Matasano Chargen: Five Reasons To Ignore John Gruber’s OS X Security Punditry

  • anonymous · 2 years ago
    "On supported platforms, Microsoft takes advantage of CPU “no-execute” memory protection. Apple’s current support for the same chip features is bypassable."

    Can you give more information on this? Is it just because OS X doesn't have ASLR, so attackers can use ret to libc?
  • Thomas Ptacek · 2 years ago
    Yeah, I'm referring to KF's writeup; ret-to-libc and the heap thing. Someone smarter than me needs to update us on the Cocoa runtime too. Cocoa has a heavyweight runtime and much more indirection than C or C++; I assume it's safe to say that an overflow in a Cocoa program is game-over.

    OpenBSD has W^X, which seems to be the best-thought-out approach.
  • Chris_B · 2 years ago
    "article 3" of your response was of most interest to me. I don't know enough about the claims you make, but you've piqued my interest.

    BTW why pick on Gruber in regards to security? Does anyone take him seriously on the topic besides other zealots? As you rightly pointed out, I come here to read about sec but there to read about HIG/design.
  • _r · 2 years ago
    HD Moore's name for his mac osx 80211 exploit:

    Proof of concept or exploit:
    A proof-of-concept exploit has been added to the Metasploit Framework 3.0 source tree:
    msf > use auxiliary/dos/wireless/daringphucball
  • lseltzer · 2 years ago
    Apple has deprecated Java? When did this happen?
  • Thomas Ptacek · 2 years ago
    Chris: inasmuch as I can pick on anyone who gets 10x as many readers as I do, I pick on Gruber because he will not. shut. up. about Mac security.

    I think I actually missed Win32 security features in that list. Is there anything you can overwrite in the Win32 runtime that _doesn't_ have some kind of cookie, page protection, runtime-enforced bounds check, or code signature?

    The one serious feature they're missing is CAS-style OS privileges, a la systrace --- programs electing to give up the right to, say, execute other programs or write files outside of \temp, which is something ELSE Apple could have, but didn't, build into the operating system. But dollars to donuts Win32 has this feature first, and that it comes within the next 2 releases of the OS.

    Again: Mac user here. Big fan. Have met and like some of the people who work security for the platform. The fact that reasonable people can even have this argument, when Microsoft can outspend Apple 1000 to 1, testifies to how talented they are.

    But come on. OS X is NOT MORE SECURE THAN WINDOWS.
  • Gunnar · 2 years ago
    You may also enjoy this comparison of exploit mitigations available on operating systems. OS X is also listed even though it has none of the listed mitigations.

    http://1raindrop.typepad.com/photos/uncategoriz...
  • Ian Betteridge · 2 years ago
    Larry asks: "Apple has deprecated Java? When did this happen?"

    AFAIK, they haven't. What they deprecated was the Java to Cocoa bridge that allowed you to create Java applications that called Cocoa APIs - in other words, to write Cocoa applications using Java. Java is still fully supported on Mac OS X.
  • Thomas Ptacek · 2 years ago
    You can write a plain J2SE app anywhere a JVM will run. But C# has first-class OS and API support. Java used to, almost, sort of, on the Mac. Now it doesn't. Java has been deprecated on the Mac. The rationale was, Mac developers should use Cocoa.

    I agree. Cocoa is a better programming environment than Java. But it's less secure.
  • Chris Pepper · 2 years ago
    Thomas,

    I got here from Securosis, and have to go a bit farther than Rich, regarding confusion between XP and Vista.

    At one point above, you say "The Win32 API is over a decade old and is well understood by attackers."

    Later, you say "The Win32 address space is randomized, so that exploits with hardcoded addresses (read: virtually all exploits) have a negligible chance of succeeding."

    The first statement seems to apply only to XP -- certainly the Vista changes are supposed to render the old attacks moot. The second statement (I believe) only applies to Vista; certainly address randomization isn't 10 years old. You can talk about XP, or you can talk about Vista, but it's cheating to cherry-pick attributes from both.

