Mac OS X uses encrypted files

Discussion in 'MacBytes.com News Discussion' started by MacBytes, Nov 10, 2006.

  1. macrumors bot

    Joined:
    Jul 5, 2003
    #1
  2. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
  3. SMM
    macrumors 65816

    SMM

    Joined:
    Sep 22, 2006
    Location:
    Tiger Mountain - WA State
    #3
    So what? Apple is trying to protect itself? There WOULD be a story if it were the opposite.
     
  4. macrumors 6502a

    bluebomberman

    Joined:
    Jan 9, 2005
    Location:
    Queens, NYC
    #4
    But it's a decidedly different approach to Windows' antipiracy measures. I think that deserves to be noted.
     
  5. macrumors G4

    Joined:
    Jan 5, 2006
    Location:
    Redondo Beach, California
    #5
The author of this article failed to look up "TPM" (Trusted Platform Module) in Wikipedia.
Had he done so he would not have made the technical errors he did. Intel Macs have a TPM chip on the M/B; the chip is used to decrypt the binary. This has nothing to do with stopping people from giving away copies of the software. Read the Wiki.
     
  6. Moderator emeritus

    Joined:
    Jun 25, 2002
    Location:
    Gone but not forgotten.
    #6
    Everywhere else I've read, the TPM is not being used. It is available though.

    The technique of encryption of operating system modules is also not that unusual but in this case, it assures that the Intel version of Mac OS X is running on a machine for which it was meant.

    Don't put absolute faith in Wikipedia documents--they're written by people.
     
  7. macrumors 68040

    matticus008

    Joined:
    Jan 16, 2005
    Location:
    Bay Area, CA
    #7
To take that one step further for the obvious-impaired, this is a system which protects against unauthorized modification of system files and creates an added layer of security.

    It does not preclude anyone from replacing them if they choose to do so, however. You can disable the encrypted check and replace modules with unencrypted ones if you were so inclined or needed to run a customized version of an encrypted system file.

    In other words, it has a legitimate purpose.
     
  8. Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    Whakatane, New Zealand
    #8
TPM is not used; the new MBPs don't even have a TPM chip. In fact, the original article (which I've lost the link to) mentions this.
     
  9. macrumors 68030

    Analog Kid

    Joined:
    Mar 4, 2003
    #9
    These links will do:
    MacDev
    OS X Book, Link 1
    OS X Book, Link 2

    I tend to put some faith in this source considering he wrote a driver to access the TPM. Apple isn't using the TPM and at least some Intel machines don't even have one.

    It's amazing how widely spread the myth is that Apple is locking their OS with the TPM-- probably because so many people say "you shouldn't trust Wikipedia" but do anyway...

It does raise the question though of where Apple keeps their keys... Is that what the limerick is used for? He refers to that as integrity data though... I can't think of where they could hide a key that couldn't be easily extracted, so you may as well use a copyrighted limerick as the key.
     
  10. Moderator

    Nermal

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    Whakatane, New Zealand
    #10
  11. macrumors 603

    shadowfax

    Joined:
    Sep 6, 2002
    Location:
    Houston, TX
    #11
    That article (OS X Book, Link 2) makes me curious as to what (if any) performance hit the executables take, since that module that acts as a vnode for the "encrypted" segments seems to "decrypt" those segments from RAM every time the processor requests them. I suppose this would depend on the size of the segments.

    I also wonder if those segments are ever stored unencrypted in L1/L2 cache, and if there's any way to look at that and extrapolate decrypted versions of the segments, replace them, and remove that flag from the executable.

    The other bit I don't understand is whether this has anything to do with keeping OS X off my Dell (no I do not actually own one). I mean, it all sounds like it isn't looking at any specific hardware in the machine. It really sounds like it's more to make these kids a little harder to reverse engineer, which I really don't think anybody cares too much about (although, figuring out how to break such protection would be interesting, no doubt).
     
  12. macrumors 68040

    matticus008

    Joined:
    Jan 16, 2005
    Location:
    Bay Area, CA
    #12
    It's my understanding that the files are decrypted at boot time, and once decrypted, remain in RAM until the next boot cycle--there's no performance hit beyond the slight additional time needed to decrypt the files during the boot process. They're not stored in RAM in their encrypted form, in other words. Granted, it has been quite some time since I paid close attention to this issue.
     
  13. Moderator emeritus

    Joined:
    Jun 25, 2002
    Location:
    Gone but not forgotten.
    #13
    That's not as stringent as OpenBSD where RAM is checked to make sure that it hasn't had modification to code.
     
  14. macrumors 68030

    Analog Kid

    Joined:
    Mar 4, 2003
    #14
    That's the part I'm not getting either, and the articles seem to skip over that part. Where does Apple keep the keys? It seems like, without a TPM type interface, the keys can always be found. From what I'm seeing so far, the encryption doesn't actually prevent someone from hacking it onto PC hardware, just makes it very clear that what the hacker is doing is illegal.

    I guess that fits the evidence...
    The way I read it, it's decrypted into virtual memory and there's no method for paging it out. I think that means that if it were paged out, it would be thrown away and would need to be decrypted again-- but since these are high use modules, they're unlikely to be paged out at all.
     
  15. macrumors regular

    Joined:
    Sep 29, 2005
    #15
And so is the Encyclopedia Britannica....

    And very difficult....
     
  16. Moderator emeritus

    Joined:
    Jun 25, 2002
    Location:
    Gone but not forgotten.
    #16
    They have to correct mistakes, as well.

    Have you heard of revisionist history? Simply finding it coming from a certain source does not make it the truth, whether people believe it or not.
     
  17. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #17
    Is that an anti-infection feature more than an anti-piracy one? It sounds like an excellent idea to use some kind of check codes for kernel elements in memory....

    Is there any way Apple can adapt Plays For Sure to protect its OS? Just to spite MS, now that it's done with it? :D That way we'll be sure that at least the Zune is an MS device that will never run OS X. :D
     
  18. Moderator emeritus

    Joined:
    Jun 25, 2002
    Location:
    Gone but not forgotten.
    #18
    Yes, they're making sure that the operating system is not compromised. They check and re-check the code before running it. I've not seen anything about the runtime latency. I would assume that the virtual memory would have to be very fast for the system to not appear sluggish.

    I'm not sure that the Plays for Sure programme is done. It's just that Microsoft doesn't need to proclaim it for their player. Everyone else must comply. :D

    I'm sure that Zune will run Linux, just to see that it can be done, but of course, it probably already runs on the Toshiba Gigabeat. Does that mean that MS has to go to greater lengths to make sure their device isn't compromised?
     
  19. macrumors 68020

    bobber205

    Joined:
    Nov 15, 2005
    Location:
    Oregon
    #19
    I hope this messes up dorks at my college from trying to pirate OS X. They asked me for my copy to copy.

    Guess what I told them. ;)
     
  20. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #20
    But so for some reason, this logic does not apply to all those people running bootleg OSX86 type computers?
     
  21. macrumors 68030

    Analog Kid

    Joined:
    Mar 4, 2003
    #21
    I guess that depends on your reference point for difficult.
     
  22. macrumors 603

    shadowfax

    Joined:
    Sep 6, 2002
    Location:
    Houston, TX
    #22
Yeah, I'll say. Some girl at Black Hat root-kitted Windows by malloc-ing memory until it paged the kernel out, and then used some I/O magic to overwrite sections of the kernel. That was cool.

If you have root access on OS X, I don't think it'd be that hard to pull out the decrypted segments of the executable from RAM and piece them back together into the original executable, then remove that LC flag or whatever it was called...

Seems that in cryptography the chain's only as strong as its weakest link--for example, if you're sending a message with 2048-bit encryption or something, and you decide to send your buddy the key to decrypt it over the channel, unencrypted... you might as well have not bothered. This isn't exactly like that, of course, but it's still odd. I mean, you're storing it with encrypted sections on disk, and that's all well and good, but it seems like somewhat of a waste of time--decompiling binaries is a challenging art to begin with, especially if you obfuscate your source code to begin with. It seems like most 'hackers' who could decompile an executable into something they could modify/otherwise steal could get the bits out of RAM. I'm just rambling now, but yeah.

I really don't see why this is getting published. This really sounds like an obfuscation scheme. "Packing" executables has been around for years, as a way to save space as well as to keep nosy eyes out. The trade-off with "packing" is that you often get a (usually minor) performance hit. It seems like Apple's got a sort-of solution to that by only encrypting parts of the code. Who cares? Everyone who's not doing open-source code obfuscates their stuff somehow... why not put that in the news? Seems like it might help whoever thought this was news....
     
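The "LC flag" referred to in the post above is the SG_PROTECTED_VERSION_1 segment flag from Apple's <mach-o/loader.h>, which marks a segment the kernel must decrypt before it can be mapped. The following is an added example, not code from the thread or from Apple: a small load-command walker that inventories which segments of a thin 64-bit Mach-O carry that flag, so an administrator can tell which binaries on a system are "encrypted" without running them. The sample binary is constructed inline for testing; real binaries may be fat (multi-architecture) files, which this walker deliberately rejects rather than mis-parsing.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF            # little-endian 64-bit Mach-O header magic
LC_SEGMENT_64 = 0x19                # 64-bit segment load command
SG_PROTECTED_VERSION_1 = 0x8        # segment flag: contents are "protected" (encrypted) on disk
CPU_TYPE_X86_64 = 0x01000007
MH_EXECUTE = 2


def protected_segments(data: bytes) -> list:
    """Return the names of segments whose flags include SG_PROTECTED_VERSION_1.

    Only a thin, little-endian, 64-bit Mach-O is accepted; fat binaries,
    32-bit files and truncated load-command tables raise ValueError so a
    caller never silently gets an empty (and wrong) answer.
    """
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _reserved = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat or 32-bit file?)")
    off, end = 32, 32 + sizeofcmds
    if end > len(data):
        raise ValueError("load-command table extends past end of file")
    found = []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize in load command")
        if cmd == LC_SEGMENT_64 and cmdsize >= 72:
            # segment_command_64: segname at +8 (16 bytes), flags at +68
            segname = data[off + 8:off + 24].split(b"\0", 1)[0].decode("ascii", "replace")
            segflags = struct.unpack_from("<I", data, off + 68)[0]
            if segflags & SG_PROTECTED_VERSION_1:
                found.append(segname)
        off += cmdsize
    return found


def _segment64(name: bytes, flags: int) -> bytes:
    # cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
    return struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, name, 0, 0x1000, 0, 0x1000, 7, 5, 0, flags)


def build_sample() -> bytes:
    """Constructed two-segment Mach-O for demonstration; not a real Apple binary."""
    cmds = _segment64(b"__TEXT", SG_PROTECTED_VERSION_1) + _segment64(b"__DATA", 0)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE, 2, len(cmds), 0, 0)
    return header + cmds
```

On a real system the same walker can be pointed at each file under /System; a segment reported here is one the kernel decrypts at load time, matching what the thread describes.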
  23. macrumors 68030

    Analog Kid

    Joined:
    Mar 4, 2003
    #23
    Maybe it's the engineer in me, but I agree that is pretty freakin' cool. And people wonder why it's so hard to secure a system...

    Some poor MS engineer is seeing that and asking "some nut case gobbled up the entire system memory, pushed my kernel code to disk, tweaked it to root the system, and you're saying that's my fault?!".

    Yeah, I know, proper permissions on the swap file probably would have prevented it, but you know that girl was awfully darned proud of herself when that one worked.
     
  24. macrumors 603

    shadowfax

    Joined:
    Sep 6, 2002
    Location:
    Houston, TX
    #24
I think that Microsoft has gone or will go the safer-than-that route and modify the OS to require that the kernel never be paged out, no matter how much any other program mallocs--this seems more secure and performance-enhancing. I can't remember if Microsoft did this, but that's what the woman recommended when she demonstrated her exploit.
     
  25. macrumors 68040

    shamino

    Joined:
    Jan 7, 2004
    Location:
    Purcellville, VA
    #25
    Actually, a few articles I've read say that the newest Macs (the Core 2 Duo boxes) don't even have TPM chips.

    Mac OS does not use TPM for anything. This has been proven by many authors.
     