1 / 29

Mac OS X Security or: How I learned to stop worrying and love NeXT

Mac OS X Security or: How I learned to stop worrying and love NeXT. Bruce Potter <gdead@shmoo.com>. Who is this guy?. Don’t believe anything I say Co-author of Mac OS X Security (New Riders) and 802.11 Security (O’Reilly) Founder of The Shmoo Group

Download Presentation

Mac OS X Security or: How I learned to stop worrying and love NeXT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Mac OS X Securityor: How I learned to stop worrying and love NeXT Bruce Potter <gdead@shmoo.com> CHUUG

  2. Who is this guy? • Don’t believe anything I say • Co-author of Mac OS X Security (New Riders) and 802.11 Security (O’Reilly) • Founder of The Shmoo Group • Currently a software security consultant at Cigital (www.cigital.com) • Former AKLUG member CHUUG

  3. Generic Host Security • Initial configuration • Focus of many books • Requires moderate amount of understanding • Varies based on application • Secure administration • Things can go seriously wrong post-deployment • Responding to incidents • OS-specific triage and forensics • Very deep understanding required • I’m skipping basic UNIX security CHUUG

  4. Config - Inside Out • Start at the host-level, work out towards the enterprise • Need building blocks to create a broad security stance • Lab environments • Streaming servers • NT replacement • Don’t forget… OS X Client is different from OS X Server • Apple controls all hardware CHUUG

  5. Which Filesystem to Use? • UFS - UNIX FileSystem • Standard issue UNIX FS we all know and love • HFS+ - Hierarchical FileSystem+ • Replaces original HFS - legacy Mac OS • Resource forks • Required for Mac OS 9 • Applications must be both HFS+ and UFS aware if both are used on same host CHUUG

  6. Note on Filesystem Structure • /etc, /usr, /var are there… • /Applications - system wide apps • /Library - plug-ins, libraries, resources • /System - core OS • /System Folder - OS 9 (if installed) • /Users - your home dir • You may also have Applications, Library in your home dir CHUUG

  7. Open Firmware • BIOS-ish, but based on open standard • Password protection for boot • Password protection for modification • Controls boot media • Access via nvram command or a contorted boot keypress • Not immune to attack CHUUG

  8. Booting • OS X is a BSD at heart • But Apple on the outside • Normal boot process gives way to Apple-isms • Aqua for the UI… totally not an X server Kernel -> mach_init -> disk stuff -> rc scripts -> Apple land • Kernel extentions… and lots of them • Network devices, non-native FS’s, etc… CHUUG

  9. Security You Can See • LoginWindow • Constantly running process to control access to terminal • Spawned by windowserver • Screen can be “locked” by loginwindow • Hokie, eh? • Don’t trust it CHUUG

  10. User Security - Keychain • Password store for websites, disk images, etc.. • A master password controls access to keychain • Application must be password aware • Selected passwords can be automatically decrypted CHUUG

  11. CHUUG

  12. User Security - Encrypted Vols • Encrypted volumes via DiskCopy • Did someone say “non-intuitive”? • DiskCopy can be used to create disk images • .dmg files which when launched are mounted • AES-128 to protect the image • Password can be stored in keychain • Great for mail, customer documents, etc • Not as transparent or flexible as Windows encryption • However, very portable CHUUG

  13. Net Security - Firewall • Uses standard ipfw firewalling • Powerful • Slaps on the simplest UI ever • TCP only.. All UDP is dropped except for replies • TCP/UDP is all there is, right? • In the Sharing Preferences Pane • Best to just use the command line and your own rc scripts CHUUG

  14. CHUUG

  15. Net Security - VPN • IPSec implemented in kernel • Controlled through racoon and setkey • *BSD zealots are familiar with this • NO GUI! • PPTP is the native VPN protocol • Controlled through InternetConnect • Worst program ever • Simplest program ever CHUUG

  16. You’ve done IPSec configs, right? CHUUG

  17. Net Security - Wireless • Airport wireless • WEP, LEAP, etc… • No clear way to do MAC filtering • Bluetooth • Pairing, encryption, and authentication support CHUUG

  18. Net Security - File Sharing • OS X wants to play nice • Apple file service for other Mac’s • SAMBA for Windows users • NFS for UNIX folks • Each has its own security mechanisms • The GUI’s try and prevent you from resharing • Transitivity issues • AFS can be tunneled through SSH natively • Others can be “forced” CHUUG

  19. Net Security - Servers • All the servers you’re used to • SSH • Apache • Sendmail • FTP • Two words of advice • Do NOT use their GUI’s • chroot everything you can CHUUG

  20. Enterprise Security - Kerberos • We all use Kerberos, right? • Shocking amount of kerb integration • ftp • Afp • Mail.app • LoginWindow • Telnet • Mac Manager CHUUG

  21. Enterprise Security - NetInfo • Forget the standard /etc/[hosts,passwd,shadow,group] • Though some apps still use them… they exist • A tree-based, distributed database • A throwback from NeXT • Why, yes, it does smell a great deal like Active Directory • ni* tools can do nasty things… dump crypted passwords for instance • chown these out of existance if you can CHUUG

  22. Enterprise Security - Rendezvous • No-configuration networking • Uses Link Local addressing • So THAT’S what 169.254 is • Service and host discovery via multicast • Now you have TWO nameservice mechanisms for IP… hope you or the OS doesn’t get confused • Finally, a “secure” IM • iChat can use rendezvous… at least it doesn’t transgress your firewall CHUUG

  23. Secure Admin - SoftwareUpdate • UI or command-line based • Remote, seemeless software updates… nice! • Originally there were no checksums on downloads • Apple got spanked by userbase • Now SHA-1 hashes available CHUUG

  24. CHUUG

  25. Secure Admin - NI Manager • And by “security” I mean complete lack therein • When managing NI domains, use a tunnel • PPTP or IPSec… whatever • Be sure to restrict permissions to NI Domain properly • Thankfully, Apple migrating to Open Directory CHUUG

  26. CHUUG

  27. Auditing • Still good old syslog and /var/log we all know and love • However, many apps and protocols need to have logging enabled • Check the Sharing PreferencesPane • Not much turned on by default • CrashReporter (if enabled) will dump really nice crash logs in /Library/Logs CHUUG

  28. Forensics • Mostly the same as FreeBSD • Kernel extensions • Mach-o binaries • Not statically linked, not dynamically linked • Linker called at runtime to determine dependencies and write binding information to binary • Called prebinding… changes checksums • Further invocations of binary use prebound info • Ctool - tool for checksumming and file stating • http://www.macsecurity.org/tools/ctool/ CHUUG

  29. Questions? • Besides Mac OS X Security consider: • Mac OS X for UNIX Geeks - O’Reilly and Assoc • Mac OS X Hacks - O’Reilly and Assoc CHUUG

More Related