    > No it isn’t. Want an easy way to debunk that argument? Here you go: MacOS 9 sees a tiny fraction of the malware Windows does. But nobody seriously argues that OS 9, which doesn’t even have a secure VM system, is more secure than Windows XP.
    > Want another? Solaris. Been around for over a decade. Hundreds of published vulnerabilities. How much malware?

    Umm, no. You're talking about different things here. Mac OS 9 is much more immune to (secure from) network based attacks, because it runs almost no network services, and doesn't even run a TCP stack when it's not in use by default. To back it down even further, pre-MacTCP versions were completely secure from Internet attacks, even without any VM at all, because they weren't Internet-accessible. VM matters more for local attacks, but much less for Internet attacks, than TCP/IP and services.

    > Gruber retorts, “[but] if Mac OS X is protected because it’s not primarily used as a server OS, then how do you explain Windows’s non-server security problems?”. Easy: exploits developed for Windows servers translate to desktop Windows.

    No, most of the Windows exploits attack user behaviors and activities. All the Outlook stuff is pretty much desktop-only, not a port from the server environment; the browsing attacks are workstation attacks which may also apply to servers, but they're not "developed for Windows servers".

    > None of these technologies require end-users to purchase anything. They’re built into the operating system and the runtime libraries. Most of them are enabled by default. They address the same code flaws that MacOS X faces; why doesn’t Apple have them?

    Well, no. The randomization at least, and I suspect several of the other technologies, require a new Vista purchase for almost all users reading your posting today, and perhaps a new PC (hardware vendors certainly hope so). For lots of people, Vista may be their most expensive software purchase...
  • Thomas Ptacek · 2 years ago
    Chris:

    Regarding your first point, "attackers understand Win32": it's not cherry picking to point out that if you can write Win32 shellcode for WinXP, or, for that matter, Windows 2000, you can write shellcode for Windows Vista. From Win2K to Vista there is vastly less API change than from OS9 to OSX.

    Regarding your second point, "the reason OS9 has less security incidents is that it has no network attack surface", no. The overwhelming majority of Windows infections aren't caused by serverside attacks; they're the same vector on OS9 and Windows. So why doesn't OS9 have malware proportional to market share? Also, you didn't address Solaris, which has a HUGE network attack surface, hundreds of published exploits, and virtually no malware.

    Regarding your third point, "serverside attacks don't matter because desktop infections come from user behavior", you're contradicting yourself. But I don't strongly disagree. OSX doesn't do much to mitigate those behaviors either. But attackers can still leverage shellcode from the server attacks, and the evidence is that they do.

    Regarding your fourth point, "ASLR is Vista-only", I refer you to the chart in the subsequent post, which details the difference between XPSP2 and OSX. It's still not a favorable comparison.
  • Michael Ströck · 2 years ago
    Thomas,

    All very nice and true. The problem is, every single line you have written is utterly irrelevant to the average user. How do you explain the exorbitantly low number (zero, for all practical intents and purposes) of OS X exploits that have ever caused damage to anyone's machine?

    The fact is that nobody (including the virus and exploit writers, for God's sake!) gives a damn about hypothetical windows security features. Tens of thousands of worms, viruses and other exploits do not lie. Microsoft until now has not gotten out of the hole they dug themselves, even with the support of a giant third-party industry that does NOTHING but clean up their mess after them. Try, if you will, to imagine the security landscape without Norton, Symantec, etc.!

    There are now probably around 15 million(?) OS X users in the world, 99% of them running without any sort of third-party protection, many of them running as an administrative account. Still, the number of actual malicious exploits in the wild is, to my knowledge, 1 or 2. If you only count exploits that do not require user error, it is ZERO.

    Please explain away that actual, measurable, security advantage OS X users have. Unless you can do that, your observations are not very interesting.
  • Samuel Herschbein · 2 years ago
    "...straight out of the Mac zealot playbook..."
    Good to know that you stick to the facts and don't use hyperbole.

