Once you are over the online install experience, the upside down mouse gestures and all the other bling that comes as part of OS X Lion, it is time to look at what has changed from a security point of view. Apple doesn't exactly advertise security features, but Lion provides some significant security improvements.
Just an important note: Lion is just a day old now, so a lot of these features haven't exactly been tested yet by the large masses of users.
Address Space Layout Randomization (ASLR)
ASLR will make exploiting vulnerabilities significantly harder. In itself, it doesn't prevent any vulnerabilities. Snow Leopard introduced ASLR, but limited it to libraries. ASLR on Snow Leopard also missed randomizing the stack and the heap.
Automatic Security Updates
In Snow Leopard, like in most other operating systems, the user was told about updates, but had to manually approve / install them. In Lion, this is all going to happen behind the scenes. We will have to see how well this works as "automatic" or "unmanaged" updates may of course break incompatible applications
Time machine backups can now be encrypted.
Air drop sounds a bit dangerous, and we will have to revisit this protocol. It essentially allows setting up quick peer-to-peer networks to exchange files. However, the file transfer is TLS encrypted according to Apple and authenticated using the users Apple ID (which has always been available as a client certificate). It also appears to set up appropriate firewall rules. Looks like they did think about the important issues, but this is very much a topic that needs further testing.
File Vault 2
The original file vault feature in Snow Leopard only encrypted the users home directory. It was rather clunky and didn't interoperate well with time machine. File Vault 2 implements full disk encryption. In addition, a number of additional features are implements. For example, one can instantly "wipe" the disk by deleting the key. If a users is afraid of losing the key, the key can be escrowed with Apple. Initial performance test have been pretty good.
Update: After experimenting with File Vault 2, I found that it can only be used if the installer was able to create a recovery partition, which it didn't do in my case. Also, File Vault 2 is encrypting the partition, not the entire disk like other products (e.g. PGP).
Lion uses refined privacy preferences in particular limiting the access to location information
Apple ID for authentiation
Not sure Air Drop, but other authentication features leverage your Apple ID. As you sign up for an apple id, Apple will create a client certificate for you that you can now use to authenticate for file sharing, iChat and Screen Sharing. The certificate has existed in the past, and was used in iChat. But now it is used by other features of the OS.
Complete Feature List: http://www.apple.com/macosx/whats-new/features.htmlDefending Web Applications Security Essentials - SANS Security West 2019
Jul 21st 2011
7 years ago
One thing that is most annoying is that the new OS disabled access to my windows domain. Anyone who has a ".local" Active Directory Domain is going to have this problem. If you are still using old-style NETBIOS and WINS you can still get access but who does these days? My network is Windows 2008 R2 native domain/forest and I presume most people are at least Windows 2003 native.
Jul 23rd 2011
7 years ago