In talking about yesterday's Mac malware alerts, I alluded to Mac OS X's built-in security features. Some of these features are fairly widely known because they appear in most product literature and expose user-configurable settings, but others are built-in components of Apple's OS that go almost unheard of by most users. So, here's a quick run-down of the major features that you may or may not know about.
- Encrypted disk images – You can create disk images (files that act like an external drive when opened) that are password protected and encrypted with either 128-bit or 256-bit encryption using Disk Utility or the command line hdiutil tool.
- FileVault – An automatic feature enabled in System Preferences (the Security pane) that creates a 128-bit encrypted disk image used to store your home folder (all settings and documents). If used with Apple's Time Machine, all backups are also encrypted.
- Encrypted Virtual Memory – Like other Unix OSes, Mac OS X uses a virtual memory swap file. Optionally, all data in the swap file can be encrypted so that it can't be retrieved if the device is compromised (again, use the Security pane to enable it).
- Secure Empty Trash – Overwrites all disk space containing deleted files when the Trash is emptied rather than simply marking the sectors of the disk as free. Located in the Finder menu just below the standard Empty Trash option.
- Secure Erase – Available in Disk Utility, this option allows you to zero out data on a hard drive when erasing, or to do a 7-pass (DOD security requirement) or 35-pass erase. You can erase an entire drive, a partition, or just all empty space (essentially a more secure version of Secure Empty Trash that affects all previously deleted data).
- Keychains – Encrypted (168-bit 3DES) archives for login credentials, security certificates, and additional secure/sensitive resources (both local and network-based as well as user and system based). Can also be used to store secure notes with user-defined information (credit card numbers, ATM PINs, and so forth).
- Application signing – A built-in feature that allows all applications to include a digital signature verifying their authenticity and integrity (applications not signed by their developers are signed by the Mac on first launch). If an application is modified, the system will prompt the user when it attempts to access various resources (such as the Internet or stored password information). It is also used by parental controls, the built-in firewall, and client management features in large environments like businesses and schools to ensure proper restriction of access to applications.
- Application firewall – An adaptive firewall that blocks access based on per-application rules, designed for easy and effective management by non-power users, and that relies on application signing (the more traditional port-based ipfw is also built into Mac OS X).
- Application/service sandboxing – Core feature that isolates processes and applications and underlying services from each other to prevent a compromised process (typically one accessible via the Internet) from hijacking other processes.
- Execute disabled – A common security feature enabled by Intel-based systems that helps prevent buffer overflow attacks from injecting malicious code into the system.
- Library randomization – A feature that further limits the capabilities of buffer overflow attacks by placing running code in random memory locations, making it harder to successfully compromise a system using a return-to-libc attack.
- Application tagging/quarantine – When applications or files containing executable code are downloaded from the Internet or copied to a Mac, they are tagged with the date and the application that downloaded them (the tag remains even if the application or code was part of a compressed archive). When first run, Mac OS X will display this information and ask if the user actually wants to allow their use.
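The quarantine tag described above is stored as the extended attribute `com.apple.quarantine`, whose value is four semicolon-separated fields: flags (hex), the download time as hex seconds since the UNIX epoch, the name of the downloading application, and a UUID. The following is an added example, not code from the original post, that decodes that attribute so an administrator or incident responder can see when and by which application a file arrived; the `read_quarantine` helper shells out to the macOS `xattr` tool, and the sample value is constructed for illustration.

```python
import datetime
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class QuarantineTag:
    flags: int                        # bitmask; treated as opaque here
    downloaded_at: datetime.datetime  # UTC time the file was downloaded/copied
    agent: str                        # application that downloaded the file
    uuid: Optional[str]               # may be absent on older tags


def parse_quarantine(value: str) -> QuarantineTag:
    """Decode a com.apple.quarantine attribute value (assumed 4-field format)."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    seconds = int(parts[1], 16)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    when = datetime.datetime.fromtimestamp(seconds, tz=datetime.timezone.utc)
    return QuarantineTag(flags, when, agent, uuid)


def read_quarantine(path: str) -> Optional[QuarantineTag]:
    """Read the quarantine tag of a file via the macOS `xattr` tool.

    Returns None when the file carries no tag (xattr exits non-zero) or when
    the tool is unavailable, so the caller can treat 'untagged' explicitly.
    """
    try:
        result = subprocess.run(
            ["xattr", "-p", "com.apple.quarantine", path],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    if result.returncode != 0 or not result.stdout.strip():
        return None
    return parse_quarantine(result.stdout)


# Constructed sample value: flags 0x83, timestamp 0x4a8b5c2d (August 2009),
# downloaded by Safari, with a made-up UUID.
SAMPLE_TAG = "0083;4a8b5c2d;Safari;12345678-ABCD-4EF0-9A1B-0123456789AB"

if __name__ == "__main__":
    tag = parse_quarantine(SAMPLE_TAG)
    print(f"{tag.agent} downloaded this file at {tag.downloaded_at.isoformat()}"
          f" (flags=0x{tag.flags:04x}, uuid={tag.uuid})")
```

Running `read_quarantine` against a freshly downloaded file on a Mac shows the same fields the system presents in its first-launch prompt; a missing tag on an executable that claims to have been downloaded is itself worth noting during an investigation, since the tag only follows files handled by quarantine-aware applications.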
Of course, no operating system is completely secure and, as I noted yesterday, Mac users should invest in anti-virus software (even if it's something open source like ClamXav).