple has had the luxury of planning Mac OS X releases to roll out security features incrementally. As with its other plans for feature enhancements in Mac OS X, the company has remained tight-lipped about many of its security efforts. There is evidence the company has performed code security scanning, as simple buffer overflows have been cleaned out of many system libraries, according to a security expert familiar with the history of the OS.

Mac OS X 10.4 Tiger eliminated most of the easy local buffer overflows, while 10.5 Leopard has expanded upon that to remove many of them from remotely accessible network services. Leopard also incorporates stack protection, library randomization, a non-executable stack, and sandboxing for some system processes. These features are incremental improvements in security that will be expanded upon in Snow Leopard.

Mac OS X’s sandboxing is built on the Mandatory Access Control (MAC) framework from TrustedBSD. Sandboxing imposes permission controls on processes that can, for example, prevent them from connecting to a network, from writing any files at all, or from writing files outside of specific directories. While sandboxing doesn’t prevent a process from being attacked, it does limit the amount of damage malicious attackers can cause once they gain control of a sandboxed application.

On the iPhone, sandboxing is used to restrict each application from accessing anything outside of its own data files and preferences. Even apps that have access to the public networking APIs are restricted from direct access to the communications or networking hardware.
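To make the permission controls described above concrete, here is a sandbox profile in the Scheme-like language that Leopard’s `sandbox-exec` accepts. It is an added example written for this page, not a profile shipped by Apple or quoted from the article. The paths and the target program (`/usr/bin/touch`, `/tmp/sandboxed`) are assumptions chosen for illustration; a real program usually needs a few more read-only paths, which the `(debug deny)` directive reveals in the system log as denials occur.

```scheme
; Added example (not from the article): a profile for sandbox-exec that lets a
; program start and run, confines its writes to one directory, and removes all
; network access. Run it with:
;   sandbox-exec -f no-net-tmp-only.sb /usr/bin/touch /tmp/sandboxed/ok
; The program and directory below are assumptions chosen for this example.
(version 1)

; Everything not explicitly allowed is denied.
(deny default)

; Log each denied operation so the allow list can be refined per program.
(debug deny)

; Enough of the filesystem to exec the program and load its dynamic libraries.
(allow process-exec (literal "/usr/bin/touch"))
(allow file-read* (subpath "/usr/lib") (subpath "/System/Library/Frameworks"))
(allow file-read-metadata)
(allow sysctl-read)

; The only location where the process may create or modify files.
(allow file-read* file-write* (subpath "/tmp/sandboxed"))

; No inbound or outbound networking at all.
(deny network*)
```

Because the default is deny, an attacker who compromises the confined program inherits only this allow list: it cannot open a socket or write outside `/tmp/sandboxed`, which is exactly the damage limitation the article describes. The built-in named profiles (`sandbox-exec -n no-network`, for instance) are the quick way to get the same effect without writing a file.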

Security in 64-bit Snow Leopard

In addition to expanded sandboxing, the move to 64-bit computing will provide a series of other benefits related to security. Apple’s 64-bit binaries set all writable memory as non-executable by default, including thread stacks, the heap, and any other writable data segments.

This is already present to an extent in today’s Leopard Server, which runs some services, such as the Apache web server, as 64-bit processes. Using the vmmap command reveals that no memory allocated by these 64-bit apps is both writable and executable. On 32-bit Intel systems, while no memory is marked as both writable and executable, the legacy x86 processor design does not enforce the no-execute permission, but 64-bit CPUs do. This feature prevents exploits from injecting malicious executable code into memory and tricking the app into running it as if it were its own instructions.
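The vmmap check the article describes, that is, confirming no region of a process is both writable and executable, can be automated. The following C program is an added example (not code from the article, from Apple, or from Leopard Server) that performs the same audit on Linux by parsing `/proc/self/maps`, the equivalent of vmmap’s output there. It then deliberately maps one RWX page to show the audit catching it. The maps excerpt embedded in it is constructed for the parser test, not captured from a real process; on Mac OS X, where `/proc` does not exist, `audit_self()` reports that the audit is unavailable and vmmap remains the tool to use.

```c
/* Added example (not from the article): a W^X audit of the running process.
 * Parses the text of /proc/self/maps and reports mappings that are both
 * writable and executable. Build on Linux: cc -O2 -o wx_audit wx_audit.c */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Count mappings whose permission field carries both 'w' and 'x'. The address
 * range of the first such mapping is copied into `first` (if non-NULL). */
int count_wx_mappings(const char *maps, char *first, size_t first_len)
{
    int count = 0;
    const char *line = maps;
    if (first && first_len) first[0] = '\0';
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        /* Line layout: "START-END PERMS OFFSET DEV INODE PATH", PERMS like "rwxp". */
        const char *sp = memchr(line, ' ', len);
        if (sp && (size_t)(sp - line) + 3 < len) {
            const char *perms = sp + 1;
            if (perms[1] == 'w' && perms[2] == 'x') {
                if (count == 0 && first && first_len) {
                    size_t n = (size_t)(sp - line);
                    if (n >= first_len) n = first_len - 1;
                    memcpy(first, line, n);
                    first[n] = '\0';
                }
                count++;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return count;
}

/* Constructed /proc/self/maps excerpt (not captured from a real process) with
 * exactly one rwx region, used to exercise the parser. */
static const char sample_maps[] =
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/app\n"
    "7f0000000000-7f0000021000 rw-p 00000000 00:00 0\n"
    "7f1000000000-7f1000001000 rwxp 00000000 00:00 0 [jit]\n";

int sample_wx_count(void) { return count_wx_mappings(sample_maps, NULL, 0); }

const char *sample_wx_first(void)
{
    static char first[64];
    count_wx_mappings(sample_maps, first, sizeof first);
    return first;
}

/* Slurp /proc/self/maps into a malloc'd string; NULL when /proc is absent. */
static char *read_self_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return NULL;
    size_t cap = 65536, used = 0, n;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + used, 1, cap - used - 1, f)) > 0) {
        used += n;
        if (used + 1 >= cap) {            /* grow before the buffer fills */
            char *tmp = realloc(buf, cap *= 2);
            if (!tmp) { free(buf); fclose(f); return NULL; }
            buf = tmp;
        }
    }
    buf[used] = '\0';
    fclose(f);
    return buf;
}

/* Audit this process: number of W+X mappings, or -1 if /proc is unavailable. */
int audit_self(void)
{
    char *maps = read_self_maps();
    if (!maps) { puts("no /proc/self/maps here; use vmmap on Mac OS X"); return -1; }
    char first[64];
    int n = count_wx_mappings(maps, first, sizeof first);
    if (n > 0) printf("%d writable+executable mapping(s), first at %s\n", n, first);
    else puts("no writable+executable mappings");
    free(maps);
    return n;
}

int main(void)
{
    printf("baseline: "); audit_self();
    /* Deliberately create one RWX page so the audit has something to flag;
     * hardened kernels (SELinux execmem, PaX MPROTECT) may refuse this mmap. */
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { perror("mmap rwx"); return 0; }
    printf("after mapping an rwx page: "); audit_self();
    munmap(p, 4096);
    return 0;
}
```

Run it once to see a clean baseline followed by one flagged page. Pointing `read_self_maps()` at `/proc/<pid>/maps` of a long-running daemon gives the same answer the article obtained from vmmap for Leopard Server’s 64-bit Apache: any `rwx` line is a region an injected payload could execute from, and on a properly built 64-bit process there should be none.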

Another weakness of the 32-bit x86 architecture addressed by the move to 64-bits is how function arguments are passed: the 64-bit calling convention passes them in registers, which makes exploits using return-into-libc techniques much more difficult. On 32-bit x86, function arguments are passed directly on the stack, so once an attacker has overwritten the stack segment, they completely control the arguments passed to whatever function they cause the compromised program to “return into,” according to a security researcher.

The move to 64-bits also greatly enhances the Address Space Layout Randomization (ASLR) techniques used to secure Leopard. Currently, 32-bit binaries are restricted to a relatively small 4GB allocation, making it easier to predict useful addresses for malicious code to target. Additionally, Leopard keeps dyld, Mac OS X’s dynamic loader (responsible for loading all of the frameworks, dylibs, and bundles needed by a process) in the same known location, making it relatively trivial to bypass the existing ASLR.

With the much larger address space available to 64-bit binaries, Snow Leopard’s ASLR will make it possible to hide the location of loaded code like a needle in a haystack, thwarting the efforts of malicious attackers to maintain predictable targets for controlling the code and data loaded into memory. Without knowing what addresses to target, the “vast majority of these exploits will fail,” the security expert explained.
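The “needle in a haystack” argument can be measured rather than asserted: run a program several times, record where its code and data landed, and count the address bits that actually changed. The C program below is an added example for this page (not code from the article or from Apple) that does exactly that. The three sample sets embedded in it are constructed, not measurements of Leopard or any other system: one mimics a loader pinned at a fixed address as the article describes for dyld, one mimics bases spread through a 32-bit 4GB space, and one mimics bases spread through a 64-bit space.

```c
/* Added example (not from the article): estimate how many address bits ASLR
 * varies between runs. Build on Linux or Mac OS X: cc -O2 -o aslr_probe aslr_probe.c
 * Run ./aslr_probe repeatedly to collect one line of addresses per run, then
 * ./aslr_probe analyze < samples.txt to count the bits that changed in the
 * first column (use cut/awk to select another column). */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Bits that took both the value 0 and the value 1 across the samples: a lower
 * bound on the randomization entropy of whatever these addresses belong to. */
int varying_bits(const uint64_t *samples, size_t n)
{
    if (n < 2) return 0;
    uint64_t or_all = 0, and_all = ~(uint64_t)0;
    for (size_t i = 0; i < n; i++) {
        or_all |= samples[i];
        and_all &= samples[i];
    }
    uint64_t differing = or_all & ~and_all;
    int bits = 0;
    for (; differing; differing >>= 1) bits += (int)(differing & 1);
    return bits;
}

/* Constructed sample sets (invented for this example, not real measurements). */
static const uint64_t fixed_loader[] = { 0x90000000u, 0x90000000u, 0x90000000u, 0x90000000u };
static const uint64_t lib32[] = { 0x90a1c000u, 0x93f80000u, 0x9c2e0000u, 0x97b54000u };
static const uint64_t lib64[] = { 0x00007f1a3c400000ull, 0x00007f8e91a00000ull,
                                  0x00007fd2b3c00000ull, 0x00007f03e7000000ull };

int fixed_loader_bits(void) { return varying_bits(fixed_loader, 4); }  /* 0  */
int lib32_bits(void)        { return varying_bits(lib32, 4); }         /* 13 */
int lib64_bits(void)        { return varying_bits(lib64, 4); }         /* 17 */

/* Parse the first hex address on each line of `in` (leading "0x" optional). */
size_t read_hex_samples(FILE *in, uint64_t *out, size_t max)
{
    char line[256];
    size_t n = 0;
    while (n < max && fgets(line, sizeof line, in)) {
        char *end;
        uint64_t v = strtoull(line, &end, 16);
        if (end != line) out[n++] = v;
    }
    return n;
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "analyze") == 0) {
        uint64_t samples[1024];
        size_t n = read_hex_samples(stdin, samples, 1024);
        printf("%zu samples, %d varying bits\n", n, varying_bits(samples, n));
        return 0;
    }
    /* One address from each region the article discusses: loaded library code
     * (libc's printf), the program's own text, the heap, and the stack. */
    volatile int on_stack = 0;
    void *on_heap = malloc(16);
    printf("0x%llx libc 0x%llx text 0x%llx heap 0x%llx stack\n",
           (unsigned long long)(uintptr_t)printf,
           (unsigned long long)(uintptr_t)main,
           (unsigned long long)(uintptr_t)on_heap,
           (unsigned long long)(uintptr_t)&on_stack);
    free(on_heap);
    printf("constructed sets: fixed loader %d bits, 32-bit %d bits, 64-bit %d bits\n",
           fixed_loader_bits(), lib32_bits(), lib64_bits());
    return 0;
}
```

The number reported is only a lower bound, and it tightens as more runs are collected. What the comparison shows is the article’s point in figures: a loader that never moves contributes zero bits no matter how good the randomization of everything else is, and a 32-bit address space caps how many bits can ever vary, while a 64-bit space lets the loaded code move across a range no exploit can cover by guessing.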

Security before it’s needed

Apple’s sheltered existence in isolation from regular malware attacks puts it in the enviable position of being able to focus on building security features proactively, rather than in response to ongoing, embarrassing exploits. For Mac users, that means the window of opportunity for malware exploits is being closed off before circumstances change enough for the platform to become a viable target.

The company is being relatively quiet about its security efforts because it doesn’t want to be directly compared against Microsoft, which is ahead in some security areas, at least in its latest software releases. However, Microsoft’s installed base of a billion PCs running Windows worldwide is not protected by advancements in the latest releases, because relatively few users have upgraded to them.

That gives Apple a strong position in maintaining its security halo, because the Windows PC world is so rife with low-hanging fruit for malicious attackers that the Mac platform remains an undesirable target. That leaves disgruntled pundits with nothing to complain about outside of misleading vulnerability counts. So while PC users contend with the constant din of security issues and performance-sapping layers of security software, Mac users are free to just enjoy the silence.

Road to Mac OS X Snow Leopard: 64-bit security is the fifth installment in AppleInsider’s ongoing Road to Mac OS Snow Leopard series. Previous installments are listed below in the order they were published.

Road to Mac OS X Snow Leopard: 64-Bits

Road to Mac OS X Snow Leopard: 64-bits, Santa Rosa, and more

Road to Snow Leopard: twice the RAM, half the price, 64-bits

Road to Mac OS X Snow Leopard: the future of 64-bit apps

  • http://www.systematicabstraction.com/ KA

    Thanks for mirroring this. I really like AppleInsider’s posts but I hate their website.

  • Michael

    truly awesome article daniel :) although you never really explained what security features microsoft had that were “better” than apple’s implementation..

    you are quite right about the future security being sandboxed apps and random memory addresses, but then again microsoft is also trying to develop these, no doubt five years (or more) after apple implements it… and MAY make it into windows 7, only to break backwards compatibility with many legacy programs that weren’t designed to run specifically on vista ;) you know, at one point microsoft is going to think it might as well break backwards compatibility to move the OS forward to fix all these gaping security holes, namely the POS that is the Windows Registry. of course, who knows whether 7 can really deliver on its promises of being faster and more secure than previous windows… so far it looks actually decently fast despite the overly glam-and-glitz of the transparencies and fades and highlightings and alphas… we’ll see whether apple’s clean utilitarian look wins out over microsoft’s showy eye-candy look.

    the problem isn’t so much about security anymore for anyone who updates their pc… by now, a large percentage of windows PCs are not owned by consumers, they’re owned by corporations and businesses. which is why you see the battle of the features and now apple’s take on how to improve performance (more use of GPU and CPU), compared to windows 7’s take (more optimizations)

  • qka

    The two paragraphs after the heading “Apple’s Security Efforts” could be read as giving credence to the “Security through Obscurity” myth. I doubt that was your intent.

  • jfatz

    There is still _effect_ from a lower installed base, qka. But that’s not what the folks who trot out “SECURITY THROUGH OBSCURITY LOL” are doing. They use it in the same way that they use “APPLE IS JUST MARKETING LOL,” and pretend that’s all the explanation that’s needed, which is asinine.

  • Joel

    Nice analysis, though it misses out that OS X is based on BSD Unix and has the same basic secure underpinning from there. Unix was developed to be accessed by multiple users concurrently. Windows however is originally based on a single user system, with support for multiple users tacked on. Who remembers Windows 95/98 which had a password prompt which could be safely ignored…? It’s why real user security was only really added in Windows XP, and only (optionally) enforced in Vista.

    You can have all the secure virtual memory features you want, but if you have to run everything as the super-user, even your web-browser, it won’t matter one whit.

    Oh, and Daniel, don’t be down about security in Windows 7, all the usual anti-virus vendors are working on it: http://news.cnet.com/8301-13860_3-10143466-56.html

    :D

  • Pingback: The Mac Malware Myth — RoughlyDrafted Magazine