Overhaul In OS X Lion Improves Security By Leaps And Bounds


Most of the news about Apple’s new operating system focuses on the changes that affect how people interact with it day to day, but the significant changes made beneath the surface are potentially just as important.  OS X Lion is, by far, the most security-conscious operating system Apple has ever released.  The Register reveals the completely revamped ASLR support in Lion.  Address Space Layout Randomization means the operating system regularly changes the locations in memory at which system components and shellcode are loaded, making it harder for attackers to exploit bugs in the code by targeting specific addresses.  You may recall that ASLR was listed as one of the new features back in OS X Leopard, but that implementation was lacking because it failed to randomize the operating system heap, the stack, and the dynamic linker.  Arguably better than nothing, that ASLR still failed to protect against entire classes of potential attacks on the OS.  Snow Leopard made no effort to improve on this weak ASLR implementation either.  Now ASLR is fully implemented, giving Lion an equivalent to what Ubuntu Linux offers.

However, Apple didn’t stop there.  Another feature augmenting ASLR is process sandboxing.  The most vulnerable parts of the operating system now run in protected spaces (essentially keeping Lion code in a cage).  For example, the Safari browser is now split into two separate processes: one that manages the user interface and another, sandboxed, that parses images, JavaScript, and other web content.  Applications including Preview and TextEdit are also sandboxed.

Additionally, Apple has improved its FileVault encryption.  For the first time, users can encrypt their Time Machine backups, as well as an entire hard drive (not just individual files and folders).  FileVault also becomes easier to live with because it can do its encryption work whenever the Mac is put to sleep.

Borrowed from the Linux community, Lion boasts buffer overflow protection by way of ProPolice.  ProPolice uses canaries: randomly generated but known values placed between a buffer and the control data on the stack.  In the event of a buffer overflow (a common form of attack or exploit), the canary is corrupted before the control data is reached; the integrity check on the canary then fails, alerting the system to take action (such as invalidating the remaining data) rather than trusting the corrupted frame.  Additionally, ProPolice sorts array variables, wherever possible, to the highest part of the stack frame, so that an overflow from an array runs into the canary rather than into the other local variables, making them more difficult to corrupt.  A similar system is implemented in Windows, but it is considered less effective than ProPolice.
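A byte-array model of the frame layout just described, added here as an example and not code from Apple, GCC or the ProPolice project: the canary sits between the buffer and the saved return address, the pointer local sits below the buffer, and `run_model` reports which of the three survives an unchecked copy of a given length. All offsets and values are constructed for the model.

```c
#include <stdint.h>
#include <string.h>

/* Byte-array model of a ProPolice-protected frame, constructed for this
 * example.  Lowest address first: a pointer local, a char buffer, the
 * canary, the saved return address.  Arrays sit highest among the locals,
 * so an overflow runs up into the canary rather than into the pointer. */
#define PTR_OFF    0
#define BUF_OFF    8
#define BUF_LEN    16
#define CANARY_OFF (BUF_OFF + BUF_LEN)   /* 24 */
#define RET_OFF    (CANARY_OFF + 8)      /* 32 */
#define FRAME_LEN  (RET_OFF + 8)         /* 40 */

/* A real canary is drawn from a random source when the process starts;
 * this constant is constructed so the model is deterministic. */
static const uint64_t CANARY_VALUE = 0x5ca7a1b2c3d4e5f6ULL;

struct verdict {
    int canary_ok; /* the epilogue check would pass */
    int ret_ok;    /* saved return address untouched */
    int ptr_ok;    /* pointer local untouched */
};

static uint64_t load64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }

/* Copy 'len' bytes into the 16-byte buffer with no bounds check (the bug the
 * canary is there to catch), then run the checks an instrumented epilogue
 * performs before the return address is used. */
struct verdict run_model(size_t len) {
    uint8_t frame[FRAME_LEN], input[FRAME_LEN];
    const uint64_t ptr_val = 0x2000, ret_val = 0x1000; /* constructed values */
    struct verdict v;

    memset(frame, 0, FRAME_LEN);
    memcpy(frame + PTR_OFF, &ptr_val, 8);
    memcpy(frame + CANARY_OFF, &CANARY_VALUE, 8);
    memcpy(frame + RET_OFF, &ret_val, 8);

    memset(input, 'A', sizeof input);
    if (len > FRAME_LEN - BUF_OFF) len = FRAME_LEN - BUF_OFF; /* keep the model in bounds */
    memcpy(frame + BUF_OFF, input, len);

    v.canary_ok = load64(frame + CANARY_OFF) == CANARY_VALUE;
    v.ret_ok    = load64(frame + RET_OFF) == ret_val;
    v.ptr_ok    = load64(frame + PTR_OFF) == ptr_val;
    return v;
}
```

A copy of 16 bytes leaves everything intact; 17 bytes corrupt the canary while the return address and pointer survive; a copy long enough to reach the return address still trips the canary check first and never touches the pointer below the array.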

When all of this is added to the fact that OS X has always had more secure password handling than Windows (using salted SHA-1 hashes, which are more robust than the MD4 NTLMv2 hashes used by Windows), and the fact that OS X doesn’t rely on a monolithic and exposed system registry file to store system settings, things start looking very good for OS X security.  Of course, there’s no such thing as a completely secure operating system.  I discussed a few of Lion’s currently known bugs before, but white-hat hacker Charlie Miller has just discovered a vulnerability in the microcontroller chip that manages the batteries in MacBook computers.  During his experiments, he was able to render seven batteries non-functional by rewriting their firmware.  Even more disturbing?  He theorizes that a clever hacker could install malware on the battery controller chip that would keep reinfecting the operating system whenever it was removed, or cause a battery to overheat and potentially explode.  Luckily, he plans to release a software fix called Caulkgun at next month’s Black Hat Technical Security Conference.

All of this should remind us that security is a process, not a destination.  But as security consultant Dino Dai Zovi recently said about Lion, “It’s a significant improvement, and the best way that I’ve described the level of security in Lion is that it’s Windows 7, plus, plus.”
