#20724 - 02/19/12 12:08 AM How important is sandboxing?
artie505
Is it necessary in today's environment?

Is it no more than an overreaction to some imaginary threat?

Or is Apple being realistically visionary and conducting a pre-emptive strike against an amorphous, but nonetheless real, future threat?
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#20731 - 02/19/12 08:34 AM Re: How important is sandboxing? [Re: artie505]
Hal Itosis
Originally Posted By: artie505
> Is it necessary in today's environment?

Not sure what's being implied by "todays" environment. Sandboxing has been necessary ever since malware was invented.


Originally Posted By: artie505
> Is it no more than an overreaction to some imaginary threat?

There are many real threats already in existence (and many vulnerable users to go along with them).


Originally Posted By: artie505
> Or is Apple being realistically visionary and conducting a pre-emptive strike against an amorphous, but nonetheless real, future threat?

Nothing visionary about sandboxing today... I think it's already been around a while.

What matters (to me) is the degree of control they provide the end-user. E.g., the version of TextWrangler we get at the MAS is crippled (can't edit system files). Fortunately, we can get a 'normal' version directly from Barebones. If sandboxing gets implemented such that even the direct-download version is irretrievably crippled, then I won't be a happy camper.

#20756 - 02/21/12 02:20 AM Re: How important is sandboxing? [Re: Hal Itosis]
artie505
Thanks, Hal.

> Nothing visionary about sandboxing today... i think it's already been around a while.

My "realistically visionary" question was more directed at Apple's push for universal implementation of sandboxing in 3rd party apps than as a general question.

(Since I posted, I've searched a bit and found "Sandbox" folders in both /Library and /System/Library, the former empty...the latter populated, so it obviously has been around for a while.)

And as for your fears about TextWrangler, I'll echo them as respects Butler, v 5.0 of which has been on indefinite hold because of sandboxing.


Edited by artie505 (02/21/12 02:21 AM)

#20757 - 02/21/12 02:26 AM Re: How important is sandboxing? [Re: artie505]
tacit
Sandboxing is a preemptive protection from as-yet-undiscovered threats.

It used to be that the operating system was the most common attack surface for any computer. Malware writers looked for operating system flaws in order to spread malware.

However, these days, operating systems--even from Microsoft--are pretty robust and are becoming difficult targets. Mac OS X has always been a very hard nut to crack, and with Microsoft getting serious about security, Windows flaws are becoming harder and harder to exploit. So these days, the majority of malware is spread not through operating system flaws, but through application flaws, with Adobe Acrobat Reader being a great example of a seriously flawed application that's prone to attack.

The idea behind sandboxing is that if a flaw exists in an application that allows a hacker to create a document that will exploit the flaw and allow the hacker to execute arbitrary code, the hacker is still limited in what he can do. An app exists inside a "sandbox"--an enforced perimeter that the operating system provides. If an application attempts to do something that violates that perimeter, say by accessing the system files on the computer, the operating system terminates it.

In a world where most malware is spread by infected documents that corrupt the application that is used to read the documents, sandboxing is very important. It is reasonable for Apple to require software they distribute to be sandboxed.

A lot of folks believe that Apple will soon forbid distributing software except through the Mac app store. I find this belief to be deluded. It ignores reality--OS X isn't a locked operating system; few people would use it if it were; large, complex apps like Adobe Creative Studio are unlikely ever to be distributed via the MAS; developers would be unlikely to code apps for such a platform...

The delusion comes from the fact that people look at smartphones and think of them as portable computers, and so ask "Well, if smartphones can be locked down, why can't computers?" But people use smartphones differently from computers and have different expectations.

A better analogy is to think of smartphones like video game consoles. Ever since the first Nintendo, game consoles have always been locked. Console makers tightly control the market for console games, they must approve all games, they charge developers very high fees to develop games (when the PlayStation came out, game developers had to pay more than $10,000 to license the game development kit), and the console makers always get a cut of every sale.

The Sony PlayStation line of consoles is far more tightly locked down than, say, an iPhone, but nobody says "See? This means Sony is going to start locking its VAIO computers too!" because we don't think of laptops and consoles as similar, whereas we do think of laptops and smartphones as similar. But the way we use them is still very different, and trying to lock down a desktop operating system makes it far less useful. Apple is many things, but it's not stupid.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#20764 - 02/21/12 03:29 AM Re: How important is sandboxing? [Re: tacit]
artie505
Thanks for the post.

> A lot of folks believe that Apple will soon forbid distributing software except through the Mac app store. I find this belief to be deluded. It ignores reality--OS X isn't a locked operating system; few people would use it if it were; large, complex apps like Adobe Creative Studio are unlikely ever to be distributed via the MAS; developers would be unlikely to code apps for such a platform...

The delusion comes from the fact that people look at smartphones and think of them as portable computers, and so ask "Well, if smartphones can be locked down, why can't computers?" But people use smartphones differently from computers and have different expectations.


Well... I'm one of those "deluded" people (Read me.), but my "delusion" is rooted in extreme cynicism about...distrust of Apple's motives, rather than as you've guessed.

I've got zero idea, and can't even begin to guess, what they've got in mind, but while your point is valid, I'll bet the farm that what they've begun is nowhere near finished.

#20770 - 02/21/12 11:18 AM Re: How important is sandboxing? [Re: artie505]
Virtual1
Originally Posted By: artie505
> Is it necessary in today's environment?
>
> Is it no more than an overreaction to some imaginary threat?
>
> Or is Apple being realistically visionary and conducting a pre-emptive strike against an amorphous, but nonetheless real, future threat?


The Cliff's Notes for sandboxing basically is to run a program inside a simulated environment, so that in the event that the program (by "design, bug, or malice") does something it's not supposed to ("breaks out" of the program), it only gains access to the simulated environment, not the real one. It's merely a safety net.

If the world was perfect, sandboxing would serve no purpose. But since "design, bug, or malice" can never be reduced to zero, it has a purpose. The more you can reduce the threat to begin with, the less relevant a sandbox becomes.

But there will always be a risk, again by "design, bug, or malice", of the sandbox being escapable. So you haven't added a bulletproof barrier, you've only added one level of exponent to the numbers. When sandboxes become standard, malware will simply be designed as a two-stage attack - escape the application, and then escape the sandbox the app is in. No one will write malware that can't get out of the sandbox, there'd be no point to it. But it would help reduce the effects of bugs. Preventing buggy apps from crashing the OS, for example. So it becomes less valuable, but not entirely worthless. In a way even now, when an app crashes it usually doesn't bring down the OS, so in that respect there's already a sandbox of sorts in place. Or at least a buffer/insulator.
_________________________
I work for the Department of Redundancy Department

#20772 - 02/21/12 11:55 AM Re: How important is sandboxing? [Re: Virtual1]
artie505
Thanks for that.

#20781 - 02/22/12 02:50 AM Re: How important is sandboxing? [Re: Virtual1]
tacit
Originally Posted By: Virtual1
> The Cliff's Notes for sandboxing basically is to run a program inside a simulated environment, so that in the event that the program (by "design, bug, or malice") does something it's not supposed to ("breaks out" of the program), it only gains access to the simulated environment, not the real one. It's merely a safety net.


As a technical note, the Apple sandbox design in Lion isn't a simulated or virtual environment. The approach Apple uses is a bit different than many other sandbox designs.

The way that Apple's sandbox works is that an application has a signed list of privileges, which Apple calls "entitlements," that describe the things the program needs to do in order to work. As a programmer, you decide what your application needs access to, and you create a list of these "entitlements." When you submit the app to Apple for inclusion in the Mac App Store, the list of entitlements becomes added to your app.

The entitlements list things like "must be able to write files to the user parts of the disk," "must be able to access the network," "must be able to access the Webcam," "must be able to read the user's iTunes or iPhoto database," "must be able to access Bluetooth," "must be able to download files from the Internet and save them," and so on, and so on.

Mac OS X watches what an application does. If an application attempts to take an action that is not on the list of entitlements, OS X terminates the application immediately.

Say, for example, that you have written an insecure app that reads PDF files. Your list of entitlements would be very small; "read access to user files" and "read files that the user chooses."

Now say a hacker creates a booby-trapped PDF file that, when opened, allows the attacker to run code, and the attacker attempts to download a file from the Internet. (This is a real example of how a common PDF exploit works).

As soon as the user opens the booby-trapped PDF file, the attacker's malicious code hidden in the file executes and tries to download files from the Internet. Without sandboxing, the files are downloaded and executed and the user is now infected. With sandboxing, the moment the attacker's code tries to download a file from the Internet, OS X looks at the list of entitlements and sees that the "download and save files" entitlement isn't there. So the PDF reader program is immediately terminated.
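The entitlement lookup described in the post, as an added illustration that is not part of the thread or of Apple's code: a constructed entitlements plist for a hypothetical sandboxed PDF reader (the entitlement keys are real App Sandbox names, the app and the operation-to-entitlement table are assumptions), and a checker that walks the operations a booby-trapped document might attempt and reports where the sandbox would refuse.

```python
import plistlib

# Constructed entitlements plist for a hypothetical PDF reader: sandboxed,
# allowed to read files the user picks, and nothing else (no network).
PDF_READER_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
</dict>
</plist>
"""

# Assumed mapping from an action the app attempts to the entitlement it needs.
# The keys on the right are genuine App Sandbox entitlement names.
REQUIRED_ENTITLEMENT = {
    "open-user-selected-file": "com.apple.security.files.user-selected.read-only",
    "write-user-selected-file": "com.apple.security.files.user-selected.read-write",
    "network-outbound": "com.apple.security.network.client",
    "network-inbound": "com.apple.security.network.server",
    "camera": "com.apple.security.device.camera",
    "bluetooth": "com.apple.security.device.bluetooth",
}

def load_entitlements(plist_bytes):
    """Parse an entitlements plist; return the set of entitlement keys set to true."""
    data = plistlib.loads(plist_bytes)
    return {key for key, value in data.items() if value is True}

def is_sandboxed(granted):
    return "com.apple.security.app-sandbox" in granted

def check_operation(granted, operation):
    """'allow' or 'deny' for one operation. An app without the sandbox
    entitlement is not confined at all, which is the pre-sandbox situation."""
    if not is_sandboxed(granted):
        return "allow"
    needed = REQUIRED_ENTITLEMENT.get(operation)
    if needed is None:
        return "deny"  # anything not on the list is refused too
    return "allow" if needed in granted else "deny"

def trace_operations(granted, operations):
    """Evaluate operations in order and stop at the first denial, returning
    the (operation, verdict) pairs reached."""
    trace = []
    for op in operations:
        verdict = check_operation(granted, op)
        trace.append((op, verdict))
        if verdict == "deny":
            break
    return trace
```

Running the post's scenario, opening the chosen PDF is allowed and the outbound network request is refused, so the download never happens.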

#20792 - 02/22/12 09:25 AM Re: How important is sandboxing? [Re: tacit]
Hal Itosis
I'm guessing that (in addition to those entitlements) a mechanism much like chroot might also be employed. E.g., the app will be running chrooted to the user's home... and that affords it no means with which to access (read or write) anything above and beyond that home folder. As far as it knows, the "root" (/) of all available file space is that home folder. It can only reach down within that hierarchy.

Hmm, or perhaps such restrictions are more necessary for writing than reading. Anyway... just guessing there.


Edited by Hal Itosis (02/22/12 09:34 AM)
