
IX / XXIII / MMIII CHUUG

Mac OS X Security or: How I learned to stop worrying and love NeXT

Bruce Potter <[email protected]>


Who is this guy?

• Don’t believe anything I say

• Co-author of Mac OS X Security (New Riders) and 802.11 Security (O’Reilly)

• Founder of The Shmoo Group

• Currently a software security consultant at Cigital (www.cigital.com)

• Former AKLUG member


Generic Host Security

• Initial configuration
  – Focus of many books
  – Requires moderate amount of understanding
  – Varies based on application

• Secure administration
  – Things can go seriously wrong post-deployment

• Responding to incidents
  – OS-specific triage and forensics
  – Very deep understanding required

• I’m skipping basic UNIX security


Config - Inside Out

• Start at the host-level, work out towards the enterprise

• Need building blocks to create a broad security stance
  – Lab environments
  – Streaming servers
  – NT replacement

• Don’t forget… OS X Client is different from OS X Server
  – Apple controls all hardware


Which Filesystem to Use?

• UFS - UNIX FileSystem
  – Standard issue UNIX FS we all know and love

• HFS+ - Hierarchical FileSystem+
  – Replaces original HFS - legacy Mac OS
  – Resource forks
  – Required for Mac OS 9

• Applications must be both HFS+ and UFS aware if both are used on same host


Note on Filesystem Structure

• /etc, /usr, /var are there…
• /Applications - system wide apps
• /Library - plug-ins, libraries, resources
• /System - core OS
• /System Folder - OS 9 (if installed)
• /Users - your home dir

• You may also have Applications, Library in your home dir


Open Firmware

• BIOS-ish, but based on open standard
• Password protection for boot
• Password protection for modification
• Controls boot media
• Access via nvram command or a contorted boot keypress

• Not immune to attack


Booting

• OS X is a BSD at heart
  – But Apple on the outside

• Normal boot process gives way to Apple-isms
  – Aqua for the UI… totally not an X server

Kernel -> mach_init -> disk stuff -> rc scripts -> Apple land

• Kernel extensions… and lots of them
  – Network devices, non-native FS’s, etc…


Security You Can See

• LoginWindow
  – Constantly running process to control access to terminal
  – Spawned by windowserver
  – Screen can be “locked” by loginwindow
  – Hokey, eh?

• Don’t trust it


User Security - Keychain

• Password store for websites, disk images, etc.
• A master password controls access to keychain
• Application must be password aware
• Selected passwords can be automatically decrypted


User Security - Encrypted Vols

• Encrypted volumes via DiskCopy
  – Did someone say “non-intuitive”?

• DiskCopy can be used to create disk images
  – .dmg files which when launched are mounted
  – AES-128 to protect the image

• Password can be stored in keychain
  – Great for mail, customer documents, etc
  – Not as transparent or flexible as Windows encryption

• However, very portable


Net Security - Firewall

• Uses standard ipfw firewalling
  – Powerful

• Slaps on the simplest UI ever
  – TCP only… All UDP is dropped except for replies
  – TCP/UDP is all there is, right?
  – In the Sharing Preferences Pane

• Best to just use the command line and your own rc scripts
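A minimal ipfw ruleset written as an rc-style script, added here as an example and not taken from the talk: it keeps the "TCP in only where you say so" stance of the Sharing pane, but states the UDP reply rules (DNS, NTP) explicitly and logs what it drops, which the pane cannot express. The SSH client range and the set of permitted services are constructed assumptions.

```shell
#!/bin/sh
# Added example: an ipfw ruleset for an OS X client, kept in a script so it can be
# reviewed and re-applied from rc instead of clicked together in the Sharing pane.
# Assumptions (constructed): only SSH is offered inbound, DNS and NTP go outbound.
IPFW=/sbin/ipfw                 # where ipfw lives on OS X; absent elsewhere
SSH_CLIENTS="192.168.1.0/24"    # constructed sample: the only range allowed to reach sshd

# Emit the ruleset one rule per line so it can be read (or tested) before loading.
# Rule numbers leave gaps so later rules can be slotted in without renumbering.
build_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 200 allow tcp from any to any established
add 300 allow tcp from $SSH_CLIENTS to me 22 in setup
add 400 allow udp from me to any 53 out
add 410 allow udp from any 53 to me in
add 420 allow udp from me to any 123 out
add 430 allow udp from any 123 to me in
add 500 allow icmp from any to any icmptypes 0,3,8,11
add 600 allow tcp from me to any out setup
add 65000 deny log ip from any to any
EOF
}

# Flush whatever the GUI installed, then load our rules. Only does anything where
# ipfw actually exists, so the script is harmless on a non-OS X box.
apply_rules() {
    [ -x "$IPFW" ] || { echo "ipfw not found; nothing applied" >&2; return 1; }
    "$IPFW" -q flush
    build_rules | while read -r rule; do "$IPFW" -q $rule; done
}

# Self-check: the explicit UDP reply rules (the thing the pane cannot show) must be
# present before the ruleset is trusted.
has_udp_replies() {
    build_rules | grep -q 'allow udp from any 53 to me in' &&
    build_rules | grep -q 'allow udp from any 123 to me in'
}

# Usage: sh firewall.sh apply   (as root, from your own rc script)
case "${1:-}" in apply) apply_rules ;; esac
```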


Net Security - VPN

• IPSec implemented in kernel
  – Controlled through racoon and setkey

• *BSD zealots are familiar with this
  – NO GUI!

• PPTP is the native VPN protocol
  – Controlled through InternetConnect
  – Worst program ever
  – Simplest program ever


You’ve done IPSec configs, right?


Net Security - Wireless

• Airport wireless
  – WEP, LEAP, etc…
  – No clear way to do MAC filtering

• Bluetooth
  – Pairing, encryption, and authentication support


Net Security - File Sharing

• OS X wants to play nice
  – Apple file service for other Macs
  – SAMBA for Windows users
  – NFS for UNIX folks

• Each has its own security mechanisms

• The GUIs try and prevent you from resharing
  – Transitivity issues

• AFS can be tunneled through SSH natively
  – Others can be “forced”


Net Security - Servers

• All the servers you’re used to
  – SSH
  – Apache
  – Sendmail
  – FTP

• Two words of advice
  – Do NOT use their GUIs
  – chroot everything you can


Enterprise Security - Kerberos

• We all use Kerberos, right?

• Shocking amount of kerb integration
  – ftp
  – AFP
  – Mail.app
  – LoginWindow
  – Telnet
  – Mac Manager


Enterprise Security - NetInfo

• Forget the standard /etc/[hosts,passwd,shadow,group]
  – Though some apps still use them… they exist

• A tree-based, distributed database
  – A throwback from NeXT

• Why, yes, it does smell a great deal like Active Directory

• ni* tools can do nasty things… dump crypted passwords for instance
  – chown these out of existence if you can


Enterprise Security - Rendezvous

• No-configuration networking

• Uses Link Local addressing
  – So THAT’S what 169.254 is

• Service and host discovery via multicast
  – Now you have TWO nameservice mechanisms for IP… hope you or the OS doesn’t get confused

• Finally, a “secure” IM
  – iChat can use rendezvous… at least it doesn’t transgress your firewall


Secure Admin - SoftwareUpdate

• UI or command-line based
  – Remote, seamless software updates… nice!

• Originally there were no checksums on downloads
  – Apple got spanked by userbase
  – Now SHA-1 hashes available


Secure Admin - NI Manager

• And by “security” I mean complete lack therein

• When managing NI domains, use a tunnel
  – PPTP or IPSec… whatever

• Be sure to restrict permissions to NI Domain properly

• Thankfully, Apple is migrating to Open Directory


Auditing

• Still good old syslog and /var/log we all know and love

• However, many apps and protocols need to have logging enabled
  – Check the Sharing Preferences Pane
  – Not much turned on by default

• CrashReporter (if enabled) will dump really nice crash logs in /Library/Logs


Forensics

• Mostly the same as FreeBSD

• Kernel extensions

• Mach-O binaries
  – Not statically linked, not dynamically linked
  – Linker called at runtime to determine dependencies and write binding information to binary

• Called prebinding… changes checksums

• Further invocations of binary use prebound info
  – Ctool - tool for checksumming and file stating
  – http://www.macsecurity.org/tools/ctool/
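A baseline-and-compare pair in the spirit of ctool, added here as an example and not ctool's own code: it records size and SHA-1 for every file under a tree and reports what was added, removed or changed. It assumes, as the slide implies, that the baseline is taken after prebinding has been brought up to date (Apple's update_prebinding of that era), so that prebinding itself does not surface as a change.

```shell
#!/bin/sh
# Added example: file baseline and comparison for a tree, in the spirit of ctool.
# Assumption: run the baseline only after prebinding is current; otherwise every
# prebound Mach-O shows up as "changed" even though nothing hostile touched it.

# Pick whichever SHA-1 tool this system has (sha1sum on Linux, shasum/openssl on macOS).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 1 "$1" | cut -d' ' -f1
    else openssl dgst -sha1 "$1" | awk '{print $NF}'
    fi
}

# baseline DIR: one tab-separated line per regular file: path, size in bytes, SHA-1.
# Size comes from wc -c because stat's format flags differ between BSD and GNU.
baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s\t%s\t%s\n' "$f" "$(wc -c < "$f" | tr -d ' ')" "$(sha1_of "$f")"
    done
}

# compare OLD NEW: print one line per difference, keyed on path. Paths present only
# in OLD are "removed", only in NEW are "added", and a size or hash mismatch is "changed".
compare() {
    awk -F'\t' 'NR == FNR { old[$1] = $2 FS $3; next }
        !($1 in old) { print "added:   " $1; next }
        old[$1] != $2 FS $3 { print "changed: " $1 }
        { delete old[$1] }
        END { for (p in old) print "removed: " p }' "$1" "$2"
}

# Usage: sh baseline.sh /usr/bin > base.txt   ...later...   compare base.txt now.txt
case "${1:-}" in
    "") ;;
    *) baseline "$1" ;;
esac
```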


Questions?

• Besides Mac OS X Security consider:
  – Mac OS X for UNIX Geeks - O’Reilly and Assoc
  – Mac OS X Hacks - O’Reilly and Assoc