Apple's fruitless rootless security broken by code that fits in a tweet

Re: Not clear

What annoys me more than headlines and people trying to trivialise the problem, is that we have a security feature that fails to perform it's primary function.

What even annoys me more than people not being able to tell the difference between and it's and its (which by default will see some grammar or spelling mistake sneak into this post) is the black and white view some people deploy when it comes to security. There is no absolute answer here and I prefer root level + SIP well over just root.

It is a vulnerability? Yes, it renders SIP less effective than it ought to be so it needs fixing, like all weaknesses ever detected. But one element of risk is also the likelihood of it hitting your system, and the writeup omits a rather vital detail in this respect: what rights does that code need to have for it to do its evil deeds. How prevalent is this code in the software you obtain? How exposed are users who stick to app store and known sources? Has it been found in the wild?

THAT is the data you need. But hey, that would required doing actual *research*. You know, real journalism.

As for "it fits in a tweet": boohoo. So does "rm -rf *" - shock, horror, that even works on Linux!

Now go away and let me sleep.

Re: Not clear

But there's a massive difference between claiming to protect consumers and actually doing it.

Hang on a second - are you genuinely stating here that Apple does not protect consumers? As far as I can tell, they still offer the safest platform out there right now for people who are NOT experts or deep digging technologists. A bug has been found in SIP, fine, that needs fixing. But a Unix + SIP is still a level up from a Unix *without* SIP, unless you want to hold Apple to a different standard as the rest.

Their hardware is decent enough to annoy law enforcement, it's considerably less risky to install an app from their App Store than from any competition in both iOS and OSX and they actively work to even further their security. I can't call that "not protecting customers".

Your fake apology doesn't work either. You're not scrutinising, you are desperately seeking for faults to confirm a bias that is actually out of character for you. You're better than this. What's up?

Re: Not clear

@diodesign,

"Holy shit, some of you haven't read the article or understood it."

Oh come on, splutter splutter splutter (that's the cuppa tea gone south), how long have you been writing for El Reg?!?!? "Commentards on public forum fail to comprehend article shocker"?

Besides, it's theregister.co.uk, which means there's going to be a high background level of ironic humour, some of it possibly found in your own post :-)

Really we're just all playing nicely, nodding wisely, and gratefully absorbing the sage wisdom of this esteemed organ's journalistic output (sorry - getting all Private Eye there), and putting off the moment when we really do have to go and do the washing up. We are all really most very grateful :-)

Re: Not clear

1 billion active devices with only 13% marketshare???? Dream on...

Doors tyhgst mean there are 8 billion active Android devices?? Or are apple making shit up again ????

Re: OpenBSD Pledge?

SIP only exists because a home user will obediently type their password into anything. Now OS X always has come with a passwordless root user, to get root you use sudo -s and type your own password and if your user has admin privilidges you'll get it.

SIP isn't really necessary, what's necessary is an admin and a standard user with different passwords and a user which won't obediently type their password into anything that asks. Is that too complicated for the average home user? It seems so.

With SIP Apple is also saying they don't trust the root user or suid binaries. That is fixed by making sure OS binaries can't be exploited, not sticking a what is essentially a passwordless superroot user on top. It could be passwordless root users all the way up, it doesn't make it a particularly good design.

Pledge is a good way to defend against exploits, meaning a kernel will not allow an exploited binary to do something which in normal use it would never do anyway. They should incorporate it into OS X.

Re: They're so darn cute...

"Would start to worry if kid is actually 35, though."

Mine's only 20, but she's autistic, so... We'll check back in 15 years, agreed? ;)

Re: They're so darn cute...

Really? So why are you still online then? Give us your wisdom, oh great one. And by that I mean data generated by experience, by having been working on the topic yourself.

Indeed. While the original post might have been smirk-worthy, "hopeless" is not a useful evaluation.

Security has never been an achievable absolute. It's always been a matter of economics: push as much of the costs as possible from the system-functions-correctly side to the system-functions-incorrectly one. Some security measures are not very successful at that;¹ others are in fact counterproductive, increasing rather than reducing costs for "defenders" (i.e., legitimate uses of the system in question).

