
Lina received a $150k bounty for this exploit.


Sounds extremely low for this kind of vulnerability at a $2.7T company that prides itself on its privacy accomplishments.


I mean, this is the company where the only security certification advertised on their website for macOS [1][2] only achieved the lowest possible level of security, EAL1.

A level only fit for products where [3]: "some confidence in correct operation is required, but the threats to security are not viewed as serious", which is one level lower than "demonstrating resistance to penetration attackers with a basic attack potential" [4], which in turn is four full levels below "demonstrating resistance to penetration attackers with a moderate attack potential" [5].

Apple has never once, over multiple decades of failed attempts, demonstrated "resistance to penetration attackers with a moderate attack potential" for any product. It should be no surprise that the systems, processes, and people who lack the knowledge, ability, technology, and experience to make a system resistant to moderate attackers, despite nearly unlimited resources, have the security of their systems completely defeated by moderate attacks like small groups of skilled researchers. Apple positively, absolutely, 100%, certifies they can not. Though, it would be nice if their marketing were restricted to what their engineering can prove.

[1] https://support.apple.com/guide/certifications/macos-securit...

[2] https://support.apple.com/library/APPLE/APPLECARE_ALLGEOS/CE...

[3] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 14

[4] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 16

[5] https://www.commoncriteriaportal.org/files/ccfiles/CC2022PAR... Page 20


EAL is not a measure of security but a measure of the depth of analysis. Looking at the complexity of monolithic-kernel-based operating systems, I don't think much can be derived from certifications with an EAL < 5.


Evaluation assurance levels (EAL) are a bundle of security assurance requirements (SAR) that reasonably trace to varying levels of assurance that the target of evaluation (TOE) enforces the security functional requirements (SFR) of the product. One of the core SARs is AVA (vulnerability assessment), which evaluates resistance to penetration attackers and the presence of vulnerabilities. It is only at EAL5 that you are required to demonstrate AVA_VAN.4, which is resistance to penetration attackers with a moderate attack potential.

What we derive from companies only able to achieve EAL < 5 is that their systems are neither designed for, nor capable of, protecting against moderate attackers. This has been borne out by decades of experience where the security properties of these systems have been routinely defeated by attackers with moderate or lower attack potential. The certification process is both effective and accurate at identifying that these consumer operating systems are inadequate against attackers of moderate ability as an upper bound.

We further know from decades of experience that any system that attempts EAL5 certification and then fails has structural deficiencies that make it practically impossible for any configuration to ever be certified without a total redesign. As far as I know, nobody has ever achieved that despite decades of attempts and billions of dollars spent attempting to retrofit inherently insecure designs such as Windows, Linux, or macOS.

So, what we know is that macOS, iOS, Linux, Windows, BSDs, etc. are structurally insecure against moderate attacks such as those employed by commercial hackers and organized crime, let alone state-level actors, and that it is hopeless for them to ever be improved to reach such a level. Anything less than EAL5 is inadequate for the modern threat landscape of established commercial hackers and state actors as experienced by consumers, businesses, and governments. Therefore, the systems currently deployed are universally unfit for their usage in these connected systems and we have the certifications and continuous examples to prove it.


How do you define "penetration attackers with a moderate attack potential"?

Not having an EAL>4 certification does not imply that something is insecure.

Judging something as "insecure" or "structurally insecure" is highly opinionated. Not everyone has the same tolerance of risk. For most users the common operating system is secure enough. Besides that, security does not depend only on the kernel. Smartphone operating systems which are based on Linux practically provide more security through app isolation than most desktop-oriented Linux-based distributions.

Besides that, a CC certification does not necessarily certify the product as a whole, which ultimately means you cannot even derive a statement about the security state for the end user.

Example: Integrity OS has been certified at EAL6, yet they have provided a vulnerable telnet server: https://nvd.nist.gov/vuln/detail/CVE-2019-7715

Another example was the genugate firewall, which has been certified at EAL4+ (including ALC_FLR.2, ALC_PAM.1, ASE_TSS.2, AVA_VAN.5), so in the end it was certified against attacks with a high attack potential. Yet the product was vulnerable to a simple authentication bypass of the management interface, resulting in a CVSS score of 9.8: https://nvd.nist.gov/vuln/detail/CVE-2021-27215


“Moderate potential” is defined in the standard [1]. As we are generally discussing blackbox attacks on publicly accessible remote endpoints, basically the only relevant factors are “Elapsed Time” and “Expertise”. So, a “moderate attack potential” is: an expert-proficiency attacking team over four months. A “high attack potential” is an expert-proficiency attacking team over six months.

I know, the standard is embarrassingly low by modern attack standards. It really should be much stricter these days, but even at these embarrassingly low levels the standard commercial vendors such as Apple cannot achieve them.

No, my statement on structural insecurity is quite objective. I said they are structurally insecure against commercial hackers and organized crime. That is a statement relative to a threat model and can be objectively verified.

Our objective verification is that their security properties get routinely invalidated by such attackers thousands of times a year. You would be hard pressed to find a professional hacker who would say something like: “Oh no, they are using a Mac, my plans are foiled.”

Commercial hackers and organized crime are expected threat actors. If you are running a commercial enterprise, you will be attacked by commercial hackers these days. If your systems are useless against them, then your security is objectively inadequate for your use case. Using systems certified to be inadequate for your use case is just engineering malpractice.

