How Gatekeeper makes Mountain Lion more resilient against malware

Since OS X 10.5 Leopard, when you run an installer for an app that you’ve downloaded, and the first time that you run that installed app, the Finder alerts you to the fact that it was downloaded from the internet and asks you to confirm your action. This is because the installer and the app that it installs have a hidden flag set in their extended attributes indicating that they’re quarantined. The flag is cleared once you’ve run the app for the first time, so it doesn’t trouble you again. Items that you’ve installed from the Mac App Store don’t show this behaviour, however, being deemed safe to use without passing through quarantine.

Gatekeeper in Mountain Lion extends this process of quarantine. Most apps should now have code signatures embedded in them. To check this, select Apple’s Mail app in the Finder, for example, and Ctrl-click for the Finder’s contextual menu. From there, select Show Package Contents, so that the app appears as a single folder named Contents: open that and you’ll see a folder named _CodeSignature, which contains Mail’s code signature.

(Screenshot caption: With Gatekeeper set to approve signed apps, you should see the same check dialogs as in Lion when an app is correctly signed.)

Code signatures are neither new to the Mac, nor a recent innovation. However, left to their own devices, developers have been slow to sign their products, and as a consequence OS X hasn’t been able to use them to enhance security. This was a similar situation to that on Windows, where code signing has had little impact on its malware jungle.

Signatures consist of two parts: a secure certificate that identifies the developer against an approved whitelist (maintained by Apple and kept locally on each Mac), and a hash that verifies the integrity of the contents of the installer or app; if anything tampers with those contents, the hash is invalidated.

Leave Gatekeeper at its default setting, and you’re allowed to install and run apps from the App Store and from elsewhere with valid code signatures; all this does is alter what happens to installers and apps in quarantine. Try to run an installer and Gatekeeper checks whether it has a valid code signature. If it doesn’t, you won’t be able to run the installer normally; if it does, then it works as previously. Once the app is installed, but remains in quarantine, when you try to launch it Gatekeeper checks the app’s code signature. Again, if the signature is missing, you won’t be allowed to run it in the normal way; if it’s present and valid, the app will run as intended and is released from quarantine.

Some developers haven’t yet started signing their installers and applications. However, you can still install and run these, either by setting Gatekeeper to its off position (allowing all apps to run), or by opening them with the Open command in the Finder’s contextual menu. In the latter case, you’ll be confronted with a further warning, through which you can click to run the app and bring it out of quarantine.

As of this first release of Mountain Lion, once an installer or app is out of quarantine, Gatekeeper won’t trouble you over it again. Neither will Gatekeeper fret about installers and apps that you haven’t downloaded, but copied across, say, from an optical disc or USB memory stick, as these don’t go into quarantine. Furthermore, at present, Gatekeeper doesn’t keep a watch on plug-ins or other extensions: there’s nothing to stop an app from running an old or dangerous plug-in.

Gatekeeper is capable of a great deal more than this fairly simple and unobtrusive task, though. When read from apps, signatures are added to a new SecurityPolicy database kept in /var/db, and Gatekeeper consults that to help validate code signatures. Individual apps can have different security policies, something that can currently only be set using the ‘spctl’ command in Terminal’s command shell.

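Below is an added shell example (not from the article) that audits a downloaded installer or app the way the quarantine, code-signature and spctl mechanics above describe: it reads the quarantine flag from the item’s extended attributes, verifies the signature’s integrity hash, and asks spctl for the Gatekeeper verdict. It assumes macOS 10.8 with the standard xattr, codesign and spctl tools; the attribute name com.apple.quarantine and the layout of its value are not given in the article.

```shell
#!/bin/sh
# Added example, not from the article. Assumes macOS 10.8+ with xattr, codesign and spctl.
# The quarantine attribute name com.apple.quarantine is not named in the article.

# Print the quarantine attribute of a file, or nothing if the item was never quarantined
# (e.g. copied from a USB stick rather than downloaded).
quarantine_attr() {
    xattr -p com.apple.quarantine "$1" 2>/dev/null || true
}

# The attribute value is semicolon-separated: flags;timestamp;agent;uuid (layout assumed,
# not published by Apple). Return the downloading agent, e.g. "Safari".
quarantine_agent() {
    printf '%s\n' "$1" | awk -F';' '{ print $3 }'
}

# Reduce spctl's "<path>: accepted" / "<path>: rejected" verdict line to one word.
spctl_verdict() {
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown  ;;
    esac
}

# Full check of one path: quarantine state, signature integrity, Gatekeeper assessment.
gatekeeper_check() {
    path=$1
    q=$(quarantine_attr "$path")
    if [ -n "$q" ]; then
        echo "quarantined: yes (downloaded by $(quarantine_agent "$q"))"
    else
        echo "quarantined: no (not downloaded, so Gatekeeper will not assess it on launch)"
    fi
    # codesign --verify recomputes the hash part of the signature; any tampering fails it.
    if codesign --verify --verbose=2 "$path" 2>/dev/null; then
        echo "signature: valid"
    else
        echo "signature: missing or invalid"
    fi
    # spctl --assess applies the current Gatekeeper policy; use --type install for a .pkg.
    verdict=$(spctl --assess --type execute --verbose=4 "$path" 2>&1 || true)
    echo "gatekeeper: $(spctl_verdict "$verdict")"
}

# Usage: gatekeeper_check ~/Downloads/SomeApp.app
# A per-app policy, as mentioned above, is added with e.g.
#   sudo spctl --add --label "Trusted tools" /Applications/SomeApp.app
```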
For the moment, Mountain Lion is using Gatekeeper to guard against the most obvious threat: that of installing and running Trojans. As the threat landscape changes during the lifetime of OS X 10.8, we should expect security updates to modify Gatekeeper’s rules and behaviour to address these changing threats. If malware authors start pushing out malicious Safari plug-ins, for instance, it would be relatively simple for Apple to place Gatekeeper in their way. However, Apple has spared us such rigours for the moment, as relatively few of our current plug-ins will have code signatures, so the impact on users would outweigh the benefits right now.

Code signing is a requirement for the other main security protection offered by all App Store apps, the App Sandbox, and is often confused with it. Apps that run with the Sandbox are isolated from other apps, protecting them and OS X from interference by malware. They’re limited in the sensitive features of OS X that they access.

This doesn’t mean that they can’t do potentially risky things such as look up passwords and access the internet directly, but that they’re specifically authorised to do what they need to do. The App Sandbox ensures that an app that isn’t licensed to open your keychain or access USB devices can’t do so. Sandboxed apps are also restricted as to which folders they can use for storing preferences and other files.

For the end user, the combination of code signing, the App Sandbox and Mountain Lion’s fastidious security features should bring great assurance that apps that they obtained from the App Store (and third-party sources meeting the same standards) aren’t malicious and can’t be subverted by malware. As long as you only run the current release of OS X and such resilient apps, you should have no fear of Trojans or other types of attack.

However, there remains sufficient flexibility to treat Mac users as grown-ups: you can still install and use software development environments, access Terminal’s shell commands and scripts, and do other powerful but potentially dangerous things. Mountain Lion leaves you in charge; although in some other respects iOS and OS X may be converging, there are no plans to lock down OS X in the way that iOS is, nor is there any benefit in doing so.

Some software developers have expressed their fears that Apple is taking complete control of the Mac platform, as it will have the ability to repudiate the authority of code signatures and lock down the functionality of products. This position of power could, they claim, be abused to damage those whose products compete against Apple’s and could disadvantage independent developers who don’t wish to sell through the App Store.

Any allegations of such abuse would, of course, be open to legal action, and in the US at least could put Apple in breach of antitrust legislation, something that would threaten its continuing corporate integrity. However, Apple does need to come up with a robust and fair process for dealing with any disputes with developers.

It’s also inevitable that those who write malicious software will be conducting detailed evaluations of these features, probing for weaknesses that they could exploit. The next couple of years will show whether Gatekeeper and the other security enhancements in Mountain Lion prove to be effective deterrents and let us get on with using our Macs without fear.