At this point, SIP, like other attempts to provide finer-grained superuser privilege in UNIX-like OSes, still looks like an overall win. True, the exploits detailed in the article are classic, well-known vulnerabilities (like trashing configuration files using the output of a privileged command). But SIP is low-cost for defenders: it's not complicated and couldn't have required much effort to implement, and it doesn't require anything from most users or developers. So if it blocks some generic or unsophisticated exploits, then it's paid for itself.

¹Like, say, the public X.509 hierarchical PKI, which is an enormously expensive system with bad failure modes, and which fails in major ways a few times a year, and in minor ones who knows how many times a day. It's a great example of terrible design.

Re: No magic bullet

I dunno, I think that root is enough, ...

It depends on the use case though. There are situations where the fairly course grained unix permission system just isn't suitable. For example, you may have a system where root needs to administer the actual computer, but you wouldn't want the root user to have full control over the system; for example you may have sensative information on there, which the systems administrator may not be authorised to read. In these situations you do need a permission system that can allow full control of the computer but not unrestricted access to everything.

The other problem arises that the other major OS that provides a decent hierachical fine grained permission system is NT, which unfortunatly got Windows grafted onto it (and all the historical baggage that came with it), and whilst, in theory, it has a much better more fine grained system for permissions, in reality it's complex and troublesom and very very easy to misconfigure; so many people simply don't bother. (Plus I suspect it's slightly broken as I've more than once had the 'effective permissions' dialog show me I should be able to access a file....)

The question "Why did Apple feel that root, administrator of the system, needed to be locked out"? Has not been answered.

Apple don't make 'computers' in the traditional IT sense, they make computers for consumers; and sometimes, in Apple's opinion (and I must confess having done many years of 'IT support' for friends it's an opinion I can sympathise with*), sometimes consumers need protecting from themselfs; whilst still being able to install software that requires system wide accesss.

If the person responsible for the system borks their computer or company server then that is something that they must deal with.

If the person responsible is a trained IT professional then absolutly, yes. But just as we let non trained mechanics drive cars, sometimes non IT professionals need or want to use computers. Apple is trying to minimise the amount of time these people spend calling Applecare, or negative fallout from the 'I didn't click on ANYTHING, it just BROKE' crowd. Had OSX been designed from the ground up it probably wouldn't have the concept of 'root' in the traditional sense, but it's an evolution of a 26 year old OS. (with it's roots much further back than that).

*Seriously; once had a friend who on finding an issue just started randomly deleting files in C:\WINDOWS that they 'didn't like the sound of'. It didn't fix the issue. :(

Re: No magic bullet

I suspect it's not preventing the actual physical user using root privileges conciously that has motivated the implementation of SIP.

The problem is that many processes run AS root just to do some everyday tasks. Privilege escalation is a necessary evil to get things done (and also, unfortunately, often done for no good reason other than laziness of the implementer).

Previously, when such a process was compromised and made to do the bidding of some Trojan, it could do anything. Now it can't.

If you really do require root access that includes modifying SIP protected areas, you can still get it, but 99.9% of users will never need this.

Re: No magic bullet

The question "Why did Apple feel that root, administrator of the system, needed to be locked out"? Has not been answered.

Three decades of UNIX security research begs to differ.

Look at research published by TRUSIX, Trusted Systems, many researchers in academia, etc, etc. Look at the rainbow books. Consider why no UNIX-like OS with conventional superuser ever achieved better than a B1 TCSEC rating.

Re: No magic bullet

The problem with your "user space limited permissions", is that all that auth processing is slow and the action limits mean you have to interact with additional services all the time.

Then you end up with the font system embedded in the kernel because it's quicker...

Along with everything else becoming a "driver" instead (again, kernel level), but still using user space configuration files and inputs. Unlikely to be some magical programming involved that makes your drivers immune to bugs/exploits that allow direct kernel level access to stuff. Malware running in your graphic cards memory/processor anyone?

If you want *real* security, don't use a consumer OS (or probably even consumer hardware), build your own and curate the whole stack.

Some of the UNIX variants have RBAC bolted on top, so they can support a "least privilege" model for SUID processes and the like, but it's pretty much unsupported by almost any software outside a few vendor provided binaries. Building a complex web of trust around your application, updating all the RBAC role files during install (as root, naturally!), wrapping all privileged syscalls with RBAC stuff, no-one can be arsed to do it. And even if you did, the number of people that would actually know what you had done and appreciate it would be minimal.