    "But nobody seriously argues that OS 9, which doesn’t even have a secure VM system, is more secure than Windows XP."
    Secure VM *can* result in better security, but this isn't a guarantee. It all depends on how tightly the OS controls how processes operating in secure VM access system resources.

    Solaris may have virtually no malware, but it has been the target of DOS attacks & other weaknesses in the TCP/IP stack.
  • Michael Ströck · 2 years ago
    Oh my God, I didn't even see the "security through irrelevance" argument the first time I read this. For God's sake, who is more likely to have several online-banking accounts and credit cards as well as a PayPal account? Who is more likely to have access to even more sensitive data on other people's and his own web servers? Your granny with the crappy Dell, or the people with $3000 MacBook Pros and $6000 Mac Pros? Your "arguments" make zero sense. You even state that the prospective malware author can get the data from your grandma with zero effort? Huh? I thought it's pretty secure?
  • BJ Nemeth · 2 years ago
    "As far as I can tell, there’s no “counter-meme” among Windows users that MacOS X is less secure than Windows, even though as of 2007 that may very well be the case."

    It's interesting that you point this out. While both sides (Mac fans and Windows fans) routinely declare their OS preference "better" than the other, why does only one side argue that it's more "secure" against malware and viruses? A logical conclusion (supported by many Windows fans that I have spoken to over the years) is that Windows users concede that point.

    Your own words in the quote above support this. You said that next year, Windows "may very well be" more secure than Mac OS X. The implication of your words (subconsciously?) is that it would mark the first time in a long time -- if not ever -- that Windows had a more secure system.
  • Julian Bennett Holmes · 2 years ago
    Gruber may not be a security expert specifically, but as a Mac OS X expert who knows a ton about the OS, he's a valuable source of information about security.
  • Thomas Ptacek · 2 years ago
    Michael Strock, I wrote 337 words on why malware incidents don't correlate with operating system security, with 5 different arguments, and provided 3 counterexamples of operating systems with fewer outbreaks than OS X. Your comeback? "How do you explain the exorbitantly low number (zero, for all practical intents and purposes) of OS X exploits that have ever caused damage to anyone's machine?"

    Please learn to read.

    Samuel Herschbein, you've chosen to argue on a security blog that protected memory is an optional security feature.

    BJ Nemeth, your argument that the industry is "conceding" the point that Windows is more secure is contradicted by the blog post you're responding to. And I'm a Mac user!

    Happy for the Daring Fireball link. Come again!
  • Thomas Ptacek · 2 years ago
    BTW, Gruber caught a typo of mine in the title. Thanks!
  • jim.m · 2 years ago
    As a creative professional, I rely on my Mac to make a living.

    Apparently pundits rely on system insecurity to remain relevant.
  • Thomas Ptacek · 2 years ago
    That and exploit scripts.
  • Mark Grimes · 2 years ago
    > I agree. Cocoa is a better programming environment than Java. But it’s less secure.

    To ensure we're speaking the same language here, Cocoa is an api / class library that is written in Objective-C. All two people that used the Java Cocoa Bridge will probably really miss it though...

    Java has its own set of nightmares that are just as unwieldy. Such as: you should not depend on package scope, not allow serialization/deserialization of classes, not allow cloneable, not consistently sign all your code (mix-n-match attacks) if the additional privileges are not needed... there is a long list to be frank, but primarily extensibility is bad when security is an issue, and I often get the same reaction from people when teaching Java developers secure programming -- that no one is going to abide by the rules of secure coding, or at least most of them. Just because Java is a language that should be impervious to buffer overflows (JVM aside) doesn't mean it doesn't have considerably high-impact implementation constraints in order to produce secure code.

    > The Underground Hasn’t Ramped Up Yet
    > The Win32 API is over a decade old and is well understood by attackers. The MacOS X APIs are not. There is a lag between the publication of the OS and security researchers, and a lag between research results and malware authorship.

