Apple Technical White Paper Presented By : Rajhesh Babu

Introduction Overview Secure Data Storage & Deletion Public Key Infrastructure Firewalls Core Security Malware Protection Privacy Conclusion

Security is one of the main concerns of any Operating system. Apple strives to ensure that the core of the operating system provides critical protection for services, applications and data. In the view for the organization’s security, all security options should be examined and the need for security must be balanced.

OS X is designed to provide concrete defenses against outside security threats with a series of protective systems. OS X and many of it’s integrated services are built on a foundation of open source solutions. Strong security is a benefit of open source software. An open source development approach provides the transparency to ensure OS X is as secure as possible. OS X has a number of features designed to protect the confidentiality of users and their data.

OS X provides easy-to-use methods for ensuring that files stored are securely protected using Advanced Encrypted Standard(AES). The Data storage options include FileVault 2 and Encrypted Containers(also called as Disk Images). OS X also provides methods for deleting files securely which prevents deleted files from being recovered. Data deletion options include Secure Empty Trash, Secure Erase and Remote Lock and Wipe.

FileVault 2 : FV2 was introduced in OS X Lion, provides full disk encryption for Data-at-rest(DAR) protection. Initial encryption is fast and unobtrusive, meaning all data is encrypted in the background. During the setup, FV integrates a recovery key as a safety net for accessing the encrypted volume. The two different recovery keys are personal recovery key and institutional recovery key. With FV 2 enabled, a user must enter valid login credentials or a recovery key before the computer can access the files and continue with the boot process.

Encrypted Containers – Disk Images: With the Disk Utility tool, you can easily create encrypted Containers known as “disk images”, by using 128-bit or a stronger 256-bit AES encryption. When the underlying disk image is encrypted, any files and folders placed under it are encrypted and decrypted automatically. When you decrypt a disk image, blocks of file data are decrypted in real time. This encryption/decryption process is nonintrusive to the user and creating an encrypted disk image is simple as clicking the the New Image button in Disk Utility.

Secure Empty Trash: OS X includes a Secure Empty Trash command to prevent deleted files from being recovered. You can access the same functionality and more advanced management from the command line. Secure Erase: Just as deleting a file from a computer doesn’t truly remove it, erasing the hard drive doesn’t truly remove the data from a drive. Disk Utility includes a variety of options to securely erase old data on an entire drive or volume. The secure erase options are 1. Fastest : default action that occurs when you erase or reformat a drive or volume.

2. Zero Out Data : This option will write zeros over all the data at once. This is the quickest but less secure pass secure : This option is a DOE-compliant 3 pass secure erase. 4. Most secure : This writes seven diff passes of information to the drive. Time consuming, but secure. Remote Lock and Wipe : Using OS X, you organization’s IT department can offer users a web-based method for remote locking and even wiping their systems. IT can use Profile Manager to lock, Unlock and wipe a remote MAC without user intervention.

Public key Infrastructure(PKI) is all the components (i.e hardware,software,policies,processes) and the complex interactions that occur among them. OS X is designed as a OS based PKI where all the services are performed by the OS and not by the individual applications. Digital Certificates : The fundamental basis of a PKI is a “digital identity”, which consists of a digital certificate and corresponding public and private keys.

OS X uses digital certificates to support secure collaboration and enable the following services: Authentication Data Integrity Encryption Nonrepudiation Technologies in OS X that can use digital certificates: FileVault/encrypted disk images Login Window Safari Remote Login Mail System Administration

Basic purpose of a firewall is to control connections made to a computer from other computers or devices on a network. For casual users, Apple provides an “Application layer firewall” where users can control connections on a per application basis, rather than per service basis. For IT professionals with more complex needs and knowledge, Apple provides “IPFW2 firewall” for finer grained control. Since IPFW2 processes traffic at packet level which is lower in the networking stack than the Application Layer Firewall.

In addition to securing local data and network access, OS X employs techniques to protect the core functioning of the operating system and applications. Some Techniques are 1. Mandatory Access Controls : This access control mechanism enforce restrictions on access to system resources. Mandatory access controls are integrated with the exec system service to prevent execution of applications that aren’t authorized.

2. Sandboxing : This helps ensure applications do only what they are intended to do and prevent malicious code from hijacking applications and OS services to run their own code. 3. Execute Disable : One of the most common techniques used by developers of malicious software to gain unauthorized access is called “buffer overflow”. To avoid this OS X has provided no-execute stack protection by taking advantage of the XD function available in recent Intel processors.

Protecting data, workstations and servers within a network goes beyond encryption and access controls. OS X is not generally associated with high risks for viruses or other forms of malware, some forms of malware have been discovered that may affect it. Application Quarantine : Quarantining applications help prevent users and processes from accidently running applications of unknown origin, which are potentially malicious.

Identification and Removal : When unknown executable code is downloaded to the Mac, OS X provides protection by ensuring that the code will never execute if it’s one of the known pieces of malware. Because the malware code is already quarantined, OS X can remove the malware and notify the user of the blocked attempt. Antivirus Protection : When the antivirus deployment to the OS X systems within an organization is centrally managed, you can use central antivirus management to alert administrators the presence of viruses on individual systems.

With increased number of devices, apps and services, the increase need for keeping personal info private. For example : when using navigation or mapping services users must allow their private devices to provide exact location data, but revealing those details can expose private info to unauthorized service or application. Location Services : OS X provides preference controls and ability to control location services. Includes a Privacy Pane – for enabling and disabling location services as well as usage of data.

Online Privacy : A Privacy pane provides info about and control over online privacy. Users can clear website data, customize cookie settings and decide whether websites can request location information. Privacy pane in Safari also includes web history, where each site is stored and what data is stored on the Mac.

Security is the ever-present concern of every IT department regardless of the OS they use. OS X offers a solid set of security components that are built-in to every Mac. Industry-standard solutions and meeting the security guidelines from the U.S federal government agencies make the impact of security.

Apple’s Technical White Paper

Questions???

Thank you