Discussion of technology related issues emphasizing future technologies, Apple, and Google. We will focus on analysis and practical computer product previews and reviews.
Starting with 10.5, Mac OS X is able to differentiate between signed and unsigned applications and can provide different levels of access to each. This functionality is exposed now in the new application firewall. A related feature is obvious, when Leopard warns you the first time you run a downloaded application.
Here's Where Things Get Interesting The same system of code signing used by Apple for the iPhone could be applied directly to the Mac too. And the same system of iTunes distribution could be used for the whole application or simply for purchasing and delivering license codes. Optionally, Apple's existing "Software Update" system could be used to delivery the actual application files.
What if Apple decided to take this next step in computer security to maintain it's lead over Microsoft. They could implement a partially optional code signing system for Mac OS X. Signed apps would have full security privileges. Unsigned apps might generate a warning similar to a recently downloaded application until silenced. Or at the user's option, unsigned applications might not be allowed to run, or might be heavily restricted.
This would make it virtually impossible for trojans and most malware to get installed. And if the warning for unsigned apps repeated (say, daily, weekly, or monthly), it might effectively disable some malware simply by repeatedly asking for permission.
Apple can restrict the security privileges of their own software so that even exploits based on buffer overflows or other issues can be limited to specific security rights in a "sandbox". And a third party application's signature could limit it in the same manner.
I think this could be an elegant way to extend security without creating too much additional user inconvenience.
Leopard Application Firewall background here at Geek Precis:
All these fixes bode well showing Apple's quick response to issues raised by their users. I am still hopeful the application-based (socket) firewall will become a strong security asset to improve Mac OS X's reputation for security. Although I believe the traditional ipfw will need to play a role also.
I like the idea of a layered security approach where ipfw blocks things at a port and packet level, and Leopard's new socket firewall blocks things at an application level. (Of course a hardware firewall is still recommended for home network connections.) Combine this with a system that leaves unnecessary services off until needed and has few exploitable bugs, and you have a highly secure system with minimal inconvenience.
Fixed in 10.5.1
The firewall settings no longer refers to "Block all incoming connections", but calls it more accurately "Allow only essential services". This should go a long way to fixing the confusion caused by mislabeling this setting.
When "Set access for specific services and applications" is selected in the application firewall, the setting now functions properly when setting "Block incoming connections" on root processes. Previously, root processes were always allowed.
Processes launched by launchd previously were not affected by firewall settings changes until they were restarted. This caused applications to be unexpectedly exposed, and this was especially noticeable when changing settings and testing as many security expert did.
Not Sure
From Apple's 10.5.1 Release Notes:
"Addresses a code signing issue; third-party applications can now run when included in the Application Firewall or when whitelisted in Parental Controls."
This may refer to fixes for applications like Skype, World of Warcraft, and other apps that do their own integrity check. We'll see how things develop.
Open Issues Remaining in 10.5.1
Processes running as root still are allowed to accept incoming connections, unless specifically blocked. This will continue to be a sore spot, as it leave open the possibility of an exploit or Trojan running as root to go about it's business unhindered. An important thing to consider: any process running as root could change any settings it wanted.
ipfw is still not active, as it is running with only one rule (65535 allow ip from any to any).
There are a handful of issues or problems with the new Leopard firewall. Here's the short version:
Ipfw is still available, but basically does nothing and has no graphical interface.
The interface and performance of the new firewall do not match. "Block All" does not block all.
Leopard uses executable signing to "authorize" network traffic to certain services and applications. The signature data appears to be added to the actual binary, and some apps do not like to have their binaries modified and fail to run after failing a checksum or hash check.
Apple has provided no information (that I'm aware of) to explain what is going on and why.
ipfw The previous firewall is still installed and running. It just doesn't appear to be used for much. Anyone interested can still use it. I believe it is still operating at the port layer below the sockets layer, where the new application-based firewall appears to be running.
If desired, ipfw can still be configured via the terminal or a GUI utility such as WaterProof.
Leopard's New Firewall Performance As you probably know, Leopard's new firewall does not do exactly what it says it is doing in the GUI. I discussed this previously and you can find additional details all over the Net.
When the new firewall says it is blocking everything, it is not. Certain "privileged" traffic is still allowed. This is cause for concern, because some future exploit might find a way to take advantage of this functionality to secretly allow traffic to/from itself. Only time will tell how secure this actually is.
Application Signing In order to increase security, Apple has implemented application signing. Apple's applications are cryptographically signed, and 3rd party ISV's can sign theirs too. This is intended to ensure both the integrity and identity of applications.
Some applications do not like to have their executable changed and will fail is they detect this. Many online games do this check to prevent cheating, and Skype appears to do this also. There are reports that World or Warcraft and Skype both fail, due to this modification of their binaries.