    In all fairness -- what's to ramp up? You have the most dynamic runtime on the planet in front of you (today), with mach_inject+mach_override / MethodSwizzling (available today). There are even how-to's to develop SIMBL and InputManager plugins (also accessible today). The information is out there, but I think non-OSX developers are only really paying attention to familiar ground, the BSD subsystem (Darwin). But to say that Mac OS X APIs are not well understood doesn't really paint an accurate picture at all.

    The public APIs are WELL understood and documented, Objective-C has been around for over 2 decades and you have a long list of tools you can use to reverse the private ones.

    It sounds like what you are saying may be true, but not for the reasons you describe. People are unfamiliar because they just haven't taken the time, no? Maybe it has to do with this "low percentage" of users comparison... But you can't quantify everyday computer users with those that know how to use computers... As was said countless times in OpenBSD -- just because there are X number of times more Linux developers doesn't mean there's X number of times the people qualified to audit userland, let alone the kernel.

    Objective-C has some additional elegance being a superset of C though. For instance, in objc you can send a message to nil (aka NULL) and you get back just that nil... you don't need to constantly ensure you're not passing NULL in the traditional sense of C and risk a null pointer dereference.

    Objective-C offers dynamic dispatch, dynamic typing, and dynamic loading, which as a whole is a foreign concept to many-other-language programmers. From a security standpoint, mach_inject+mach_override/Method Swizzling introduced a path to being able to inject code into another process/"subclass" any arbitrary method ... again this is both dangerous and useful... tell me that tools like F-Script Anywhere (or the py equiv) are not entirely useful for debugging and RE'ing. And on that note it's worthwhile to point out that a combination of otoole (yes 'e'), otx, class-dump and sometimes code-dump makes pretty much any protection method written in objc at risk.

    “Any scheme accessed via Cocoa calls is vulnerable to attack via an InputManager” and “Public-key encryption systems may be especially vulnerable to replacement of the public key, unless it is obfuscated throughout the entire app”, which are clearly documented in the discussion on CocoaDev:MakingSecureRegistrationCodes.

    The capabilities of doing stuff with closed source apps are by far more open to RE than I feel the bar is for other systems (no assembly required -- no pun intended) -- at least in a Cocoa context. Given this, no amount of secrecy Apple keeps around their private APIs is keeping people from getting under the covers with the OS... perhaps there are not enough OSX people in the security space, but this has nothing to do with the assets not being there to play with. See F-Script Anywhere for examples where debugging tools can surpass the capabilities of ivar enumeration via gdb. In F-Script's case you can play with objects in memory as they are, and get out of the weeds a bit.

    There are quite a few points that are coming in Leopard which may not hit all the security features you bring forth in Vista, but offer alternative approaches to trust and validity, at least to a more increased level than inundating the user with dialog annoyances until he turns them off (to pick on a single instance of a Vista sore point with me). It's not completely fair to compare an OS that has been out for 1.5 years with an OS that isn't shipping yet (regardless of release candidate), but Apple does have at least a couple of mechanisms for raising the bar... I made this the last statement because there are obvious reasons (NDA) I cannot give supporting arguments.
  • Thomas Ptacek · 2 years ago
    Mark: Regarding the Cocoa/Java bridge: my point isn't that it's better than ObjC (it's not). My point is that managed programming environments are first class citizens in Win32 and not (unless Apple is about to embrace PyObjC) in OSX. This point was important enough for security pundits to beat Microsoft over the head with when they announced how little of the first release of Vista would be managed.

    Regarding ramp-up: obviously you know lots about the Objective C runtime (so can you tell us how many statically placed function pointers we can overwrite with a dynamic, data, or stack overflow?). But most attackers don't, because they cared less about it over the past 5 years than you do. There is less security research going on for OSX than for Windows.

