flat assembler
Message board for the users of flat assembler.
Poll: Can an OS be TOO secure?
Yes: 50% [ 2 ]
No: 50% [ 2 ]
Total Votes : 4

ProphetOfDoom



Joined: 08 Aug 2008
Posts: 101
Location: UK
Can an OS be TOO secure?
I remember quite a while back Tomasz posted his concerns that assembly programming might one day be made illegal. I also remember reading a short story by Richard Stallman about a dystopian future in which only an elite are allowed to use debuggers. Now I've become very disillusioned with Stallman and his four freedoms after I found out that he's in favour of chopping up live babies (he prefers the term "abortion"). I decided Stallman is not a moral authority on anything. Moreover, I discovered a couple of years ago that my love of Linux was actually a love of Unix, and I didn't actually much care if the source code was available. I've used Linux for 12 years and have only looked at the kernel source once.

Now something has happened which has caused me to pause and reconsider. I decided a few days ago to write a source-level debugger for MacOS. I thought I would get a working prototype ready fairly quickly, but the obstacles Apple's OS has put in my way are extreme to say the least.
First of all, ptrace() on MacOS is unable to obtain the register values of another process (or read/write from/to that program's memory). It's just impossible. A few years ago, there was a workaround where you could call some mach functions (task_for_pid() and thread_get_state(), amongst others) to accomplish the same goal. But then Apple brought in something called SIP (System Integrity Protection). This feature has become increasingly... well... protective. At first it meant that you couldn't write to certain directories even using sudo (for example /usr/bin and /usr/lib). Later, it meant you couldn't access the low-level mach functions without a self-signed certificate. The current situation seems to be that even a certificate isn't enough (maybe a certificate from Apple would work? MacOS's standard debugger, lldb, seems to work somehow). You can disable SIP by rebooting into safe mode and running a simple command, however no-one can ask end users to do this and realistically expect their product to be used. Most Mac users probably don't even know how to do this.

So the future architecture of my debugger is looking like this: two FIFOs (named pipes) sending messages between the traced program and the tracer. With pipes a program can volunteer its registers... the only way for another process to get at them. And instructions can be sent and received using some sort of agreed protocol to ask a process to read/write memory. It's hardly ideal.

It is like Linux with an ultra-hardened kernel. The question is, are all these things sensible security measures or an erosion of user freedom? Will Microsoft Windows and Android start to behave in a similar way? I'm fairly sure Linux is safe. Or is it?
Post 31 Aug 2017, 02:00
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
It is a trend that is appearing on more and more devices these days. The manufacturers want to keep control, for your protection of course. The devices receive updates and send telemetry and treat the user as a hostile entity. For your protection of course. And naturally we should trust the manufacturers because they said they are trustworthy (tautology is a wonderful thing). For your protection of course. And if you try to hack into it then they have already lobbied for laws to make you a criminal (DMCA et al.). For your protection of course. And to keep the revenue rolling in and to make sure the company still makes a profit all your apps and programs will come only from the approved store. For your protection of course. If you want to do something custom or different or out of their control then you will be blocked at every turn, and arrested for being a dangerous hacker. For your protection of course.
[/paranoia]

Well, okay, perhaps not so bad ... yet. But we are getting there. If we just sit back and accept it, then we deserve everything we get.

Right now open source is our only hope, but it has problems, it is messy. But it is slowly getting better with more usage. That doesn't mean Linux is the answer though. Perhaps other options will come up. Perhaps Linux is the answer. We don't know yet.
Post 31 Aug 2017, 02:41
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex

ProphetOfDoom wrote:
Can an OS be TOO secure?

Thinking about this question a little bit more. I think we need to define who it is secure for. If it is secure for you and no one else then the more secure the better IMO. But if instead it becomes more secure for some remote entity at your expense, for your protection of course, then that would be a bad thing IMO.
Post 31 Aug 2017, 08:56
guignol



Joined: 06 Dec 2008
Posts: 267
human-alike is hostile entity to open security
Post 31 Aug 2017, 09:40
guignol



Joined: 06 Dec 2008
Posts: 267
actual animals are more open to obvious limitations
Post 31 Aug 2017, 09:42
guignol



Joined: 06 Dec 2008
Posts: 267
if not for a higher authority, humans are completely responsible for what's going on
humans share as much collective responsibility as animals do
Post 31 Aug 2017, 09:47
ProphetOfDoom



Joined: 08 Aug 2008
Posts: 101
Location: UK
I have been thinking more about the situation since my first post too. I would hesitate to call what Apple is doing dystopian because as I said, SIP can be turned off. But it's incredibly annoying. I suspect the reason SIP can be switched off is because Apple's own staff found it too restrictive. And SIP can be helpful. My niece (who I'd bet doesn't even know what a CPU register even _is_) got her MacBook Air because she was impressed with their resilience to malware (her Android phone had adware on it).
One thing that does bother me is that we are moving away from the idea that a computer is a thing the end user can program. Computers are now considered entertainment devices. When I was 5 and I got my first computer, it came with a programming manual. It was assumed that I would want to program it. Contrast that to today.
MacOS definitely is secure for parties other than the end-user though. Films I rent "expire" after 48 hours. It obviously took extra code to make the films expire. So that is an example of Apple using my electricity to run code that benefits them and inconveniences me. I tolerate this because I'm a Catholic and I do broadly agree with the idea that creators should be paid for their "content", even if I disagree with the way payment is enforced. Plus there is the practical thing that torrented apps/content can't be trusted to be free of malware. So am I contributing to a future dystopia by accepting this? Um, I hope not.
And you're right, Linux is not ready. I was really hopeful about Ubuntu for phones but it was literally the worst OS I have ever used and I reflashed the phone with Android as soon as I realised Canonical had abandoned it.
On a more practical level, I just wish I could write a traditional debugger and it's really peeing me off! Luckily it's a source level debugger so the pipe solution is workable. I don't know how someone would write an assembly level debugger without Apple's permission.
Post 31 Aug 2017, 13:31
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex

ProphetOfDoom wrote:
... without Apple's permission.

Therein lies the crux of the problem. Control is in the hands of someone else. And that someone else does not have your best interests as their highest priorities. Apple will continue to "secure" their OS, naturally, but it will be secure against you, requiring you to politely ask Apple for permission to use it, on a system that you paid for.
Post 31 Aug 2017, 13:41
Furs



Joined: 04 Mar 2016
Posts: 759
Just FYI, Linux also disallows you from inspecting another process' memory or registers even under the same user, by default.

I don't see it as a big deal: it helps "casual" people with zero technical knowledge in being slightly more secure. And, as long as it can be turned off, it's fine for technical people too.

You have to jump through a few hurdles (with Linux it's easy, just a kernel parameter in the pseudo-filesystem), but you're doing that ANYWAY to stay secure. For example, you'll add multiple users so that malware won't infect your main (offline!) user account. Use a different account for browsing or such (and run it from the main user, no relogging needed in Linux, just make a bash script).

Mind you, even with turning that option off, Linux won't allow you to read another process' memory if it's a different user. Unless you're root. So it's fine.

However, I despise Apple because most of their decisions revolve around lockdown and not security. Wouldn't be surprised if this was the reason for SIP. But Linux is definitely not in the same boat, since it can be turned off, guaranteed.
Post 31 Aug 2017, 13:42
ProphetOfDoom



Joined: 08 Aug 2008
Posts: 101
Location: UK
So ptrace can't get the registers of another process on Linux??? Even from a forked, child process? Are you sure? I never knew this. How do you get around it?
Post 31 Aug 2017, 13:47
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex
For a different user, I get that. A multi-user system shouldn't allow indiscriminate cross user interaction. But for all processes under the same user there should not be such a restriction IMO. Unless I missed something?
Post 31 Aug 2017, 13:53
Furs



Joined: 04 Mar 2016
Posts: 759
Well, wine sort of requires scanning other processes' memory (since Windows requires it), so there's a way to disable it. I'm just saying it's no big deal to disable it (other user accounts still won't be able to scan your memory, since different users, so run your browser as another user always).

You can either disable it "dynamically" after it loaded with this command:

Code:
sudo sh -c 'echo 0 > /proc/sys/kernel/yama/ptrace_scope'

Or edit /etc/sysctl.d/10-ptrace.conf as root and add:

Code:
kernel.yama.ptrace_scope = 0

Or place the first command in rc.local, or on a script you run whenever, etc.

(/proc is a pseudo-filesystem, used for kernel commands and such, it's not actually on disk)



@revolution: You'd be right if everyone was competent ;)

But Windows taught us: casual people use only one user account and, if they aren't forced to, an Administrator account, always. These security measures are for those people. In Apple's case I'm sure it's all about lockdown/control though.
Post 31 Aug 2017, 13:55
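The default Yama setting (ptrace_scope = 1) only blocks tracing of processes that are not descendants of the tracer, so a debugger that forks its target can still read the child's memory on Linux, which answers the earlier question about forked children. This is an added example, not code from any post in this thread; it assumes Linux with glibc, and child_secret, yama_ptrace_scope and peek_child_secret are names chosen here.

```c
/* Added example, not from any post in this thread.  Assumes Linux with
 * glibc; child_secret, yama_ptrace_scope and peek_child_secret are names
 * chosen here.  Shows that under the Yama default ptrace_scope=1 a tracer
 * may still read memory of a child it forked, because scope 1 only blocks
 * tracing of processes that are not descendants of the tracer. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returned when the kernel (scope 2 or 3) or a sandbox refuses tracing. */
#define PTRACE_DENIED (-1L)

/* Constructed value: the child stores it and the parent reads it back.
 * Non-static so the store is committed before the child calls raise(). */
long child_secret = 0;

/* Current Yama setting (0..3), or -1 when Yama is not present. */
int yama_ptrace_scope(void) {
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Fork a child that volunteers for tracing, then read its memory with
 * PTRACE_PEEKDATA.  fork() copies the address space, so &child_secret is
 * the same address in both processes. */
long peek_child_secret(void) {
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return PTRACE_DENIED;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(2);             /* tracing refused: report via exit code */
        child_secret = 0x2a;
        raise(SIGSTOP);           /* hand control to the tracer */
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status))
        return PTRACE_DENIED;     /* child exited instead of stopping */
    errno = 0;
    long value = ptrace(PTRACE_PEEKDATA, pid, &child_secret, NULL);
    if (value == -1 && errno != 0)
        value = PTRACE_DENIED;
    ptrace(PTRACE_DETACH, pid, NULL, NULL);   /* let the child finish */
    waitpid(pid, &status, 0);
    return value;
}

int main(void) {
    printf("yama ptrace_scope = %d\n", yama_ptrace_scope());
    long v = peek_child_secret();
    if (v == PTRACE_DENIED)
        printf("kernel refused to let the parent trace its child\n");
    else
        printf("parent read 0x%lx from the child's memory\n", v);
    return 0;
}
```

With ptrace_scope set to 2 or 3, or under a sandbox that filters ptrace, PTRACE_TRACEME fails in the child and the function reports PTRACE_DENIED instead of a value.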
ProphetOfDoom



Joined: 08 Aug 2008
Posts: 101
Location: UK
Hmm. I was wondering how the IDA debugger works on MacOS and thinking I may have overlooked something. Some technique to access a process's registers. But it looks like IDA ships with drivers so maybe that's the answer as I've read some Mach kernel code and it appears it can access the SIP function calls without restrictions. If there's some super geek out there that can tell me how to get hold of this stuff purely in user space though, I'd love to be proven wrong!
Post 31 Aug 2017, 22:23
nyrtzi



Joined: 08 Jul 2006
Posts: 187
Location: Off the scale in the third direction
And if the device is in your head interfacing directly with your brain?

Didn't Elon Musk get involved with such a company just lately?

In the Journal of the ACM there was an article about this stuff too. How secure can it be? When will the cops and other officials who have access to your data start to demand that they should be able to read your mind too?
Post 01 Sep 2017, 17:27
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex

Furs wrote:
You'd be right if everyone was competent ;)

But Windows taught us: casual people use only one user account and, if they aren't forced to, an Administrator account, always. These security measures are for those people. In Apple's case I'm sure it's all about lockdown/control though.

Perhaps if the UI was improved people might actually start using different accounts. As it is now the whole thing is a mess, so it is not surprising people are reluctant to use alternative accounts. It is just too much hassle, and people are basically lazy.
Post 01 Sep 2017, 17:36
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15096
Location: The Unicomplex

nyrtzi wrote:
In the Journal of the ACM there was an article about this stuff too. How secure can it be? When will the cops and other officials who have access to your data start to demand that they should be able to read your mind too?

UK's RIPA laws are very scary IMO.
Post 01 Sep 2017, 17:37
ProphetOfDoom



Joined: 08 Aug 2008
Posts: 101
Location: UK
I tend not to worry about these authoritarian laws that get introduced from time to time. It's partly my Catholic faith, I know that all evil is turned to good in the end. But also more practically, one or two authoritarian laws does not make a fascist/communist government. For example, in the 1940s and I think the 1950s it was legal for the authorities in Britain to chemically castrate homosexuals. That, in my opinion, is a truly evil thing to do to any human being and utterly inexcusable, whatever the person may have done. But was the British government more generally authoritarian? Absolutely not. We'd just defeated fascism and most of our other laws were perfectly sane and normal. It was just an anomaly that eventually got corrected.
Post 02 Sep 2017, 14:57
nyrtzi



Joined: 08 Jul 2006
Posts: 187
Location: Off the scale in the third direction

revolution wrote:

nyrtzi wrote:
In the Journal of the ACM there was an article about this stuff too. How secure can it be? When will the cops and other officials who have access to your data start to demand that they should be able to read your mind too?

UK's RIPA laws are very scary IMO.



They're working on something similar in my country too here in the Nordics and it follows the common pattern.

There are some good arguments they could make but in the media they just seem to concentrate on the iffy and the bad ones. And they make themselves sound like they're just emotionally reacting to being embarrassed by it having been other countries that they needed to ask for help to get the information. In the end their reasons end up sounding like stupid excuses in the light of the counterarguments that point out the likely negative consequences and side-effects like "Who is going to watch the watchers?", etc.

Recently a retired military historian who had been writing columns for decades, and was still writing them, for the journal for the national officer corps was told his services are no longer needed because the publication felt that they needed someone with a fresher perspective. This was after he wrote a column where he pointed out that during the Soviet era the military was sucking up to the Soviets while now they are sucking up to the Americans. During the Soviet era after weapon systems were bought from the East people were sent for training to Moscow where obviously a fair bit of brainwashing was going on but the people who came back still had a firm grip of reality as a part of our modern national ethos is built around our memories of barely having been able to keep our independence through our wars against the Soviets.

Nowadays the weapons are bought from NATO but the difference is that the people who come back from training exhibit symptoms akin to religious conversion. Him writing this probably ruffled the feathers of some higher ups and thus he was "let go" with that bullshit excuse.

Now all of the above is what he wrote in a local newspaper so it is public knowledge and just what he says with me not having verified any of it. But it got me thinking because I remember how they tried to sell the idea of the surveillance laws in public national TV broadcasting by bringing out experts who seemed clueless and incapable of explaining why they even thought it was all a good idea. "Of course we must get one because all the other kids have it too" is hardly a very convincing argument and that's what their best argument sounded like to me.

My guess was that the Americans who had built systems of their own for that purpose had been doing marketing and the paperpushers of our armed forces had fallen for the marketing bullshit hook, line and sinker without a trace of healthy critical thought which is obviously something that can be seen as happening if they've been mostly brainwashed by NATO at least to some extent. I wonder what the marketing arguments have been like. Obviously I'm assuming here that NATO is in reality just an arm of the US military like Chomsky and others say.

Then again all of this stuff is just a part of the geopolitical power games that the major players at the world stage play. A dirty game where all are just advancing their own national interests with smaller countries being mere pawns. Then again obviously I have no clue and no way of even finding out and even less of proving what kinds of factions within the political system and the military are involved, what their aims are. After all the only sources I have are newspapers and I don't even read them more than randomly perhaps a paper once a month. So I'm just speculating how much of what I see in the media is again all just theater in order to keep one or another major power happy. Impossible to tell either way. But it is fun to speculate about stuff like this.

Then again the topic here was the security of operating systems but that is related too. The US is wary of network devices and their OSes that come from China. Now where do most of our devices and their OSes come from?
Post 03 Sep 2017, 10:21
ProphetOfDoom



Joined: 08 Aug 2008
Posts: 101
Location: UK
I must admit I've somewhat contradicted myself on this topic. Mildly alarmed about "oppressive" (secure) operating systems but not alarmed at all about oppressive ("secure"?) laws. I only skimmed over the RIPA article initially. You're right it could be used for evil. But it does mention these powers have been used against corrupt police officers. Police states don't usually crack down on their own police. Or is that just a ploy to make us feel all warm and fuzzy about the surveillance laws?


nyrtzi wrote:
When will the cops and other officials who have access to your data start to demand that they should be able to read your mind too?



Hmm. Yeah, "thought crime". I would tend to think brain/computer interfaces (except to help disabled people see, walk, communicate etc.) are a Really Bad Idea. And, not wanting to sound like a bipolar Protestant or anything, but I think the Mark of the Beast is likely to be technological in nature.


Quote:
Then again the topic here was the security of operating systems but that is related too. The US is wary of network devices and their OSes that come from China. Now where do most of our devices and their OSes come from?



My main computer has an American CPU but I think it was assembled in China. Similarly my phone was designed in Spain but assembled in China (I just had to take a look at the back of the phone to confirm this). Yes I see your point - why trust an OS image that was flashed in China, but distrust router firmware that was also flashed in China? It makes no sense.
Here in the UK we're trusting China to build our next generation of nuclear power plants (last time I heard). I saw a Chinese woman on BBC World News recounting how the authorities forced her to have a late term abortion. It was harrowing. If the Communist Party can't be trusted with their own women and children how can they be trusted not to put back doors in their nuclear technology? I hope the government is sensible enough to demand access to the source code. NOTE: not being racist about Chinese people - just anti communist.

Anyway, back on topic. I was doing some Googling and found out that (at least in 2014) Mac OS X supported some Unix functions that allow memory to be shared between processes that explicitly consent to it. mmap and shm_something. I imagine the resultant synchronisation issues are even worse than with threads though. :( It could be useful for sharing source code strings though, if it still works. I'm surprised no Unix guru pointed this out to me. I think I will stick with my pipes model. Still no further forward on how to access registers directly.
Post 05 Sep 2017, 09:48
Powered by phpBB © 2001-2005 phpBB Group.
Copyright © 2004-2016, Tomasz Grysztar.