Re: No magic bullet

>Windows tokens are far more advanced than the Unix model and has catered for this type of security access checks from the start.

Your opinion. Repeat after me, UNIX had Kerberos before Windows.

>However, only Unix/Linux came up with the stupid idea of creating a deliberate hole in the model when they chose to elevate a single user (uid 0) to "god", by creating bypass code in every syscall to just let root through.

Ok, who is NT Authority\System on Windows, then ? STFU!

>> Thirdly, and this is where something like Apple's idea comes in, the kernel would lock root out from changing such storage on its own account; it would need to be authorised by a specific user, such as odf-admin for instance, to de-allocate odf storage.

>And that is where is Unix model fails. Big time. This is yet another SUID/setuid fiasco. A security model where you gain *extra* privileges from the process that you run is a deliberate (but *stupid*) security hole.

It is an option, however, I guess that as long as the program in question is safe to run ...

Re: Software updates

"All they've effectively done is create a super-super user."

In effect, they are trying to create an Enterprise-like structure, but for private end user machines, and making Apple the system administrator. That architecture is fine for businesses who own the machines, but private end users can't phone Apple (or get their bosses to do it) and raise Hell till an issue gets fixed.

I don't, however, expect Apple to change their entire business model just to suit people like me who are old fashioned and expect to be able to manage their own kernels. So long as I can buy a computer on which I can install a reasonable OS which is under my control, and a car which can't be updated OTA with new firmware, the rest of the world can do as it likes.

Re: The tree that flew.

You don't have to be particularly lazy to get fed up when nothing works and change permissions so that damn broken service can start working again.

To be honest it's more often a case of poor/no documentation and unfixed bugs that have caused proper use of group permissions to be a bit neglected. Although it is still very much in use.

Re: Hang on a minute

Users who machines are theirs, i.e.not company machines, have sudo so they can install applications and apply system updates. Those updates come from the repositories (in Linux) and the "Store" with Mac, Android and now Windows. The basic rule of thumb given to new Linux users is this; "Unless you are installing software, and YOU specifically went to the software manager/store to do it, when something asks you for your password be very aware, even suspicious, of why you're being asked for that information".

So far no-one has messed up their machine. Can it happen? Yes. Will it happen? Perhaps. The onus is on them.

Re: Hang on a minute

"Given how fast MacOS boots with an SSD then they might want to consider forcing more stuff to be done from a restart rather than trying to play security and convenience off each other."

You gotta be freakin kiddin me!

And how would things get more secure because the machine reboots before implementing the end-user's mistakes?

Looks like the Microsoft reboot-always mentality has gotten to your brains somehow.

Re: Hang on a minute

I disabled it because I wanted to downgrade ITunes. And this is an example for one of its flaws – they're trying to protect too much shit. ...

It wouldn't surprise me at all to discover that Apple's real agenda here is to create a protected enclave for DRM tools that even root can't violate. It comes as no surprise that iTunes is one of the things you can't manipulate with SIP running.

Re: now we're back to the DEC/VAX architecture :-)

Windows has all of this. Hell, the user with total access is even named the same (SYSTEM).

Look how well that worked out...

It's very hard to give _some_ administrative privileges without allowing any routes of escalation from there.

Besides, does malware really need admin nowadays? Look at all the ransomware etc. - they tend to hose you perfectly fine without even bothering to attempt escalating.

Re: Question

Thank you both. :) That's much clearer now.

Re: The 9 Billion Names of God

The trouble with microkernels is that everything has to go through it as the gatekeeper. Which breaks things like Direct Memory Access (seL4 is only verified secure when DMA is OFF), which is kind of important for high-performance tasks like graphics and low-latency networking. Which is why in the real world these kinds of drivers have to work close to the metal as a matter of necessity or they get choked. Which then brings up the dilemma of requiring a system that's BOTH high-security AND high-performance at the same time. Based on the current discussion where security and ease of use are on opposite ends of a sliding scale, it seems the only way to achieve the happy medium is with overkill specs.