    Regarding Vista vs. Leopard features: the Vista features exist. And I didn't mention least-privilege users, so complaining about being inundated with dialog boxes is a straw man argument. Just tell me: will a heap overflow be trivially exploitable in Leopard? Because it won't be in Vista.
  • BJ Nemeth · 2 years ago
    Mr. Ptacek -- Perhaps I should have said that Windows users have conceded the security against malware/viruses in the past. None of my experiences/anecdotes (or that of people I work with/talk to) have been in Vista.

    I haven't gone back to re-read Gruber's relevant articles, but I don't remember him attacking Vista. I believe he was comparing currently shipping OS versions, or comparable past versions (depending on the article).

    I hope that Vista is leaps and bounds more secure than previous versions of Windows. Even if that means that some of the malicious hackers out there migrate to OS X, and try to create the first true OS X virus. (As you probably guessed from my first post, I am a Mac user.)
  • Thomas Ptacek · 2 years ago
    OS X doesn't have less malware because it is more secure.
  • lseltzer · 2 years ago
    I didn't want to make too much of the point about Java. I just hadn't heard about this specific decision for OSX. I certainly appreciate Thomas's point about managed code in Windows. In fact, if you learn to program now for Windows you are usually steered into a managed environment, either in VB.Net or C# or Java. You can still write sucky code in these environments but you aren't likely to make the system remotely exploitable. I must say I didn't appreciate the lack of similar binding tools for OSX and it just underscores the whole point that nobody cares about it; on Windows 3rd parties would write tools to make managed code first-class code if Microsoft weren't doing it.
  • Chris Betancourt · 2 years ago
    How amusing that you fail (refuse) to answer Michael Strock and instead reply with an insult. He states a fact. OS X exploits in the wild are nil despite 15 million users worldwide. None of your points really explain this; instead you try to point out how vulnerable OS X is despite that fact.
    Safety through indifference? I really hope you're not naive enough to believe that. If OS X really was as vulnerable as your poor Granny's Windows, something would have come up by now, but then again, you acknowledge it is not. Macs are much, much more visible targets than Solaris.. but still nothing. I guess it must really annoy so-called security people like you that so many OS X users have no interest, with reason, in your Windows-centric field of work.
  • Thomas Ptacek · 2 years ago
    You didn't even read the post.
  • Andrew Jaquith · 2 years ago
    Tom, I'm going to steer clear of arguing one side of this or the other. But I am confused about why you chose to spend 2000 words pointing out something fairly obvious, namely that Gruber's got no mad skillz. I mean, your post was almost longer than TWO Yankee research notes, and almost as long as a report. Aren't you guys supposed to be shipping a product or something? ;)

    On the subject of cherry-picking from future OSes, here's a Leopard cherry I am particularly interested in: Mandatory Access Control, taken from TrustedBSD. That's a confirmed feature in 10.5. I am very curious to see how this will work in a mainstream operating system; e.g., what they lock down, and where they cut corners for the sake of usability. I've heard rumors about ASLR also.
  • Donnie Brasco · 2 years ago
    Ptacek is right. I'm not an eWeek reader but I have read my fair share of FUD while traversing the internet. And Gruber sounds like another FUD spewing machine.

    It's a pity that this argument cannot be resolved in more layman's terms. It might reduce the amount of "smugness" in most Mac users. I'm a Mac user, I recommend it to all my friends but realistically why we enjoy so much "security" is because we're under the radar.

    Of course MacOS does provide certain features that reduce the ability for malware to propagate, but it's really the small number that is in our favor.

    Here's an idea, perhaps a "month of Mac vulnerabilities" should be organized. Not necessarily to provide grist for enterprising attackers, but to provide an avenue to actually throw some spotlight to MacOS security research effort - it would also make a fairly decent go to area for restricting the statements of the unpublished i-know-a-lot-about-security-from-my-soapbox experts.
  • Donnie Brasco · 2 years ago
    Ok. Now I read the Gruber article. That's really, really embarrassing. How do people go about showing their ignorance in this field with such impunity?

