IX / XXIII / MMIII CHUUG
Mac OS X Security, or: How I learned to stop worrying and love NeXT
Bruce Potter <[email protected]>
Who is this guy?
• Don’t believe anything I say
• Co-author of Mac OS X Security (New Riders) and 802.11 Security (O’Reilly)
• Founder of The Shmoo Group
• Currently a software security consultant at Cigital (www.cigital.com)
• Former AKLUG member
Generic Host Security
• Initial configuration
  – Focus of many books
  – Requires moderate amount of understanding
  – Varies based on application
• Secure administration
  – Things can go seriously wrong post-deployment
• Responding to incidents
  – OS-specific triage and forensics
  – Very deep understanding required
• I’m skipping basic UNIX security
Config - Inside Out
• Start at the host-level, work out towards the enterprise
• Need building blocks to create a broad security stance
  – Lab environments
  – Streaming servers
  – NT replacement
• Don’t forget… OS X Client is different from OS X Server
  – Apple controls all hardware
Which Filesystem to Use?
• UFS - UNIX FileSystem
  – Standard issue UNIX FS we all know and love
• HFS+ - Hierarchical FileSystem+
  – Replaces original HFS - legacy Mac OS
  – Resource forks
  – Required for Mac OS 9
• Applications must be both HFS+ and UFS aware if both are used on the same host
Note on Filesystem Structure
• /etc, /usr, /var are there…
• /Applications - system wide apps
• /Library - plug-ins, libraries, resources
• /System - core OS
• /System Folder - OS 9 (if installed)
• /Users - your home dir
• You may also have Applications, Library in your home dir
Open Firmware
• BIOS-ish, but based on an open standard
• Password protection for boot
• Password protection for modification
• Controls boot media
• Access via nvram command or a contorted boot keypress
• Not immune to attack
Booting
• OS X is a BSD at heart
  – But Apple on the outside
• Normal boot process gives way to Apple-isms
  – Aqua for the UI… totally not an X server
Kernel -> mach_init -> disk stuff -> rc scripts -> Apple land
• Kernel extensions… and lots of them
  – Network devices, non-native FS’s, etc…
Security You Can See
• LoginWindow
  – Constantly running process to control access to the terminal
  – Spawned by windowserver
  – Screen can be “locked” by loginwindow
  – Hokey, eh?
• Don’t trust it
User Security - Keychain
• Password store for websites, disk images, etc.
• A master password controls access to the keychain
• Application must be password aware
• Selected passwords can be automatically decrypted
User Security - Encrypted Vols
• Encrypted volumes via DiskCopy
  – Did someone say “non-intuitive”?
• DiskCopy can be used to create disk images
  – .dmg files which when launched are mounted
  – AES-128 to protect the image
• Password can be stored in keychain
  – Great for mail, customer documents, etc.
  – Not as transparent or flexible as Windows encryption
• However, very portable
Net Security - Firewall
• Uses standard ipfw firewalling
  – Powerful
• Slaps on the simplest UI ever
  – TCP only… all UDP is dropped except for replies
  – TCP/UDP is all there is, right?
  – In the Sharing Preferences pane
• Best to just use the command line and your own rc scripts
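The "command line and your own rc scripts" approach, as an added example that is not from the talk: a small stateful ipfw ruleset that admits UDP replies per flow instead of the Sharing pane's blanket handling. The trusted subnet in LAN and the SSH-only service rule are assumptions to adapt per host.

```shell
#!/bin/sh
# Added example, not from the talk: a small stateful ipfw ruleset for an
# OS X host, meant to be called from your own rc script instead of the
# Sharing pane. LAN is an assumed trusted subnet; change it and the service
# rules to fit the host. Set IPFW=echo (or run with "preview") to print the
# rules instead of loading them.
IPFW=${IPFW:-/sbin/ipfw}
LAN=${LAN:-192.168.1.0/24}

build_ruleset() {
    $IPFW -f flush                       # start from an empty table
    # Loopback is unrestricted; loopback addresses arriving from the wire are spoofed.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny log ip from 127.0.0.0/8 to any in
    # Dynamic rules go first, so replies to connections we opened are admitted.
    $IPFW add 200 check-state
    $IPFW add 210 allow tcp from any to any established
    # Outbound traffic creates state, so UDP replies (DNS, NTP) come back in
    # per flow instead of the Sharing pane's blanket UDP handling.
    $IPFW add 300 allow tcp from me to any out setup keep-state
    $IPFW add 310 allow udp from me to any out keep-state
    $IPFW add 320 allow icmp from me to any out
    # Inbound services: only SSH, only from the trusted subnet.
    $IPFW add 400 allow tcp from $LAN to me 22 in setup keep-state
    # Everything else is logged and dropped (log lines only reach syslog
    # once net.inet.ip.fw.verbose is set with sysctl).
    $IPFW add 65000 deny log ip from any to any
}

case ${1-} in
    preview) IPFW=echo; build_ruleset ;;
    apply)   build_ruleset ;;
esac
```

Run it with `preview` to read the generated rules, and call it with `apply` from the rc script once they look right.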
Net Security - VPN
• IPSec implemented in kernel
  – Controlled through racoon and setkey
• *BSD zealots are familiar with this
  – NO GUI!
• PPTP is the native VPN protocol
  – Controlled through InternetConnect
  – Worst program ever
  – Simplest program ever
You’ve done IPSec configs, right?
Net Security - Wireless
• Airport wireless
  – WEP, LEAP, etc…
  – No clear way to do MAC filtering
• Bluetooth
  – Pairing, encryption, and authentication support
Net Security - File Sharing
• OS X wants to play nice
  – Apple file service for other Macs
  – SAMBA for Windows users
  – NFS for UNIX folks
• Each has its own security mechanisms
• The GUIs try and prevent you from resharing
  – Transitivity issues
• AFS can be tunneled through SSH natively
  – Others can be “forced”
Net Security - Servers
• All the servers you’re used to
  – SSH
  – Apache
  – Sendmail
  – FTP
• Two words of advice
  – Do NOT use their GUIs
  – chroot everything you can
Enterprise Security - Kerberos
• We all use Kerberos, right?
• Shocking amount of kerb integration
  – ftp
  – AFP
  – Mail.app
  – LoginWindow
  – Telnet
  – Mac Manager
Enterprise Security - NetInfo
• Forget the standard /etc/[hosts,passwd,shadow,group]
  – Though some apps still use them… they exist
• A tree-based, distributed database
  – A throwback from NeXT
• Why, yes, it does smell a great deal like Active Directory
• ni* tools can do nasty things… dump crypted passwords for instance
  – chown these out of existence if you can
Enterprise Security - Rendezvous
• No-configuration networking
• Uses link-local addressing
  – So THAT’S what 169.254 is
• Service and host discovery via multicast
  – Now you have TWO name service mechanisms for IP… hope you or the OS doesn’t get confused
• Finally, a “secure” IM
  – iChat can use Rendezvous… at least it doesn’t transgress your firewall
Secure Admin - SoftwareUpdate
• UI or command-line based
  – Remote, seamless software updates… nice!
• Originally there were no checksums on downloads
  – Apple got spanked by userbase
  – Now SHA-1 hashes available
Secure Admin - NI Manager
• And by “security” I mean complete lack thereof
• When managing NI domains, use a tunnel
  – PPTP or IPSec… whatever
• Be sure to restrict permissions to NI Domain properly
• Thankfully, Apple is migrating to Open Directory
Auditing
• Still good old syslog and /var/log we all know and love
• However, many apps and protocols need to have logging enabled
  – Check the Sharing Preferences pane
  – Not much turned on by default
• CrashReporter (if enabled) will dump really nice crash logs in /Library/Logs
Forensics
• Mostly the same as FreeBSD
• Kernel extensions
• Mach-O binaries
  – Not statically linked, not dynamically linked
  – Linker called at runtime to determine dependencies and write binding information to the binary
• Called prebinding… changes checksums
• Further invocations of the binary use prebound info
  – ctool - tool for checksumming and file stating
  – http://www.macsecurity.org/tools/ctool/
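Because prebinding rewrites a binary and moves its checksum, a baseline needs to know which binaries the runtime linker is allowed to touch. As an added example (not ctool and not from the talk), this script reads the 32-bit Mach-O header and reports whether MH_PREBOUND is set, alongside a POSIX cksum; fat/universal wrappers are not handled.

```shell
#!/bin/sh
# Added example, not from the talk and not ctool: read a Mach-O header and
# say whether MH_PREBOUND is set, so an integrity baseline can record which
# binaries the runtime linker is expected to rewrite. Handles the 32-bit
# header only (no fat/universal wrappers); flags is the seventh 4-byte word,
# at byte offset 24, in the file's own byte order.
MH_PREBOUND=16    # 0x10, from mach-o/loader.h

# Print the flags word as a decimal number; fail if the file is not Mach-O.
macho_flags() {
    f=$1
    case $(od -An -tx1 -N 4 "$f" | tr -d ' \n') in
        feedface) swap=0 ;;      # big-endian file (PowerPC)
        cefaedfe) swap=1 ;;      # little-endian file (magic reads byte-swapped)
        *)        return 1 ;;
    esac
    set -- $(od -An -tx1 -j 24 -N 4 "$f" 2>/dev/null)   # b1 b2 b3 b4
    [ $# -eq 4 ] || return 1
    if [ "$swap" -eq 0 ]; then hex=$1$2$3$4; else hex=$4$3$2$1; fi
    echo $((0x$hex))
}

# Exit 0 if prebound, 1 if a Mach-O that is not, 2 if not Mach-O at all.
macho_prebound() {
    flags=$(macho_flags "$1") || return 2
    [ $((flags & MH_PREBOUND)) -ne 0 ]
}

# One line per file: status, POSIX cksum, size, path. For prebound binaries
# expect the checksum to move when the linker rewrites binding info; for the
# others a changed checksum is a real modification.
report() {
    for f in "$@"; do
        rc=0; macho_prebound "$f" || rc=$?
        case $rc in
            0) st=prebound ;;
            1) st=not-prebound ;;
            *) st=not-macho ;;
        esac
        set -- $(cksum "$f")
        printf '%s %s %s %s\n' "$st" "$1" "$2" "$f"
    done
}

[ $# -gt 0 ] && report "$@"
```

Run it over the same binaries before and after a suspected change; only files reported as prebound have a legitimate reason for their checksum to differ.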