Jordan Hubbard
Director, Unix Technology Group
Apple, Inc.
Who I am
• Long-time Unix zealot
• Long-time Open Source contributor
(go FreeBSD!)
•File Quarantine
•Sandbox
•Package and Code Signing
•Application Firewall
•Parental Controls
•Non-Executable (NX) Data
•Address Space Layout
Randomization
File Quarantine: The problem
File Quarantine: The problem
• Opening a document is expected to launch an
application on Mac OS X
• Malware can therefore be disguised as documents
• Casual inspection is no longer safe
File Quarantine: The problem
• Opening a document is expected to launch an
application on Mac OS X
• Malware can therefore be disguised as documents
• Casual inspection is no longer safe
File Quarantine: The problem
• Opening a document is expected to launch an
application on Mac OS X
• Malware can therefore be disguised as documents
• Casual inspection is no longer safe
File Quarantine: How it works
File Quarantine: How it works
• Download content ! Quarantine EA added
" EA also stores context of download for later use
" Download time, origin, application, etc…
File Quarantine: How it works
• Download content ! Quarantine EA added
" EA also stores context of download for later use
" Download time, origin, application, etc…
• Activate quarantined content ! system inspection,
user dialog if needed:
Quarantine Propagation
(in popular archivers)
latestpics.dmg
Applications are,
again, tracked by
signature
Non Executable (NX) Data
Thread 0 Stack
Thread 1 Stack
Library text
Heap
Library data
Read-only, executable
Read-write, non-executable
Non Executable (NX) Data
Thread 0 Stack
• Tiger/x86 had only NX stack
Thread 1 Stack
Library text
Heap
Library data
Read-only, executable
Read-write, non-executable
Non Executable (NX) Data
Thread 0 Stack
• Tiger/x86 had only NX stack
• Leopard: 64-bit apps have NX stack,
heap, … ! W^X
Thread 1 Stack
Library text
Heap
Library data
Read-only, executable
Read-write, non-executable
Non Executable (NX) Data
Thread 0 Stack
• Tiger/x86 had only NX stack
• Leopard: 64-bit apps have NX stack,
heap, … ! W^X
Thread 1 Stack " Intel 64-bit (Intel Core 2 Duo or later)
Heap
Library data
Read-only, executable
Read-write, non-executable
Non Executable (NX) Data
Thread 0 Stack
• Tiger/x86 had only NX stack
• Leopard: 64-bit apps have NX stack,
heap, … ! W^X
Thread 1 Stack " Intel 64-bit (Intel Core 2 Duo or later)
Library data
Read-only, executable
Read-write, non-executable
Non Executable (NX) Data
Thread 0 Stack
• Tiger/x86 had only NX stack
• Leopard: 64-bit apps have NX stack,
heap, … ! W^X
Thread 1 Stack " Intel 64-bit (Intel Core 2 Duo or later)
Library data
Read-only, executable
Read-write, non-executable
Address Space Layout Randomization
Address Space Layout Randomization
•Even with NX data, it may be
possible for an exploit to jump
to a library or framework
function
" e.g., system(3)—Pass a
command
to the shell
" This is commonly known as
“return-to-libc”
Address Space Layout Randomization
•Even with NX data, it may be
possible for an exploit to jump
libSystem
to a library or framework
AppKit function
" e.g., system(3)—Pass a
CoreServices
command
QuartzCore to the shell
" This is commonly known as
WebKit
“return-to-libc”
Address Space Layout Randomization
•Even with NX data, it may be
possible for an exploit to jump
libSystem
to a library or framework
AppKit function
" e.g., system(3)—Pass a
CoreServices
command
QuartzCore to the shell
" This is commonly known as
WebKit
“return-to-libc”
Address Space Layout Randomization
•Even with NX data, it may be
possible for an exploit to jump
libSystem
to a library or framework
AppKit function
" e.g., system(3)—Pass a
CoreServices
command
QuartzCore to the shell
" This is commonly known as
WebKit
“return-to-libc”
Higher
addresses
Developer Tools Options
•Stack overflow checking
" Canaries as in StackGuard, ProPolice, Microsoft Visual
Studio /GS
void
const char *filename bad(const char *filename) {
! char path[PATH_MAX];
Return address
!...
Canary
!sprintf(path, "%s/%s", getenv("HOME"), filename);
! ...!
}
char path[PATH_MAX]
char path[PATH_MAX]
Higher
addresses
Developer Tools Options
Developer Tools Options
•Object size checking
Developer Tools Options
•Object size checking
" Some unsafe API usage ! checked-at-runtime
behavior
Developer Tools Options
•Object size checking
" Some unsafe API usage ! checked-at-runtime
behavior
" memcpy, mempcpy, memmove, memset, strcpy,
stpcpy, strncpy, strcat, strncat, sprintf, vsprintf,
Developer Tools Options
•Object size checking
" Some unsafe API usage ! checked-at-runtime
behavior
" memcpy, mempcpy, memmove, memset, strcpy,
stpcpy, strncpy, strcat, strncat, sprintf, vsprintf,
void
before(const char *filename) {
! char path[PATH_MAX];
!...
!sprintf(path, "%s/%s", getenv("HOME"), filename);
! ...!
}
void
after(const char *filename) {
! char path[PATH_MAX];
!...