    I really suggest (if he is able to grok it anyway) he read chapter 3 of Peter Szor's: The art of Anti-Virus Research and Defence. Szor talks a lot about the dependencies that you need to get any malware rolling on any platform. There's always the critical mass issue. IMHO Mac does not have a critical mass of large quantity to make malware development worthwhile.

    The economic perspective is also a very valid argument. Malware writing is like a business, complete with a cost-benefit ratio. I wouldn't write one where I know my chances of impact are low. Besides in today's world where there's a whole lot of malware written for profit, your "business manager" would probably slap you upside the head if you started harping about writing malware for a low penetration platform.

    Gruber should realize that there is active research going on MacOS security. Even Matasano has produced some work on vulnerabilities on this platform. It's easy to predict that as MacOS gains critical mass (from more users) they will lose their "halo effect" to more determined efforts to circumvent their security. Anyway in a few years his smugness will be satisfied - beyond the SecureWorks incident.

    Even when the emperor is wearing no clothes - the subjects have to remove their glasses.
  • Michael Ströck · 2 years ago
    Thomas,

    Of course you can continue accusing people of being unable to read, but it won't help your argument one bit. Occam's razor applies to security issues too, you know. Basically, there are two theories:

    1) It's harder to write effective and self-propagating or user-propagated malware for OS X than for Windows.

    2) Malware writers just don't care. Even though all it takes is one guy in his parents' bedroom, nobody has ever really tried.

    I hope you realize why people do not really buy this argument. It has nothing to do with the security features of either OS. The reality is that OS X right now is more secure than Windows for the average user. That is an incontrovertible fact and that is all I am trying to say.

    Nobody is saying that OS X is the panacea to all our security-woes, just see this project for example: http://kernelfun.blogspot.com/

    They bring up some very real issues. I tried all of the three kernel panic problems they published and filed the crash reports with Apple for them. I expect them to get fixed way before anybody writes a workable exploit for them that does anything but crash the machine after the user clicks on the file.
  • Rob · 2 years ago
    I think you're confusing theoretical security research (which is a technical speciality in which Gruber is no expert) and computer security in practice, which involves at least as much human interface and community/environment issues as it does technical detail. I don't keep my valuables in a safe and my door lock is not a pick-resistant seven-cylinder mushroom-pin Rabin (making me less safe than others), but I do live in a safe area and a community where any stranger would be a point of interest. I really am "safer" than someone living in a high-crime, weak-community area, despite technical arguments about my safe or lock.

    My point is that Gruber's security commentary seldom focuses on "technical" arguments, although they are mentioned where they are relevant. The Mac is a low-crime area, which makes it a safer security environment than Windows (at least in terms of malware), and the Mac community's outright intolerance of all types of malware make the policing *much* better.
  • Thomas Ptacek · 2 years ago
    Either you think "it's harder to write effective self-propagating code for OS X" is a simpler argument than "Windows malware authors don't care about the Mac", or you don't know what Occam's Razor is. Either way, you haven't convinced anyone of anything.
  • Thomas Ptacek · 2 years ago
    Andy: MAC and privilege revocation is better than the C runtime arms race, and perhaps tied with managed code, in terms of security value.

    If Apple ships an OS with pervasive least-privilege at the system call / OS subsystem level, they'll have something to brag about again.
  • Donnie Brasco · 2 years ago
    @Rob,

    Well, as Apple's market share improves, we're going to be moving into the high crime areas. So it's appropriate that these issues start getting out into the open - so that they can get resolved before the "Windows Fanbase" starts knocking.

    All the mistakes that Microsoft made have been openly scrutinized and discussed time and time again - a benefit for them because now that Vista's out, it seems (at least they tell us) that they have learnt from the situation - and they may possibly have an advantage over Apple's operating system. Time will tell in this regard.

    The issue at hand really isn't that Mac OS is secure or insecure. It's just the fact that people who ideally should be educating themselves about the situation, people who allegedly have a far greater reach with the public than this blog probably has, people who could be the conduit for informing and educating their readers about what to do to protect themselves from nasty things happening, are quick to downplay the (verifiable) work done by others who are quite reputable in this field - with arguments that really aren't very strong. Not only is that annoying, it's downright disturbing.

