Real Security in Mac OS X Requires Apple-Signed Certificates

Real Security in Mac OS X Requires Apple-Signed Certificates(blog.wilshipley.com)

76 points by mynameisraj 14 years ago | 26 comments

tptacek 14 years ago |

I think Shipley has missed the point of OS X sandboxing.

He's right that sandboxes won't directly prevent malware. But that's not why users want sandboxes. Sandboxes mitigate accidental vulnerabilities. Virtually every security vulnerability you've ever heard about has been an accident.

Sandboxes aren't a new idea (the sandbox code didn't even originate at Apple). The idea goes back to the '70s; an obvious and more recent example is the Java applet sandbox, and a somewhat more successful instance is Daniel Bernstein's qmail security architecture (qmail has one of th best security track records of any major software package).

It's best to think of sandboxes not as a preventer of malice, but as one incremental form of forced developer competence: all developers are being asked to at least consider what privileges their applications need (most developers do not do this today), so that they can voluntarily renounce capabilities that will be turned against them when someone finds a heap overflow in their code later on. The technology and policy Apple is working with here will do a fine job of that.

Also, no matter what Bertrand Serlet said, sandboxes don't need to cover "as many instructions as are in the human brain". Because of its Mach / Unix underpinnings, sandboxes have a relatively simple user/kernel interface they actually need to deal with. There are just a few hundred system calls, many of them already privileged.

po 14 years ago |

The application sandbox should be considered like not storing credit card info on your system... you could do it but you open yourself to security problems. As a developer, you should opt into entitlements because it means that your application will be less likely to have a problem in the future.

This is also similar to dropping privileges in unix: if you need sudo to start up, you drop it as soon as possible so that a compromised binary doesn't lead to root access for the malware.

They are like fire doors. They don't prevent the fire, they just limit the damage. Anything that encourages developers to adopt the sandbox model is good, however I would say that requiring them everywhere is probably biting off more than they can chew. Furthermore - as Wil explained - being fast with the fire extinguisher is probably a better tactic than trying to monitor and disallow all things that may lead to fire.

danssig 14 years ago | |

>Furthermore - as Wil explained - being fast with the fire extinguisher is probably a better tactic than trying to monitor and disallow all things that may lead to fire.

I disagree here. In the case of humans, it doesn't cost much to put fire extinguishers at regular intervals and have people just use them in the case of a fire. If a first starts we'll notice it. On a computer, it won't "just notice". You would have to have some virus scanner scanning every action all the time. This is what makes Windows so much slower and I would really hate to see it come to Mac.

I wish the SELinux approach would become more popular.

Tloewald 14 years ago | | |

Being fast with a fire extinguisher is no substitute for fire prevention :-)

The point about all security models is that you need multiple redundant systems not one silver bullet. My house is built to fire safety codes, the materials are tested and approved individually, we have fire alarms, fire extinguishers, a fire hydrant nearby and a fire department to use it, and we have fire insurance. Most houses are like this and houses still burn down.

Shipley's argument is that code signing is all you need. It's not quite the same as advocating fire extinguishers as the only line of defense against house fire, more like simply relying on your builder's credentials.

po 14 years ago | | |

A bit of confusion: when I said 'fast with the fire extinguisher', I wasn't talking about users but about Apple. Malware is only practical if you can infect hundreds if not thousands of machines. If Apple can effectively kill malware that is discovered, then it ruins the economics behind it. So to apply my somewhat lacking analogy, even though the systems are horribly vulnerable and there is nothing a user can or should do if a fire starts, nobody is out there going around starting fires because they get put out by Apple quickly, with some cost to them and before the fire is useful.

josephcooney 14 years ago |

I have the greatest respect (nay, love) for Mr. Shipley (who can forget his live twitter coverage of the bachelor), but hasn't web certificate revocation proven to be pretty much un-workable in practice? How would this be different? Entitlements sound similar to code access security which Microsoft baked in to the CLR, but which remain largely un-used.

blinkingled 14 years ago |

I would argue that real security requires a deeper approach like QubesOS takes - http://wiki.qubes-os.org/trac/wiki/SecurityGoals . Constraining and inconveniencing users for the sake of false sense of security doesn't feel like something that needs to be attempted in 2012.

