OS X security model (I)

Posted on 02/11/2016, by INCIBE

Security measures in OS X have been incorporated into the operating system base, with functions added and improved upon as new versions are published. Together, these measures form a layered model that reinforces the basic scheme of traditional POSIX permissions and provides mechanisms covering various aspects of protection against security threats. Let’s see how this system works.

First line of protection: Quarantine and XProtect

OS X keeps files under special supervision by marking them with an attribute called “quarantine”. This feature has existed since OS X 10.5 (Leopard), and the attribute is assigned by certain applications when files are downloaded from the Internet.

– Quarantine feature for a file downloaded from the Internet using Chrome –

Marking a file with the quarantine attribute causes a notification to be shown, alerting the user that the file they are trying to execute was downloaded from the Internet.

– Warning when opening a file downloaded from the Internet in quarantine –

In addition, since Snow Leopard (OS X 10.6) Apple has included XProtect technology in the operating system; this is a rudimentary signature-based antivirus. XProtect maintains a plist file with information and hashes of known malicious software, which it uses to check files in quarantine. If the binary about to be executed matches any of the signatures kept by XProtect, the user is alerted and execution is blocked.

– XProtect alert –

The signature file is located at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist and looks as follows:

– Xprotect.plist malware register –

Both quarantine and XProtect are limited measures that can easily be bypassed: the quarantine attribute is not applied to all files but depends on the application that obtains them (e.g. curl from the terminal does not affix the attribute) or on the way they are obtained (copied from other storage media). Signature-based malware detection, for its part, is clearly a fairly unreliable method, since any small variation is enough to produce a different signature.

Passport to execution: Application signing and GateKeeper

Verifying signatures made with a registered, authorised Developer ID has become the main security measure Apple uses to determine whether or not an application is legitimate.

GateKeeper is the feature, present since OS X Lion v10.7.5, responsible for verifying that applications being executed are properly signed with a recognised certificate and have not been modified. There are three security levels that the user can configure:

  • Allow applications only from the Mac App Store (default option)
  • Allow applications from the Mac App Store and recognised developers
  • Allow all binaries to be executed (not recommended)

- Gatekeeper -

Although GateKeeper is a much more effective measure than quarantine and XProtect, it is only applied to files marked with the quarantine attribute, since, as noted, this is what flags a potential security risk. The attribute is affixed by the application that downloads the file from the Internet (Safari, Mail, Chrome, etc.) and not by the operating system, which leaves the application itself responsible. Consequently, if the application that obtains the file does not affix the attribute (e.g. curl or wget), GateKeeper will not verify the downloaded file.

When an application marked with the quarantine attribute is executed for the first time, depending on the configuration, GateKeeper may alert the user and request specific permission or a change in the configuration:

– Authorization from the system security preferences –

After the execution of an unrecognised application has been accepted, an alert is still issued warning that the file was downloaded from the Internet (in quarantine) and requesting authorisation to execute it:

– File in quarantine, com.apple.quarantine attribute. GateKeeper request –

Once express permission has been given to execute the file in quarantine, one of the attribute’s values changes, so that confirmation is not requested for later executions:

– After execution is authorised, a change in one of the values of the quarantine attribute can be observed –
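To make the attribute concrete, here is an added example (mine, not the post’s) that parses a com.apple.quarantine value into its fields and reports which flag bits differ between two captures, such as before and after the first authorised execution; the flags;timestamp;agent;uuid layout is the one macOS writes, the sample values are constructed, and read_quarantine is a helper name I chose.

```python
# Added example (not from the original post): parse the com.apple.quarantine
# extended attribute that the quarantine alert and GateKeeper rely on.
# Layout flags;timestamp;agent;uuid is what macOS writes; the sample values
# below are constructed, not captured from a real system.
import subprocess
import sys
from datetime import datetime, timezone
from typing import Optional

def parse_quarantine(raw: str) -> dict:
    """Split a com.apple.quarantine value into its four fields."""
    parts = raw.strip().split(";")
    if len(parts) < 2:
        raise ValueError("not a quarantine attribute: %r" % raw)
    parts += [""] * (4 - len(parts))  # older agents may omit name or UUID
    flags_hex, ts_hex, agent, uuid = parts[:4]
    ts = int(ts_hex, 16)  # seconds since the Unix epoch, written in hex
    return {
        "flags": int(flags_hex, 16),
        "timestamp": ts,
        "downloaded_at": datetime.fromtimestamp(ts, tz=timezone.utc),
        "agent": agent,  # application that affixed the attribute
        "uuid": uuid,    # key into the LaunchServices quarantine events database
    }

def changed_flag_bits(before: str, after: str) -> int:
    """Bitmask of flag bits that differ between two attribute values."""
    return parse_quarantine(before)["flags"] ^ parse_quarantine(after)["flags"]

def read_quarantine(path: str) -> Optional[str]:
    """Read the live attribute on macOS via xattr(1); None if absent/unsupported."""
    if sys.platform != "darwin":
        return None
    proc = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

# Constructed sample values: a Chrome download before and after its first run.
BEFORE = "0083;5819a7b1;Google Chrome;11111111-2222-3333-4444-555555555555"
AFTER = "01c3;5819a7b1;Google Chrome;11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    info = parse_quarantine(BEFORE)
    print("agent:", info["agent"], "downloaded:", info["downloaded_at"].isoformat())
    print("flag bits changed after authorisation: 0x%04x"
          % changed_flag_bits(BEFORE, AFTER))
```

On a Mac, `xattr -p com.apple.quarantine <file>` shows the live value, which is what the screenshots above display before and after authorisation.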

Since its introduction, GateKeeper has had several weaknesses in verifying external content loaded by an application, which allowed library injection and the installation of unauthorised files, among other things. Although Apple resolved this and other GateKeeper problems in a mid-2015 update for OS X 10.10.4 (Yosemite), some proofs of concept still bypass signature verification, as researcher Patrick Wardle recently showed when evading GateKeeper protection on an up-to-date, patched version of OS X.

Another protective barrier: sandboxing

In addition to the first line of defence represented by quarantine and GateKeeper verification, there is sandboxing, a different, reactive barrier that restricts an application’s reach to a limited environment.

The sandbox technology used in OS X is based on a Mandatory Access Control (MAC) system similar to SELinux or AppArmor on Linux, but in this case derived from the BSD equivalent, TrustedBSD.

In this way, a vulnerability in an application executed in a sandbox has only a limited impact on its execution environment, since its interaction with resources other than those assigned to it is restricted.

- Isolation or sandbox technology. Source: developer.apple.com –

Using sandboxing, OS X isolates its own applications that are at high risk of attack, such as Safari, Mail, Messages, FaceTime, Calendar, Contacts, Photos, Notes, Reminders and, of course, the Mac App Store.

– Sandbox process location via the activity monitor –

An application runs in a sandbox if its code declares entitlements specifying the actions or resources it is allowed to use when executed.

– Detail of an application built for the sandbox. The sandbox “entitlement” can be observed –

Although sandboxing is not mandatory for executing applications in OS X, it is an obligatory requirement for distribution through the Mac App Store. If restrictions have not been applied in the application code, it is still possible to limit its execution to a sandbox environment using the sandbox-exec command.

Basic security: POSIX and Keychain

After GateKeeper, XProtect and App Sandboxing, we reach another security barrier: the traditional POSIX features and permissions. The user:group permission structure on files and system directories maintains the DAC (Discretionary Access Control) security mechanism, with a permissions scheme that can only be overcome with a certain, high level of privileges. On top of the complete OS X security architecture, Apple implements Keychain technology, which is responsible for managing the storage and protection of passwords, certificates and keys, using encryption. Used appropriately, Keychain allows secure, centralised management of passwords and of password access by applications and users.

- OSX security model -

Root or rootless?

However, despite all these barriers, if an attack succeeds in overcoming security and raising privileges so as to run as root, it’s game over. Should root power be restricted? Is it acceptable to deny the system owner complete control over it?

All these questions are even more relevant with the appearance of the latest version of OS X, 10.11 (El Capitan), and its System Integrity Protection, also known as rootless, which adds a new security measure to this model. In a later article, we will discuss SIP technology and what it means for system security.