Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - How to test OS X Mountain Lion's Gatekeeper in Lion InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

How to test OS X Mountain Lion's Gatekeeper in Lion

Published: 2012-02-22
Last Updated: 2012-02-22 02:16:20 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

While I started working on comparing various OS X hardening guides (see the prior diary from a couple of days ago), Apple announced one important new security feature in OS X 10.8 (Mountain Lion). The new operating system to be released this summer will include a white listing system based on iOS. iOS has received a lot of criticism for its closed nature, but so far, I have to admit it has worked pretty well. We have heard very little about iOS malware while Android malware appears to start steal the show from Windows malware (it got a while to go, but all the news lately appears to be about Android malware).

iOS uses a pretty simple and effective security model to fight malware: Whitelisting. All software installed on an iOS device has to be digitally signed. In order to be digitally signed, the software has to be reviewed by Apple. Only software that uses standard Apple vetted APIs is considered trustworthy to be signed, making it difficult to sneak in malicious code. If malicious software slips through, it can be recalled later. 

Over the last few years, the opposite model, blacklisting ("Anti Malware") has failed spectacularly. Even many desktop users now use third party whitelisting software which is usually more granular then what Apple proposes.

Apple's approach allows for essentially three different "settings":

- Only allow Apple approved software (pretty much what iOS does)
- allow Apple approved software, but also allow software signed with specific additional certificates (you could use this to sign your own software. Kind of like accepting the certificate from an iOS developer for testing)
- allow all software (pretty much "unlocked" in iOS terms)

There are some specific limitations to Apple's approach:

- the signatures are only tested during install. If malicious software passes the install, it will not be inspected further.
- only executables are checked. A malicious PDF may still cause havoc, even if it may no longer be able to then download and install additional malware

The best part in my opinion is that the functionality was already pushed out to systems as part of the last OS X update (10.7.3). So you can already experiment with the feature and see how well it works (or doesn't work). I am running it now for a while off and on and so far, haven't experienced any ill effects, aside from it blocking me once or twice from installing software. Each time, I just disabled it temporarily (which could be considered a weakness).

The command line utility spctl can be used to enable or disable the feature. spctl --enable will enable it, spctl --disable disable it. You need to be root to run the utility.

 
 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: apple lion spctl
2 comment(s)
Diary Archives