Memory randomization (ASLR) coming to Mac OS X Leopard

Memory randomization (ASLR) coming to Mac OS X Leopard

Summary: Apple has announced plans to add code-scrambling diversity to Mac OS X Leopard, a move aimed at making the operating system more resilient to virus and worm attacks.


Memory randomization (ALSR) coming to Mac OS X LeopardApple has announced plans to add code-scrambling diversity to Mac OS X Leopard, a move aimed at making the operating system more resilient to virus and worm attacks.

The security technology, known as ASLR (address space layout randomization), randomly arranges the positions of key data areas to prevent malware authors from predicting target addresses. It is used in tandem with additional security features to reduce the effectiveness of exploit attempts.

[SEE: Vista’s ASLR not so random, but does it matter? ]

According to Apple, the library randomization feature will allow Leopard to defend against attackers with no effort at all.

One of the most common security breaches occurs when a hacker’s code calls a known memory address to have a system function execute malicious code. Leopard frustrates this plan by relocating system libraries to one of several thousand possible randomly assigned addresses.

Several open-source security systems -- OpenBSD, PaX and Exec Shield -- already implement ASLR in some form. Microsoft has also fitted ASLR into default configurations of Windows Vista.

Apple also plans to add Sandboxing (systrace) in Leopard to limits an application's access to the system by enforcing access policies for system calls. The feature is aimed at restricing an app's file access, network access, and ability to launch other applications.

Many Leopard applications -- such as Bonjour, Quick Look, and the Spotlight indexer -- will be sandboxed so hackers can't exploit them, Apple said.

Strangely, the default Safari Web browser isn't listed as a sandboxed application.

Some other security goodies promised in Leopard include:

Tagging Downloaded Applications -- Protection from potential threats. Any application downloaded to the operating system is tagged. Before it runs for the first time, the system asks for the user's consent -- notifying the user when it was downloaded, what application was used to download it, and, if applicable, what URL it came from.

Signed Applications -- A digital signature on an application will aim at verifying the identity and integrity of that program. All applications shipped with Leopard will be signed by Apple. Third-party software developers can also sign their applications.

Application-Based Firewall -- Leopard will feature the ability to specify the behavior of specific applications to either allow or block incoming connections.

Stronger Encryption for Disk Images -- Disk Utility will now allow users to create encrypted disk images using 256-bit AES encryption.

Topics: Security, Apple, Apps, Hardware, Microsoft, Operating Systems, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Intresting...

    Why is Apple implementing all of these security features? I thought that OS X has hack proof.
    • Proactive -v- reactive

      It's nice to see Apple doing this before there is a problem.
      With Mac's market share increasing each year (at least in
      the consumer field) there will be increased effort to
      develop malware. Proactive is nice.
      • You didn't answer the question.

        We've heard time and time and time again from the Mac fanbois that OS X is hack proof (well, not directly but indirectly each time they say "There is zero malware for OS X"). If they are to be believed then adding additional security buys you nothing and has the potential to cause problems.
        • The best security is one in which a hacker takes infinity to infiltrate

          Toward that end, the more obstacles, the more dynamism, and the more pro-active
          thinking the better.

          Got to keep those hackers off balance.
          • According to the Mac fanbois OS X is already at infinity.

            If we're to believe them how can is be made more secure?
          • Wrong!

            The correct statement is not that OS X is hacker-proof, nor that it is virus-proof.

            It is hacker-resistant, and there are *currently* no known viruses for OS X (except those created as harmless test cases for antivirus software -- they need something to do, I guess).

            The technologies Apple is promoting are to help reduce the likelihood of *Trojan Horses* (distinct from Viruses, and these are more commonly based on the stupid user syndrome; this is generally less of an issue on the Mac because the stupid people trying to use computers are typically gullible enough to think that Windoze is a reasonable system to use), and to make it even harder for the other issues to pop up in the future.

            If it is hard to create virii for OS X now, it will be even harder when Leapord use becomes widespread.

            The harder it becomes, the less likely it is to happen on a widespread basis.

            One of the reasons you see fewer virii and other security issues on OS X and other UNIX-type systems is that there are so few stupid people using them. There are also fewer stupid people using Windoze servers (note distinction from workstations), so as to how so many virii and so forth impact those... that one is much more of a discredit to M$ than the fact that these things show up on the desktops so often.
          • "Stupid" or just a user

            The average computer user is not computer literate -
            and they really don't want to be. I've moved to that level
            and enjoy not having to worry about the hidden
            complexities of a computer. Call us Bubba - a common
            name for stupid. We just want to use the computer just
            like we do our car where we get in and go.

            While IT people can turn their noses up at Bubba the
            simple fact is that other professions will call them Bubba
            because of their lack of knowledge. My wife has a very
            strong medical education and is able to talk at a high
            level with her oncologists (my wife has leukemia) but
            most of this doctor's patients are not in that situation.
            Real Bubbas as they know as little about their cancer as
            they do computers.

            Fortunately for those into computers the Bubbas have
            been buying a lot of computers over the years, bringing
            the price down for the geeks. Without them the price of
            computers would be far higher than it is today.
          • Fixed your typo for you.