!__builtin___sprintf_chk(path, 0, __builtin_object_size(path, 2>1), "%s/%s",
getenv("HOME"), filename);
!...
}!
Developer Tools Options
•Object size checking
" Some unsafe API usage ! checked-at-runtime
behavior
" memcpy, mempcpy, memmove, memset, strcpy,
stpcpy, strncpy, strcat, strncat, sprintf, vsprintf,
void
before(const char *filename) {
! char path[PATH_MAX];
!...
!sprintf(path, "%s/%s", getenv("HOME"), filename);
! ...!
}
void
after(const char *filename) {
! char path[PATH_MAX];
!...
!__builtin___sprintf_chk(path, 0, __builtin_object_size(path, 2>1), "%s/%s",
getenv("HOME"), filename);
!...
}!
Developer Tools Options
•Object size checking
" Some unsafe API usage ! checked-at-runtime
behavior
" memcpy, mempcpy, memmove, memset, strcpy,
stpcpy, strncpy, strcat, strncat, sprintf, vsprintf,
void
before(const char *filename) {
! char path[PATH_MAX];
!...
!sprintf(path, "%s/%s", getenv("HOME"), filename);
! ...!
}
void
after(const char *filename) {
! char path[PATH_MAX];
!...
!__builtin___sprintf_chk(path, 0, __builtin_object_size(path, 2>1), "%s/%s",
getenv("HOME"), filename);
!...
}!
Back to my mac
• Uses wide-area Bonjour / DDNS
(through .Mac) for name registration
Even easier!
Launchd
• Since its introduction in Tiger, it has
transformed how all things are launched
on Mac OS X
• CalendarServer: A CalDAV-compliant
server
Objective C version
@end
@implementation ButtonController
-(void)sayHello:(id)sender
{
! ! N S L o g ( @ " H e l l o Wo r l d ! " ) ;
}
@end
int main(void)
{
!!NSApplication *app = [NSApplication sharedApplication];
! ! [ w i n d o w s e t T i t l e : @ " H e l l o Wo r l d " ] ;
! ! [button setBezelStyle:NSRoundedBezelStyle];
! ! [button setTitle:@"Hello!"];
! ! [ b u t t o n s i z e To F i t ] ;
! ! [window display];
!![window orderFrontRegardless];
! ! [app run];
!!retur n 0;
}
“Straight port” MacRuby
framework 'Cocoa'!
a p p = N S A p p l i c a t i o n . s h a r e d A p p l i c a t i o n!
w i n = N S W i n d o w. a l l o c . i n i t W i t h C o n t e n t R e c t ( [ 0 , 0 , 2 0 0 , 6 0 ] ,!
! ! s t y l e M a s k : N S T i t l e d W i n d o w M a s k | N S C l o s a b l e W i n d o w M a s k | N S M i n i a t u r i z a b l e W i n d o w M a s k | N S R e s i z a b l e W i n d o w M a s k ,!
! ! b a c k i n g : N S B a c k i n g S t o r e B u f f e r e d ,!
! ! defer:false)!
w i n . t i t l e = ' H e l l o Wo r l d '!
b u t t o n = N S B u t t o n . a l l o c . i n i t W i t h F r a m e ( N S Z e r o R e c t )!
w i n . c o n t e n t V i e w. a d d S u b v i e w ( b u t t o n )!
button.bezelStyle = NSRoundedBezelStyle!
button.title = 'Hello!'!
b u t t o n . s i z e To F i t!
b u t t o n . f r a m e O r i g i n = N S M a k e P o i n t ( ( w i n . c o n t e n t V i e w. f r a m e S i z e . w i d t h / 2 . 0 ) - ( b u t t o n . f r a m e S i z e . w i d t h / 2 . 0 ) ,!
! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ( w i n . c o n t e n t V i e w. f r a m e S i z e . h e i g h t / 2 . 0 ) - ( b u t t o n . f r a m e S i z e . h e i g h t / 2 . 0 ) )!
b u t t o n _ c o n t r o l l e r = O b j e c t . n e w!
d e f b u t t o n _ c o n t r o l l e r. s a y H e l l o ( s e n d e r )!
! p u t s " H e l l o Wo r l d ! "!
end!
b u t t o n . t a rg e t = b u t t o n _ c o n t r o l l e r!
button.action = 'sayHello:'!
win.display!
w i n . o r d e r F r o n t R e g a r d l e s s!
app.run
MacRuby + HotCocoa version
r e q u i r e ' h o t c o c o a '!
include HotCocoa!
application do!
! w i n d o w : t i t l e = > ' H e l l o Wo r l d ' , : f r a m e = > [ 0 , 0 , 1 2 0 , 1 2 0 ] d o | w |!
! ! !button :title => 'Click me' do |b|!
! ! ! b . o n _ a c t i o n { p u t s ' H e l l o Wo r l d ! ' }!
! ! ! w << b!
! ! end!
! end!
end
Our scary future...
The rise of the GPU
Number of Transistors (in millions)
1,500
1,125
750
Hi!
375
0
1998 2000 2001 2002 2003 2004 2005 2006 2007 2008 2010 ?
And these are largely computational, not cache!
The future: GPUs
• GPUs are becoming insanely fast and
capable