OS X Leopard is now certified Unix, but is it safe?

Analysis
Aug 1, 2007

Open Group Unix 03 certification puts the upcoming OS X Leopard on a par with AIX and HP-UX. Is there any truth to the fearmongering about security?

I learned last week that OS X Leopard has passed the Open Group's certification suite for Unix 03, qualifying it to use the Unix trademark. Kudos to Kevin Van Vechten and the rest of the OS X engineering crew for pulling this off. It's no easy feat. Leopard's Unix c

The Open Group has issued Apple a lovely certificate of compliance. I suggest that all Leopard users print it on fine-quality, high-rag paper, frame it, and hang it in their server rooms and Mac-blessed cubicles as a reminder to Linux weenies that there are pretenders, and then there is the real thing. And guess what? I am genuinely unconcerned about those who see such statements as blasphemous or as baiting the Linux community. Those who frequent Enterprise Mac or Ahead of the Curve know that I’m a certified Unix snob, a Mac client and server user, and proud to be both.

“Wait a minute,” I hear some of you saying, “aren’t those three certified commercial Unixes proprietary? Why would anybody want OS X to fly that flag?” Well, don’t forget that Solaris is legitimately open source, and it runs on hardware (including Macs under hardware-accelerated virtualization) that doesn’t bear Sun’s badge, so there is a precedent for open, nonproprietary, genuine Unix. From my perspective, the primary value of Leopard’s Unix certification is that it gives commercial server ISVs a heaping helping of confidence that their native code will port easily to OS X on Mac. Satisfying Unix 03 requirements indicates that “recompile and run” is now a reality, not only for Leopard Server but for Leopard client as well, given that both are based on exactly the same kernel, dev tools, libraries, commands, and utilities, most of which Apple laudably publishes as open source.

Open source has not been very good to Apple of late. Open system software is the best way to future-proof commercial computers for customers, full stop, but Apple’s open sourcing of its true Unix imposes potential drag on OS X’s credibility in organizations that equate the Unix trademark with secure systems. The informed know that OS X is no more vulnerable to black hat exploits than other OSes, closed and open alike. Yet parties ranging from IBM to the Windows and Linux anti-virus vendor Panda Security, along with some Linux users, routinely foster negative public opinion about OS X. Anyone can prod bloggers worldwide just by putting “OS X” and “security” in the same sound bite. Nobody calls them on it. I will: Vendors, if you slam OS X security, put your money where your mouth is by refusing business from accounts that have deployed Macs. After all, an enterprise is only as secure as the least secure system on the network. You wouldn’t want to open your servers to exploits by helping prospective customers integrate your equipment with Macs. Just walk away from the table and leave the money to vendors such as Sun, which doesn’t bad-mouth OS X.

Apart from public perception, there is a contingent at Apple that is mightily honked that Darwin renders OS X ultimately crackable, leading to successful independent efforts to open Apple’s locked-down platforms–Mac, Xserve, Apple TV, and iPhone–to third-party software. OS X has been cracked to run on non-Apple PCs, albeit with gaps in functionality related to video and Wi-Fi. Apple TV is fully cracked, resulting in the ability to replace the device’s cut-down edition of OS X with the full OS distributed with Mac systems and sold as a shrink-wrapped upgrade. And recently, iPhone was opened to custom native applications by developers who modified the GNU toolchain for the popular ARM microcontroller to produce OS X-compatible Mach-O executables. The iPhone effort is far from complete, but like OS X and Apple TV, iPhone cracks rely on Darwin’s open sources and binary compatibility with OS X.

Apple could easily close that gap by ditching the Darwin project or tweaking it to make it binary-incompatible with Leopard. HP-UX and AIX are closed source, and that hasn’t hurt IBM’s or HP’s sales. In fact, I recently had a day of discussions with IBM about its new POWER6 CPU during which a panel of IBM tech executives disclosed an overall lack of customer interest in Linux among its enterprise customers, despite the fact that IBM is extremely active in Linux development. For customers, platform selection is a matter of trust.

If Apple were to close OS X by withdrawing or limiting Darwin, would that bolster customers’ faith in Leopard’s security and scalability? Much as I’d hate to see OS X closed, and I hate the hell out of that idea, I have to admit that closing OS X’s source code, combined with Apple’s Unix certification, might help push OS X into organizations that associate Unix with stability and scalability.

Exploits and cracks of the various OS Xs routinely make the news, eclipsing even Windows. For example, I’ve read that iPhone is especially vulnerable to exploits because clicking on a phone number on a Web site dials it, and because all of its executables run as root (the unrestricted user account in Unix and Unix-alikes). But stories crafted to spread fear among the mobile masses neglect to mention that most smartphones make no distinction between privileged and unprivileged code except to alert the user that an application is trying to place a voice or data call. Mobile platforms place limitations on code that might compromise security by means of digital signatures that make executables traceable to the individual or company that produced them.

Code signing is also a feature of Leopard — and the developers who cracked Apple TV and iPhone found evidence of a signing mechanism in those devices’ OSes. Requiring digital signatures on privileged executables would afford OS X adequate protection while allowing it to remain an open OS. Such signatures can be cracked, but Apple can play dodgeball with crackers by building new keys into firmware updates. The crew that cracked iPhone also uncovered a sandbox, or jail, that allows native, nonprivileged third-party code to run in a locked-down mode that blocks access to system directories and makes root access difficult enough that most developers and prospective customers wouldn’t bother trying to break it.
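The protection described above, signatures on privileged executables checked against vendor keys that a firmware update can replace, reduces to a small verifier. The Go program below is an added example and is not Apple's code or anything from Leopard's or iPhone's actual signing implementation; the TrustStore, Sign and Verify names, the key IDs, and the byte string standing in for an executable image are all constructed for illustration. It shows the three outcomes a loader cares about: a good signature passes, a tampered image fails, and after the trusted key set is rotated an image signed with the old key is no longer accepted until it is re-signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore holds the public keys a device trusts, keyed by an identifier
// the signer embeds in the signed executable. Only public keys live here;
// the private key stays with the vendor. (Constructed model, not Apple's.)
type TrustStore struct {
	keys map[string]ed25519.PublicKey
}

// SignedExecutable bundles an image with the key ID and signature over it.
type SignedExecutable struct {
	Image []byte
	KeyID string
	Sig   []byte
}

var (
	ErrUntrustedKey = errors.New("signing key not in trust store")
	ErrBadSignature = errors.New("signature does not match image")
)

// GenKey derives a deterministic Ed25519 key pair from a seed string so the
// example runs offline; a real vendor key would come from a secure generator.
func GenKey(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := sha256.Sum256([]byte(seed)) // 32 bytes, exactly ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(s[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func NewTrustStore() *TrustStore {
	return &TrustStore{keys: map[string]ed25519.PublicKey{}}
}

// Add trusts one more key; Rotate replaces the whole set, which is what a
// firmware update that ships new keys amounts to.
func (ts *TrustStore) Add(id string, pub ed25519.PublicKey) { ts.keys[id] = pub }
func (ts *TrustStore) Rotate(id string, pub ed25519.PublicKey) {
	ts.keys = map[string]ed25519.PublicKey{id: pub}
}

// digest is what actually gets signed: a hash of the image, as code
// signatures cover a digest rather than the raw bytes.
func digest(image []byte) []byte {
	h := sha256.Sum256(image)
	return h[:]
}

// Sign is the vendor-side step: sign the digest with the private key.
func Sign(priv ed25519.PrivateKey, keyID string, image []byte) SignedExecutable {
	return SignedExecutable{Image: image, KeyID: keyID, Sig: ed25519.Sign(priv, digest(image))}
}

// Verify is the loader-side check run before an executable is granted
// privilege: the key must be trusted and the signature must match the image.
func (ts *TrustStore) Verify(exe SignedExecutable) error {
	pub, ok := ts.keys[exe.KeyID]
	if !ok {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(pub, digest(exe.Image), exe.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub1, priv1 := GenKey("constructed vendor key v1")
	ts := NewTrustStore()
	ts.Add("vendor-v1", pub1)

	// Constructed stand-in for a privileged helper's image, not a real Mach-O.
	image := []byte("MACHO-STANDIN privileged helper v1.0")
	exe := Sign(priv1, "vendor-v1", image)
	fmt.Println("genuine image:", ts.Verify(exe))

	// Flip one byte of the image: the signature no longer matches.
	tampered := exe
	tampered.Image = append([]byte{}, image...)
	tampered.Image[5] ^= 0x01
	fmt.Println("tampered image:", ts.Verify(tampered))

	// Rotate to a new vendor key; the old signature is no longer trusted.
	pub2, priv2 := GenKey("constructed vendor key v2")
	ts.Rotate("vendor-v2", pub2)
	fmt.Println("old signature after rotation:", ts.Verify(exe))
	fmt.Println("re-signed with new key:", ts.Verify(Sign(priv2, "vendor-v2", image)))
}
```

Note that Verify refuses anything whose key ID is not in the store before looking at the signature at all, so a signer cannot gain anything by choosing a key ID of its own; an unknown ID is rejected outright, and a known ID with a signature from a different key fails the Ed25519 check.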

I know that I’ve been all over the place in my treatment of this subject, but I’ll circle back around to my main point: Apple deserves to benefit from Unix’s image as a stable and secure platform. OS X is mature, open, beautifully and thoroughly documented, and uniquely delivered to customers in a turnkey, deployable state. Real Unix never looked so good or delivered such a smooth ride.