How to test OS X Mountain Lion's Gatekeeper in Lion

How to test OS X Mountain Lion's Gatekeeper in Lion
While I started working on comparing various OS X hardening guides (see the prior diary from a couple of days ago), Apple announced one important new security feature in OS X 10.8 (Mountain Lion). The new operating system to be released this summer will include a white listing system based on iOS. iOS has received a lot of criticism for its closed nature, but so far, I have to admit it has worked pretty well. We have heard very little about iOS malware while Android malware appears to start steal the show from Windows malware (it got a while to go, but all the news lately appears to be about Android malware). iOS uses a pretty simple and effective security model to fight malware: Whitelisting. All software installed on an iOS device has to be digitally signed. In order to be digitally signed, the software has to be reviewed by Apple. Only software that uses standard Apple vetted APIs is considered trustworthy to be signed, making it difficult to sneak in malicious code. If malicious software slips through, it can be recalled later. Over the last few years, the opposite model, blocklisting ("Anti Malware") has failed spectacularly. Even many desktop users now use third party whitelisting software which is usually more granular then what Apple proposes. Apple's approach allows for essentially three different "settings": - Only allow Apple approved software (pretty much what iOS does) - allow Apple approved software, but also allow software signed with specific additional certificates (you could use this to sign your own software. Kind of like accepting the certificate from an iOS developer for testing) - allow all software (pretty much "unlocked" in iOS terms) There are some specific limitations to Apple's approach: - the signatures are only tested during install. If malicious software passes the install, it will not be inspected further. - only executables are checked. A malicious PDF may still cause havoc, even if it may no longer be able to then download and install additional malware The best part in my opinion is that the functionality was already pushed out to systems as part of the last OS X update (10.7.3). So you can already experiment with the feature and see how well it works (or doesn't work). I am running it now for a while off and on and so far, haven't experienced any ill effects, aside from it blocking me once or twice from installing software. Each time, I just disabled it temporarily (which could be considered a weakness). The command line utility spctl can be used to enable or disable the feature. spctl --enable will enable it, spctl --disable disable it. You need to be root to run the utility. ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022	Johannes 4479 Posts ISC Handler Feb 22nd 2012
Thread locked Subscribe	Feb 22nd 2012 1 decade ago
Does the Gatekeeper system work for code the application may download later, e.g. plugins, etc? Does it work for interpreted code (i.e. scripts) or only compiled binaries? Thanks	Anonymous
Quote	Feb 22nd 2012 1 decade ago
Just for everyone's reference: The Ultimate OS X Hardening Guide Collection (https://isc.sans.edu/diary.html?storyid=12616). Also, can anyone provide examples of the "third party whitelisting software" that "many desktop users now use"? I must not be one of those users. Thanks	Anonymous
Quote	Feb 22nd 2012 1 decade ago

While I started working on comparing various OS X hardening guides (see the prior diary from a couple of days ago), Apple announced one important new security feature in OS X 10.8 (Mountain Lion). The new operating system to be released this summer will include a white listing system based on iOS. iOS has received a lot of criticism for its closed nature, but so far, I have to admit it has worked pretty well. We have heard very little about iOS malware while Android malware appears to start steal the show from Windows malware (it got a while to go, but all the news lately appears to be about Android malware).

iOS uses a pretty simple and effective security model to fight malware: Whitelisting. All software installed on an iOS device has to be digitally signed. In order to be digitally signed, the software has to be reviewed by Apple. Only software that uses standard Apple vetted APIs is considered trustworthy to be signed, making it difficult to sneak in malicious code. If malicious software slips through, it can be recalled later.

Over the last few years, the opposite model, blocklisting ("Anti Malware") has failed spectacularly. Even many desktop users now use third party whitelisting software which is usually more granular then what Apple proposes.

Apple's approach allows for essentially three different "settings":

- Only allow Apple approved software (pretty much what iOS does)
- allow Apple approved software, but also allow software signed with specific additional certificates (you could use this to sign your own software. Kind of like accepting the certificate from an iOS developer for testing)
- allow all software (pretty much "unlocked" in iOS terms)

There are some specific limitations to Apple's approach:

- the signatures are only tested during install. If malicious software passes the install, it will not be inspected further.
- only executables are checked. A malicious PDF may still cause havoc, even if it may no longer be able to then download and install additional malware

The best part in my opinion is that the functionality was already pushed out to systems as part of the last OS X update (10.7.3). So you can already experiment with the feature and see how well it works (or doesn't work). I am running it now for a while off and on and so far, haven't experienced any ill effects, aside from it blocking me once or twice from installing software. Each time, I just disabled it temporarily (which could be considered a weakness).

The command line utility spctl can be used to enable or disable the feature. spctl --enable will enable it, spctl --disable disable it. You need to be root to run the utility.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

Johannes

4479 Posts
ISC Handler

Feb 22nd 2012

Does the Gatekeeper system work for code the application may download later, e.g. plugins, etc?

Does it work for interpreted code (i.e. scripts) or only compiled binaries?

Thanks

Anonymous

Just for everyone's reference: The Ultimate OS X Hardening Guide Collection (https://isc.sans.edu/diary.html?storyid=12616).

Also, can anyone provide examples of the "third party whitelisting software" that "many desktop users now use"? I must not be one of those users.

Thanks

Anonymous