    And obviously the author of the post, who himself has made some contribution to the field, is upset about the situation and pointing it out for all to see.

    The events that can lead up to a first big incident are already sliding into place and it would be nice to ensure that we're still in the old neighborhood we're used to. That's really the goal of all this work that's being done - after all, an early warning is better than a late surprise.

    I might also add that the first few chapters of Szor's book aren't really that technical and so you can pretty much get a useful exec summary from there. So I don't really see an excuse not to go through it.
  • Buster · 2 years ago
    So many people spewing about Occam's Razor and what not - let's blow all the smoke out of the room -

    Point me to *one* hunk of code which will infect my Mac (no local hijinks, strictly download or web page, please!) without my knowledge, permission, or awareness *and* cause me to lose data *and* replicate itself to other Macs.

    Short of producing this code, then the Mac is absolutely more secure, because there are bits of code out there for Windows for which the above is very real. Either someone can come in via internet and tap dance all over my Mac, or they cannot. I don't care about theories, I want fact. I don't care about potential, I want reality. If you can't do that simple thing, then like it or not, you have lost the argument about which is the more secure system.

    And let's pooh-pooh this notion that there is no payoff in malware for the Mac. The first person who successfully does to the Mac what happens to PCs on a daily basis will be a household name overnight. The first person to write a Melissa for the Mac will enjoy celebrity akin to being a rock star. If that isn't a powerful incentive, I don't know what is. Seems to me there's millions sitting on the table waiting to be grabbed by the right person.

    If the Mac is less secure than Windows, then pony up the code, boys. Fame and fortune awaits the first to do, not to say. If there isn't any tangible real-world proof, the reality is the Mac is more secure. That is the evidence at hand, and anyone who wants to be taken seriously must admit it.
  • Thomas Ptacek · 2 years ago
    If you had read the actual post, you'd see that you took 5 paragraphs to repeat my conclusion, which I managed to say in 2 sentences. You also failed to address any specific point I made in the post. But I'm glad you feel better now.
  • Buster · 2 years ago
    Tom,

    If you had read the actual post, you will see that I didn't address you. I am now. Notice the difference? That would be the reason I said "So many people" at the start of my post, instead of saying "Tom,". See? Just like that.

    But I am glad you feel better now.
  • Thomas Ptacek · 2 years ago
    Who are you talking to?
  • Michael Ströck · 2 years ago
    "Either you think “it’s harder to write effective self-propagating code for OS X” is a simpler argument than “Windows malware authors don’t care about the Mac”, or you don’t know what Occam’s Razor is."

    Uhh, yes I do think so? It takes some pretty convoluted logic to assume that absolutely friggin' nobody cares about a mainstream OS _at all_.
  • Thomas Ptacek · 2 years ago
    I didn't say "absolutely friggin' nobody", Mac Zealot. I said "Windows malware authors".

    Before you write your next comment, will you try to answer in your head the question, "Who am I trying to convince with these messages?"

    If you're just writing to make yourself feel better, well, God bless you. But if there's some objective to this, rethink your tactics.
  • Ben Hoskings · 2 years ago
    "Either you think “it’s harder to write effective self-propagating code for OS X” is a simpler argument than “Windows malware authors don’t care about the Mac”, or you don’t know what Occam’s Razor is. Either way, you haven’t convinced anyone of anything."

    You shouldn't use such a rude, condescending tone. In general, that is---but especially when you're wrong.

    Occam's razor is often interpreted as 'the simplest theory is usually the right one'. That doesn't mean "the theory that can be described in a shorter sentence"; it means the one that requires the least number of assumptions and external conditions.

    There are, in effect, no Mac exploits. This could be because

    a) Writing Mac exploits is completely impossible,
    b) Writing Mac exploits is sufficiently harder than for Windows machines that no one has done it;
    c) Writing Mac exploits is comparably easy to or easier than writing Windows exploits, but no one has done it anyway.

