Comments on The Invisible Things Lab's blog: About Apple's Security Foundations, Or Lack Of Thereof...
Blog author: Joanna Rutkowska. Comment feed, newest first; feed last updated 2023-11-24.

----------------------------------------------------------------------

Joanna Rutkowska (2009-10-12 23:31 +02:00):

@Anonymous: Sure it sucks the firmware is unsigned (all firmware reflashing should always require signed updates!). But my question here was rather about the whole update download process -- i.e. whether the Mac's updater application somehow verifies the files it downloads over the *Internet*?

----------------------------------------------------------------------

Anonymous (2009-10-12 05:07 +02:00):

"BTW, anybody checked if the Apple updates are digitally signed somehow?"

Joanna, did you see K. Chen's Black Hat presentation? Apple didn't sign their keyboard firmware update... I wonder what other surprises Macs have in store.

----------------------------------------------------------------------

Anonymous (2009-10-02 09:23 +02:00):

Greatly overdue response, but...

> 1) Can you provide a command that would index *all* binary files on the volume and count how many of them are unsigned vs. signed?

No, I can't, because I've never actually constructed it. But I would expect that it would involve the following pieces, on a clean system:

1. find -x / (to iterate over the entire boot volume)

2. file (to determine Mach-O binaries from other things)

3. codesign (to determine if the file is unsigned, signed, or a nested resource).

And, it goes without saying: grep.

> 2) I have never seen in my life OS X displaying info about an installer being signed. You say such a possibility exists -- perhaps it does, but why have I, as a Mac user, never seen it? And why have I seen it all the time on Vista? For some reason nobody uses it, and this is precisely the problem I'm pointing out. Of course, I can try filing bug reports (or emailing support) to a few dozen app vendors, but, frankly, I don't have time for this. Why have I never had to do that on Vista? Why do the very same vendors properly sign their installers for Windows, but not for Mac? Obviously there must be some more generic reason for that.

There is a possibility. For example, if you're on Leopard, download the 10.5.8 combo updater manual package. Installer will start up, and you'll see a little certificate icon in the upper-right corner. If you click it, the Installer will show you information from the signing certificate, including whether its chain validates for that purpose.

There are at least a few I can think of:

Apple isn't signing all of its own packages, as you note below.

Signing a package is a "hard" (as in difficulty) step, involving a command-line tool.

Some software vendors, as I'm sure you know, treat OS X as a second class platform, and don't give its users the effort they deserve.

Apple would induce insane dialogue fatigue if it made installing an unsigned package a drop-everything, must-tell-the-user-now kind of watershed event.

> BTW, can I also sign a DMG file, or only the installer package inside it? What about all those programs that do not use "installer" to install, but that you just "drag to Applications folder" after opening the DMG? Sure, if they were signed (but they are not, even iWork '09 is not signed!) I could do codesign on those files inside the just-opened DMG, but, come on, this is not the way a user-friendly system should behave.

To my knowledge, there is no way to sign a disk image directly, as disk images are intended to support writable container file systems. You can sign either an Installer package or an Application bundle for drag-installs (and ideally, you should sign the application your installer installs, even if the installer is itself signed).

----------------------------------------------------------------------

garagedh (2009-09-07 16:14 +02:00):

I find it more inexplicable when I see the things they are doing with iPods and iPhones, especially the arguments they use to control apps on the store.

----------------------------------------------------------------------

Joanna Rutkowska (2009-09-03 16:35 +02:00):

@macsphere: Just the fact that Mac will warn when an unsigned .app is accessing the keychain is almost irrelevant. Most apps don't use Keychain at all.

All I want is to know, *before* I install a given app (no matter if it's going to use Keychain or not), if it is non-tampered.

----------------------------------------------------------------------

nicktoumpelis (2009-09-03 16:30 +02:00):

I wish I could post an image in the comments :)

When you distribute an unsigned update to your app that uses confidential user information that resides in the Keychain, the OS asks you whether to allow/deny access to this information.

I'm not sure whether this applies to all unsigned apps and not just updates (it's been ages since I read those docs). It probably does. Apple considers the Keychain to be the central repository of sensitive information, so it probably happens (or should happen) with all apps.

----------------------------------------------------------------------

Joanna Rutkowska (2009-09-03 16:14 +02:00):

@macsphere: What are you talking about? Can you be more specific? I have never observed the behavior you mention...

----------------------------------------------------------------------

nicktoumpelis (2009-09-03 16:09 +02:00):

Mac OS X also checks whether a new version is signed by the original vendor, and asks the user whether she wants to trust her credentials to the new version.

----------------------------------------------------------------------

Joanna Rutkowska (2009-09-03 16:05 +02:00):

@Aleksandar: Can you somehow support your statement about unverifiable installers not being a real problem?

Consider e.g. a freedom fighter in China -- do you really think the Chinese government would not attempt to put a backdoor into the files they download from the net?

----------------------------------------------------------------------

aleck (2009-09-03 16:01 +02:00):

Joanna, you argue about a potential problem, not an actual one. What is going to happen to poor uninformed Apple users when they start to run untrusted dangerous installs?

This is not happening. There is no mentionable problem (apart from the pirated and tampered-with SL install .dmg now and iLife09 before it) out there.
And I'm certain we will never see on the Mac anything like UAC or the signed/unsigned warnings that exist on Windows (I was a Win user for 10+ years and still am at the office). It does not fit in the Mac UX. Whether it is bad or not is irrelevant - it will not happen.

On the topic - I'm sure Ivan Krstić was not hired by Apple to sit and look pretty ;)

----------------------------------------------------------------------

Joanna Rutkowska (2009-09-03 16:00 +02:00):

@Anonymous: Please note that Windows, *unlike* Mac OS X, has managed to force most of the (mature) vendors to sign their installers. We shall not pick on Windows for this one thing.

----------------------------------------------------------------------

Anonymous (2009-09-03 15:56 +02:00):

That's why Windows and probably Mac systems are so flawed. Even if the OS is secure, that winamp.exe you download gets you owned.

This is the most serious security argument against systems without signed software repositories.

I am using Ubuntu and all additional software I install from Ubuntu's signed repositories. So no problems for me (until Skype/Picasa is needed...)

----------------------------------------------------------------------

julien (2009-09-03 13:06 +02:00):

Mozilla has had bugs about this since 2007.

https://bugzilla.mozilla.org/show_bug.cgi?id=400296
https://bugzilla.mozilla.org/show_bug.cgi?id=409459

----------------------------------------------------------------------

Joanna Rutkowska (2009-09-03 10:41 +02:00):

@Anonymous-with-whom-we-argue-if-it's-"many"-or-"most"-of-system-files-that-are-unsigned-and-also-if-the-osx-should-warn-about-unverifiable-installers:

1) Can you provide a command that would index *all* binary files on the volume and count how many of them are unsigned vs. signed?

I'm talking here about every possible binary, including libraries, System preference extensions, filesystems, just every potential binary. I don't know how to write one clean command that would find all the files (and verify them). In fact I gave up on that task a long time ago, just after I installed Leopard, because I just saw too many examples of unsigned files. Anyway, it would be interesting to get the numbers (and to see which types of files are still unsigned).

2) I have never seen in my life OS X displaying info about an installer being signed. You say such a possibility exists -- perhaps it does, but why have I, as a Mac user, never seen it? And why have I seen it all the time on Vista? For some reason nobody uses it, and this is precisely the problem I'm pointing out. Of course, I can try filing bug reports (or emailing support) to a few dozen app vendors, but, frankly, I don't have time for this. Why have I never had to do that on Vista? Why do the very same vendors properly sign their installers for Windows, but not for Mac? Obviously there must be some more generic reason for that.

BTW, can I also sign a DMG file, or only the installer package inside it? What about all those programs that do not use "installer" to install, but that you just "drag to Applications folder" after opening the DMG? Sure, if they were signed (but they are not, even iWork '09 is not signed!) I could do codesign on those files inside the just-opened DMG, but, come on, this is not the way a user-friendly system should behave.

----------------------------------------------------------------------

Anonymous (2009-09-03 04:02 +02:00):

Perfectly good article and some of you had to bring law into the comments.

Believe me--if it ever made it to a jury I was on, I'd ignore what the EULA said and rake the vendor over the fire.

As Joanna put it so elegantly--some of us prefer to live in the "civilized world."

On a related note--when dealing with an untrusted HTTP source, I often download the image from my home connection, a proxy in Boston, and a proxy in Europe and checksum all of the images for equality. It isn't perfect, but I've always kind of assumed that it'd be a pain in the ass for anyone performing a MITM to do it completely untargeted. Of course, they could always just have stolen the DNS and it wouldn't do any good... but it's better than the nothing HTTP gives me.

----------------------------------------------------------------------

Anonymous (2009-09-03 03:49 +02:00):

1. Several of those lines say "Object file format invalid or unsuitable", because you've recursed into the plug-ins of a top-level kext which is signed. The fact that a handful of kexts are unsigned (and most of those are third party code) does not validate your conclusion that "most of the system files are not signed". Most of those kexts won't even load unless you use specific third-party accessories that they're designed to support.

2. To further demonstrate that the kexts are outliers, go through /bin, for example. No unsigned code whatsoever.

3. Mail.app was not intended to be a representative data point, simply an example of how to use the tool, since your post states you "don't even attempt" to verify your system's integrity. Obviously, I misinterpreted that sentence.

4. Mac OS X won't warn you if a package you're installing is unsigned, but it will display a certificate indicator you can use to see that the package is signed (and by whom). Check for digital signature indicia and if you don't trust the package's signer, or the package isn't signed, *don't install the package*. Throwing a warning in the user's face is not a security strategy, it's a nuisance.

5. If installing unverifiable software is annoying to you (and I can certainly understand why it would be) then:

FILE BUGS

with the perpetrators (Apple, Mozilla), or at least describe specifics. Over-generalizing statements like "most of the system files are not signed" will not help anyone *fix* the behavior you're criticizing.

----------------------------------------------------------------------

Joanna Rutkowska (2009-09-03 00:22 +02:00):

@Grzegorz:

Well, IANAL2, but common sense suggests, at least in the civilized world, that you cannot simply sell something to the customer and take zero responsibility for it. Just the fact that you write something in the EULA doesn't exclude you from the (inter)national laws. E.g. can you imagine a car maker selling cars with a "use at your own risk" statement?

Again, neither of us is a lawyer, so let's cut off this discussion at this stage. One thing is sure at least -- without certificates, no matter what the law was, I couldn't sue anybody for a malicious application. The certificates open this possibility from the technical perspective. And I think that's just great. (Plus they eliminate the problems with untrusted network connections.) Everything else is in the hands of courts and lawyers.

----------------------------------------------------------------------

Grzegorz Adam Hankiewicz (2009-09-02 23:56 +02:00):

Well, it's always funny how people sometimes discover these license gems and then Slashdot runs some paranoid reality check article.

But I was thinking more in terms of blocks like this one from the MIT license: "blah blah blah IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY blah blah blah"

I understand they can be malicious or stupid, but either way you are on your own.

----------------------------------------------------------------------

Joanna Rutkowska (2009-09-02 23:24 +02:00):

@Grzegorz:
Well, of course, if the vendor writes in the EULA that "this software is going to spy on you and leak out your PGP keys", then it's an interesting challenge for a lawyer (although I still believe that the vendor would be punished for such a trick, just like various companies are often punished for "unfair" clauses in their contracts).

----------------------------------------------------------------------

Joanna Rutkowska (2009-09-02 23:14 +02:00):

@Anonymous (AKA Mr. Multiple Substantial Inaccuracies):

I'm well aware of the codesign tool and I uphold my statement that most of the *system* files are not signed. E.g. this command will show you how many kernel(!) extensions are not signed:

find /System -name "*.kext" -exec codesign -v {} \;

And just an FYI, Mail.app is not the best example of a system file ;)

Regarding packagemaker and its ability to sign installation packages: it doesn't matter, because Mac OS X doesn't display any message if the dmg/pkg is not signed. So, there is no incentive for application developers to sign their packages -- in the end the user experience will be just the same.

----------------------------------------------------------------------

felipe-alfaro.org (2009-09-02 21:39 +02:00):

How many mere mortals know what a PGP signature is? (I'm not even talking about how to check that the signature is correct.) I'd say less than 15%.

----------------------------------------------------------------------

Grzegorz Adam Hankiewicz (2009-09-02 21:30 +02:00):

Hi there.

In this article and the previous one you keep saying that a signed installer only provides the liability to sue the author of the installer.

Is this really serious? IANAL but AFAICS all EULAs and similar software disclaimers and agreements force the user to just ignore the fact that you may have downloaded Skynet into your computer and it may soon kill your pet, minutes before nuking Earth.

So, what liability are you really talking about? Your ISP? The air in between? While most software can be downloaded through a direct link, there are providers who force you to go through an HTML confirmation page before getting the software, so that may have already forced you to not sue anybody.

----------------------------------------------------------------------

Anonymous (2009-09-02 20:12 +02:00):

Multiple substantial inaccuracies:

1. "most system files are not signed anyway"

Most every binary or bundle installed on a Mac OS X system is signed. True, there is no UI for looking at individual files, but you can see the signature information for a given bundle or binary by using the codesign(1) command. For example, Mail.app:

$ codesign -v --verbose /Applications/Mail.app; codesign -d --verbose --verbose /Applications/Mail.app
/Applications/Mail.app: valid on disk
/Applications/Mail.app: satisfies its Designated Requirement
Executable=/Applications/Mail.app/Contents/MacOS/Mail
Identifier=com.apple.mail
Format=bundle with Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=16043 flags=0x0(none) hashes=796+3 location=embedded
Signature size=4064
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=28
Sealed Resources rules=10 files=530
Internal requirements count=1 size=104

2. "when you open such a file under Mac, the OS will never display any information about if this file is somehow signed (e.g., by who) or not. I'm pretty sure it's never signed."

While it's true that most developers (including Apple) don't sign their packages regularly (the 10.5.8 package is signed), the OS does have package verification capabilities. Developers can sign their packages using the packagemaker(1) command line tool in the Developer Tools suite.

If the lack of signed, verifiable installation media bugs you (which I can certainly understand) then file a bug in Mozilla's/Apple's bug tracking system (as well as those of other distributors you come across) asking them to please sign their packages.
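The "find -x / + file + codesign + grep" pipeline sketched in the thread, written out as one script; this is an added example, not code from the blog or any of the commenters. It assumes macOS with codesign(1) on the PATH, detects Mach-O files by their magic bytes instead of calling file(1), and the bucket names (signed / unsigned / unsuitable / invalid) are the example's own, with "unsuitable" collecting the "Object file format invalid or unsuitable" verdicts discussed above.

```python
"""Tally signed vs. unsigned Mach-O files on one volume.
Added example (not from the thread): scan() needs codesign(1), i.e. macOS;
is_macho() and classify() run anywhere and carry the logic worth testing."""
import os
import stat
import subprocess
import sys
from collections import Counter

# Mach-O magic numbers: 32/64-bit in both byte orders, plus the fat (universal) header.
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # MH_MAGIC_64 / MH_CIGAM_64
FAT_MAGIC = b"\xca\xfe\xba\xbe"                            # also the Java class-file magic

def is_macho(header: bytes) -> bool:
    """Do the first 8 bytes of a file look like a Mach-O (thin or fat) header?"""
    if header[:4] in THIN_MAGICS:
        return True
    if header[:4] == FAT_MAGIC and len(header) >= 8:
        # Same heuristic file(1) uses to tell a fat header from a Java class file:
        # nfat_arch is a small count, whereas a class file carries a version here.
        return 1 <= int.from_bytes(header[4:8], "big") < 20
    return False

def classify(returncode: int, stderr: str) -> str:
    """Map one `codesign -v` result onto the buckets the thread talks about."""
    if returncode == 0:
        return "signed"        # codesign -v is silent and exits 0 on a valid signature
    if "not signed at all" in stderr:
        return "unsigned"      # codesign's verdict for an object with no signature
    if "invalid or unsuitable" in stderr:
        return "unsuitable"    # not a standalone code object (nested plug-in/resource)
    return "invalid"           # signed, but verification failed (tampered, bad chain, ...)

def scan(root: str, codesign=("codesign", "-v")) -> Counter:
    """Walk one volume (like find -x), run codesign on each Mach-O file, tally verdicts."""
    counts = Counter()
    root_dev = os.stat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune mount points so other volumes are not descended into (find -x).
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue       # symlinks, FIFOs, sockets: open() on a FIFO would block
                with open(path, "rb") as fh:
                    header = fh.read(8)
            except OSError:
                continue           # unreadable (permissions etc.): skip it
            if not is_macho(header):
                continue
            proc = subprocess.run([*codesign, path], capture_output=True, text=True)
            counts[classify(proc.returncode, proc.stderr)] += 1
    return counts

if __name__ == "__main__":
    for bucket, n in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else "/").items()):
        print(f"{bucket:<10} {n}")
```

Run it as `python3 tally.py /System` (or any other directory) to get per-bucket counts; the command and the paths are assumptions of this example.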