Linked by Thom Holwerda on Thu 3rd Nov 2011 22:54 UTC
And so the iOS-ification of Mac OS X continues. Apple has just announced that all applications submitted to the Mac App Store have to use sandboxing by March 2012. While this has obvious security advantages, the concerns are numerous - especially since Apple's current sandboxing implementation and associated rules make a whole lot of applications impossible.
Thread beginning with comment 495956
RE[4]: Good move
by frderi on Sat 5th Nov 2011 00:53 UTC in reply to "RE[3]: Good move"
Member since: 2011-06-17

I'd argue that DVD and Blu-Ray encryptions are broken by design, like many other forms of DRM, because they rely on distributing a "secret" copy of the decryption key with every single device and piece of software that can play them back. In such circumstances, it is obvious that the decryption key will be leaked by someone at some point.

The biggest problem when it comes to security is software bugs. The bulk of exploits are based on the fact that there's a bug in the software that facilitates buffer overruns which allows one to execute code. The only way of making sure your system isn't compromised is to unplug it from the network and write the software it runs yourself. However, this doesn't tend to be a desirable use case these days. :-) Bottom line: everything which is software is breakable. The point of running sensible security measurements is that you need to minimize the risks as much as possible.

To the best of my knowledge, there is no such known flaw with the design of sandboxing in itself.

As with any software implementation, it's bound to have bugs and thus it's exploitable. If the zero-day bug gets discovered by someone looking for them who has ill intentions, most of the time this information just gets sold in black markets online and it ends up in the hands of malware writers who exploit it in their code.

"My question is: why is the PDF reader able to get root access to the device at all?"

Point is, it doesn't have to be exploitable; a bug which allows for improper code execution is enough.

"With proper sandboxing, an exploit in the PDF reader would only allow a cracker to have a look at the PDF reader's private data, which is a much, much less interesting trick."

Not necessarily. If memory is written outside the application's heap, it's more than likely to have full access to the system, allowing the malicious code (not the app itself) to do anything it wants to do.

"Fair point, but doesn't this argument also hold for other repository systems where you can freely add other software sources to your OS beyond the vendor-provided one?"

Sure it does, and in the desktop space there have been quite a few of them: tucows, download.com, versiontracker and macupdate are just a few. But these are merely aggregators, not App Stores. They offer no guarantee of the purchase process and in most cases not even about the availability of the listed application.

"It will also put you in front of heaps of thousands of different software to do the same thing, with no quick way of deciding what works best for your purposes except for relatively flawed indicators such as "featured" or "frequently downloaded" (also known as "popular" in some circles)."

Not if you know what functionality you're looking for. You might search for an unrar app, a VNC client, an RSS reader, … Doing those searches conveniently pops up a list of all available apps, allowing you to pick the one with the functionality and price point you find appropriate for your needs.

"So since exploring everything and making informed choices is not envisionable for most people in such centralized systems, you end up relying on others (magazines, websites, relatives...) to do the work for you. Which is why I say that word of mouth remains the #1 way of finding software even in big centralized software libraries."

You're more likely to be served in a better way if you just consult the app ratings and read the user reviews in the App Store. Why wait 2 months for a published magazine to pick up a newly released app? This used to be my methodology of working in the past, but now we're talking about the nineties, when broadband wasn't among us yet and magazines with CD-ROMs were still a huge deal.

"This is the positive side of things. The negative side of things is that if there's a lot of choice you'll end up going through a lot of uninteresting garbage (for you!) before finding what you're looking for."

You browse through the list, look at the user ratings, read the reviews and description, and look at the screenshots. I don't see much difference in the selection process. When you like something it's a quick trip to the buy button and you have it working. Instant gratification. The barrier can't get much lower than this.

Reply Parent Score: 1

RE[5]: Good move
by Neolander on Sat 5th Nov 2011 09:13 in reply to "RE[4]: Good move"
Member since: 2010-03-08

"The biggest problem when it comes to security is software bugs. The bulk of exploits are based on the fact that there's a bug in the software that facilitates buffer overruns which allows one to execute code."

As far as I know, buffer overruns are not a fatality, and protections exist against them: read-only code and canaries at the CPU level, fixed-length buffers at the API level... But I agree with your general point that every software implementation is breakable, which is why careful testing of critical code and regular updates are so important.

"My question is: why is the PDF reader able to get root access to the device at all?"

"Point is, it doesn't have to be exploitable; a bug which allows for improper code execution is enough."

"With proper sandboxing, an exploit in the PDF reader would only allow a cracker to have a look at the PDF reader's private data, which is a much, much less interesting trick."

"Not necessarily. If memory is written outside the application's heap, it's more than likely to have full access to the system, allowing the malicious code (not the app itself) to do anything it wants to do."

Wait a minute...

On x86 CPUs, and I'm pretty sure it's the case on ARM too, there's an MMU and memory protection. When this feature is used to implement processes, the net result is that every piece of software lives in a "private" chunk of RAM, and only communicates with other software through controlled communication channels.

So if a given piece of software runs amok, it should only run amok within the boundaries of what it's allowed to do. Am I correct?

"Sure it does, and in the desktop space there have been quite a few of them: tucows, download.com, versiontracker and macupdate are just a few. But these are merely aggregators, not App Stores. They offer no guarantee of the purchase process and in most cases not even about the availability of the listed application."

"Not if you know what functionality you're looking for. You might search for an unrar app, a VNC client, an RSS reader, … Doing those searches conveniently pops up a list of all available apps, allowing you to pick the one with the functionality and price point you find appropriate for your needs."

Fair point: there is a trade-off between general usage convenience and decentralization. A centralized system gives an unreasonable amount of power to the repository owner, but also means centralized knowledge about software availability.

"You're more likely to be served in a better way if you just consult the app ratings and read the user reviews in the App Store."

Ratings and reviews are a mixed bag, in my experience. Sometimes they work, sometimes they don't.

Let's talk about ratings first. While it is very easy to give binary ratings to stuff which you feel is excellent or extremely bad, it is much harder to express mixed feelings in a rating, and if a large number of people do it the information is likely to be averaged away. Typically, I take a rating that is less than "perfect" as a warning, but it doesn't give me much more information without attached written reviews.

As for reviews themselves, when you're dealing with a small and informed user base, such as on some computer hardware websites, they can be very helpful. But when the user base grows, there is a growing number of parasites who post poor-quality reviews, or stuff which does not even qualify as a review (the "I have a big dick" or "First" variety of comments). On frequently reviewed software, the noise often ends up erasing the insightful information, unless you're ready to read through 4 pages of comments to get an idea about each piece of software.

To fight this tendency, some websites which use ratings and reviews, like Amazon, have a way for users to say "this review is insightful" or "this review did not help", which in my experience works quite well. But I don't think Apple have this in their stores.

"Why wait 2 months for a published magazine to pick up a newly released app? This used to be my methodology of working in the past, but now we're talking about the nineties, when broadband wasn't among us yet and magazines with CD-ROMs were still a huge deal."

This is why I also mentioned websites and relatives, which in the Internet age are surely much faster than magazines ;) Magazines still have their use though, as they can provide higher-quality reviews than other solutions for "big" software which doesn't change a lot over time, such as office suites, image and video editors, CAD tools...

"You browse through the list, look at the user ratings, read the reviews and description, and look at the screenshots. I don't see much difference in the selection process. When you like something it's a quick trip to the buy button and you have it working. Instant gratification. The barrier can't get much lower than this."

Again, you're right that centralization does have its good sides, including convenience for everyday use.

Reply Parent Score: 2
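As an added example (not code from either commenter), here is what frderi's "bug that facilitates buffer overruns" and the two protections Neolander names, fixed-length buffers enforced at the API level and canaries, look like in C: a bounded copy that refuses input which would not fit, and a guard word placed right after a fixed buffer that reveals when a copy ran past it. The struct layout, the CANARY value and the input strings are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define NAME_LEN 16
#define CANARY   0xC0FFEE42u   /* constructed guard value for the demo */

/* Bounded copy: the API enforces the destination size itself and refuses
   input that would not fit (terminator included), instead of overrunning
   the buffer as an unbounded strcpy would. Returns bytes stored or -1. */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) return -1;   /* would overflow: refuse */
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* A fixed-length stack field of the kind a document parser fills from
   untrusted input; oversized input is rejected rather than written past it. */
int set_name(const char *src) {
    char name[NAME_LEN];
    return copy_bounded(name, sizeof name, src);
}

/* Canary simulation: a guard word sits right after a fixed buffer, as a
   compiler-inserted stack canary sits before the saved return address.
   Copying len bytes "into buf" without a bound is modelled as a write
   through the struct base; the copy is clamped to the struct so the
   simulation itself stays well defined. Returns 1 if the guard was
   clobbered (overrun detected), 0 if the write stayed inside buf. */
struct frame { char buf[8]; uint32_t canary; };

int canary_detects_overrun(const char *src, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, src, len);             /* stands in for an unbounded strcpy */
    return f.canary != CANARY;        /* a real canary check aborts here */
}
```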