
Mac OS X: secure Leopard?
By Jerome Saiz, Wed, October 31st, 2007
Mac OS X 10.5, a.k.a. Leopard, introduces a lot of new security-related features. We take a look at the most interesting of them.
What's in a Leopard? A lot of welcome security improvements, at least. And this is a good thing, as Mac OS X becomes more popular and thus more of a target.
We will not cover the obvious (and nonetheless very useful), like the Time Machine backup utility, but rather delve into the roots of Leopard, where some true security features await. Most of them are of the "anti-exploitation" kind, meaning they are designed to make it harder for an intruder to compromise the system through a vulnerability or a legitimate application.
Sandboxing
Leopard restricts what certain applications can do. Network-facing or system-wide apps like Spotlight, QuickLook or Bonjour are thus limited in which files they can modify or access and in what they can do. This is essentially a role-based access control approach: for example, applications that do not need to create new accounts on the system as part of their usual role can be prevented from doing so.
Yet we found a limitation in the way sandboxing is implemented in Leopard: very few applications, and especially not the most useful ones like Mail or Safari, are sandboxed. On the other hand, a lot of obscure-but-dangerous services (like IPC) are covered.
And since the tool is there, nothing prevents future updates from extending the sandboxing to other apps.
Application Tagging
Next up is a convenient way to warn the user that an application comes from the Internet and might not be safe. All executables downloaded from the network are flagged, and the system presents a warning when they are run for the first time. While this can seem useless to most users (you do know what you download, don't you?), it will prove useful against automatically downloaded and executed malicious code, of the kind the Windows world knows so well. And don't fool yourself: the Mac will have it, too.
Library Randomization
One thing other operating systems get right (including Windows Vista) is trying to make it harder for attackers to run code after having broken into the system through a vulnerability. The attacker needs to know precisely where to put their code in memory for it to run properly instead of just crashing the system. Library Randomization makes this harder by randomly shuffling those memory locations, so that the attacker can't simply aim at a specific part of memory.
While this is a very effective hardening technique, Apple did not go all the way: according to experts, some libraries are not covered by this randomization process, leaving them exposed. Still, it's a very welcome change that can only get better (i.e., cover more libraries).
The end of InputManagers
InputManagers were a very convenient way to enhance applications: just drop a file in a specific directory, and the code it contains essentially becomes part of that application's code. Nifty, but very, very dangerous, as it allows intercepting and manipulating the data that goes in and out of applications.
Apple has not axed InputManagers, as was feared, but made them controlled by the system instead of the user. With Leopard, InputManagers live in the system Library (thus needing administrative rights to get there) and will only run if owned by root, which requires a deliberate effort by the user. Nice.
Temporary guest accounts
A good idea gone bad: temporary guest accounts are accounts you open to let people use the Mac, and that get deleted when the session is closed. Unfortunately, while the account is active, users can set up cron jobs or mount file systems that will persist even after the account is deleted. We can only hope this feature gets more comprehensive with future updates.
Code signing
Developers (and Apple itself, of course) can now sign code. This allows signed applications to refuse to run if they are tampered with, either before downloading (on a compromised website) or on the system itself (infected by a virus). Of course, this is only useful if developers sign their code, which is not mandatory. We guess pretty few of them will go through the hassle of code signing, making this feature much less attractive than it could be.
New firewall
Mac OS X's built-in firewall has been improved to be more granular at the application level and to offer outbound filtering. That's nice, but Little Snitch has been around for so long it almost feels like part of every Mac. And the granularity offered by the new firewall is not that... granular! A better idea would have been to use the sandboxing interface to allow fine control of what applications can or cannot do, including using the network.
We're sure a third-party app will offer this in no time...
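As an added illustration of the sandboxing approach described above and of the per-application network control this section wishes for, here is a Leopard-style sandbox profile for a hypothetical "document viewer" role, plus a helper that applies it with sandbox-exec. This is example code, not from the article or from Apple's own profiles; it assumes the Leopard sandbox-exec(1) profile language (version 1 rules, later rules overriding earlier ones) and a scratch directory under /private/tmp.

```shell
#!/bin/sh
# Added example (not from the article): strip a "document viewer" role of the
# privileges it never needs. Profile syntax is assumed to match Leopard's
# sandbox-exec(1) profile language; later rules override earlier ones.

# Write the viewer profile to the path given as $1.
write_viewer_profile() {
    cat > "$1" <<'EOF'
(version 1)
(allow default)
;; A viewer never needs the network: this is the outbound control the
;; article would like the firewall to expose per application.
(deny network*)
;; No persistence anywhere on disk (no crontabs, LaunchAgents, prefs...):
;; writes are confined to one scratch directory (hypothetical path).
(deny file-write*)
(allow file-write* (regex "^/private/tmp/viewer-scratch/"))
EOF
}

# Sanity check before trusting a profile: how many deny rules does it carry?
count_deny_rules() {
    grep -c '^(deny ' "$1"
}

# Run a command under the profile; fails where sandbox-exec is not available.
run_sandboxed() {
    profile=$1; shift
    sandbox-exec -f "$profile" "$@"
}

# Demonstration, only meaningful on a Mac that ships sandbox-exec.
if command -v sandbox-exec >/dev/null 2>&1; then
    write_viewer_profile /tmp/viewer.sb
    mkdir -p /private/tmp/viewer-scratch
    run_sandboxed /tmp/viewer.sb /bin/sh -c 'echo hi > /private/tmp/viewer-scratch/ok.txt' \
        && echo "write inside scratch dir: allowed"
    run_sandboxed /tmp/viewer.sb /bin/sh -c 'echo hi > /tmp/viewer-denied.txt' \
        || echo "write outside scratch dir: denied"
    run_sandboxed /tmp/viewer.sb /usr/bin/curl -s http://www.apple.com/ >/dev/null \
        || echo "network access: denied"
fi
```

The stricter variant starts from (deny default) and allows only what the role needs, which is the model the article describes but requires enumerating every library and directory the program touches.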
Everything else: VPN, encryption, Windows sharing...
A host of other smaller, but still important, updates bless Leopard: VPN support for corporate networks has been upgraded, SMB packet signing will allow connecting to encrypted Windows shares, and encrypted disk images get upgraded from 128-bit AES to 256-bit AES. Not that anybody has managed to break 128-bit AES yet, but still nice. And finally, Leopard offers more control over file sharing (who can access what).
All in all, Leopard is probably the most security-rich version of Mac OS X yet, even if security is not what Apple is putting forward in its marketing. Of course, we love it. We just have to wait for the first release bugs to settle down, though...
More about this news: see http://www.apple.com/macosx/technology/security.html