OSX Deepsight Security Report

So I'm not a HUGE fan of SYMC these days - but I have to give them props for releasing this:

https://downloads.securityfocus.com/downloads/MacOSX_DeepSight_Report.pdf

It's a great look at the state of OSX today . . . it starts off by showing graphically that the vulnerability discovery rate for OSX is increasing, not decreasing, then it goes on to talk about the lack of prevalent malware for the platform, then it switches to a look at nefarious techniques miscreants can use to do things like spreading malware, infecting files and hiding from OSX admins using rootkit technology (and OLD rootkit technology at that; simple syscall hooking seems to be 'state of the art' on this platform!?!).  Finally - the paper takes a look at (fairly) recent security innovations that are showing up in competing operating systems and that are either not yet implemented in OSX or are being slowly implemented in the latest release (10.4).  A fairly interesting observation that I was unaware of (I am a Mac newb . . . worse than that actually - I've got a total of maybe 5 minutes seat time driving OSX) is that the OSX kernel is actually a hybrid of Darwin (Mach) and FreeBSD . . . think about this . . . instead of having one kernel to secure, you effectively have *two* (or at best parts of two).  Attack surface == more bigger. :)  This fact has apparently not escaped the notice of security researchers, who have taken advantage of it to bypass security afforded by one kernel but not implemented in the other.  Left hand - meet right hand.  (I am referring to Nemo's work using Mach system calls to perform operations that would not be allowed by the BSD securelevel restrictions, in order to break out of the restricted environment.)

The thing that struck me when reading this paper was how . . . in the beginning stages of security research and exploitation OSX really is. 
It's sssssoooooooo 5-7 years ago when thinking about Windows and where it was 5-7 years ago. 

Things that stood out for me were:

  1. The current architecture (x86) of the latest Macs is very well understood by security researchers and exploit writers alike, with an increasing number of 0-days having been publicly disclosed recently and many more widely believed to exist.
  2. The OSX heap manager is now pretty well understood by researchers and offers little to no security features to prevent exploitation / abuse (remember when heap exploits were near non-existent on Windows because its operation wasn't really understood that well?  Now they are quite common due to increased knowledge of how the heap works - understanding how something works is the first step in breaking it. :)).  Incidentally, the new heap manager in Vista has been reworked to improve its robustness in the face of attacks / exploit attempts.
  3. OSX 10.4 and earlier releases still don't appear to be compiled with any form of software stack protection (canaries / stack cookies etc.).
  4. OSX 10.4 has apparently tried to implement a form of no-execute protection for its user mode stacks when installed on Intel x64 equipped hardware - but it has been trivially bypassed (as NX / XD without ASLR often is <G>).
  5. OSX has no form of ASLR implemented (thus #4?).
  6. I didn't see any mention of exception dispatching on OSX or ways it may be possible to abuse it - so there probably doesn't exist any 'SafeSEH' counterpart in this OS yet.
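As an added illustration of the mitigations in items 3 to 5 (this is example code written for this post, not code from the report or from Apple), the script below reads the Mach-O header flags that later OS X releases use to record a position-independent (PIE) executable, an executable stack and a non-executable heap. The flag and magic values are taken from Apple's <mach-o/loader.h>; the PIE and heap flags were added to the format after 10.4, so a 10.4-era binary simply reports them absent. The sample headers are constructed inline, and the script does not check for stack canaries, which would require walking the symbol table.

```python
import struct

# Mach-O header magic values, from Apple's <mach-o/loader.h>
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit, native / byte-swapped
MH_EXECUTE = 0x2                                   # filetype of a main executable

# Header flag bits that record the mitigations discussed in items 3-5
MH_ALLOW_STACK_EXECUTION = 0x00020000  # stack explicitly made executable (NX off)
MH_PIE = 0x00200000                    # position-independent: a precondition for ASLR
MH_NO_HEAP_EXECUTION = 0x01000000      # heap pages marked non-executable


def audit_macho(data: bytes) -> dict:
    """Parse a single-architecture Mach-O header and report its mitigation flags."""
    if len(data) < 28:
        raise ValueError("too short to hold a Mach-O header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"  # e.g. a PowerPC binary read on a little-endian host
    else:
        raise ValueError("not a Mach-O header: magic 0x%08x" % magic)
    # Fields that follow the magic: cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    _, _, filetype, _, _, flags = struct.unpack(endian + "6I", data[4:28])
    return {
        "is_64bit": magic in (MH_MAGIC_64, MH_CIGAM_64),
        "is_executable": filetype == MH_EXECUTE,
        "pie": bool(flags & MH_PIE),
        "stack_executable": bool(flags & MH_ALLOW_STACK_EXECUTION),
        "heap_nx": bool(flags & MH_NO_HEAP_EXECUTION),
    }


def make_header(flags: int, is64: bool = True, endian: str = "<") -> bytes:
    """Build a constructed (not real) Mach-O header carrying the given flags."""
    magic = MH_MAGIC_64 if is64 else MH_MAGIC
    cputype = 0x01000007 if is64 else 0x00000007  # CPU_TYPE_X86_64 / CPU_TYPE_I386
    fields = [magic, cputype, 3, MH_EXECUTE, 0, 0, flags] + ([0] if is64 else [])
    return struct.pack(endian + "%dI" % len(fields), *fields)


if __name__ == "__main__":
    # Constructed sample: a 10.4-style executable with none of the mitigation flags set
    print(audit_macho(make_header(0x85)))
    # Constructed sample: a later build marked PIE with a non-executable heap
    print(audit_macho(make_header(0x85 | MH_PIE | MH_NO_HEAP_EXECUTION)))
```

On a real system, feed it the first 28 bytes of a thin Mach-O executable; fat (multi-architecture) files start with a different magic and would need the fat header skipped first.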

So after all was said and done and I had finished reading this report - I couldn't help thinking OSX is sooooo 5-7 years ago . . . even Windows XP SP2 and WS2003 seem to have many more mitigation technologies at work (software based stack protection of core system binaries, hardware NX support, safe structured exception handling, the beginning of improved heap management in WS2003) than the latest version of OSX . . . and Vista is taking things to the next level with a decent first stab at an ASLR implementation and improved heap security to make exploiting vulns that much harder or at the least less reliable - not to mention Patchguard in the kernel on 64bit SKUs.  OSX just seems so . . . so . . . Windows 2000 to me. :)

Which brings me to my final thought - is OSX doomed to repeat Windows' history in the coming years as it becomes more prevalent?  It seems to me after reading this report - that writing reliable exploits for OSX would actually be pretty trivial given the lack of mitigation technologies . . . and while it doesn't seem to be making great inroads in terms of market penetration (they're *still* stuck at 4% of the overall OS market but allegedly increasing at 24% year over year) if it does . . . I wonder to myself "What could *possibly* go wrong?"