But to be fair - I think the hardware is only now starting to get fast and capable enough for doing security via virtualization. So up until now may be OS vendors did not really have the luxury of thinking along those lines but it doesn't hurt to start thinking now.

Apple could really leapfrog if they worked with the hardware vendors to make Mac OS X something like QubesOS but much more usable. On top of it if they had a saner programming language that makes it darn near impossible to make security goof ups, real security still has a chance!

tptacek 14 years ago | |

It's probably not reasonably to compare a hugely popular general purpose operating system to a research prototype designed specifically to demonstrate an extreme form of application segregation.

Similar logic would allow the "we - implemented - the - kernel - in - a - type - safe - runtime - so - we - don't - even - need - to - switch - out - of - ring - zero" crowd to say Qubes was inadequate.

blinkingled 14 years ago | | |

QubesOS is Linux+Xen+Added Trickery on top. So calling that a research prototype may not be entirely correct. I have used QubesOS - besides hardware support and usability there are no real inadequacies as far as I could tell from a general purpose desktop OS standpoint - both of which can be fixed by Apple along with may be some more hardware integration.

[EDIT] Relevant Article (via /.) - http://www.networkworld.com/news/2011/110311-xen-simon-crosb...

jensnockert 14 years ago |

Sandboxing in the appstore is probably not intended to directly protect against malware, it is there to minimize the risk of programmer error. The application developer decides the restrictions it imposes on itself. And while the current entitlements system seems quite weak compared to the normal interface to the sandbox, I think that the number of entitlements that you can request will grow with time, and with user awareness. (The Scheme-derivative that is the configuration right now, is probably not fit for user consumption)

The OS X sandbox has been around for a long while (and trusted BSD has been around for even longer), it is of course not bug free, but it is in use in a few exposed applications (like Safari), and deploying it appstore-wide will only make it even better.

I, as a programmer, sleeps better at night knowing that my (and others) applications has safety nets that protect it from doing stupid stuff.

gizzlon 14 years ago |

"Apple then has the power, if any app is found to be malware, to shut it down remotely, immediately"

Actually I don't think this will work. They can "shut it down" in the sense that they can keep new installs from happening. But if the malware is already installed it controls the machine, so it can simply ignore the "kill switch" for itself.

andybak 14 years ago | |

Is there not some way that the certificate checks can run on app launch? Or even periodically

gizzlon 14 years ago | | |

I don't know how mac "apps" work, but if we assume it can gain full control over the os, there's really only one thing they can do: "anchor" the checks in hardware.

The way it (supposedly) works is that you have a hardware chip that checks the bios, which checks the boot loader, which checks the os, which checks the apps etc.. The goal is that you'll have to modify the actual hardware chip in order to "crack" the os. Sounds great, but has a lot of challenges in practice.

EGreg 14 years ago |

Here is the real problem: http://www.eros-os.org/papers/secnotsep.pdf

dfc 14 years ago |

Does anyone know anything more about this:

"Bertrand Serlet once told me that Mac OS X now has roughly as many instructions as we believe the human brain does."

delinka 14 years ago | |

I don't know what a Bertrand Serlet is but the statement reads like bunk. The CommonSense-Ometer in my own brain says there's no comparison between the evolved complexity o the human brain and an operating system for the modern digital computer hardware.

Someone 14 years ago | | |

I think the claim is bogus not because the brain has a much more complex instruction set, but because the phrase 'instruction set of the brain' does not make sense.

If one had to express the complexity of a neuron in the size of its 'instruction set', the best guess may be 'one': "act like a neuron until you break down".

The complexity of the brain most likely is not caused by complexity of the processing units, but of its parallelism.

crb 14 years ago | | |

Bertrand Serlet was the head of Mac OS X at Apple from 2003 to 2011.

(One of these things is not like the others: http://www.google.co.uk/search?q=Bertrand+Serlet&pws=0)

jayfuerstenberg 14 years ago |

This article by Wil Shipley is grounded in so much real world experience.

I too want to develop a Mac app that might not be covered by the existing entitlements and would be disappointed if I couldn't release it via the MAS.

Hopefully Apple will read this and consider his insights.