Contents
1 Introduction to Macintosh Security 3
1.1 Firewall 3
1.2 The Security Pref Pane and FileVault 4
1.3 A bullet-proof password 5
2 Open Firmware 6
2.1 High-level security is almost useless 6
2.2 History 6
2.3 Working with Open Firmware 6
2.3.1 GUI tools 7
2.3.2 Terminal.app 7
2.3.3 OF prompt 7
1 Introduction to Macintosh Security
Security deserves a lot of attention if you want to avoid unexpected and unwanted situations. Mac OS X Tiger is a powerful OS which brings security closer to ease of use than ever before: a lot of interesting options are just a click away from the user.
1.1 Firewall
Let’s consider the firewall: open “System Preferences.app” and choose the “Sharing” pane. Through the “Service” tab it’s easy to allow or disallow FTP or SSH access, SMB, Documents Sharing and many other common services; in the same easy way you can personalize the behavior of the firewall: just click on the “Firewall” tab, and you will also be able to choose which ports ought to be open or closed. The “Advanced” button lets you disallow UDP traffic and turn on “Stealth mode”, in which any unexpected packet is discarded (this actually stops ping from working).
Apple’s solution is well integrated into the operating system and easy to use, but it does hide many useful options; as an alternative you may consider ipfw (a command line tool to set up the firewall) or FireWalkX, a shareware GUI (http://www.pliris-soft.com/products/firewalkx/index.html).
1.2 The Security Pref Pane and FileVault
Another interesting thing in Tiger is the “Security” preferences pane, which is a sort of shortcut to many security options: through this pane you can make your Mac ask for a password when waking from sleep or exiting the screensaver. Moreover, you might want to disable automatic login or make your Mac log out automatically after N minutes of inactivity (5 <= N <= 960).
One of the most useful security options is FileVault, which encrypts the user’s home directory continuously; this way, even if your hard drive gets stolen, your documents cannot be read without knowing the password. This is wonderful, since all the options considered before can be skipped given physical access to the machine. The home directory is encrypted with AES-128 (Advanced Encryption Standard with a 128-bit key), which causes a difference in performance that is hardly noticeable (except when using applications such as GarageBand, which use the hard disk extensively). To enable FileVault you first have to set a Master Password (which can recover the home directories of users who have forgotten their password) and then click on “Turn on FileVault...”: all the files in your home directory will be encrypted and will be automatically decrypted after login. This feature is almost transparent to the user.
To tighten the security of your Mac even more, disable Automatic Login from the Accounts preference pane (in the Login Options section).
1.3 A bullet-proof password
What about passwords? A good password is usually a good sign. How should you choose one? Well, all you need is to be unpredictable and, of course, not to tell your password to anyone.
Let’s see a few pieces of advice to get a password which:
• is long
2 Open Firmware
2.1 High-level security is almost useless
We have had a quick look at the security options available from the GUI: they can be defined as “high-level options”. But they are not enough, since they don’t protect against physical threats, for example:
• [power button held down for 5 seconds] hard-resetting a computer makes sleep and screensaver passwords useless
• [pressing C during boot] booting your computer from a CD/DVD allows you to reset the root/admin password; after booting from the Mac OS X install disk, just click on the menu “Installer” > “Reset password...” and you’re done
2.2 History
Open Firmware was born in 1988 at Sun Microsystems and is defined by the IEEE 1275 standard; it was adopted by Apple, which used it on its PowerPC-based Macs. With the introduction of Intel-based Macs, Open Firmware is no longer used by Apple: it has been replaced by EFI (Extensible Firmware Interface), which has similar features but offers a more granular architecture.
2.3.1 GUI tools
The most famous GUI tool to interact with Open Firmware has been developed by Apple: its only purpose is to set an Open Firmware password and stop unauthorized access to the Mac. It can be downloaded from http://docs.info.apple.com/article.html?artnum=120095
It’s an easy and well documented tool, so we won’t cover it here.
2.3.2 Terminal.app
The nvram command can be used to show and set every Open Firmware variable;
the general syntax is:
sudo nvram variable="newvalue"
We will see an example of its usage at the end of the article; you may obtain more information by typing
man nvram
2.3.3 OF prompt
Why should you limit yourself? Interacting directly with Open Firmware opens many doors, and that’s why we are analyzing the OF prompt in the next section.
Welcome to Open Firmware, the system time and date is: hh:mm:ss
nn/nn/nn
Command security mode.
ok
0 >
You can obtain useful information from this welcome screen, such as what kind of Mac you’re using, what security mode is set, etc.
Open Firmware also suggests two commands, mac-boot and shut-down, to boot the OS or to turn the computer off. As you can see, Open Firmware is not password protected! What you need to do is set a password; just type
password
none: this is the default option for PowerPC-based Macs: the OF password will never be asked for (even if it has been set with the password command)
command: OF will ask for a password when trying to:
• boot from CD [C]
• boot from a NetBoot Server [N]
• boot in Target Disk Mode [T]
• boot in Single User Mode [COMMAND+S]
• reset PRAM or NVRAM (reset-nvram and reset-all from the OF command line)
• enter the bootloader [ALT]
full: this is the option I have chosen for my Mac. OF will ask for a password every time the Mac is starting up or waking from hibernation (be careful: not sleep!!)
We have said that security-mode is an NVRAM variable. The general syntax to edit the value of an NVRAM variable is (note the spaces):
setenv <variable> <value>
for instance
setenv beans 3
That’s what we will write:
setenv security-mode command
or
setenv security-mode full
depending on the security mode chosen.
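The following audit script is an added example, not code from the article: it reads a dump of Open Firmware variables and reports the settings discussed above (security-mode none/command/full and the oem-banner variables), suggesting the nvram syntax from section 2.3.2 as the fix. It assumes the dump is in the name<TAB>value layout printed by `nvram -p` on Mac OS X; the sample dump, the severity labels and the function names are constructed for this example.

```python
# Added example (not from the article): audit the Open Firmware variables the
# text discusses. Assumption: the dump uses the "name<TAB>value" layout that
# `nvram -p` prints on Mac OS X; the sample below is constructed.
SAMPLE_NVRAM = "\n".join([
    "security-mode\tnone",
    "auto-boot?\ttrue",
    "oem-banner?\tfalse",
    "boot-device\thd:07,\\\\:tbxi",
])

def parse_nvram(dump: str) -> dict:
    """Turn a name<TAB>value dump into a dict; lines without a tab are skipped."""
    variables = {}
    for line in dump.splitlines():
        if "\t" not in line:
            continue
        name, value = line.split("\t", 1)
        variables[name.strip()] = value.strip()
    return variables

def audit(variables: dict) -> list:
    """Return (severity, variable, message, fix) tuples for security-mode
    (none/command/full) and the owner banner; 'none' is the PowerPC default."""
    findings = []
    mode = variables.get("security-mode", "none")
    if mode == "none":
        findings.append(("high", "security-mode",
                         "OF password is never asked for: CD, NetBoot, Target Disk Mode, "
                         "single-user boot and NVRAM resets are all unprotected",
                         'sudo nvram security-mode="command" (or "full")'))
    elif mode == "command":
        findings.append(("low", "security-mode",
                         "alternate boot paths need the password, normal startup does not",
                         'sudo nvram security-mode="full"'))
    elif mode != "full":
        findings.append(("high", "security-mode", "unrecognised value %r" % mode,
                         'sudo nvram security-mode="full"'))
    if variables.get("oem-banner?") != "true" or not variables.get("oem-banner"):
        findings.append(("info", "oem-banner", "no owner/contact banner configured",
                         'sudo nvram oem-banner?="true"; sudo nvram oem-banner="<text>"'))
    return findings

def highest_severity(findings: list) -> str:
    order = {"info": 0, "low": 1, "high": 2}
    return max((f[0] for f in findings), key=order.get, default="info")

if __name__ == "__main__":
    for sev, var, msg, fix in audit(parse_nvram(SAMPLE_NVRAM)):
        print(f"[{sev}] {var}: {msg}\n        fix: {fix}")
```

On a real PowerPC Mac the same functions can be fed the live output of `nvram -p` instead of the constructed sample.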
3.2 Some Open Firmware variables
To show the complete list of NVRAM variables, type:
printenv
The output is laid out in three columns: the first gives the name of the variable, the second the current value and the third the default value.
DON’T EDIT NVRAM VARIABLES YOU DON’T KNOW THE MEANING OF. YOU MIGHT DAMAGE THE LOGIC BOARD OF YOUR MAC.
Of course, this is a great option for forgetful users but, at the same time, it represents a real security threat.
3.3.1 Aliases
The first important concept you have to learn is aliases.
Open Firmware keeps track of every device connected to the Mac in a structure called the device tree; you can navigate through it using dev and ls (similar to cd and ls on a Unix box); for instance:
dev /
ls
shows the entire tree.
As you can see, devices have quite long names; the internal hard disk, on my iMac G4, is called /pci@f2000000/mac-io@17/ata-4@1f000/disk@0. Luckily, thanks to aliases I don’t have to remember it: /pci@f2000000/mac-io@17/ata-4@1f000/disk@0 can simply be called hd. This is true for almost any device; you can obtain the whole list of aliases by typing
devalias
3.3.2 Partitions
Now let’s imagine this is your partition table:
Partition map (with 512 byte blocks) on /dev/disk0
device type name
/dev/disk0s1 Apple partition map Apple
/dev/disk0s2 Apple Bootstrap bootstrap
/dev/disk0s3 Apple UNIX SVR2 swap
/dev/disk0s4 Apple UNIX SVR2 boot
/dev/disk0s5 Apple UNIX SVR2 debian
/dev/disk0s6 Apple UNIX SVR2 home
/dev/disk0s7 Apple HFS Macintosh HD
/dev/disk0s8 Apple HFS Share Partition
A short explanation:
disk0s1 Partition map
disk0s2 Bootloader: it is needed to boot Linux (which cannot be loaded directly
by Open Firmware); it basically shows the list of the available OSes and
lets you select the one you want to boot.
disk0s3-6 Linux partitions
disk0s7-8 Mac OS X partition and the share partition.
My default OS is Mac OS X; this means that by typing
printenv boot-device
I get:
boot-device hd:07,\\:tbxi
This is because Mac OS X resides on the seventh partition of my hard disk.
Whenever I want to boot Linux I have two options:
1. Modify the boot-device variable and make Linux my default OS; this is accomplished by typing:
setenv boot-device /pci@f2000000/mac-io@17/ata-4@1f000/disk@0:02,\\:tbxi
or more simply:
setenv boot-device hd:02,\\:tbxi
I had to choose the bootloader partition because the Linux kernel cannot be loaded directly by Open Firmware. To boot Linux you still need to type:
mac-boot
or more simply:
boot
The big disadvantage of this option is that it makes a permanent modification to the boot-device variable; what if you want to keep Mac OS X as your default OS? Just use option #2!
2. Use the boot command with a parameter, for instance:
boot hd:2,\\:tbxi
This way the boot-device variable is not affected and you can boot Linux with just one command.
What has been said also applies to the case in which you want to boot from
a CD or from an external hard drive. The general syntax of a bootable device
is:
<device>:<partition>,<path><filename>
in which
<device> is the start up device, which can be:
• hd (hard disk)
• cd (cd or dvd)
• or even ultra0 (= first IDE disk) or scsi-int/sd@1 (= second SCSI disk connected to the internal SCSI controller)
• any bootable device
<partition> is the number of the partition, for instance ultra0:4
<path> specifies the path where to look for <filename>; it can be:
• a specific folder written in the form \path\to\folder\, for instance \System\Library\CoreServices\
• \\, the root of the device.
<filename> can be:
• a file, for example BootX
• or :tbxi, which doesn’t specify a boot file but just makes OF search for a file of type tbxi in the folder <path>.
3.4 Banners
3.4.1 OF Banners
Two really interesting variables are oem-banner and oem-banner?, which make OF show a welcome message at the top of the screen: you can use it to print your contact information; this way, if anyone finds your lost computer, he or she may return it to you.
First of all, you have to enable the banner by typing:
setenv oem-banner? true
Now enter the message you want to show:
setenv oem-banner <text>
For example:
setenv oem-banner This Mac is Steve Jobs’ property. If found, please call 555-NNNNNN and you’ll receive a reward in golden iPods
If your security mode is set to full, or if auto-boot? is set to false, the banner will be shown every time your Mac starts up (or wakes from hibernation).
call 555-NNNNNN and you’ll receive a reward in golden iPods
</string>
...
You can also modify the size of the font, just add:
<key>LoginwindowText-FontSize</key>
<real>24</real>
in which you can specify any number.
ASCII creates a simple correspondence between characters and numbers. For example, the character i equals 105 in the ASCII table.
105 has the following binary representation: 0110 1001
0xAA has the following binary representation: 1010 1010
0110 1001 XOR 1010 1010 = 1100 0011
1100 0011 equals 195, which has the following hexadecimal representation: 0xC3
1. You can install this Mac OS 9 app which shows the password
http://www.securemac.com/openfirmwarepasswordprotection.php#fwsucker
2. Or, if you have physical access to the Mac, follow these steps:
• turn off your Mac and disconnect all the cables
• locate the RAM slots
• remove or add a RAM bank
• start up the Mac and press COMMAND+ALT+P+R (which resets
the PRAM)
• add or remove the RAM bank you have previously removed or added
• et voilà... no more Open Firmware password!
3.5.3 Brute force won’t work
Open Firmware has adopted a progressive delay technique to discourage brute-force attacks.
Every time the password you type is wrong, you will not be able to try again until 2x seconds have passed, x being the number of attempts made.
This is a very simple but effective way to make this kind of attack very rare.