As a result, users may now encrypt an entire hard drive rather than only a user directory. You can do only what the sandbox allows you to do.”Īpple has also completely rebuilt its FileVault disk encryption scheme to make it operate at the block level, well below the file level, as was the case previously. “Even when you get code execution, you no longer have free rein to do whatever you want. “Now, you end up inside this restricted process that only does the web parsing, and you can't do other things you might want to do as an attacker, such as write files or read a person's documents,” Miller explained. The design is intended to limit the damage that can be done in the event an attacker is able to exploit a buffer overflow or other bug in the browser. With virtually all browser exploits targeting the way the program parses web content, Apple engineers have tightly locked down the new process, called Safari Web Content. Safari, for example, has now been divided into two processes that separate the browser's user interface and other functions from the part that parses JavaScript, images, and other web content. Among them is a sandbox design that shields the most vulnerable and vital parts of the computer from attack.
What's more, Lion's refurbished ASLR has been augmented, so that even if hackers clear that hurdle, they'll still have to bypass other new protections.
Now, they've made significant changes and it's going to be harder to exploit.” “They might have said there was more security and it was better, but at a low functionality level there really wasn't any difference. “When they went from Leopard to Snow Leopard, as far as I'm concerned, there really wasn't any change,” said Charlie Miller, principal research consultant at security firm Accuvant and the other coauthor of The Mac Hacker's Handbook.
0 kommentar(er)
