Matasano Chargen - Latest Comments in A Roundup Of Leopard Security Features

Re: A Roundup Of Leopard Security Features

theed — Tue, 04 Dec 2007 13:04:47 -0000

whether the cron thing works or not, it's only there for historical compatibility. If you're looking to make Leopard secure, ditch the legacy support. Turn off cron, it's not used.

sudo launchctl unload -w /System/Library/LaunchDaemons/com.vix.cron.plist

Re: A Roundup Of Leopard Security Features

bobdole — Fri, 16 Nov 2007 22:32:28 -0000

umm...Tom, did you ever try that cron -e thing you suggested? Because it doesn't work (which I didn't really think it would) since cron stuff is handled by launchd, not crontab proper...

Re: A Roundup Of Leopard Security Features

Diegus — Thu, 08 Nov 2007 08:14:13 -0000

"I locked down the Guest account to nothing but Safari. I verified that I couldn’t start arbitrary apps."
Well, if you check again you can actually run FrontRow even if it is unchecked in the list of allowed apps. You can launch FrontRow via Command-Esc or if using the simplified version of Finder, Right click Finder in the Dock, Go To... and type /Applications.
Gonna check if you can get it to open iTunes like previus version did in Tiger.

Re: A Roundup Of Leopard Security Features

PaX Team — Sun, 04 Nov 2007 07:12:56 -0000

Nectar: the paxtest sources are public, feel free to play with them (thing is, i don't have access to a Mac myself, the tests were done by some other helpful folks). btw, you'll need an OS X specific makefile, email me if you want the first cut.

Re: A Roundup Of Leopard Security Features

Ralf — Thu, 01 Nov 2007 20:32:33 -0000

Seatbelt is a policy that hooks into the TrustedBSD framework. SEDarwin was derived from TrustedBSD and got folded into Darwin 9 it seems.

Seatbelt is Apple proprietary apparently (otherwise it would be in the release). There are references to sandboxing/seatbelt in the kernel code if you grep closely enough. For example: There is a new mach port for seatbelt in osfmk/kern/ipc_tt.c.

Kirk: Arm shields. Fire up disassembler.

Re: A Roundup Of Leopard Security Features

Thomas Ptacek — Thu, 01 Nov 2007 19:06:39 -0000

Weird, Ralf. I can't find the Seatbelt source (sbf_*.[ch]), but TrustedBSD is in the source tree. Seatbelt doesn't look like TrustedBSD. What is TrustedBSD doing there?

Re: A Roundup Of Leopard Security Features

Thomas Ptacek — Thu, 01 Nov 2007 17:47:19 -0000

Mike, I have literally no idea what you are talking about. Code signing does not protect the keychain; it signs binaries, not the entire runnable text area of a process. An attacker can inject libraries into any running Cocoa program, without special privileges, without corrupting the signature.

What I'm saying when I say "protecting nothing but the Keychain was a bad idea..." is not that protecting the Keychain is a bad idea --- it's that it was a mistake not to make key validation pervasive throughout the runtime, and instead trying to enforce it programmatically only at a single point.

I'm not saying "it's not enough just to make sure hijacked programs can't touch Keychain". I'm saying "Apple hasn't even accomplished that limited security objective".

I'm happy to be proven wrong, but confident at this point that it won't be by you, and with that I leave you to the last word in this thread of the comments.

Re: A Roundup Of Leopard Security Features

Mike — Thu, 01 Nov 2007 14:35:21 -0000

Thomas: Don't be silly - nobody ever said that reducing vulnerabilities was bad. Well, nobody except the straw man that you made up.

I did say that it is impossible to engineer a system with zero probability of exploit. This is just trivially true - if you believe you can reduce the probability of exploitation to 0, you reject the fundamental laws of mathematics and the universe in which we live. But I'm sure we both agree that reducing vulnerabilities, and thus reducing the probability of an exploit, is a good idea.

I wish you would just give a straight answer on the keychain rather than continually dancing around and trying to have it both ways. At this point I don't know if this is supposed to be a security forum or a legal forum. If you don't think Leopard does anything at all to protect the keychain, why did you write, "protecting nothing but keychain was a bad security call on Apple’s part (or a necessary tradeoff with the same effect as a bad call)"? Were you wrong at 9:40 am, or are you wrong now? It's got to be one or the other.

Re: A Roundup Of Leopard Security Features

Ralf — Thu, 01 Nov 2007 13:57:37 -0000

Yippiiiee!! 10.5 src is out!

http://www.opensource.apple.com/darwinsource/10.5/

Re: A Roundup Of Leopard Security Features

Nectar — Thu, 01 Nov 2007 13:20:50 -0000

@PaX Team: It would be interesting to compile and run the test for a 64-bit executable instead to see if there are any differences.

Re: A Roundup Of Leopard Security Features

Thomas Ptacek — Thu, 01 Nov 2007 12:46:00 -0000

Also, happy to confirm: DYLD_INSERT_LIBRARIES still beats code signing; for instance, you can use it to trivially beat Parental Controls.

Parental Controls in Jaguar by the way --- really interesting. Not just Finder-based.

Re: A Roundup Of Leopard Security Features

Thomas Ptacek — Thu, 01 Nov 2007 12:34:34 -0000

I did as you said:

- Switched to Guest
- Launched Safari
- Turned on Password Saving
- Logged Into GMail
- Quit Safari
- Relaunched Safari
- Visited GMail, observed password
- Switched back to me
- Hex edited crap over the mach-o-le i386 text segment
- Saved
- Switched back to Guest
- Launched Safari
- Visited GMail
- Observed passwords still there.