Apple Has Provided No Information As far as I can tell, Apple has not had anything to say about the analysis and FUD flying around the Internet. Hopefully, they will explain things and maybe make some of the changes I've previously suggested.
Update: it appears Apple has posted some explanation confirming that ipfw is still running below the new firewall (via Securosis).
After all the discussion on the web concerning Leopard's new firewall, I wanted to do some testing in an attempt to better understand what was happening. I've divided my results and the related discussion into sections for easy digestion.
Summary Apple has made significant changes to how the firewall functions in Mac OS X 10.5 (Leopard). In an apparent attempt to tightly integrate the firewall with their applications and services of their new OS, they have added a proprietary firewall to provide different/additional functionality and flexibility. The previous firewall (ipfw) is still there and running, but not really doing anything by default.
I think things are not as bad as some articles have made it seem, but I think Apple should make some changes to fix both the perception and the reality.
How Leopard's Firewall Performs After reading everything I could find, I did some testing of my own. Here's what I found:
I started with a few basic services (File Sharing, Printer Sharing, and Remote Login) turned on in the Sharing preference pane. After testing that basic configuration, I turned everything off in the Sharing pane and disabled the sharing activated by my iLife applications to see how the firewall would respond with no user selected sharing active.
Leopard's new firewall does a few things that might be expected and a few that might be considered unexpected:
Expected
Allows any traffic associated active shared resources (as determined by the Sharing Preference Panel). This is what previous versions of Mac OS X did by default.
Blocks traffic destined for various "random" ports.
Unexpected
The default firewall setting is to "Allow all".
Allows any traffic associated with (signed) applications that have sharing activated (as determined by individual application UI's).
Allows certain system traffic (Kerberos and NTP).
Basically, Leopard's firewall allows traffic associated with sharing that the user has selected in the usual way, allows traffic destined for "trusted" applications (if requested by the user in the application's interface), and allows traffic you will not find anywhere in the firewall interface.
Any shared services (e.g. file or printer sharing) the user has activated will be allowed access, unless the user manually deactivates that service share or manually blocks it in the firewall. And some services used by the system will accept traffic under almost any circumstances. This is odd, and I'm not yet sure what the intention is here.
What Apple Has Done It appears to me Apple has added their own application-based firewall in a layer above the open source ipfw firewall (see below).
It looks like you can manually configure ipfw via the command prompt or use a GUI-based configuration utility (e.g. WaterProof) and restore the functionality that was previous exposed by the firewall portion of Tiger's Sharing pane. Ipfw is installed and running, but it appears to only have a single rule allowing any and all traffic. All the traffic allowed by ipfw would then pass to Apple's new firewall for further inspection. If a default configuration, Apple's firewall would be providing the only practical packet inspection and filtering; ipfw is there, but not really doing anything.
Why Apple Configured the Firewall This Way I believe Apple decided ipfw did not provide the kind of flexibility and integration with their applications that they wanted in order to produce an elegant, user-friendly OS. They wanted a solution that was tightly integrated with the services and sharing provided by MacOS X 10.5 and Apple's applications.
In what I hope is NOT a return to the mistakes of the "old" Apple, they decided to create a new firewall from scratch rather than using well-developed and mature open source solutions like ipfw. In the past, Apple has chosen to take the proprietary (sometimes incompatible) path, and I fervently hope this is not a sign they are returning to that behavior.
I can understand Apple's desire to create a firewall configuration process that is easy to use to most non-geek users. The previous setup was easily understood by people with some networking knowledge, but fairly difficult to understand by non-techies. And it was often the case that 3rd-party configuration utilities and Apple GUI were not compatible and would could not work together without resetting the ipfw rules to match the configuration of the last UI used.
And I think there might be other justifications for this change including the sharing and services (e.g. Back to My Mac) Apple is offering and plans to offer, and a desire to integrate with some of Apple's new security features (i.e. sandboxing, application signing, and tagging downloaded applications). Apple is not likely to announce any plans that might use this new functionality, at least not before they are released.
But in the end, I think Apple has done themselves a disservice from a public relations perspective. Prior to this, Apple was universally praised for being more secure than its Windows competition. The news surrounding the firewall changes, while maybe overblown, is conspiring with the recent announcement of a Mac Trojan to make Mac OS X's security look weaker.
While the perception will likely last, only time will tell if the technical performance is better or worse than ipfw in previous versions of Mac OS X.
Recommendations I recommend Apple do a few things to improve the situation:
First, Apple must get out on this story and explain in detail what has changed and why. Without doing this, it is too easy to speculate and create FUD. I cannot understand why they have not responded to the bad press during Leopard's launch.
Second, Apple should change the default behavior to set the firewall to "Block All Incoming". The user can then be notified if and when this setting needs to be changed.