Yes, a Common Criteria certification does not mean the entire product is certified in much the same way that a nail certification does not mean your airplane is certified. You need to certify the entire product for the entire product to be certified. That should be obvious.

I do not know why you bring up uncertified composed products having problems in uncertified components. Yes, those components suck, we already know that. That in no way supports using composed products consisting entirely of inadequate components.

You seem to be confused about how you should use a Common Criteria certification to evaluate a product. EAL5 does not mean you are guaranteed to be protected against moderate attackers. It just provides some reasonable confidence that might be the case. What it really tells you is that you should have minimal or no confidence in systems not certified (or even worse failed certification) to EAL5.

An AVA_VAN.5 component might be vulnerable to moderate attacks. But a component that failed certification to AVA_VAN.3 is certainly vulnerable to moderate attacks.

The genugate firewall is EAL4. I do not see how this bolsters your point. There is a reason why we use EAL instead of just reporting the AVA_VAN requirement.

I do not have any particular insights into their product or that vulnerability. It is certainly possible they were over-certified.

Looking at the PoC, it seems to indicate an administrator login authentication bypass. In the genugate firewall TOE [2] it indicates that the administrator network is assumed to be isolated and trusted. If an administrator login page is only meant to be accessible from the administrator network then the CVE would be out of scope of their certification. Though the CVE indicates other logins that might be affected, so I cannot speculate any further. It certainly could be over-certified. But again, certification does not mean confidently secure; it is non-certification which means confidently insecure.

[1] https://www.commoncriteriaportal.org/files/ccfiles/CEM2022R1...

[2] http://www.commoncriteriaportal.org/files/epfiles/0300b.pdf


On the other hand, that's a year's salary for many people. Seems like a quite fair payment, and a payout to envy.

Lower, easier to get payouts are arguably better than rare jackpot payouts you have to fight over...


> On the other hand, that's a year's salary for many people.

It's several years' salary for many people.


But not for people with this level of applied skills.

How many people do you think could pull this off? I certainly couldn't. Could you?


> But not for people with this level of applied skills.

Perhaps not for people with this level of applied skills who live in the US. But salaries vary drastically around the world, and remote jobs are not feasible for everyone.


How would you value this exploit, or any exploit?


I understand this is arbitrary code execution with root access. I'm imagining the potential of infecting a high status individual and I think a bad actor would pay millions for such an exploit.


Sure, so how would you arrive at a dollar amount? What would it be?


Apple pays up to $2M for such zero click exploits.


> Sounds extremely low for this kind of vulnerability

How do you know that?


I’m not sure I follow. You’re asking them how they know their own impression of something?


That would be a fair question, we generally don't come to our impressions by random choice alone. My guess is the value of the vulnerability on the black market would be significantly higher and Apple could afford to compete with that better if they wanted. Only the GP could tell us the reasoning for their impression though.


Which part? I feel that arbitrary code execution with root access is a pretty extreme thing to accomplish. But I might be mistaken!


What? That's an insane amount of money


I'm comparing it with Apple's market cap of $10^12. Such a vulnerability seems pretty serious. But maybe I'm mistaken and it's not that bad.


Less than the salary of their software engineers.


Well deserved. By reading the code you can tell there is a lot of analysis and knowledge required to make that exploit happen.

OS development, security, shader programming, computer architecture, etc.

The code is clean and has plenty of comments explaining what is happening at each step.

And for the ones who do not know, Asahi Lina is the same person who made it possible to run GPU-enabled Linux on Apple Silicon, along with other contributors.


How does this work anyway? I reported a password bug that went unfixed for months and didn't hear back from Apple. Do you need to be the first/only person to have reported something, or what?


Most bug bounty payouts go to the first person or group that reports it, and only if the bug in question is novel to the company in question.

I.e. if you report after someone else, or after it's already been identified internally, you're not likely to get a payout unless you have novel details.


Hell yeah, good for her!


[flagged]


> Lina is a pseudonym for Marcan

Is there any evidence for this? I've seen a bunch of people say it on HN.


He hasn’t admitted it directly, but there is a large amount of circumstantial evidence. Asahi exclusively uses Marcan’s private infrastructure. They both name their systems after little girls from the anime “PreCure”. They are NEVER talking/streaming at the same moment, even when they appear together. In fact Marcan used to stream quite a bit on his personal channel, but once Asahi appeared he stopped almost entirely. They even have similar typing styles once you start comparing their long-form writings. Not to mention the fact that Asahi’s specialities just so happen to align with Hector’s to the point where they can interchangeably work on reverse engineering Apple Silicon. How many people in the world exist that can do that? And how many would share the exact same interests and peculiarities as Hector?

Finally, and my personal favorite: Asahi’s VTuber reveal was by “hacking” and hijacking one of Marcan’s streams. The introduction was literally replacing Hector.


The fact that the comment you replied to is buried shows that it's probably too close to be true and makes people uncomfortable. Are we supposed to believe the character is literally an animated humanoid with animal ears? Is it not ok to question who the human entity behind it is? In any case, it's super easy to spot when it's a man pretending to be a woman, in case that's the source of the controversy.


The other guy makes some good points, but this is crazy:

> The fact that the comment you replied to is buried shows that it's probably too close to be true and makes people uncomfortable

"People think I'm an asshole, that means I must be right"


How was that person in any way being an asshole?

If you say something nonsensical or incorrect, people ignore you. But if they laugh or get irate, then you're probably on to something.


Apple pays out a range of $5k to $150k for this type of attack.

See: https://security.apple.com/bounty/categories/