            One of the reasons you see fewer virii and other security issues on OS X and other UNIX-type systems is that there are so few people using them.
            Hallowed are the Ori
          • Perhaps you missed the part where I wrote:

            "(well, not directly but indirectly each time they say "There is zero malware for OS X")"

            too. You can't have it both ways. When someone states that OS X is no more secure than Windows you can't respond with "There is zero malware for OS X" as proof. If it's not hacker proof, as you say, then said statement means nothing.

            As for the distinction between "virus" and "trojan" please let's not get pedantic. First you'll notice my use of the word "malware" which covers all malicious types of code. Second virus is generally accepted word used to address all forms of malware. Only the Mac fanbois like to make a distinction because it allows them to draw attention away from the primary point (that OS X is no more secure than Windows) and onto a tangential discussion regarding what type of malware is being discussed.
          • Wrong conclusion

            "One of the reasons you see fewer virii and other security issues on OS X and other UNIX-type systems is that there are so few stupid people using them."

            Where in the world did you get that? Please provide a link to any reputable source that shows OSX or Unix users are smarter then the average computer user. Your statement alone proves that stupid people use OSX.
          • Only in your mind

            This mythic mac fanboi of which you speak exists nowhere except in your fevered brain.

            NO Mac user has EVER said OS X is hacker proof. The statement, which is accurate, by the way, is that OS X has BETTER security, not perfect security.

            But, of course, you know this. One thing Apple-haters can be relied on to do is lie.
          • Perhaps you missed the part where I wrote:

            "(well, not directly but indirectly each time they say "There is zero malware for OS X")"

            As for being an Apple hater how do you explain that I own, use, and prefer a Mac if I'm an Apple hater?
          • re:ye

            Sorry, you don't get to make the definitions. Proudly announcing zero exploits does not equal infinite security just because you say it does.
          • I didn't say it did.

            "Proudly announcing zero exploits does not equal infinite security just because you say it does."

            To the contrary I've argued just the opposite. I think this is a stupid counter argument that OS X is secure. But Mac fanbois continue to make it any way. Therefore the only logical conclusion one can draw from this statement is "infinite security". If not that then what is the purpose for making such a statement?
        • Talking about shooting oneself in the foot...

          The "fanbois" did not say "that OSX was hack proof". They said "There is zero malware for OS X" as you rightly pointed out. The two statements are not synonomous!

          But, to answer the question posed, no OS is hack proof and therefore OSX is not hack proof. It just hasn't been hacked yet.
          • If it's not hack proof then why zero malware?

            It's an easy question. Will any Mac fanboi bother to answer it?
          • Not a thoughtful question!

            No, it is not an easy question, at least not to me. :-)

            But, there may be many reasons why there is currently no malware for the Mac
            platform and possibly some of those reason may be interrelated.
            Possibly due to smaller user base
            Possibly due to more robust engineering
            Possibly due to crackers preference to Windows (use the tools you know)
            Possibly due to any one or more of the above
            As much as I would like to be able to point to the significant reason, I can't.
            Maybe someone more knowledgeable on this board has the answer but if they do
            they're keeping it to themselves.

            But why the question intertwining hack ability with lack of malware? Can't you
            figure out the difference between the two? Why the baiting? If it is true that you
            use the Mac then sit back and enjoy the security knowing that your Mac is safe, at
            least for now. Don't gloat, don't point, don't rub anyones nose into it. Just enjoy
            it and hope it lasts.
          • JoeDaddy: You're confused

            The question asked was to illustrate the foolishness of the Mac fanbois. I personally myself would never ask such a question because *I* know the two are not related. I have made many, many posts explaining to the Mac fanbois that the two are unrelated. Yet they still insist on tying them together. Yes, it's foolish but that's what they do.

            As for why there currently is no malware for OS X that's easy: It's primarily due to lack of incentive. This was evidenced at the recent CanSecWest security conference. A challenge was made to hack the Mac. It took a $10K carrot dangled in front of the hackers faces before someone made any sort of effort. And with Windows huge marketshare it will take a while, if ever, for the marketshare of OS X to make it worth their while. I've already run the numbers in this forum.

            As a Mac user I find Mac fanbois annoying but worse they make us normal Mac users look bad. But the worse thing is telling people to switch to a Mac to be secure. If enough people do the incentive will be their and then where will we be?
        • The reason is simple

          OS X is less prone to attacks (not invulnerable, as you suggested) *because* Apple is more pro-active about security.

          Microsoft operating systems from DOS - Windows 98SE were hacker playgrounds because MS designed them for a world where everyone got along and there was no reason to secure the OS.

          Apple took too long to recognize the threats, too, but they've done a much better job than Microsoft in securing their OS since OS X was released. And ALSR is just the latest attempt to make sure that lead remains in place.
          • Still ZERO malware.

            If it's less prone certainly there would be at least ONE malware out there for OS X. It's going on SEVEN years and not a SINGLE malware for OS X. Either the OS is infinitely invulnerable to malware or there is/are another reason/s. So which is it? The former? Or the latter?