The Leopard Security Blanket
Posted by Mike Hjorleifsson on 10/30/07 in Apple, Articles, Featured, Opinions
Well, Leopard is finally here, and it includes some security features that won’t get much attention but add heavily to the strong security stance of OS X. Apple quietly leaked plans to add code-memory randomization to Mac OS X Leopard, a move aimed at making the operating system more resilient to virus, worm and network attacks. The cynics reading this might remember that earlier in the year Microsoft botched its own implementation of the same technology.
The security technology, known as ASLR (address space layout randomization), randomly arranges the positions of key data areas so that malware authors cannot predict target addresses. It is used in tandem with additional security features to reduce the effectiveness of exploit attempts. According to Apple, the library randomization feature will allow Leopard to defend against attackers with no effort at all. One of the most common exploit techniques is for an attacker’s code to jump to a known memory address so that an existing system function ends up executing the attacker’s malicious code. Leopard frustrates this plan by relocating system libraries to one of several thousand possible randomly assigned addresses.
So what does this mean in English to the real people out there? Here is a little analogy that will give you a good idea of the technology. Picture your computer as the wastebasket across from your desk and you are the hacker. You keep throwing paper at the computer (this is akin to an attack) and every now and then you will get one in there - this is akin to knowing the memory location of an application in an operating system that you’re trying to penetrate. You know where it is and you keep firing at it until you figure out a way to get it in the basket. Now enter ASLR, and to keep with the current analogy, turn off the lights and have someone randomly move the wastebasket to any one of thousands of locations every few seconds. So how many pieces of paper are you going to get in there now? Would you even bother?
That is the entire point of ASLR: make the target so hard to hit that it isn’t really worth your time to attempt, because your odds of success are so minimal.
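To put numbers on the wastebasket analogy, here is an added example (not from the original post) that models a blind guess at a library that can sit at any one of N base addresses, using the post’s “several thousand” (taken here as 4096) for N. The attacker model and the assumption that each miss crashes the target and brings it back at a fresh random position are simplifications of the model, not a description of Leopard’s implementation.

```python
import math
import random

def entropy_bits(positions: int) -> float:
    """How many address bits must be guessed when a library can sit at any one
    of `positions` equally likely base addresses (no ASLR means 1 position)."""
    return math.log2(positions)

def blind_hit_probability(positions: int, attempts: int) -> float:
    """Chance that at least one of `attempts` independent blind guesses hits the
    library, where every miss crashes the target and it comes back at a fresh
    random position, so earlier misses teach the guesser nothing."""
    return 1.0 - (1.0 - 1.0 / positions) ** attempts

def simulate_wastebasket(positions: int, attempts: int,
                         trials: int, seed: int = 1) -> float:
    """Monte Carlo version of the same model: the basket (library) is moved to a
    random spot after every missed throw. Returns the observed hit rate."""
    rng = random.Random(seed)          # fixed seed keeps the result reproducible
    hits = 0
    for _ in range(trials):
        basket = rng.randrange(positions)
        for _ in range(attempts):
            if rng.randrange(positions) == basket:
                hits += 1
                break
            basket = rng.randrange(positions)   # re-randomized after the miss
    return hits / trials

def expected_crashes_before_hit(positions: int) -> float:
    """What a defender sees: each attempt succeeds with probability 1/positions,
    so on average `positions` attempts are needed and all but the last crash
    the target process. Crash storms like this are the detectable footprint."""
    return positions - 1.0

if __name__ == "__main__":
    for n in (1, 4096):   # 1 = fixed layout (no ASLR); 4096 = "several thousand"
        print(f"{n:5d} positions: {entropy_bits(n):4.1f} bits, "
              f"P(hit in 1 try)={blind_hit_probability(n, 1):.5f}, "
              f"P(hit in 100 tries)={blind_hit_probability(n, 100):.4f}, "
              f"expected crashes before a hit={expected_crashes_before_hit(n):.0f}")
    print("simulated hit rate, 4096 positions, 100 tries:",
          simulate_wastebasket(4096, 100, 4000))
```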

Apple has also added systrace (often referred to as sandboxing) to Leopard to limit an application’s ability to affect the rest of the system. Some of this is inherent in the Unix protected-memory scheme, but in Leopard systrace puts up additional barriers to protect against misbehaving applications, enforcing access policies to ensure some rogue application doesn’t reformat your Time Machine partition or other such nastiness. Not all applications will be sandboxed initially; the most surprising omission is Safari, though I am confident it will be added in short order.
Note: Right now the Leopard website lists Bonjour, Spotlight, and Quick Look as being sandboxed. It will be interesting to see the entire list.
Some of the other improvements include:
- Tagging Downloaded Applications - Protection from potential threats. Any application downloaded to the operating system is tagged. Before it runs for the first time, the system asks for the user’s consent, telling the user when it was downloaded, which application was used to download it and, if applicable, which URL it came from. There is a similar feature in Vista, but Apple’s approach has a more polished user experience.
- Application-Based Firewall - Leopard will feature the ability to specify the behavior of specific applications, either allowing or blocking incoming connections. In other words, if your FTP application suddenly tries doing some secure shell magic (which it should never do), the firewall will kill the connection, as it violates what FTP traffic is supposed to look like.
- Application Signing - This is a pretty simple concept that has had mixed reviews on other platforms. Signed applications (like signed Java applets, for you Java folks) contain a certificate with the creator’s information, which you can verify or trust prior to installing any software from that publisher. The idea is that if an application isn’t signed, you shouldn’t trust it. Apple will be signing all of their applications.
- The Keychain has been enhanced to better manage multiple user certificates for email encryption and digital signatures, a welcome update for users with multiple POP email accounts. Apple is also doubling the key length of encrypted disk images, from 128-bit to 256-bit AES encryption. While this is a good move for those requiring compartmentalized security for their documents, the processing hit is pretty high, so use this sparingly.
So what does this mean to the general business user of Mac OS X? Less worry, more stability, less time spent rebuilding and recovering from viruses, malware or network penetrations. For a very detailed run-down of these security improvements (and others), check out this article on TidBITS.
What do you think of the security side of OS X Leopard? Like a warm blanket?