After this they have a few options:
Apple could re-implement their application-based firewall as a control layer that works with ipfw to make the necessary changes instead of using a separate, proprietary firewall.
They could change the default rule in ipfw to block more incoming traffic that is not needed or wanted by any of the sharing features they appear to be so concerned about. At least this would close a few potential doors, while still allowing them to use their new firewall too.
They could provide an "advanced" mode and UI returning the firewall behavior to the previous configuration relying on ipfw and disabling the new firewall layer. This would give the advanced user the control he or she wants, although it might disrupt some functionality in the areas of remote access and sharing.
What I do not believe is a good option is for Apple to leave things alone and/or not change anything.
It boils down to a pair of misunderstandings: 1) the security analysts expect Leopard to follow the "traditional" model where the firewall is independent of the OS and related services, and 2) Apple chose to frame the UI with practically accurate, but technically inaccurate phrasing.
Honestly, It always struck me as the worst of both worlds to have a software firewall implemented to mimic an external hardware firewall in every way possible. I actually am excited about a software firewall taking advantage of the benefits of being software and being resident on the client. Hardware firewalls cannot "know" anything about the processes and services running on the client, but a software implementation can take full advantage of this data. This is a feature I always liked about other solutions like Zone Alarm, even if I was bothered by their constant badgering and sometimes opaque interfaces to make changes after-the-fact.
Most users don't think in terms of TCP ports and ACL's, and this fact is a more serious security threat than most technical implementations. By making security hard to use and/or difficult to understand, many "solutions" make it less likely that security features will be used or used properly.
In this case, the security analysts fail to properly take into account the target market for the software firewall and how it will be used in the vast majority of cases. Apple touts Leopard's new Application-based firewall and want to give non-advanced users a way to control the security of their Mac. And it appears to do just that.
But Apple failed to understand how imprecise (technically inaccurate) language makes the system look bad. If the firewall is not actually closed, it shows some degree of poor judgment to say it is closed in the UI. Even if it is "closed" for all practical purposes for the vast majority of users.
In the end, I predict that Apple will release a patch (probably buried in 10.5.1 or 10.5.2) that changes the language in the UI and more obviously allows an advanced user to revert to a traditional firewall. I also predict the security analysts will not make as big a deal out of these changes, when they are made.
Tagging Downloaded Applications Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent — telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.
Signed Applications Feel safe with your applications. A digital signature on an application verifies its identity and ensures its integrity. All applications shipped with Leopard are signed by Apple, and third-party software developers can also sign their applications.
Application-Based Firewall Gain more control over the built-in firewall. Specify the behavior of specific applications to either allow or block incoming connections.
Sandboxing Enjoy a higher level of protection. Sandboxing prevents hackers from hijacking applications to run their own code by making sure applications only do what they’re intended to do. It restricts an application’s file access, network access, and ability to launch other applications. Many Leopard applications — such as Bonjour, Quick Look, and the Spotlight indexer — are sandboxed so hackers can’t exploit them.
Apple's new release of Mac OS X (version 10.5 Leopard) contains some features aimed at reducing both the potential for a virus, trojan, or worm infection and also at reducing the speed f any outbreak. Part of the problems with the various Windows security problems has been not only the ease of exploitation, but teh speed at which the infection spreads. Fast moving outbreaks do not allow users or the OS and security vendors to react. If you can slow the spread, you can reduce the damage and stall for more time for a bug fix.
Tagging Downloaded Applications Protect yourself from potential threats. Any application downloaded to your Mac is tagged. Before it runs for the first time, the system asks for your consent — telling you when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.
This could be a great way to help slow the spread of any trojans or worms that need the user to install the application. Sounds like an extension on Safari's secueity features for application downloads.
Sandboxing Enjoy a higher level of protection. Sandboxing prevents hackers from hijacking applications to run their own code by making sure applications only do what they’re intended to do. It restricts an application’s file access, network access, and ability to launch other applications. Many Leopard applications — such as Bonjour, Quick Look, and the Spotlight indexer — are sandboxed so hackers can’t exploit them.
Apple seems to be limiting the potential damage if an exploit ever made it into the wild. By "sandboxing" some of the main network apps, it dramatically reduces the available vectors for remote infection or exploitation.
Library Randomization Defend against attackers with no effort at all. One of the most common security breaches occurs when a hacker’s code calls a known memory address to have a system function execute malicious code. Leopard frustrates this plan by relocating system libraries to one of several thousand possible randomly assigned addresses.
I'm glad to see Apple catching up to what Microsoft has in place here. Windows' numerous security flaws may have forced Microsoft's hand, but I think it is a very good sign to see Apple proactively making this change. Again, it reduces the potential for infection/exploitation as well as slows the spread of any outbreak.
