Hackers versus Apple
An interview with Charlie Miller and Dino Dai Zovi
Heise's new Mac & i magazine recently interviewed Charlie Miller and Dino Dai Zovi, co-authors of “The Mac Hacker's Handbook” about Apple security and how to compromise it. The H is able to present that interview in full. Both Miller and Dai Zovi are well known for their exploits against the Apple Mac software environment. Miller is a researcher currently employed by the security consultants Independent Security Evaluators. He previously worked for the NSA and has won prizes for successful exploits at several Pwn2Own contests.
Like Miller, Dai Zovi is a regular at Pwn2Own and was successful at the first Pwn2Own contest at CanSecWest 2007, where he hijacked a MacBook Pro through a cross-platform QuickTime flaw. He has been named by eWeek as one of the top 15 most influential people in security and currently works as an independent security consultant, author and speaker.
Mac & i: If there was something like a Mac Hacker Rockstar, the title would probably be yours. Rumour has it that both of you are avid Mac fans and users as well. Why is it you still do all that hacking?
Charlie Miller: There are a couple reasons. One is, as you mentioned, I use a variety of Apple products and it is in my best interest to see them be as secure as possible. The other is to let Mac users understand the real risks. If you only listen to Apple (or Mac fanboys), you would believe Macs are impossible to hack, which isn't the case. By telling people of the risks, in a real and fair way, I hope users can make informed decisions about how they use their Apple devices.
Dino Dai Zovi: I started using Macs for the same reason that I started hacking on them: I think that they are interesting technology. I like to pick software apart and see how it works (and/or fails), so since I often have a Mac with me, I'll often spend some idle time reading Mac OS X source code or binaries to see how something is implemented. I also like to know first-hand the level of security offered by software that I use, and I'll often try and spend some time "kicking the tires" a bit.
Mac & i: On their OS X security page, Apple maintains "OS X has you covered". When you compare that to Windows 7, how secure is OS X with Snow Leopard? What are the main differences security-wise between both OSs?
DDZ: Comparing the level of security between two operating systems is difficult and only part of the picture. You need to factor in whom you are defending against, how well resourced they are, and what the attack vectors are. For most of the readers of the magazine, their primary concern would be defending against malware while browsing the web. At present, a Mac with Snow Leopard is the safer option, primarily due to its market share being well below Windows 7's. For a targeted attack, however, it has been my experience that finding and exploiting vulnerabilities in Mac OS X is significantly easier than doing so in modern Windows systems (Vista and 7). However, the 3rd party plug-ins installed in most users' browsers make attacking even the latest and greatest Windows systems significantly easier. I recommend that users surf the web with Google Chrome, disable unnecessary plug-ins, and use site-based plug-in security settings for the plug-ins that they do need.
CM: There are two main issues with "security". One is how many vulnerabilities a platform has. The other is how hard it is to turn those vulnerabilities into an exploit. For the former, it is hard to measure how many bugs the OS and its default applications possess. However, experience shows me that OS X probably has more bugs than a Windows browser. Every QuickTime vulnerability is accessible through the browser, and there are a lot of those! As for difficulty of exploitation, Mac OS X is weaker than Windows 7 as well. The industry standards for stopping exploitation are Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). While these are highly technical terms, the fact is that Windows since Vista practises full ASLR and DEP while OS X does not. OS X only randomises some portions of memory and so does not have full ASLR, and its DEP is limited to only 64-bit processes, like Safari, but does not affect 32-bit processes like Flash.