Five Reasons To Ignore John Gruber’s OS X Security Punditry

Thomas Ptacek | November 20th, 2006 | Filed Under: Apple, Industry Punditry, Malware, Uncategorized

i.

Gruber Hides Behind Reporters and Pundits

Today’s Daring Fireball post has two objectives:

  1. To tar eWeek Security pundit Larry Seltzer, and the trade press in general, as biased, lazy, and incompetent when it comes to Mac security.

  2. To claim that Mac security is better than Windows security.

We can get behind one of those objectives. But Gruber isn’t going to let us do that: instead, he borrows support for his defensible argument to shore up a weak argument. This isn’t a new idea; it’s straight out of the Mac zealot playbook, and it’s the same tactic Gruber used during the Mac wireless debacle when he hid behind Brian Krebs’ reporting to throw a smoke screen over OS X kernel wireless vulnerabilities.

Here’s an example from today’s article. Seltzer’s article claims that a recently released Symantec report on OS X security “revealed a collection of vulnerabilities and potential attacks that rivaled any major operating system”, and “in fact things are getting worse.” Instead of arguing that Seltzer doesn’t (and can’t) support that argument with facts, which would be boring, Gruber plays to his base: “nowhere in the report does it indicate that the ‘collection’ as a whole rivals that of any other operating system.”

But that’s an equally indefensible argument! Seltzer himself names operating systems that are in positions comparable to OS X: Linux and Solaris. Gruber’s M.O. is simple and he counts on his audience not to notice it: when a pundit or reporter overreaches, Daring Fireball leaps on the opportunity to claim that the opposite argument is true. It almost never is.

ii.

Gruber Conflates Malware Incidents With Vulnerabilities

Count on Daring Fireball to ask the hard questions: “[…] given that Mac OS X has about 6 percent total market share in the U.S. and something like 2 or 3 percent worldwide, how come Mac OS X’s share of actual security exploits — not just potential vulnerabilities but actual malicious spyware, viruses, worms, adware, etc. — is effectively zero percent? That’s the real question.”

No it isn’t. Want an easy way to debunk that argument? Here you go: MacOS 9 sees a tiny fraction of the malware Windows does. But nobody seriously argues that OS 9, which doesn’t even have a secure VM system, is more secure than Windows XP.

Want another? Solaris. Been around for over a decade. Hundreds of published vulnerabilities. How much malware?

Here’s another easy way to debunk the argument: Windows Vista. Has Microsoft “retaken the lead” in OS security? I can defend that argument a lot better than Gruber can defend his.

But I don’t have to, because malware is obviously weakly correlated to OS security. How do we explain that?

  • 6% Market Share Doesn’t Mean 6% Malware Share

    Malware authors will target the one platform with critical mass, because there’s no indication that there’s a “peak oil” scenario for Windows vulnerabilities that will ever make Mac malware pay off better. Malware authoring effort doesn’t divide proportionally to OS share.

  • The Underground Hasn’t Ramped Up Yet

    The Win32 API is over a decade old and is well understood by attackers. The MacOS X APIs are not. There is a lag between the publication of the OS and security researchers, and a lag between research results and malware authorship.

  • Enterprises Set The Course For Security Research

    Research efforts focus on Windows, Linux, and Solaris, because that’s where the enterprise dollars are. Malware authors feed on research results, so even though their ideal victims are home users, their supply chain is tied to businesses.

  • Viruses Don’t Exploit OS Flaws

    A huge percentage of malware infections have nothing to do with OS vulnerabilities. For the vast class of infections that arise from user complicity, there is no evidence that the MacOS X design is better.

  • There Are Existence Proofs To The Contrary

    Researchers like Tom Ferris, KF, H.D. Moore, and Matasano do find MacOS X vulnerabilities, and there is MacOS X malware, including very viable rootkits.

Gruber retorts, “[but] if Mac OS X is protected because it’s not primarily used as a server OS, then how do you explain Windows’s non-server security problems?”. Easy: exploits developed for Windows servers translate to desktop Windows.

Gruber retorts, “If there’s one firm conclusion to be drawn from the MacBook Wi-Fi hack fiasco in August, it’s that you can get a hell of a lot more attention for a Mac OS X exploit […]”. Where are the ego attackers? I don’t know; what evidence does Gruber have to support the argument that a significant portion of Windows infections are ego attacks?

iii.

Gruber Jazz-Hands Mac Security

Count on Daring Fireball for ArsTechnica-caliber technical analysis: “The explanation that makes sense is the obvious one: that Mac OS X really is more secure and better designed. Not that it’s totally secure. Not that it’s perfectly designed. Not that it is utterly impervious to attack because it’s protected by magic leprechauns. Just that it’s better.”

If Gruber wants to claim that magic leprechauns have nothing to do with MacOS X security, Daring Fireball should stop appealing to those magic leprechauns. To date, Gruber hasn’t defended a single argument in favor of the MacOS X security architecture. What he has instead are articles of faith.

Article 1: The MacOS X Privilege Model Makes Malware Outbreaks Harder.

No it doesn’t. Here’s why:

  1. Most Macs are single-user machines. On most single-user machines, that one user has “Administrator” privilege. “Administrator” is functionally equivalent to root, even without knowing the user’s password, and that equivalence is baked into the current architecture.

  2. The idea that malware needs “admin” to propagate is a myth. On almost all single-user machines, the ability to run code with that user’s privileges is game-over: I have all the meaningful data on the machine, I can backdoor the machine, and I can talk to the network.

  3. The OS privilege model doesn’t mean anything if the OS is vulnerable to privilege escalation attacks. MacOS X has been. For example, Matasano discovered that malware can use the Mach Exception Port feature to load arbitrary code into SUID-root binaries, deterministically seizing superuser creds on an infected machine.

Article 2: MacOS X Code Is Better Designed Than Windows Code.

No it isn’t. For example:

(a) Microsoft pioneered the Secure Development Lifecycle. (b) Microsoft delayed a critical operating system release to scrub integer overflows out of the codebase. (c) Microsoft invented the Threat Modeling methodology. (d) Microsoft Visual C builds executables that resist memory corruption. (e) Virtually every line of Windows Vista has been audited by third parties.

Does this mean Microsoft is perfect, or that MacOS X has bad code? No, but where are the Apple counterclaims? Here’s a question for Daring Fireball: without arguing that Apple somehow employs “better” OS developers than Microsoft, honestly guess which OS team puts more effort into code security, and estimate by how much.

Article 3: OS Security Features Don’t Matter.

They can’t, because if they did, Windows Vista would have left MacOS X in the dust. For instance:

  • Over the objections of the whole industry, Microsoft has locked their kernel. At Black Hat, Matasano demoed malicious MacOS X kernel code that transparently virtualizes the whole operating system out from under itself.

  • The standard Microsoft libc heap is tripwired so that malicious pointer overwrites abort the program instead of handing control over to attackers.

  • The Microsoft C runtime guards activation records on the stack, so that overruns in stack variables don’t allow attackers to overwrite return addresses. The Win32 runtime also defends its exception handlers. How resilient is the (vastly more complex) Objective C “Cocoa” runtime against the same attacks?

  • On supported platforms, Microsoft takes advantage of CPU “no-execute” memory protection. Apple’s current support for the same chip features is bypassable.

  • Win32 has first-class support for managed code (C# and the CLR), which sandboxes programs and provides a fine-grained privilege model within individual programs. Apple just deprecated Java; their high-level development platform has no runtime security.

  • The Win32 address space is randomized, so that exploits with hardcoded addresses (read: virtually all exploits) have a negligible chance of succeeding. Despite the fact that this is technology pioneered by BSD, MacOS X does not have address space randomization.

None of these technologies require end-users to purchase anything. They’re built into the operating system and the runtime libraries. Most of them are enabled by default. They address the same code flaws that MacOS X faces; why doesn’t Apple have them?
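Two of the runtime tripwires in the list above, the stack cookie that guards the saved return address and the heap check that refuses to unlink a corrupted free-list node, modelled in plain C. This is an added example, not code from the original post or from any Microsoft runtime; the frame layout, the cookie value, the addresses and the list corruption are all constructed for the demonstration, and the “stack frame” is a byte array laid out by hand so the overrun is defined behaviour and the outcome is deterministic.

```c
/* Added example (not from the original post or any vendor runtime): a model
 * of a /GS-style stack cookie and of safe unlinking. Every value below is
 * constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    16                            /* local char buffer      */
#define COOKIE_OFF  BUF_SIZE                      /* cookie sits above it   */
#define RETADDR_OFF (BUF_SIZE + sizeof(uint32_t)) /* then the return address */
#define FRAME_SIZE  (RETADDR_OFF + sizeof(uint32_t))

typedef struct { uint8_t bytes[FRAME_SIZE]; } frame_t;

/* Per-process secret; a real runtime draws this from a CSPRNG at startup. */
static const uint32_t stack_cookie = 0x5A3C9F21u;   /* constructed value */
static const uint32_t good_retaddr = 0x08049000u;   /* constructed value */

static void frame_init(frame_t *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + COOKIE_OFF, &stack_cookie, sizeof stack_cookie);
    memcpy(f->bytes + RETADDR_OFF, &good_retaddr, sizeof good_retaddr);
}

/* Epilogue check: 1 if the frame may return, 0 if the runtime must abort. */
static int frame_epilogue_ok(const frame_t *f) {
    uint32_t seen;
    memcpy(&seen, f->bytes + COOKIE_OFF, sizeof seen);
    return seen == stack_cookie;
}

static uint32_t frame_retaddr(const frame_t *f) {
    uint32_t r;
    memcpy(&r, f->bytes + RETADDR_OFF, sizeof r);
    return r;
}

/* Copies `len` bytes of constructed input into the local buffer with no
 * bounds check (the bug class the cookie guards against), then runs the
 * epilogue check. Returns 2 = no overrun, 1 = overrun caught by the cookie,
 * 0 = frame would have returned through a corrupted address. */
int simulate_linear_overrun(size_t len) {
    uint8_t input[FRAME_SIZE];
    frame_t f;
    memset(input, 'A', sizeof input);
    frame_init(&f);
    if (len > FRAME_SIZE) len = FRAME_SIZE;   /* keep the model itself safe */
    memcpy(f.bytes, input, len);
    if (!frame_epilogue_ok(&f)) return 1;
    return frame_retaddr(&f) == good_retaddr ? 2 : 0;
}

/* A write aimed straight at the return address, skipping the cookie (what a
 * corrupted pointer, rather than a linear overrun, can do). Returns 1 if the
 * cookie catches it; it returns 0, because cookies only detect contiguous
 * overruns, which is why they are paired with the other mitigations. */
int simulate_targeted_write(void) {
    frame_t f;
    uint32_t bogus = 0x41414141u;               /* constructed value */
    frame_init(&f);
    memcpy(f.bytes + RETADDR_OFF, &bogus, sizeof bogus);
    return !frame_epilogue_ok(&f);
}

/* ---- Safe unlinking ---------------------------------------------------- */
typedef struct node { struct node *fd; struct node *bk; } node_t;

/* The classic unlink is just the two assignments with no check; the tripwire
 * refuses to run them unless both neighbours agree that n sits between them. */
int unlink_safe(node_t *n) {
    if (n->fd->bk != n || n->bk->fd != n) return 0;   /* tripwire: abort */
    n->fd->bk = n->bk;
    n->bk->fd = n->fd;
    return 1;
}

/* Builds the ring a <-> b <-> c, optionally corrupts c->bk the way an
 * overflow into the neighbouring chunk would, then unlinks b. Returns 1 if
 * b was unlinked and the ring is consistent, 0 if the tripwire refused. */
int simulate_unlink(int corrupt) {
    node_t a, b, c;
    a.fd = &b; a.bk = &c;
    b.fd = &c; b.bk = &a;
    c.fd = &a; c.bk = &b;
    if (corrupt) c.bk = &a;                     /* constructed corruption */
    if (!unlink_safe(&b)) return 0;
    return (a.fd == &c && c.bk == &a) ? 1 : 0;
}

int main(void) {
    printf("copy of 8 bytes:  %d (2 = clean)\n", simulate_linear_overrun(8));
    printf("copy of 20 bytes: %d (1 = caught)\n", simulate_linear_overrun(20));
    printf("targeted write:   %d (0 = not caught)\n", simulate_targeted_write());
    printf("unlink intact:    %d\n", simulate_unlink(0));
    printf("unlink corrupted: %d\n", simulate_unlink(1));
    return 0;
}
```

The targeted-write case is the caveat worth keeping in mind when reading the list: a cookie only catches the linear overrun that walks through it, so the heap tripwire, NX and randomization are not redundant with it but cover the writes it cannot see.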

iv.

Gruber Holds Grudges.

The Daring Fireball wears its emotions on its sleeve. In several years of covering MacOS X security, Gruber has only once validated security findings against MacOS X. In order to downplay Mac threats, Gruber has claimed:

  • That “to his eyes”, Tom Ferris’ Safari bugs are “all just ways to make an application crash”, not ways for attackers to corrupt the program runtime and upload malicious code.

  • That security consultant Rodney Thayer is quoted by the AP only because he has long black hair and a beard.

  • That the 10.3 “malicious URLs can execute arbitrary code” debacle was “a vulnerability, not an exploit”.

  • That the logistical hardship of shipping a fix to those problems outside of a major OS update was an adequate defense for shipping an OS update Apple knew was vulnerable to attack.

  • That as of September “the only Mac user anyone can find who’s suffered from Mac-specific malware is one single dipshit who double-clicked a trojan horse”.

  • That “there are all sorts of ways that Windows executes software that don’t have equivalents on MacOS X”, such as the “labyrinthine” Windows registry.

In today’s post, Daring Fireball can’t just let the new Symantec report slide; it’s only “mostly” fair, because it cites Maynor and Ellch’s wireless flaws. Leaving aside the fact that the particulars of the Black Hat wireless debacle are still totally unresolved, Apple has already confirmed vulnerabilities in the wireless drivers of every Mac portable; the MOKB Broadcom wireless vulnerability apparently even crashes pre-patch Powerbooks.

But that’s all meaningless, because in Gruber’s worldview, who Apple credits with security findings is more important than what vulnerabilities are actually present in the platform. Presumably Gruber will cry foul when someone publishes a weaponized exploit for those problems; after all, who cares about operating system security while Dave Maynor is still walking the streets?

v.

Gruber Isn’t Qualified To Make These Arguments

Matasano babbles endlessly about operating system security because we deal with it for a living. I very, very rarely blog about Mac HIG inconsistencies, or try to discern how the classic Aqua skin “feels” about the ascendance of New Brushed Metal. I’m comfortable leaving that to the experts, like Gruber.

But Gruber’s not content to do the same. So, despite having never published a single finding, despite having no scholar or citeseer hits on any security topic, despite having no discernible shipping C code in his work history, despite having never worked in security, and despite never sourcing anybody with any of those attributes in his articles about security, we’re meant to take his opinions about operating system security at face value.

This would be a low argument to make, but it’s the Mac zealots who are picking the fight, not the Windows people. As far as I can tell, there’s no “counter-meme” among Windows users that MacOS X is less secure than Windows, even though as of 2007 that may very well be the case.

The sad thing is, Gruber isn’t even doing Apple any favors here. There’s a perfectly reasonable argument to make about how resistant MacOS X is to malware. I’m an Apple user. It’s true! I don’t need antivirus! I never get rootkitted! I need fewer security patches! But I know why this is: attackers care less about me than about my grandpa’s Windows login and his bank accounts, which they can get with almost zero effort. Irrelevance is a meaningful security feature. As long as MacOS X has it, why can’t Gruber be happy with it? Why does he have to make stuff up?

52 Comments so far

  • anonymous

    November 20th, 2006 10:17 pm

    “On supported platforms, Microsoft takes advantage of CPU “no-execute” memory protection. Apple’s current support for the same chip features is bypassable.”

    Can you give more information on this? Is it just because OS X doesn’t have ASLR, so attackers can use ret to libc?

  • Thomas Ptacek

    November 20th, 2006 10:36 pm

    Yeah, I’m referring to KF’s writeup; ret-to-libc and the heap thing. Someone smarter than me needs to update us on the Cocoa runtime too. Cocoa has a heavyweight runtime and much more indirection than C or C++; I assume it’s safe to say that an overflow in a Cocoa program is game-over.

    OpenBSD has W^X, which seems to be the best-thought-out approach.

  • Chris_B

    November 20th, 2006 11:16 pm

    “Article 3” of your response was of most interest to me. I don’t know enough about the claims you make, but you’ve piqued my interest.

    BTW why pick on Gruber in regards to security? Does anyone take him seriously on the topic besides other zealots? As you rightly pointed out, I come here to read about sec but there to read about HIG/design.

  • _r

    November 20th, 2006 11:30 pm

    HD Moore’s name for his mac osx 80211 exploit:

    Proof of concept or exploit:
    A proof-of-concept exploit has been added to the Metasploit Framework 3.0 source tree:
    msf > use auxiliary/dos/wireless/daringphucball

  • Larry Seltzer

    November 20th, 2006 11:55 pm

    Apple has deprecated Java? When did this happen?

  • Thomas Ptacek

    November 21st, 2006 12:06 am

    Chris: inasmuch as I can pick on anyone who gets 10x as many readers as I do, I pick on Gruber because he will not. shut. up. about Mac security.

    I think I actually missed Win32 security features in that list. Is there anything you can overwrite in the Win32 runtime that _doesn’t_ have some kind of cookie, page protection, runtime-enforced bounds check, or code signature?

    The one serious feature they’re missing is CAS-style OS privileges, a la systrace — programs electing to give up the right to, say, execute other programs or write files outside of \temp, which is something ELSE Apple could have, but didn’t, build into the operating system. But dollars to donuts Win32 has this feature first, and that it comes within the next 2 releases of the OS.

    Again: Mac user here. Big fan. Have met and like some of the people who work security for the platform. The fact that reasonable people can even have this argument, when Microsoft can outspend Apple 1000 to 1, testifies to how talented they are.

    But come on. OS X is NOT MORE SECURE THAN WINDOWS.

  • Gunnar

    November 21st, 2006 12:08 am

    you may also enjoy this comparison of exploit mitigations available on operating systems. os x is also listed even though it has none of the listed mitigations.

    http://1raindrop.typepad.com/photos/uncategorized/defexpmitigations.jpg

  • Ian Betteridge

    November 21st, 2006 7:20 am

    Larry asks: “Apple has deprecated Java? When did this happen?”

    AFAIK, they haven’t. What they deprecated was the Java to Cocoa bridge that allowed you to create Java applications that called Cocoa APIs - in other words, to write Cocoa applications using Java. Java is still fully supported on Mac OS X.

  • Thomas Ptacek

    November 21st, 2006 9:03 am

    You can write a plain J2SE app anywhere a JVM will run. But C# has first-class OS and API support. Java used to, almost, sort of, on the Mac. Now it doesn’t. Java has been deprecated on the Mac. The rationale was, Mac developers should use Cocoa.

    I agree. Cocoa is a better programming environment than Java. But it’s less secure.

  • Chris Pepper

    November 21st, 2006 1:00 pm

    Thomas,

    I got here from Securosis, and have to go a bit farther than Rich, regarding confusion between XP and Vista.

    At one point above, you say “The Win32 API is over a decade old and is well understood by attackers.”

    Later, you say “The Win32 address space is randomized, so that exploits with hardcoded addresses (read: virtually all exploits) have a negligible chance of succeeding.”.

    The first statement seems to apply only to XP — certainly the Vista changes are supposed to render the old attacks moot. The second statement (I believe) only applies to Vista; certainly address randomization isn’t 10 years old. You can talk about XP, or you can talk about Vista, but it’s cheating to cherry-pick attributes from both.

    “No it isn’t. Want an easy way to debunk that argument? Here you go: MacOS 9 sees a tiny fraction of the malware Windows does. But nobody seriously argues that OS 9, which doesn’t even have a secure VM system, is more secure than Windows XP.
    Want another? Solaris. Been around for over a decade. Hundred of published vulnerabilities. How much malware?”

    Umm, no. You’re talking about different things here. Mac OS 9 is much more immune to (secure from) network based attacks, because it runs almost no network services, and doesn’t even run a TCP stack when it’s not in use by default. To back it down even further, pre-MacTCP versions were completely secure from Internet attacks, even without any VM at all, because they weren’t Internet-accessible. VM matters more for local attacks, but much less for Internet attacks, than TCP/IP and services.

    “Gruber retorts, ‘[but] if Mac OS X is protected because it’s not primarily used as a server OS, then how do you explain Windows’s non-server security problems?’. Easy: exploits developed for Windows servers translate to desktop Windows.”

    No, most of the Windows exploits attack user behaviors and activities. All the Outlook stuff is pretty much desktop-only, not a port from the server environment; the browsing attacks are workstation attacks which may also apply to servers, but they’re not “developed for Windows servers”.

    “None of these technologies require end-users to purchase anything. They’re built into the operating system and the runtime libraries. Most of them are enabled by default. They address the same code flaws that MacOS X faces; why doesn’t Apple have them?”

    Well, no. The randomization at least, and I suspect several of the other technologies, require a new Vista purchase for almost all users reading your posting today, and perhaps a new PC (hardware vendors certainly hope so). For lots of people, Vista may be their most expensive software purchase…

  • Thomas Ptacek

    November 21st, 2006 1:44 pm

    Chris:

    Regarding your first point, “attackers understand Win32”: it’s not cherry picking to point out that if you can write Win32 shellcode for WinXP, or, for that matter, Windows 2000, you can write shellcode for Windows Vista. From Win2K to Vista there is vastly less API change than from OS9 to OSX.

    Regarding your second point, “the reason OS9 has less security incidents is that it has no network attack surface”, no. The overwhelming majority of Windows infections aren’t caused by serverside attacks; they’re the same vector on OS9 and Windows. So why doesn’t OS9 have malware proportional to market share? Also, you didn’t address Solaris, which has a HUGE network attack surface, hundreds of published exploits, and virtually no malware.

    Regarding your third point, “serverside attacks don’t matter because desktop infections come from user behavior”, you’re contradicting yourself. But I don’t strongly disagree. OSX doesn’t do much to mitigate those behaviors either. But attackers can still leverage shellcode from the server attacks, and the evidence is that they do.

    Regarding your fourth point, “ASLR is Vista-only”, I refer you to the chart in the subsequent post, which details the difference between XPSP2 and OSX. It’s still not a favorable comparison.

  • Michael Ströck

    November 21st, 2006 6:41 pm

    Thomas,

    All very nice and true. The problem is, every single line you have written is utterly irrelevant to the average user. How do you explain the exorbitantly low number (zero, for all practical intents and purposes) of OS X exploits that have ever caused damage to anyone’s machine?

    The fact is that nobody (including the virus and exploit writers, for God’s sake!) gives a damn about hypothetical windows security features. Tens of thousands of worms, viruses and other exploits do not lie. Microsoft until now has not gotten out of the hole they dug themselves, even with the support of a giant third-party industry that does NOTHING but clean up their mess after them. Try, if you will, to imagine the security landscape without Norton, Symantec, etc.!

    There are now probably around 15 million(?) OS X users in the world, 99% of them running without any sort of third-party protection, many of them running as an administrative account. Still, the number of actual malicious exploits in the wild is, to my knowledge, 1 or 2. If you only count exploits that do not require user error, it is ZERO.

    Please explain away that actual, measurable, security advantage OS X users have. Unless you can do that, your observations are not very interesting.

  • Samuel Herschbein

    November 21st, 2006 6:41 pm

    “…straight out of the Mac zealot playbook…”
    Good to know that you stick to the facts and don’t use hyperbole.

    “But nobody seriously argues that OS 9, which doesn’t even have a secure VM system, is more secure than Windows XP.”
    Secure VM *can* result in better security, but this isn’t a guarantee. It all depends on how tightly the OS controls how processes operating in secure VM access system resources.

    Solaris may have virtually no malware, but it has been the target of DOS attacks & other weaknesses in the TCP/IP stack.

  • Michael Ströck

    November 21st, 2006 6:51 pm

    Oh my God, I didn’t even see the “security through irrelevance” argument the first time I read this. For God’s sake, who is more likely to have several online-banking accounts and credit cards as well as a PayPal-Account? Who is more likely to have access to even more sensitive data on other peoples’ and his own web servers? Your granny with the crappy Dell, or the people with $3000 Macbook Pros and $6000 Mac Pros? Your “arguments” make zero sense. You even state that the prospective malware author can get the data from your grandma with zero effort? Huh? I thought it’s pretty secure?

  • BJ Nemeth

    November 21st, 2006 7:49 pm

    “As far as I can tell, there’s no “counter-meme” among Windows users that MacOS X is less secure than Windows, even though as of 2007 that may very well be the case.”

    It’s interesting that you point this out. While both sides (Mac fans and Windows fans) routinely declare their OS preference “better” than the other, why does only one side argue that it’s more “secure” against malware and viruses? A logical conclusion (supported by many Windows fans that I have spoken to over the years) is that Windows users concede that point.

    Your own words in the quote above support this. You said that next year, Windows “may very well be” more secure than Mac OS X. The implication of your words (subconsciously?) is that it would mark the first time in a long time — if not ever — that Windows had a more secure system.

  • Julian Bennett Holmes

    November 21st, 2006 8:27 pm

    Gruber may not be a security expert specifically, but as a Mac OS X expert who knows a ton about the OS, he’s a valuable source of information about security.

  • Thomas Ptacek

    November 21st, 2006 8:48 pm

    Michael Strock, I wrote 337 words on why malware incidents don’t correlate with operating system security, with 5 different arguments, and provided 3 counterexamples of operating systems with fewer outbreaks than OS X. Your comeback? “How do you explain the exorbitantly low number (zero, for all practical intents and purposes) of OS X exploits that have ever caused damage to anyone’s machine?”

    Please learn to read.

    Samuel Herschbein, you’ve chosen to argue on a security blog that protected memory is an optional security feature.

    BJ Nemeth, your argument that the industry is “conceding” the point that Windows is more secure is contradicted by the blog post you’re responding to. And I’m a Mac user!

    Happy for the Daring Fireball link. Come again!

  • Thomas Ptacek

    November 21st, 2006 8:48 pm

    BTW, Gruber caught a typo of mine in the title. Thanks!

  • jim.m

    November 21st, 2006 8:54 pm

    As a creative professional, I rely on my Mac to make a living.

    Apparently pundits rely on system insecurity to remain relevant.

  • Thomas Ptacek

    November 21st, 2006 8:58 pm

    That and exploit scripts.

  • Mark Grimes

    November 21st, 2006 9:17 pm

    “I agree. Cocoa is a better programming environment than Java. But it’s less secure.”

    To ensure we’re speaking the same language here, Cocoa is an api / class library that is written in Objective-C. All two people that used the Java Cocoa Bridge will probably really miss it though…

    Java has its own set of nightmares that are just as unwieldy. Such as you should not depend on package scope, not allow serialization/deserialization of classes, not allow cloneable, not consistently signing all your code (mix-n-match attacks) if the additional privileges are not needed… there is a long list to be frank, but primarily extensibility is bad when security is an issue, and I often get the same reaction from people when teaching Java developers secure programming — that no one is going to abide by the rules of secure coding or at least most of them. Just because Java is a language that should be impervious to buffer overflows (JVM aside) doesn’t mean it doesn’t have considerably high impact implementation constraints in order to produce secure code.

    “The Underground Hasn’t Ramped Up Yet
    The Win32 API is over a decade old and is well understood by attackers. The MacOS X APIs are not. There is a lag between the publication of the OS and security researchers, and a lag between research results and malware authorship.”

    In all fairness — what’s to ramp up? You have the most dynamic runtime on the planet in front of you (today), with mach_inject+mach_override / MethodSwizzling (available today). There are even how-to’s to develop SIMBL and InputManager plugins (also accessible today). The information is out there, but I think non-OSX developers are only really paying attention to familiar ground, the BSD subsystem (Darwin). But to say that Mac OS X APIs are not well understood doesn’t really paint an accurate picture at all.

    The public APIs are WELL understood and documented, Objective-C has been around for over 2 decades and you have a long list of tools you can use to reverse the private ones.

    It sounds like what you are saying may be true, but not for the reasons you describe. People are unfamiliar because they just haven’t taken the time, no? Maybe it has to do with this “low percentage” of users comparison… But you can’t quantify everyday computer users with those that know how to use computers… As was said countless times in OpenBSD — just because there are X number of times more Linux developers doesn’t mean there’s X number of times the people qualified to audit userland let alone the kernel.

    Objective-C has some additional elegance being a superset of C though. For instance, in objc you can send a message to nil (aka NULL) and you get back just that nil… you don’t need to constantly ensure you’re not passing NULL in the traditional sense of C and risk a null pointer dereference.

    Objective-C offers dynamic dispatch, dynamic typing, and dynamic loading, which as a whole is a foreign concept to many-other-language programmers. From a security standpoint, mach_inject+mach_override/Method Swizzling introduced a path to being able to inject code into another process/“subclass” any arbitrary method … again this is both dangerous and useful… tell me that tools like F-Script Anywhere (or the py equiv) are not entirely useful for debugging and RE’ing. And on that note it’s worthwhile to point out that a combination of otoole (yes ‘e’), otx, class-dump and sometimes code-dump makes pretty much any protection method written in objc at risk.

    “Any scheme accessed via Cocoa calls is vulnerable to attack via an InputManager” and “Public-key encryption systems may be especially vulnerable to replacement of the public key, unless it is obfuscated throughout the entire app”, which are clearly documented in discussion on CocoaDev:MakingSecureRegistrationCodes.

    The capabilities of doing stuff with closed source apps are by far more open to RE than I feel the bar is for other systems (no assembly required — no pun intended) — at least in a Cocoa context. Given this, no amount of secrecy Apple keeps about their private APIs is keeping people from getting under the covers with the OS… perhaps there are not enough OSX people in the security space, but this has nothing to do with the assets not being there to play with. See F-Script Anywhere for examples where debugging tools can surpass the capabilities of ivar enumeration via gdb. In F-Script’s case you can play with objects in memory as they are, and get out of the weeds a bit.

    There are quite a few points that are coming in Leopard which may not hit all the security features you bring forth in Vista, but offer alternative approaches to trust and validity, at least to a greater degree than inundating the user with dialog annoyances until he turns them off (to pick on a single instance of a Vista sore point with me). It’s not completely fair to compare an OS that has been out for 1.5 years with an OS that isn’t shipping yet (regardless of release candidate), but Apple does have at least a couple of mechanisms for raising the bar… I made this the last statement because there are obvious reasons (NDA) I cannot give supporting arguments.

  • Thomas Ptacek

    November 21st, 2006 9:46 pm

    Mark: Regarding the Cocoa/Java bridge: my point isn’t that it’s better than ObjC (it’s not). My point is that managed programming environments are first class citizens in Win32 and not (unless Apple is about to embrace PyObjC) in OSX. This point was important enough for security pundits to beat Microsoft over the head with when they announced how little of the first release of Vista would be managed.

    Regarding ramp-up: obviously you know lots about the Objective C runtime (so can you tell us how many statically placed function pointers we can overwrite with a dynamic, data, or stack overflow?). But most attackers don’t, because they cared less about it over the past 5 years than you do. There is less security research going on for OSX than for Windows.

    Regarding Vista vs. Leopard features: the Vista features exist. And I didn’t mention least-privilege users, so complaining about being inundated with dialog boxes is a straw man argument. Just tell me: will a heap overflow be trivially exploitable in Leopard? Because it won’t be in Vista.

  • BJ Nemeth

    November 21st, 2006 9:53 pm

    Mr. Ptacek — Perhaps I should have said that Windows users have conceded the security against malware/viruses in the past. None of my experiences/anecdotes (or that of people I work with/talk to) have been in Vista.

    I haven’t gone back to re-read Gruber’s relevant articles, but I don’t remember him attacking Vista. I believe he was comparing currently shipping OS versions, or comparable past versions (depending on the article).

    I hope that Vista is leaps and bounds more secure than previous versions of Windows. Even if that means that some of the malicious hackers out there migrate to OS X, and try to create the first true OS X virus. (As you probably guessed from my first post, I am a Mac user.)

  • Thomas Ptacek

    November 21st, 2006 10:10 pm

    OS X doesn’t have less malware because it is more secure.

  • Larry Seltzer

    November 21st, 2006 11:02 pm

    I didn’t want to make too much of the point about Java. I just hadn’t heard about this specific decision for OSX. I certainly appreciate Thomas’s point about managed code in Windows. In fact, if you learn to program now for Windows you are usually steered into a managed environment, either in VB.Net or C# or Java. You can still write sucky code in these environments but you aren’t likely to make the system remotely exploitable. I must say I didn’t appreciate the lack of similar binding tools for OSX and it just underscores the whole point that nobody cares about it; on Windows 3rd parties would write tools to make managed code first-class code if Microsoft weren’t doing it.

  • Chris Betancourt

    November 22nd, 2006 12:14 am

    How amusing that you fail (refuse) to answer Michael Ströck and instead reply with an insult. He states a fact. OS X exploits in the wild are nil despite 15 million users worldwide. None of your points really explain this; instead you try to point out how vulnerable OS X is despite that fact.
    Safety through indifference? I really hope you’re not naive enough to believe that. If OS X really was as vulnerable as your poor Granny’s Windows, something would have come up by now, but then again, you acknowledge it is not. Macs are much, much more visible targets than Solaris… but still nothing. I guess it must really annoy so-called security people like you that so many OS X users have no interest, with reason, in your Windows-centric field of work.

  • Thomas Ptacek

    November 22nd, 2006 12:47 am

    You didn’t even read the post.

  • Andrew Jaquith

    November 22nd, 2006 2:40 am

    Tom, I’m going to steer clear of arguing one side of this or the other. But I am confused about why you chose to spend 2000 words pointing out something fairly obvious, namely that Gruber’s got no mad skillz. I mean, your post was almost longer than TWO Yankee research notes, and almost as long as a report. Aren’t you guys supposed to be shipping a product or something? ;)

    On the subject of cherry-picking from future OSes, here’s a Leopard cherry I am particularly interested in: Mandatory Access Control, taken from TrustedBSD. That’s a confirmed feature in 10.5. I am very curious to see how this will work in a mainstream operating system; e.g., what they lock down, and where they cut corners for the sake of usability. I’ve heard rumors about ASLR also.

  • Donnie Brasco

    November 22nd, 2006 7:02 am

    Ptacek is right. I’m not an eWeek reader but I have read about my fair share of FUD while traversing the internet. And Gruber sounds like another FUD spewing machine.

    It’s a pity that this argument cannot be resolved in more layman’s terms. It might reduce the amount of “smugness” in most Mac users. I’m a Mac user, I recommend it to all my friends but realistically why we enjoy so much “security” is because we’re under the radar.

    Of course MacOS does provide certain features that reduce the ability for malware to propagate, but it’s really the small number that is in our favor.

    Here’s an idea: perhaps a “month of Mac vulnerabilities” should be organized. Not necessarily to provide grist for enterprising attackers, but to provide an avenue to actually throw some spotlight on the MacOS security research effort - it would also make a fairly decent go-to area for restricting the statements of the unpublished i-know-a-lot-about-security-from-my-soapbox experts.

  • Donnie Brasco

    November 22nd, 2006 7:25 am

    Ok. Now I read the Gruber article. That’s really, really embarrassing. How do people go about showing their ignorance in this field with such impunity?

    I really suggest (if he is able to grok it anyway) he read chapter 3 of Peter Szor’s The Art of Anti-Virus Research and Defence. Szor talks a lot about the dependencies that you need to get any malware rolling on any platform. There’s always the critical mass issue. IMHO Mac does not have a critical mass of large enough quantity to make malware development worthwhile.

    The economic perspective is also a very valid argument. Malware writing is like a business, complete with a cost-benefit ratio. I wouldn’t write one where I know my chances of impact are low. Besides in today’s world where there’s a whole lot of malware written for profit, your “business manager” would probably slap you upside the head if you started harping about writing malware for a low penetration platform.

    Gruber should realize that there is active research going on MacOS security. Even Matasano has produced some work on vulnerabilities on this platform. It’s easy to predict that as MacOS gains critical mass (from more users) they will lose their “halo effect” to more determined efforts to circumvent their security. Anyway in a few years his smugness will be satisfied - beyond the SecureWorks incident.

    Even when the emperor is wearing no clothes - the subjects have to remove their glasses.

  • Michael Ströck

    November 22nd, 2006 7:43 am

    Thomas,

    Of course you can continue accusing people of being unable to read, but it won’t help your argument one bit. Occam’s razor applies to security issues too, you know. Basically, there are two theories:

    1) It’s harder to write effective and self-propagating or user-propagated malware for OS X than for Windows.

    2) Malware writers just don’t care. Even though all it takes is one guy in his parents’ bedroom, nobody has ever really tried.

    I hope you realize why people do not really buy this argument. It has nothing to do with the security features of either OS. The reality is that OS X right now is more secure than Windows for the average user. That is an incontrovertible fact and that is all I am trying to say.

    Nobody is saying that OS X is the panacea to all our security-woes, just see this project for example: http://kernelfun.blogspot.com/

    They bring up some very real issues. I tried all of the three kernel panic problems they published and filed the crash reports with Apple for them. I expect them to get fixed way before anybody writes a workable exploit for them that does anything but crash the machine after the user clicks on the file.

  • Rob

    November 22nd, 2006 9:14 am

    I think you’re confusing theoretical security research (which is a technical speciality in which Gruber is no expert) and computer security in practice, which involves at least as much human interface and community/environment issues as it does technical detail. I don’t keep my valuables in a safe and my door lock is not a pick-resistant seven-cylinder mushroom-pin Rabin (making me less safe than others), but I do live in a safe area and a community where any stranger would be a point of interest. I really am “safer” than someone living in a high-crime, weak-community area, despite technical arguments about my safe or lock.

    My point is that Gruber’s security commentary seldom focuses on “technical” arguments, although they are mentioned where they are relevant. The Mac is a low-crime area, which makes it a safer security environment than Windows (at least in terms of malware), and the Mac community’s outright intolerance of all types of malware makes the policing *much* better.

  • Thomas Ptacek

    November 22nd, 2006 11:17 am

    Either you think “it’s harder to write effective self-propagating code for OS X” is a simpler argument than “Windows malware authors don’t care about the Mac”, or you don’t know what Occam’s Razor is. Either way, you haven’t convinced anyone of anything.

  • Thomas Ptacek

    November 22nd, 2006 11:19 am

    Andy: MAC and privilege revocation is better than the C runtime arms race, and perhaps tied with managed code, in terms of security value.

    If Apple ships an OS with pervasive least-privilege at the system call / OS subsystem level, they’ll have something to brag about again.

  • Donnie Brasco

    November 22nd, 2006 3:43 pm

    @Rob,

    Well, as Apple’s market share improves, we’re going to be moving into the high crime areas. So it’s appropriate that these issues start getting out into the open - so that they can get resolved before the “Windows Fanbase” starts knocking.

    All the mistakes that Microsoft made have been openly scrutinized and discussed time and time again - a benefit for them because now that Vista’s out, it seems (at least they tell us) that they have learnt from the situation - and they may possibly have an advantage over Apple’s operating system. Time will tell in this regard.

    The issue at hand really isn’t that Mac OS is secure or insecure. It’s just the fact that people who ideally should be educating themselves about the situation, people who allegedly have a far greater reach with the public than this blog probably has, people who could be the conduit for informing and educating their readers about what to do to protect themselves from nasty things happening, are quick to downplay the (verifiable) work done by others who are quite reputable in this field - with arguments that really aren’t very strong. Not only is that annoying, it’s downright disturbing.

    And obviously the author of the post, who himself has made some contribution to the field, is upset about the situation and pointing it out for all to see.

    The events that can lead up to a first big incident are already sliding into place and it would be nice to ensure that we’re still in the old neighborhood we’re used to. That’s really the goal of all this work that’s being done - after all, an early warning is better than a late surprise.

    I might also add that the first few chapters of Szor’s book aren’t really that technical and so you can pretty much get a useful exec summary from there. So I don’t really see an excuse not to go through it.

  • Buster

    November 23rd, 2006 10:07 am

    So many people spewing about Occam’s Razor and what not - let’s blow all the smoke out of the room -

    Point me to *one* hunk of code which will infect my Mac (no local hijinks, strictly download or web page, please!) without my knowledge, permission, or awareness *and* cause me to lose data *and* replicate itself to other Macs.

    Short of producing this code, the Mac is absolutely more secure, because there are bits of code out there for Windows for which the above is very real. Either someone can come in via the internet and tap dance all over my Mac, or they cannot. I don’t care about theories, I want fact. I don’t care about potential, I want reality. If you can’t do that simple thing, then like it or not, you have lost the argument about which is the more secure system.

    And let’s pooh-pooh this notion that there is no payoff in malware for the Mac. The first person who successfully does to the Mac what happens to PCs on a daily basis will be a household name overnight. The first person to write a Melissa for the Mac will enjoy celebrity akin to being a rock star. If that isn’t a powerful incentive, I don’t know what is. Seems to me there’s millions sitting on the table waiting to be grabbed by the right person.

    If the Mac is less secure than Windows, then pony up the code, boys. Fame and fortune awaits the first to do, not to say. If there isn’t any tangible real-world proof, the reality is the Mac is more secure. That is the evidence at hand, and anyone who wants to be taken seriously must admit it.

  • Thomas Ptacek

    November 23rd, 2006 11:31 am

    If you had read the actual post, you’d see that you took 5 paragraphs to repeat my conclusion, which I managed to say in 2 sentences. You also failed to address any specific point I made in the post. But I’m glad you feel better now.

  • Buster

    November 23rd, 2006 1:08 pm

    Tom,

    If you had read the actual post, you will see that I didn’t address you. I am now. Notice the difference? That would be the reason I said “So many people” at the start of my post, instead of saying “Tom,”. See? Just like that.

    But I am glad you feel better now.

  • Thomas Ptacek

    November 23rd, 2006 3:44 pm

    Who are you talking to?

  • Michael Ströck

    November 23rd, 2006 6:39 pm

    “Either you think “it’s harder to write effective self-propagating code for OS X” is a simpler argument than “Windows malware authors don’t care about the Mac”, or you don’t know what Occam’s Razor is.”

    Uhh, yes I do think so? It takes some pretty convoluted logic to assume that absolutely friggin’ nobody cares about a mainstream OS _at all_.

  • Thomas Ptacek

    November 23rd, 2006 7:37 pm

    I didn’t say “absolutely friggin’ nobody”, Mac Zealot. I said “Windows malware authors”.

    Before you write your next comment, will you try to answer in your head the question, “Who am I trying to convince with these messages?”

    If you’re just writing to make yourself feel better, well, God bless you. But if there’s some objective to this, rethink your tactics.

  • Ben Hoskings

    November 24th, 2006 2:53 am

    “Either you think “it’s harder to write effective self-propagating code for OS X” is a simpler argument than “Windows malware authors don’t care about the Mac”, or you don’t know what Occam’s Razor is. Either way, you haven’t convinced anyone of anything.”

    You shouldn’t use such a rude, condescending tone. In general, that is—but especially when you’re wrong.

    Occam’s razor is often interpreted as ‘the simplest theory is usually the right one’. That doesn’t mean “the theory that can be described in a shorter sentence”; it means the one that requires the least number of assumptions and external conditions.

    There are, in effect, no Mac exploits. This could be because

    a) Writing Mac exploits is completely impossible,
    b) Writing Mac exploits is sufficiently harder than for Windows machines that no one has done it;
    c) Writing Mac exploits is comparably easy to or easier than writing Windows exploits, but no one has done it anyway.

    Option (a) is reserved for the zealots. The argument is between (b) and (c).

    Occam’s Razor supports argument (b), because the only condition it requires is that Mac OS X is a sufficiently hard cracking target. Option (c) requires the complex and dubious condition that the hackers of the planet unanimously choose not to target it, despite the obvious gains (not to mention headlines) that would ensue.

    But I think the point that most of us are trying to make is, sure, we’re pretty confident that (b) is the correct argument. But in the end, whether it’s (b) or (c), or indeed (a), or something else entirely — who cares?

    The point is, as Gruber said, “for whatever reason”, at present, Macs simply do not get hacked. Windows suffers a constant onslaught, bad enough that a fresh, vanilla install is often owned in a matter of hours of being connected to the web, whereas I’ve NEVER done any security maintenance on any of my Macs, and I’ve NEVER had, seen, or heard of even a single piece of Mac malware. Microsoft is the world’s biggest and richest software company, and yet in five years of WinXP exploits, they’re only beginning to fix the problem. It’s not just a swing in Mac’s favour, it’s completely and absolutely black and white, night and day.

    Maybe that’s just because there are more Windows machines around. I seriously doubt it, and I don’t think that it’s a position that can be logically supported. But even if it were, what we’re trying to say is that the cause isn’t really relevant here.

    The proof is in the pudding.

  • Thomas Ptacek

    November 24th, 2006 12:22 pm

    It’s amazing how many sentences you can spend trying to “deduce” the fact that Macs are more secure without citing a single technical detail. You, also, have not read the post you’re commenting on.

  • Slartibartfast

    November 25th, 2006 8:38 pm

    It’s amazing how annoying you are

  • Thomas Ptacek

    November 25th, 2006 9:29 pm

    And yet, somehow, irresistible.

  • Eric Hall

    November 27th, 2006 2:00 am

    I’m quite clear that there is malware for Mac OS X out there, and that we’re going to see more of it. I’m actually a bit surprised we haven’t seen a real virus/worm yet (I figured we’d have seen one by this last summer).

    p.s. for those of you who aren’t in the security space, why are you arguing with people who have been doing security work for a long time? It’s like telling cryptographers that you can brew your own crypto algorithm that is ‘unbreakable’, or telling a karate black belt you can hit harder than she can, just ’cause you’re futzing with it on the side. Either way you’re going to lose.

  • Majo

    February 27th, 2007 1:53 am

    I don’t know about the technical details you presented. Anyway, here are my additional thoughts on why there are many fewer viruses on Mac.

    To know why, one has to step into the mind of the malware creator. Why would I invest my time to write a malware knowing

    1) It will propagate slowly: the chance to hit another Windows is 50-1 compared to Mac. The chance to infect the 3rd computer (from the 2nd infected one) is 250-1 in favor of Windows. Do the math and one can see why it makes no sense to plant a spyware/ malware/ virus on a website to target Mac users.

    2) Would be stopped before it reaches the mass to make the noise. Apple and Mac community have enough force to combat a few pundits. Compared to Windows, there are just too many of them for MS to catch up.

    3) Nobody will pay me.

    4) It will not give me instant fame (as somebody suggested). It will not cause any company, or financial institutes to shutdown (which guarantees me an instant headline). The worst it can do? Somebody can’t turn on their Mac. The world still goes on.

    5) Windows based computers are cheaper than Mac. I can get a pirated copy of Windows, a $200 bare bone computer and start playing with my malware “product”. I am not gonna spend $3000 on a slick looking Macbook and try to kill it.

    6) I get more “support” from the Windows virus creation community. :D Again, this has to do with the user base.

  • […] Because he doesn’t know anything about computer security. […]

  • Switcher

    April 20th, 2007 9:44 pm

    Are there any decent articles for decent OS X security practices?

  • […] In November 2006, the guys at Matasano Chargen Security Group posted a not altogether friendly critique of the blogger-par-excellence John Gruber’s security blogging. […]

  • Mortimer Plantagenate

    May 18th, 2007 2:16 am

    Mr. Ptacek, I envy your fight and humor. Back when this first was posted it seemed quite the hatchet job. It was a worthy cause and I hope the net respect for your views has grown as a result, I think it should. Your kung fu is remarkably strong, I’ve yet to see someone other than 37s really exploit home field advantage as effectively. Cheers
