I know I’ve talked about memory before, but I haven’t really talked about the library randomization that was added to 10.5. Library randomization is one component of ASLR (address space layout randomization) and a good part of the way toward full ASLR, but Apple hasn’t completed that circuit, as a recent TechTarget article notes:
The weakness Dai Zovi exploits is in heap memory, which is memory that’s not in use. To address memory security issues, the PaX project for Linux developed a set of features to protect address space. Two of these are Address Space Layout Randomization (ASLR) and Non-executable memory (NX). ASLR makes it harder for malware authors to predict where a piece of information would be in memory, therefore making it harder to break into the system. NX prevents exploits by marking writable memory as non-executable.
In the future we hope to see further adoption of ASLR and, if possible, the addition of the NX bit. Neither is part of the library randomization that shipped in Mac OS X 10.5. Because the heap is a moving target, it is also difficult to protect against these types of attacks using Sandbox, although that’s a good start.
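The randomization the quoted article describes is easy to observe directly. The following program is an added example, not code from the original post or from Apple: it samples the address of one object in each region of its own process (executable text, global data, stack, heap, and a C-library function) and prints them, so that two consecutive runs can be compared. On a system that randomizes only library load addresses, as the post says 10.5 does, only the libc entry should change between runs; on a full-ASLR system all five should move.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the original post). One address per region of the
 * running process; compare two runs to see which regions the OS randomizes. */
struct layout {
    uintptr_t text;   /* a function in the main executable */
    uintptr_t data;   /* a global variable in the executable's data segment */
    uintptr_t stack;  /* a local variable on the stack */
    uintptr_t heap;   /* a block returned by malloc() */
    uintptr_t libc;   /* a function in the C library (library randomization) */
};

static int g_marker = 1;   /* global: lives in the data segment */

/* Take one sample of the current process's layout. */
struct layout sample_layout(void) {
    int local = 0;                  /* stack object */
    void *blk = malloc(64);         /* heap object */
    struct layout l;

    l.text  = (uintptr_t)&sample_layout;
    l.data  = (uintptr_t)&g_marker;
    l.stack = (uintptr_t)&local;
    l.heap  = (uintptr_t)blk;
    l.libc  = (uintptr_t)&strlen;   /* code mapped from the shared C library */

    free(blk);
    return l;
}

/* Number of regions whose sampled address differs between a and b (for
 * example, two runs of this program). 0 means no randomization was observed. */
int regions_that_moved(const struct layout *a, const struct layout *b) {
    int n = 0;
    n += (a->text  != b->text);
    n += (a->data  != b->data);
    n += (a->stack != b->stack);
    n += (a->heap  != b->heap);
    n += (a->libc  != b->libc);
    return n;
}

/* Parse a line printed by print_layout() back into a struct, so the output
 * of an earlier run can be compared against the current one. Returns 1 on
 * success, 0 if the line is not five hex fields. */
int parse_layout(const char *line, struct layout *out) {
    unsigned long long t, d, s, h, c;
    if (sscanf(line, "%llx %llx %llx %llx %llx", &t, &d, &s, &h, &c) != 5)
        return 0;
    out->text  = (uintptr_t)t;
    out->data  = (uintptr_t)d;
    out->stack = (uintptr_t)s;
    out->heap  = (uintptr_t)h;
    out->libc  = (uintptr_t)c;
    return 1;
}

void print_layout(const struct layout *l) {
    printf("%llx %llx %llx %llx %llx\n",
           (unsigned long long)l->text,  (unsigned long long)l->data,
           (unsigned long long)l->stack, (unsigned long long)l->heap,
           (unsigned long long)l->libc);
}

/* Usage: run once to print the layout, then run again passing that line as
 * the argument to see which regions moved:   ./layout "$(./layout)"        */
int main(int argc, char **argv) {
    struct layout now = sample_layout();
    struct layout before;

    if (argc < 2) {
        print_layout(&now);
        return 0;
    }
    if (!parse_layout(argv[1], &before)) {
        fprintf(stderr, "could not parse previous layout line\n");
        return 1;
    }
    printf("text %s, data %s, stack %s, heap %s, libc %s (%d of 5 regions moved)\n",
           before.text  != now.text  ? "moved" : "fixed",
           before.data  != now.data  ? "moved" : "fixed",
           before.stack != now.stack ? "moved" : "fixed",
           before.heap  != now.heap  ? "moved" : "fixed",
           before.libc  != now.libc  ? "moved" : "fixed",
           regions_that_moved(&before, &now));
    return 0;
}
```

A region reported as "fixed" across several runs is one an attacker could still address by constant, which is exactly why partial randomization (libraries only) leaves the heap and stack as the remaining predictable targets the post worries about.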
For now I expect to see more of these theoretical issues, and I hope they will push Apple toward full ASLR and thus a more secure memory management paradigm overall. ASLR itself isn’t perfect, which is why NX, DEP, kernel patch protection and other techniques exist alongside it; still, it’s the next logical step, and hopefully we’ll see it come fall. Safari will continue to have problems (cross-platform ones) because it’s a browser, and they all have problems (the author of this article ducks so chairs don’t hit him, but really, they all go through problems, then fixes, then problems again). But if memory issues continue with Mac OS X, there is a very limited amount of time before there are a number of serious security problems that require no elevated privileges and little or no input from the end user. Might as well be right where everyone else is, if only to keep the Mac from being the first one owned at CanSecWest four years in a row…