    Option (a) is reserved for the zealots. The argument is between (b) and (c).

    Occam's Razor supports argument (b), because the only condition it requires is that Mac OS X is a sufficiently hard cracking target. Option (c) requires the complex and dubious condition that the hackers of the planet unanimously choose not to target it, despite the obvious gains (not to mention headlines) that would ensue.

    But I think the point that most of us are trying to make is, sure, we're pretty confident that (b) is the correct argument. But in the end, whether it's (b) or (c), or indeed (a), or something else entirely --- who cares?

    The point is, as Gruber said, "for whatever reason", at present, Macs simply do not get hacked. Windows suffers a constant onslaught, bad enough that a fresh, vanilla install is often owned in a matter of hours of being connected to the web, whereas I've NEVER done any security maintenance on any of my Macs, and I've NEVER had, seen, or heard of even a single piece of Mac malware. Microsoft is the world's biggest and richest software company, and yet in five years of WinXP exploits, they're only beginning to fix the problem. It's not just a swing in Mac's favour, it's completely and absolutely black and white, night and day.

    Maybe that's just because there are more Windows machines around. I seriously doubt it, and I don't think that it's a position that can be logically supported. But even if it were, what we're trying to say is that the cause isn't really relevant here.

    The proof is in the pudding.
  • Thomas Ptacek · 2 years ago
    It's amazing how many sentences you can spend trying to "deduce" the fact that Macs are more secure without citing a single technical detail. You, also, have not read the post you're commenting on.
  • Slartibartfast · 2 years ago
    It's amazing how annoying you are
  • Thomas Ptacek · 2 years ago
    And yet, somehow, irresistible.
  • Eric Hall · 2 years ago
    I'm quite clear that there is malware for Mac OS X out there, and that we're going to see more of it. I'm actually a bit surprised we haven't seen a real virus/worm yet (I figured we'd have seen one by this last summer).

    p.s. for those of you who aren't in the security space, why are you arguing with people who have been doing security work for a long time? It's like telling cryptographers that you can brew your own crypto algorithm that is 'unbreakable', or telling a karate black belt you can hit harder than she can, just 'cause you're futzing with it on the side. Either way you're going to lose.
  • Majo · 2 years ago
    I don't know about the technical details you presented. Anyway, here are my additional thoughts on why there are far fewer viruses on Mac.

    To know why, one has to step into the mind of the malware creator. Why would I invest my time to write a malware knowing

    1) It will propagate slowly: the chance to hit another Windows is 50-1 compared to Mac. The chance to infect the 3rd computer (from the 2nd infected one) is 250-1 in favor of Windows. Do the math and one can see why it makes no sense to plant a spyware/ malware/ virus on a website to target Mac users.

    2) Would be stopped before it reaches the mass to make the noise. Apple and Mac community have enough force to combat a few pundits. Compared to Windows, there are just too many of them for MS to catch up.

    3) Nobody will pay me.

    4) It will not give me instant fame (as somebody suggested). It will not cause any company, or financial institutes to shutdown (which guarantees me an instant headline). The worst it can do? Somebody can't turn on their Mac. The world still goes on.

    5) Windows based computers are cheaper than Mac. I can get a pirated copy of Windows, a $200 bare bone computer and start playing with my malware "product". I am not gonna spend $3000 on a slick looking MacBook and try to kill it.

    6) I get more "support" from the Windows virus creation community. :D Again, this has to do with the user base.
  • Switcher · 2 years ago
    Are there any decent articles for decent OS X security practices?
  • Mortimer Plantagenate · 2 years ago
    Mr. Ptacek, I envy your fight and humor. Back when this first was posted it seemed quite the hatchet job. It was a worthy cause and I hope the net respect for your views has grown as a result, I think it should. Your kung fu is remarkably strong, I've yet to see someone other than 37s really exploit home field advantage as effectively. Cheers