Wanted: Burglar alarm for OS X

A couple of months ago, I started to update an article which I wrote for MacUser six years ago, about network intrusion detection systems (NIDS). Each time I go back to it, it gets more difficult to complete.

In the real world, the parallel is obvious. Many homes and pretty well all business premises (apart from the tiniest) do not rely solely on their locks and barriers to prevent the ingress of intruders: they also have alarms which detect the presence of an intruder within.

Our Macs are different. All of us (I hope) have firewalls to stop incoming assaults from potential intruders, and systems such as OS X’s Gatekeeper to prevent us from running apps which might have slipped past. But we have nothing to match the burglar alarm when it comes to detecting an intrusion which has made its way past that protection.

Years ago, I used to run a neat little Mac app named HenWen, which was a port of the Snort NIDS with a friendly dialog-based front end. But a lot has changed since then: HenWen withered away quietly, CISCO acquired Snort, and we have seen two competitors in the form of Bro and Suricata. I got quite excited by Suricata, but none of these three available NIDS is as friendly as HenWen was; indeed none is even available in an OS X package, instead they each have to be compiled from source code.

As I was trying to work out the best way to present this, Patrick Wardle came along with his discovery of dylib hijacking, and NIDS all seemed less than relevant. If you were very lucky, malware which hijacked dylibs might trigger one of the NIDS, but they were hardly a front-line defence.

But the most serious nail in the coffin for my intended article was XcodeGhost. Although an iOS attack, it reinforced the irrelevance of our current NIDS, had its perpetrators chosen to load their code into OS X apps supplied through the Mac App Store instead.

Worse than that: the fact that many millions of iOS users had been running infected apps for anything up to five months before anyone noticed that there was a problem, makes me realise how a NIDS could not only fail to detect such malware, but could lull a user into an even more false sense of security.

So for the moment, my plans to update the article about NIDS are on hold. Yes, if you are running a corporate network which could be breached in all sorts of other ways, and could face internal threats, running a NIDS could be important. But those of us with smaller business or home networks are unlikely to achieve anything useful by installing a NIDS at present, and the effort and technical knowledge required to obtain any security benefit from a NIDS far outweighs any marginal advantage.

Then I was pointed in the direction of Steffen Ullrich’s research on evading NIDS, firewalls, and most other security systems using what he terms the ‘Semantic Gap’ in HTTP and MIME. He explains that this results from gaps in specifications or implementations – in other words, there are differences in interpretation between the system doing the protecting, and the system being protected. Such gaps can be exploited to sneak payloads past virus scanning and protection systems, as demonstrated by Ullrich’s test site.

So for the time being, Mac users remain in need of a burglar alarm. Patrick Wardle’s free tools are very helpful, but not a complete answer at present.

Of course Apple could have invested its engineering effort in moving OS X and iOS to more robust security models, such as a self-monitoring and self-repairing OS, instead of repeatedly redesigning the interface, adding more motion and animation, and such glitzy things. But investing in security does not bring the same instant gratification as a new system font.

As we are all poised to upgrade to El Capitan, I hope that Apple is taking a serious look at what it can do in OS X 10.12 to better prevent and detect malware.