I'm doing something wrong. I don't come to this doubting that Apple can actually implement code signing; I'm just dubious of the value.

Re: A Roundup Of Leopard Security Features

Rosyna — Thu, 01 Nov 2007 01:58:03 -0000

Did you try that thing with saved passwords in Safari (which uses the keychain)?

Re: A Roundup Of Leopard Security Features

Thomas Ptacek — Wed, 31 Oct 2007 19:50:33 -0000

Also: I didn't make any comment about whether the keychain was "worth protecting". I said Tiger doesn't protect it. And I don't believe Leopard does either.

Re: A Roundup Of Leopard Security Features

Thomas Ptacek — Wed, 31 Oct 2007 19:49:44 -0000

Mike: if you believe reducing the known vulnerabilities in a product to zero is "just stupid", you reject the concept of software security, and I don't have much more to contribute to the discussion after that.

Security is hard. Cryptographic security is harder. An RSA signing scheme where verification happens in an untrusted environment fails.

Re: A Roundup Of Leopard Security Features

Thomas Ptacek — Wed, 31 Oct 2007 19:45:09 -0000

bobdole: you are suggesting I should --- what, close comments on this post?

Re: A Roundup Of Leopard Security Features

Thomas Ptacek — Wed, 31 Oct 2007 19:44:32 -0000

I guess, Mitchell. I mean, like we say about Apple, market irrelevance is a security feature. If running MacOS is like living in Elgin instead of the West Side, running Cobia is, what? Decatur?

Re: A Roundup Of Leopard Security Features

bobdole — Wed, 31 Oct 2007 19:21:51 -0000

@Ralf
Seriously, that is exactly the type of question to put on the apple-focus list instead...this will all get sorted out in time, but you need to have it somewhere with more visibility than buried 87 comments down on a blog post!

I mean, I definitely support this discussion 100%, but I don't like reading it like this, with everything jumbled together

Come on Thomas...step up and move the discussion to a reasonable location

Re: A Roundup Of Leopard Security Features

Mitchel Ashley — Wed, 31 Oct 2007 18:52:40 -0000

Seems kind of late to me. Apple is really just an also ran. There are still way more windows users and at the end of the day and that isn't changing, Vista is a fortress with out many peers, the only I can think of is Cobia, in terms of security. These are all just bolt-ons trying to add security, after the fact, to an iPod syncing platform. Where is the NAC integration?

And I'm no apple hater, I used to use them quite a bit.

Re: A Roundup Of Leopard Security Features

Michael — Wed, 31 Oct 2007 18:35:10 -0000

"I give the average Leopard user approximately 6 hours before clicking “OK” on this dialog becomes a function of their autonomous nervous system."

I disagree, I think the average Leopard user will rarely see this dialog, and will quickly learn that it should only show after they have downloaded a new application.

When they first see this dialog out of the blue, unexpected, with a web site and app name they don't recognise, _that's_ when it will really help. And I also think it's one of the more practical and immediately useful ways of blocking malware.

Re: A Roundup Of Leopard Security Features

Ralf — Wed, 31 Oct 2007 16:55:25 -0000

OK. Quiz time: Does anyone have a clue what exactly the TMSafetyNet kext does? It is a security policy loaded by default, called "Safety net for Time Machine", in the kext directory there's a binary called bypass that uses mac_set_proc(3) (see http://fuse4bsd.creo.hu/localcgi/man-cgi.cgi?ma... for example, unforunately 10.5 has no man page for this function).

Re: A Roundup Of Leopard Security Features

Mike — Wed, 31 Oct 2007 15:55:56 -0000

Thomas, I think I may have confused you when I mentioned "now closed" vector. That was a reference to the fact that Input Managers are better protected now (a crucial component in your previous hypothetical attack). It wasn't referring to LD_PRELOAD.

Your 9:40 am post states that you agree code signing is helping protect the keychain. Nobody said that it would reduce the probability of an exploit to 0. That would just be stupid.

So my question remains: In April you made a big fuss about gaining access to a user's keychain. Now you say it's not worth protecting. Which is it?

(My personal opinion is that it's worth protecting, but that's not the question.)

Re: A Roundup Of Leopard Security Features

Thomas Ptacek — Wed, 31 Oct 2007 15:42:14 -0000

I concede that there is some use to a "Guest" account that cleans itself up after use. None of that use has anything to do with security, though.

Re: A Roundup Of Leopard Security Features

Sigivald — Wed, 31 Oct 2007 15:25:05 -0000

To double up on what Matt said, wouldn't a "technically skilled, highly motivated" attacker that you leave along with the guest account long enough to do anything useful (ie, you've left him alone for at least a few minutes) be able to just reboot the machine with a boot image on a CD or flash key, and do whatever he felt like?

A really motivated attacker would have an image that would automatically mount and backdoor your root drive, in fact.

Security (and "secure") is definitely a graduated sort of thing.

"Guest" might well be vulnerable to some sort of cron attack (though of course the worst it seems able to do is run jobs as guest), but as far as threats go, that's very low on the scale.

Not a big "security" win for Apple, but a useful convenience that helps with a more practical sort of security that maps to a reasonably common real-world use case and threat model.

Re: A Roundup Of Leopard Security Features

Gordon — Wed, 31 Oct 2007 14:50:31 -0000

So does this stuff get reported to Apple? Would you expect it to be fixed in 10.5.1?