Linux And Security
April 24, 2006, 8:12 pm | In Linux, Security |
I’m sorry about my absence, but I have been extremely busy the past few days. Revising for exams, building a computer from scratch, reading quite a few documents, finding out more about a degree in Computer Science, and returning to school after a brilliant Easter. So what is this post about? Linux, and security. I have been talking to a security professional about my first article, Proposing a Compelling Linux Business Case. First of all, my article was aimed at the public sector, and so certain parts of it may seem irrational and outright wrong to a security professional. I’m hoping that one of my readers knows enough about Linux to be able to respond to him with a valuable argument, because this has reached a stage which is too complex for me to handle. Maybe you could give it a shot! Contact me via the contact form if you’re interested.
I will lead you through our discussion. The security professional goes by the alias ‘catch’, and he is a member of the TAZForum. Feel free to join there and post - it is a great community of friends, and you will be received with open arms. Back to the discussion. The person who is sending the message is in bold, and if they have quoted a paragraph (of the other person’s message), it will be italicised. catch’s first impressions on my article:
catch:
J_K9… that article I deemed unfinishable and submitted a different one… explaining why the first couldn’t be done. In short because “Linux” is such a debased term that no one even knows what it means anymore. It is really just a loose theoretical concept with a few “most likely” facts. That article of yours is a fine example. FYI, Linux is not the main system of the US Military. In practical terms, Windows would be their main system, because they have mostly Windows installations… but depending on the use you will see AIX, IRIX, QNX, SecureOS, STOP, SMG, LOCK, SNet, FreeBSD, and a myriad of other legacy and research systems including Linux. If you would like to discuss the rest of that article we can… I think I might be able to point you in the right direction.
So, thoroughly intrigued, I sent him this:
Me:
Ah, right. I picked up the US Military info from a few books and websites, so I assumed it was correct.. There was no way for me to check it though, as I neither live in the US nor have ties with the military there.
You are right about the term ‘Linux’. It is ambiguous to the extent that the community cannot decide whether it is just the kernel or includes the whole operating system, which should be called by its full name GNU/Linux. However, ‘Linux’ is short and sweet, and is therefore a more attractive name nowadays for the general public.. Which leaves some developers confused as to whether Linux refers to the kernel or the OS. Most people have taken Linux to be the OS now, and IIRC even Linus calls the OS ‘Linux’. Moving forward with the times, I think?
But I would definitely like to talk more about my article, if you have the time. I aimed it at the public, trying to convince them to give Linux a go, so I understand that a security professional might view it differently..
When I say ‘I aimed it at the public’, I’m not saying I lied - not at all. Neither am I bending the facts. I’m proposing a decent alternative to Windows on a home computer, and the details I mention are correct. Linux is a stable, secure operating system, there’s no doubt about that, and it’s perfect for your home computer, office fileserver, webserver, and fulfils pretty much all other needs!
Catch’s reply to my previous PM:
catch:
The term “Linux” is mostly ambiguous in a way that no one knows what functionality a Linux|Gnu/Linux system will have, so people like to just take all the best things from all the different distros and put them together, never minding that many of those points are mutually exclusive. Especially with regard to security.
The next area of ambiguity is that most software in Linux has no assurance whatsoever… you only trust that it does what the developer says it does, because they say so. There is no assured QA no oversight at all. This is sometimes presented in the manner of SELinux, something that the NSA said outright is just for research and people were slapping it on production systems and it was included into the kernel with no further development.
If you would like me to create a thread on that Linux article of yours, I can do that. It’s not that I dislike Linux… I actually like it just fine, I dislike mis/ambiguous information taken as gospel.
cheers,
catch
And mine:
Me:
catch wrote:
The term “Linux” is mostly ambiguous in a way that no one knows what functionality a Linux|Gnu/Linux system will have, so people like to just take all the best things from all the different distros and put them together, never minding that many of those points are mutually exclusive. Especially with regard to security.
I’d like to disagree there. Anyone who has taken the time to read up on Linux will know what functionality a GNU/Linux system has. Different distros are suited to different people and sectors, so they will be set up differently and include different features/apps. All the distros are different, and that is what I think you’re talking about. That there is no set standard for a Linux (GNU/Linux) distribution, and therefore the term has no real meaning. I disagree. The term encompasses all the distributions - it shows expandability, configurability, and tons of other things. It means that an operating system does not HAVE to be like ‘x’, but can be expanded to be something much more powerful, much more usable, or much more efficient. Ultimately, it is down to the distro’s designer[s] to make the distro just the way he/the team wants it. No distro can possibly get the perfect combination, because that is not what GNU/Linux as an OS is trying to achieve. It is trying to suit everyone’s separate needs and requirements, and it does this marvelously. Build your own distro using Linux From Scratch, and you can have exactly what YOU want on your operating system, not what someone else has chosen for you.
Quote:
The next area of ambiguity is that most software in Linux has no assurance whatsoever… you only trust that it does what the developer says it does, because they say so. There is no assured QA, no oversight at all.
But isn’t that the case with proprietary products as well? You don’t know what you’ll get until you install it and find out what it can do. Example: You buy a commercial anti-virus application, which claims it has the most signatures and is therefore the best. Pretty easy to be fooled. But, that may be because it counts different forms of the same malware (like MSBlaster) as separate pieces, and so it achieves the largest number of AV signatures. Does this mean it is the best AV? Obviously not. Theoretically, it could be; but it most likely isn’t.
Quote:
This is sometimes presented in the manner of SELinux, something that the NSA said outright is just for research and people were slapping it on production systems and it was included into the kernel with no further development.
I thought you’d bring SELinux up. SELinux, for the most part, seems to be pretty stable. I know you’ll know about SELinux, but see what Red Hat has to say about it. To me, it looks like they have advanced it quite a lot, and if companies like RH are contributing to make it better then it is a worthwhile project. Only a few distributions bring SELinux, like FC, but many do not - for the simple reason that it IS, as you said, experimental software. Experimental software which seems to work well for most people.
Quote:
If you would like me to create a thread on that Linux article of yours, I can do that. It’s not that I dislike Linux… I actually like it just fine, I dislike mis/ambiguous information taken as gospel.
By all means do so! I personally like Linux a lot, and I see potential in it for the future (I recently set up a project to aid Ubuntu’s advancement as the easiest distro to use - I think it’s in my AO sig), but as I enjoy saying, ‘to each his own’. I am not the kind of person who goes around waving a banner with the message ‘Linux is more secure than Windows’ by the way.
Thanks for sharing your views catch, always interesting to read and discuss!
Regards,
-Max
His:
catch:
J_K9 wrote:
I’d like to disagree there. Anyone who has taken the time to read up on Linux will know what functionality a GNU/Linux system has.
Hehe… we’ll test this theory later.
Quote:
It means that an operating system does not HAVE to be like ‘x’, but can be expanded to be something much more powerful, much more usable, or much more efficient.
This sounds great in theory, but in actuality is little more than different sauce on the same piece of chicken.
Quote:
Build your own distro using Linux From Scratch, and you can have exactly what YOU want on your operating system, not what someone else has chosen for you.
Again… the OS is the same, just because you can run different stuff on it doesn’t change the OS itself. People get confused though because they know what they see and use.
Quote:
But isn’t that the case with proprietary products as well?
Those targeted at the home user, absolutely.
Quote:
Only a few distributions bring SELinux, like FC, but many do not - for the simple reason that it IS, as you said, experimental software. Experimental software which seems to work well for most people.
How would you feel if your bank or whatever used such software because it seems to work for most people?
Quote:
I am not the kind of person who goes around waving a banner with the message ‘Linux is more secure than Windows’ by the way.
Yeah, I’d have flamed you for that.
So… no ambiguity with Linux… Does linux have a reference monitor?
cheers,
catch
A mouthful! And my reply:
Me:
catch wrote:
Hehe… we’ll test this theory later.
That’ll be interesting
Quote:
Again… the OS is the same, just because you can run different stuff on it doesn’t change the OS itself.
Not entirely true - if you want, you can configure the kernel the way you want and change it completely. I’m not saying the apps will work after a significant change in the kernel, but with a few kernel alterations then it’s safe to say that it’s a ‘branch’ off Linux and therefore another OS? So, from LFS, you can change the kernel’s source code as much as you want, and end up with an OS based on Linux but not GNU/Linux itself.
Quote:
Those targeted at the home user, absolutely.
The best thing about Linux is that if there’s something that isn’t included and you want it, you can code it yourself (as long as the app’s licenced under the GPL). For example, there isn’t an option in Nessus to use a self-defined port scanner instead of the default one. No problem, just grab the source code (I’m talking about version 2.x), add whatever you want, and compile. Can’t do that with commercial applications!
And most things in the Linux world tend to stick to the details. So, if a GPL’d app says it does x, y and z, then it probably does - because there are so many contributors and testers that the lie would be spotted - and corrected - almost immediately.
Quote:
How would you feel if your bank or whatever used such software because it seems to work for most people?
That’s different. You’re assuming that if they were to use Linux, that they would have SELinux installed (I know you just used it as an example, but I’m following on hehe). They probably wouldn’t, and if they did, the IT team would assure the directors that it was stable enough for a production environment - if not it would be turned down. You have to remember that these types of decisions - like including SELinux into a distro - are usually taken by professionals who know the implications this could have if it went wrong. Therefore, in Red Hat’s case, I’m guessing they have improved SELinux to a level where it is stable and mature; I’m sure they wouldn’t want the bad publicity an SELinux problem could bring when they release the next edition of RHEL!
I am actually going to get a tour around Barclays’ IT department (probably within the next few weeks/months), so I will be able to get more info then on this example! I will ask the head of IT there what he thinks.
Quote:
So… no ambiguity with Linux… Does linux have a reference monitor?
To be perfectly honest with you, I do not know enough about the Windows reference monitor to say how much of an advantage it provides over Linux - but there must be external applications which do exactly the same for it. If I’m not mistaken, AppArmor does something similar?
Again, I do not know enough about reference monitors to propose a valuable argument. But, let me ask this - if it works so well, then why are malicious exe’s not stopped from accessing - and altering - KEY system files? Oh, the user should not be running as admin in the first place.. But from a Win XP install, are you not left with an account with Administrator privileges? Hmm.. Interesting.
Regards,
-Max
Fighting fire with fire? I thought so, but his flame is obviously much larger:
catch:
Quote:
Not entirely true - if you want, you can configure the kernel the way you want and change it completely.
This is where all of the Linux arguments end up… “Anything you say, I can make Linux do by changing it!” From my many years of InfoSec experience, I can say that this is a great answer for CS students, a great answer for labs, and a terrible, terrible answer for production environments. There simply isn’t a sufficient ROI and companies typically lack the resources overall required to make and more importantly maintain any significant changes to the OS. Custom means expensive and troublesome… a COTS, turnkey solution is always the best and custom should only be considered when no COTS solution meets the requirements.
Another thing people forget, is that Windows is equally configurable, just download yourself a copy of DDK and have a field day.
Quote:
The best thing about Linux is that if there’s something that isn’t included and you want it, you can code it yourself
This is also no different than Windows or any other system that I can think of. This is where so many Linux users lose their way… functionality is only one part of the picture and if we remember back to the CMMs, you will recall that the quality of the software is directly related to the maturity of the process involved with developing said software. This practice of just adding and changing things yourself is as immature a process as one can get.
Quote:
And most things in the Linux world tend to stick to the details. So, if a GPL’d app says it does x, y and z, then it probably does - because there are so many contributors and testers that the lie would be spotted - and corrected - almost immediately.
Are you familiar with V&V (Validation and Verification)? The Linux world is huge on Verification, but Validation is almost non-existent. Put simply, Validation ensures that something does the right thing (“Does this functionality meet the requirements?”); Verification ensures that the thing was done right (“Is this code free of obvious errors?”). Very little attention is paid to requirements to ensure that they are properly met… everyone just worries about source level bugs and such. Despite all of this, there have been some rather significant studies regarding the typical lifespan of source level bugs in the Linux kernel (over two years on average and over seven years in some cases) and that is in the kernel itself!
The basic security model of Linux is a great example… seems no one ever bothered to validate it. It offers no predictability whatsoever… rights are transitive in ways that are so loose you simply can make no life-cycle calculations of the level of access on any object in the system. Since the whole point of security is predictability and control… how is this a good thing?
Quote:
You’re assuming that if they were to use Linux, that they would have SELinux installed
I wasn’t making that assumption, I was asking if you would mind them using it.
Quote:
They probably wouldn’t, and if they did, the IT team would assure the directors that it was stable enough for a production environment - if not it would be turned down.
Of course they would, so does them saying it is secure make you feel any better about them using it? Does that somehow change its research status?
Quote:
You have to remember that these types of decisions - like including SELinux into a distro - are usually taken by professionals who know the implications this could have if it went wrong.
You have to remember that in the commercial world “Industry Best Practice” trumps all. No one cares what is actually good or secure or stable, all they care is what is commonly accepted as good or secure or stable. Where do you think that information comes from? That’s right… not the IT department but the vendors’ marketing departments. Decisions to race to include SELinux in the kernel are based on all the press releases that can be made about Linux being more secure than Windows and the ability to include words like “NSA” and “Military level security” into those case studies and sales meetings.
Remember, even from CalTech or MIT as a CS major you learn NOTHING useful about InfoSec until you reach the post graduate level… in fact your first few post grad security classes are focused on unlearning everything before that on the subject. Never forget that real security is way over most people’s heads, and so it doesn’t do too well in sales meetings… especially because most InfoSec managers started off life as business managers or accounting folk… because the industry isn’t mature enough yet to have enough viable Sr. Level people with solid security backgrounds.
Quote:
To be perfectly honest with you, I do not know enough about the Windows reference monitor to say how much of an advantage it provides over Linux - but there must be external applications which do exactly the same for it.
Reference monitor concept cannot be implemented by an external application (where part of the Linux philosophy falls apart) it must be in the security kernel. The Windows reference monitor is really no different than any other… they all must consist of three aspects as defined by DOD-5200.28-STD (http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html#HDR6.1):
1. Must be tamper-proof (Even from root)
2. Must always be on (Non-toggleable or something you can add and remove)
3. Must be small enough to be subject for formal analysis and testing
I designed a reference monitor for a system a few years back, the first two are easy… the last one is unbelievably difficult. Because in addition to all the testing, the finished product must have no exceptions at all… I mean no functional exceptions and no theoretical ones either since formal analysis includes V&V here. It must be proven to enforce the security philosophy… which typically includes the prevention, detection, and analysis of any number of covert channels.
Quote:
Again, I do not know enough about reference monitors to propose a valuable argument. But, let me ask this - if it works so well, then why are malicious exe’s not stopped from accessing - and altering - KEY system files?
See… this is a bad argument. A reference monitor will only enforce the security policy; it does not define the policy. So if the policy says that the Subject can write to a given Object, the reference monitor will allow it. Sure Windows could ship with a strong default policy… but people don’t want secure systems, if they did no one would be using Linux because everyone would know that its model was proven to be insecure back in the 70s. People like technology they can understand… people like point and click and slight geeks like a simple, monolithic system that is inefficient, insecure, unstable, and poorly scalable when compared to contemporary systems because they understand it and can be a part of it.
Quote:
But from a Win XP install, are you not left with an account with Administrator privileges? Hmm.. Interesting
From a Linux install, are you not left with a root account? What do you do? Just start browsing the web and checking your mail or do you create a new account for that? Why are the systems held to a different standard of use?
I actually made the switch from Win2k to XP 64 recently and I quite like it. Don’t get me wrong, 2k worked like a dream for over half a decade for me… XP just has a slightly more refined feel to it. Though I did have a bit of trouble finding a wireless NIC with 64bit drivers… I was reminded of trying to install Caldera on my new computer back in 1996. Back then NT was so bad and Macs so expensive that I didn’t mind spending a month on the phone to friends at several of the world’s finest technical universities as we wrote up new drivers. This time around I just did a little hunting to track down some obscure brand.
cheers,
catch
That’s the last one to date. This started yesterday, and catch’s last PM was received at 4:09pm today. I could reply to half the things up there, but the rest is waaay beyond me. So, if someone reading this can prepare a good answer, let me know and I’ll get you two in touch (or I can send it to him with credits to you), or maybe even become a member of the TAZForum to discuss it! It’s definitely interesting, and I’d like to see where this ends..
Thanks, and if you wish to leave a comment expressing your confusion, you’re most welcome to - you’re not the only one!
Until soon,
-Max aka. J_K9
Unfortunately, much of this is way beyond me too
You could try contacting Unspawn and/or Captain Caveman through LQ as they are the resident security experts.
You say you are going to the Barclays IT department. Is that the one in the Docklands area or elsewhere?
Comment by ray — April 25, 2006 #
Thanks Ray - I will email them (I’m not yet a contributing member) and hopefully they can help.
The Barclays I was referring to is back at home, in another country. An accountant who works with my mother has a son who is the head of IT in the bank, and he’s offered to give me a tour.
I’m a bit cautious of spelling out where I live here.. 
Comment by J_K9 — April 25, 2006 #
Ah. The company I work for looks after Barclays IT in the UK. Or at least, we will do until the summer….
Comment by ray — April 25, 2006 #
Hmmm… I couldn’t follow the discussion after a few posts.
Maybe you should format your post with the poster name highlighted in bold before every post.
Comment by hari — April 26, 2006 #
Ray - Cool, I didn’t know that
Hehe..
Hari - Sorry, I’ve reformatted the messages. Hopefully you can make sense of whose PM each one is now
Comment by J_K9 — April 26, 2006 #
To be honest, much of what “catch” says seems to be driven by the same old argumentative attitude of calling into question certain generalities and then making them out to be specifics. In reality, this complex argument of a “Linux security model” cannot be discussed in this fashion. I suppose it’s a never ending question. Maybe only a kernel developer would truly understand the underlying design of a “security model” and why it’s superior to Windows. And maybe for the same reasons as I mentioned, a kernel developer wouldn’t bother addressing the doubts of the sceptics because he’s too busy coding anyway.
But from a practical and real-world point of view, how can anybody deny that Linux is more secure than Windows? Talking about “admin” or “root” accounts is besides the point… there is too much half-baked theory which is passed off as the truth!
The real thing is that I doubt whether “catch” is truly interested in addressing the practical issues. Seems more focussed on refuting your arguments rather than bringing forward concrete examples of the Windows security model. He seems to be mixing and matching the enterprise and desktop market and then creating arguments that make no sense from either perspective. I suggest that you politely decline to further argue this issue. Obviously there are real world issues to be discussed here, but I doubt whether any discussion can be progressed in a positive manner without going deep into specific areas and not merely generalizing…
Comment by hari — April 27, 2006 #
Hi Hari,
I think the specifics are necessary where security is concerned.. Because, every single specific can be a potential flaw, and that flaw alone can cause the whole system to be compromised. So, while he has used specifics as examples on a more general topic, I think they are valid questions.
When you say “how can anybody deny that Linux is more secure than Windows” - well, it’s easy to say.. But is it so easy to prove? I’m not disagreeing - I also think that Linux is more secure than Windows, but that is an opinion I have composed after reading as much as I can about the topic. It may not necessarily be more secure than Windows, and if you asked me for facts to prove it, the only thing I’d be able to do is set up a Linux webserver and a Windows 2003 one and let you try to penetrate both
catch is more of a theory writing guy, rather than a ‘HOW TO’ one. If you want, I could email you a few of his essays/theories. Anyway, I asked catch to reply to your post, and his PM back to me was the following:
Those are his precise words.
I’ve gotta rush to lunch.. But if you’d like those theories then let me know and I’ll send you the pdf
Comment by J_K9 — April 27, 2006 #
Well, I’m not getting into any arguments.
He’s obviously knowledgeable. I’m just a user. I doubt whether I’ll understand his technical outlook.
But as I said before, I’m not blaming him at all. Much of what “catch” writes is suitable for two programming/system experts to debate about. Since I’m nowhere near that level , I doubt whether I can debate at that level… All I can say is that my personal, practical experience says that Windows is less secure than Linux. And that seems to be the common experience of most Linux users as well. What more can I say?
Comment by hari — April 27, 2006 #
Hehe.. I agree. I’m nowhere near that level either, so my points are quite futile. Like you, my personal experience has led me to believe that Linux is more secure than Windows - but there are so many factors that could affect this that maybe it isn’t a right judgement.. For example, Windows systems are a much greater target than Linux systems, because there are many more Windows PCs than Linux ones. Or, we could just have been lucky that we have had less trouble with Linux than with Windows. And more
I’ve contacted Capt_Caveman and unSpawn. unSpawn seems to be very busy at the moment, so I have sent him a summarised version of catch’s last PM in case he has some time to answer it. And I’m sure Capt_Caveman is also quite busy.. So, it’s now down to luck that someone else at catch’s level comes to read this post
Thanks for trying though!
Comment by J_K9 — April 27, 2006 #
The interesting thing is why do you expect someone “at my level” to disagree with me? Issues of security policy are not opinion, they are in fact mathematical models that can be proven or disproven.
There is no shadow of a doubt that the Windows access control system is more robust and finely grained than the Linux one. What most people fail to realize is how little that has to do with most system compromises, and how far it could go to prevent these issues.
The majority of system compromises are the result of exploitable services. Now a service having a flaw has nothing to do with the system security policy. So arguments like “IIS has more vulnerabilities than Apache.” is a bit misguided.
The ability to compromise a service does not, in and of itself constitute a vulnerability.
A vulnerability is defined as “A weakness in system security procedures, system design, implementation, internal controls, etc., that could be exploited to violate system security policy.” by NCSC-TG-004-88. Now consider what the system security policy may be:
“Web users must not be able to modify web content.”
Does an IIS/Apache exploit violate this policy? Even if the execution of arbitrary code is involved. The answer is “No”. What will violate that policy is an IIS/Apache exploit AND incorrect access controls that grant the IIS/Apache user the ability to modify web files.
Without the technical flaw, you cannot take advantage of the weak policy and without the weak policy, no vulnerability is present. This is why application level exploits really are not too much of a concern if a finely grained access control system allows for the effective use of the least privilege concept and strong auditing is employed.
With this in mind, the standard Windows security system is much stronger than the standard Linux one… just because many people don’t use it correctly or by default it is weaker does not change this simple fact.
cheers,
catch
Comment by catch — April 28, 2006 #
>> There is no shadow of a doubt that the Windows access control system is more robust and
>> finely grained than the Linux one. What most people fail to realize is how little that has to do
>> with most system compromises, and how far it could go to prevent these issues.
As I said before, I have no way of knowing or verifying what you say. But that doesn’t mean that I automatically agree with you, but neither do I disagree. It’s just that I am not informed enough to discuss this topic on such a theoretical level.
But you’ll invariably come across people like me who express this opinion. No doubt, it must frustrate you that you’re not in a position to “prove” it. But that’s what happens to all of us who have specialized knowledge in our fields. We need to keep on fighting the “masses” to prove a fact which might be construed as an opinion.
Comment by hari — April 28, 2006 #
“As I said before, I have no way of knowing or verifying what you say.”
No? Perhaps I can help.
Linux Permissions:
Owner/Group/World (Read, Write, Execute)
These permissions are defined on a per object basis.
These permissions are implicitly denied if not explicitly granted.
These permissions do not apply to special accounts like “root”.
I assume you agree with this?
Windows Permissions:
User/Role/Group/Computer (Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, Read Permissions, Change Permissions, Take Ownership)
These permissions may be applied to a specific object or with specific inheritance rules: “This folder”, “This folder, subfolders, and files”, “This folder and subfolders”, “This folder and files”, “Subfolders and files only”, “Subfolders only” or “Files only”.
These permissions are implicitly denied if not explicitly granted and they may also be explicitly denied.
Special accounts are not excluded from adhering to this policy.
What does all of this mean? That with such a fine degree of touch and support for access based on systems and roles, not to mention the deny functionality… the Windows access control model allows for far greater predictability and easier-to-manage precise controls.
Next, in addition to permissions, Windows supports finely grained privilege controls. In Linux there are no privilege controls; there is only “root” (all privileges) and everyone else (no privileges). In Windows all the privileges may be defined again on a per User/Role/Group/Computer basis and include such privileges as “Adjust memory quotas for a process”, “backup files and directories”, “bypass traverse checking”, “change system time”, “allow/deny access to this computer from the network”, “increase scheduling priority”, “load and unload device drivers”, “manage auditing and security logs”, “restore files and directories”, “shutdown the system” and “take ownership of files or other objects”. This means that rather than having a single all powerful account, you can break down administrative tasks into little parts and assign these to different roles or users. This is helpful because it helps contain the compromise of critical accounts and it mitigates fraud and such committed by internal admins.
I hope this helps make the issues a little clearer.
cheers,
catch
ps. The OS reporting on here is incorrect, I am not using Win 2003 on this system.
Comment by catch — April 28, 2006 #
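To make the evaluation rules catch lists concrete (rights implicitly denied unless granted, explicit deny ACEs, and per-scope inheritance), here is an added, simplified Python model of that access check. It is not catch's code or Microsoft's: the principals (Staff, Editors, alice, bob, contractor), the sample ACL and the canonical deny-before-allow walk are constructed assumptions, and details such as owner rights, generic-right mapping and audit ACLs are left out.

```python
# Simplified model of the Windows DACL access check described in the post.
# Constructed teaching example: the principals, ACL contents and scope names
# are assumptions, not taken from any real system; real Windows evaluation
# adds owner rights, generic-right mapping and audit ACLs, all ignored here.
from dataclasses import dataclass
from enum import Flag, auto
from typing import FrozenSet, List

class Right(Flag):
    """A subset of the NTFS special permissions the post lists."""
    TRAVERSE_EXECUTE = auto()
    LIST_READ_DATA = auto()
    READ_ATTRIBUTES = auto()
    CREATE_FILES_WRITE_DATA = auto()
    CREATE_FOLDERS_APPEND_DATA = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()

# Inheritance scopes from the post; an ACE carries any combination of them.
THIS_FOLDER, SUBFOLDERS, FILES = "this folder", "subfolders", "files"
ALL_SCOPES = frozenset({THIS_FOLDER, SUBFOLDERS, FILES})

@dataclass(frozen=True)
class Ace:
    principal: str          # user, group, role or computer account
    rights: Right
    allow: bool             # False is an explicit deny
    scope: FrozenSet[str]   # which objects at or below the folder it reaches

@dataclass(frozen=True)
class Subject:
    name: str
    groups: FrozenSet[str]

    def matches(self, principal: str) -> bool:
        return principal == self.name or principal in self.groups

def applies(ace: Ace, depth: int, is_folder: bool) -> bool:
    """depth 0 is the folder the ACL sits on; deeper objects inherit."""
    if depth == 0:
        return THIS_FOLDER in ace.scope
    return (SUBFOLDERS if is_folder else FILES) in ace.scope

def access_check(dacl: List[Ace], subject: Subject, requested: Right,
                 depth: int = 0, is_folder: bool = True) -> bool:
    """True only if every requested right is granted.

    Windows keeps a DACL in canonical order, explicit denies ahead of allows,
    so the list is sorted that way before it is walked. A matching deny that
    covers any still-ungranted requested right fails the check at once;
    allows accumulate. Rights that no ACE grants stay implicitly denied.
    """
    granted = Right(0)
    for ace in sorted(dacl, key=lambda a: a.allow):      # False sorts first
        if not (subject.matches(ace.principal) and applies(ace, depth, is_folder)):
            continue
        if not ace.allow:
            if ace.rights & (requested ^ granted):      # hits an ungranted right
                return False
        else:
            granted |= ace.rights & requested
            if granted == requested:
                return True
    return granted == requested

READ = Right.TRAVERSE_EXECUTE | Right.LIST_READ_DATA | Right.READ_ATTRIBUTES
WRITE = Right.CREATE_FILES_WRITE_DATA | Right.CREATE_FOLDERS_APPEND_DATA

def sample_dacl() -> List[Ace]:
    """Constructed ACL for a shared 'Reports' folder."""
    return [
        Ace("Staff", READ, True, ALL_SCOPES),
        Ace("Editors", WRITE | Right.DELETE, True, ALL_SCOPES),
        # Editors may re-ACL the top folder only; the right is not inherited.
        Ace("Editors", Right.CHANGE_PERMISSIONS, True, frozenset({THIS_FOLDER})),
        # One contractor is explicitly denied deleting files, despite being an Editor.
        Ace("contractor", Right.DELETE, False, frozenset({FILES})),
    ]

def demo() -> dict:
    """Evaluate representative requests; each key describes the case."""
    dacl = sample_dacl()
    alice = Subject("alice", frozenset({"Staff", "Editors"}))
    con = Subject("contractor", frozenset({"Staff", "Editors"}))
    bob = Subject("bob", frozenset({"Staff"}))
    admin = Subject("localadmin", frozenset({"Administrators"}))   # no ACE names it
    return {
        "alice reads file": access_check(dacl, alice, READ, 1, False),
        "alice deletes file": access_check(dacl, alice, Right.DELETE, 1, False),
        "contractor deletes file": access_check(dacl, con, Right.DELETE, 1, False),
        "contractor deletes subfolder": access_check(dacl, con, Right.DELETE, 1, True),
        "bob writes in folder": access_check(dacl, bob, WRITE, 0, True),
        "alice re-ACLs folder": access_check(dacl, alice, Right.CHANGE_PERMISSIONS),
        "alice re-ACLs subfolder": access_check(dacl, alice, Right.CHANGE_PERMISSIONS, 1),
        "admin with no ACE reads file": access_check(dacl, admin, READ, 1, False),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30} {'ALLOW' if ok else 'DENY'}")
```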
This is to help hari out a little. I’ve been reading and learning from catch for some time now in other venues. I find it interesting that people read his posts and information and claim these are his “opinions.” Then after learning–sometimes painfully–how knowledgeable he is, claim he is writing at the “theoretical” level. Their most common mistake is to presume catch is another of the plethora of internet expert-wannabes with limited or no real education or experience in the field.
Let’s get something straight here. Theory involves abstract reasoning, positions based on limited information, ideas yet to be proven. catch isn’t writing from theory, catch is writing from a practical, how-it-works, studied-my-ass-off-for-years-to-learn-this-stuff perspective. What he is explaining here, and the links and references he is providing, will back his statements in practical, measurable, definitive ways. It is real, not unfounded opinion. You can take the information and perform the same actions or tests yourself and come up with the same results.
You can say that you have the opinion that Linux is more secure than Windows, and that is fine, as far as opinions go. Opinions are like belly-buttons and a**holes, everyone has one. It doesn’t mean it is worth anything.
What I find completely amazing is that when presented with real, solid, verifiable information, people don’t want to be confused with facts and want to hold to their opinions no matter how invalid or vapid they may be. If you are going to deal with things at this level, you must be willing and able to critically examine your views in light of new information.
I’m not here to defend catch, he doesn’t need that. And, we don’t always see eye-to-eye on everything. We work in different worlds, so we shouldn’t. But I will stand behind his statements and presentations on the security of Windows vs. Linux. I’ve checked his information, followed the links and references and looked at my own systems (I use both Windows and Linux).
Now, back to your regularly scheduled programming.
Comment by rapier57 — April 28, 2006 #
Rapier, I don’t think the intent is to disagree unreasonably with Catch. It’s more that JK9 wants to continue the discussion from a more knowledgeable position.
It is true that we, as Linux users, are told that Windows is inherently less safe than a *nix install and we take it on faith that it is true. If it isn’t, that would knock away one of the cornerstones of Linux Advocacy. If, however, it is true, then I for one would like to see that debate/discussion.
Personally, even though I am not at all knowledgeable on the subject, I would like to see it played out (in as plain English as possible please) so that I can understand the subject better.
Comment by ray — April 28, 2006 #
Precisely. I know that catch supplies reasonable information which can always be backed up with documents. Information which should be considered thoroughly, and weighed against your own opinion to see the differences. Your opinion may be wrong and catch’s information may be right.
But, being a Linux user (apart from when I’m in school - still trying to move forward with this), I am not so ready to believe that Windows is more secure than Linux.
Because, catch, attributes on Linux can be more complicated than what is allowed by the chmod command. On ext3, ReiserFS, and ext2 if I’m not mistaken, the chattr command can also be used. This allows quite a few more attributes to be set. But, quite possibly not as many as Windows. And Linux users can also be more flexible than just ‘root’ and ‘user’ - depending on the newly created user’s umask (and other more complex options), they will have access to certain files and not to others, to certain sections of the filesystem etc.
What Ray said is right - I’m not trying to disprove you, catch. I’m trying to hear your views from more than one mouth. Not because I don’t trust you, but because I would like to hear what another person equally knowledgeable in the security field has to say - and with more experience on the Linux side of the fence. I’m still just a Linux desktop user who is trying to learn more about the OS; so, that’s why I’m going to leave a reply to anyone else capable of doing so.
Comment by J_K9 — April 28, 2006 #
I’ll say again, be prepared to critically examine your views and your beliefs in the face of solid information.
Ray
It is true that we, as Linux users, are told that Windows is inherently less safe than a *nix install and we take it on faith that it is true. If it isn’t, that would knock away one of the cornerstones of Linux Advocacy. …
Linux’s strength isn’t how well it stacks up against Windows in security. This is a relatively recent effort to lift Linux from the doldrums of open source into a more robust consumer and enterprise market. And, as catch points out, it is an effort based on not very solid information.
Linux’s main strengths are in open source, free software, democratic development and support environment and a strong user community.
Where it is weak is the conflicting approaches to desktop and user interface. It is still an operating system that I wouldn’t give my parents as an alternative to Windows. They wouldn’t understand it. The Linux community shoots itself in the foot on a regular basis with the counter-intuitive, obtuse Gnome and KDE interfaces. Even when they are stable, navigation is difficult and confusing.
The cornerstone for Linux Advocacy should be on standards. Standard desktop, standard updates and installs, more transparency for the non-technical users, standard and ubiquitous driver and device support. Evangelize all you want on security of Linux, but the bottom line is that the OS has to be adopted by the average user if it is to become more than just a hobbyist platform. How do you update your Linux? The Yum command line? Yeah, right. How do you install a new program? Uh, Terminal, SU as root, configure, make config, make, install? What’s all that? How do you get it to use your wireless card? Yeah, good luck!
I messed with the first Linux in the early 90s. There was no GUI desktop. Other than that, things haven’t changed all that much since then. If you want to know why Linux hasn’t made deeper inroads into enterprise or home use, it isn’t because people aren’t buying the “more secure than Windows” line. It is because the average user just isn’t finding what they need in the system.
My Linux (Fedora Core4) has OpenOffice and FireFox and a number of network and system pen-test tools. My Windows has StarOffice, FireFox, IE and a number of other network and system pen-test and analysis tools. When I fire up the laptop for writing or other activities, I normally end up in Windows. Why, it works with everything I’m using. Linux won’t access the wireless card on my laptop, so if I need network connectivity I need to be in Windows. Linux sometimes freaks out when I’m trying to write in OpenOffice. StarOffice in Windows is rock solid and it obeys commands from my mouse. I had so much trouble, I blew away the Linux partition and installed a Linux VM, which works flawlessly, BTW.
When I’m in the command line, or running Metasploit or some other tools, Linux rocks. For anything else, though, I use Windows.
As a technician, Linux is great and I use it. The average user is going to go Windows or Mac. These decisions aren’t made based on logic, math or security. They are made strictly on “I need to do thus and such. I need it to be easy.” (Ref: Staples “Easy” button).
Comment by rapier57 — April 28, 2006 #
It is still an operating system that I wouldn’t give my parents as an alternative to Windows. They wouldn’t understand it.
If your parents had never seen a computer before, and you gave them a Windows one, would they understand it? I doubt it. ‘Baby duck syndrome’.
The Linux community shoots itself in the foot on a regular basis with the counter-intuitive, obtuse Gnome and KDE interfaces. Even when they are stable, navigation is difficult and confusing.
I don’t think so. The Linux community offers choice - and KDE seems to be the most popular. Anyway, KDE is very stable (at least, it has been kind to me!), and it is not difficult to navigate at all. If anyone finds it complicated and ‘confusing’, that’s due to ‘baby duck syndrome’. They’re entering unknown territory.
The cornerstone for Linux Advocacy should be on standards. Standard desktop, standard updates and installs, more transparency for the non-technical users, standard and ubiquitous driver and device support
But, that defeats the point of Linux. Different distributions are suited to different sectors. For example, Mandriva, Fedora Core 5, and SUSE are all great newbie distros. They offer easy package management (and software installation), nice - and simple - graphical interfaces, and any non-technical user can use them. I left a Mandriva computer I was testing (when 2006 came out) on when I went out, and I came back to find my older brother and mother both using it. They had never used Linux before, and yet they had managed to open up Firefox (which they didn’t know of) and browse the web as if they were already familiar with the OS. Thus, I stand by the fact that Linux is NOT hard to use.
Other distros like CentOS are suitable for servers. Gentoo and Slackware are for the more advanced users, who like to have more control over what is installed and how it is installed. As you can see, the list goes on. Therefore, I think diversity within Linux is a GOOD thing, as there will almost always be the perfect distro for you out there.
Driver support will be a grey area until hardware companies get their act together. I still think that hardware support is quite good for Linux, if you consider all the different architectures it runs on. Try to get Windows XP running on a SPARC processor, or on the old PPC Macs.
My Linux (Fedora Core4) has OpenOffice and FireFox and a number of network and system pen-test tools. My Windows has StarOffice, FireFox, IE and a number of other network and system pen-test and analysis tools. When I fire up the laptop for writing or other activities, I normally end up in Windows.
FC4 was really only an updated version of FC3. FC5 is the one the developers have really taken the time to improve and make more user-friendly, and I’ve heard that it’s a very polished distribution.
So, I wouldn’t rely on FC4 on a production system, and I have always said this. I haven’t had time to try out FC5 yet, as I never managed to finish downloading it.
Talking about network/pen-test tools, I have far more on my Slackware partition than I could even dream of having on my Windows one. Sure, one tool I tried to install didn’t work, as you may remember - but that was due to it being my first real experience with Slackware. It still is my first, and it’s going remarkably well.
Ultimately, whatever OS you boot into is your choice. I prefer Linux, but because of school ‘requirements’ I have to use Windows. And IE6 to a certain extent.
The average user is going to go Windows or Mac.
Because they don’t know any better. e.g. I use Linux, and all my friends seem to think I’m a ‘hacker’ for that. I’m not joking. It’s a misconception which seems to have spread quite far and wide, and the reason they don’t switch to Linux is because they think it’s the black screen with green text from The Matrix.
Anyway, I wouldn’t like to put this post off-track. If there’s another security professional around here, your comments would be gratefully received.
Comment by J_K9 — April 28, 2006 #
“Because, catch, attributes on Linux can be more complicated than what is allowed by the chmod command. On ext3, ReiserFS, and ext2 if I’m not mistaken, the chattr command can also be used. This allows quite a few more attributes to be set. But, quite possibly not as many as Windows.”
It allows a few, trivial attributes to be set… and all of the interesting ones require a superuser. Hardly particularly useful.
“And Linux users can also be more flexible than just ‘root’ and ‘user’ - depending on the newly created user’s umask (and other more complex options), they will have access to certain files and not to others, to certain sections of the filesystem etc.”
You are confusing permissions and privileges.
Permissions control what subjects can access what objects (reading or writing files or directories). Privileges control what tasks a given subject can perform (setting system time, taking ownership, profiling processes, changing priority, binding to low number ports, etc.). Linux, like all superuser based systems, has no granularity. (Again we are excluding points like LIDS and SELinux, because they are atypical, unproven, and muddy the water since the exclusion of security extensions for Windows is assumed.)
A few words on permissions and privileges from the good people at Sun Microsystems:
http://docs.sun.com/app/docs/doc/816-4557/6maosrjff?a=view
“The cornerstone for Linux Advocacy should be on standards. Standard desktop, standard updates and installs, more transparency for the non-technical users, standard and ubiquitous driver and device support-
But, that defeats the point of Linux. Different distributions are suited to different sectors.”
I strongly disagree with this… standards are key and standards do not equate to uniformity. The Linux system should be a black-boxed modular one. So you start with the kernel and drop in whatever functionality is needed with no concern for configurations or conflicts. If that were true, Linux would be a downright respectable system instead of a big example of how to repeat mistakes from 30 years ago.
cheers,
catch
Comment by catch — April 29, 2006 #
Just tell me one thing catch.
What is more likely to happen:
Getting a trojan or virus while browsing the web with Windows in Internet Explorer. Or with Linux with Konqueror or Firefox.
Now don’t get me wrong. This is the answer that most desktop users care about. I don’t care how finely you can tune Windows to make it more secure. That’s theory… theory… theory… Going by your own logic, most Windows users aren’t bothered about the finer aspects anyway. All your security tutorials go out of the window here.
Now I’m not denying that most of what you say might be right in theory. Certainly your post about access control makes that clear. The thing is: are the majority of people actually using that?
You say your mom or dad shouldn’t use Linux. If they used Windows, could they configure the security from your perspective?
I hit you back in your own arguments about the so-called “average” user. Forgive me. I still will not take your words on face value in spite of vocal support you seem to be getting…
Comment by hari — April 29, 2006 #
“What is more likely to happen:
Getting a trojan or virus while browsing the web with Windows in Internet Explorer. Or with Linux with Konqueror or Firefox.”
“More likely” is such a silly question… are you comparing the average Windows user (like my grandmother) against the average Linux user (programming student)? Are we assuming default configuration? What? These types of “How do other people use this?” questions are worthless. Why do you care if people misuse something? Are you planning on misusing it? I know I’m not.
I will tell you that my Windows 2000 server, which was just retired last month, survived for over five years without an update… serving rich content and was known by people I’d pissed off from many, many security communities.
Consider before what I said about application exploits and security policy… a vulnerability must find a flaw in both (or just the policy) and considering that the Windows reference monitor hasn’t had a vulnerability in as long as I’ve been using Windows, that means there has never really been a real vulnerability in all that time.
Nearly all user security issues (including malware) are removed if the user doesn’t surf as an Admin account. I know my parents are more than capable of this (despite them both being math-phobic therapists).
And… again, what does the “average user” have to do with the system capabilities?
I don’t hold you in a poor light for being questioning. Questions are the best way to learn, by all means keep asking until you know everything you want.
cheers,
catch
Comment by catch — April 29, 2006 #
I don’t deny your knowledge or technical expertise in the field which you chose. Having said that I probably have a broader view of life and reality than you.
In fact, you might be 100% right and have 1000 pages of data to back it up!
But do you want a harsh reality? 99% of the people don’t bother or care in the real world. You might have the best product X and say it’s better than Y, but if you market your product in the world by such a “black-or-white” argument you’re going to make little headway. Most people will simply yawn and others might even dub you as an intellectual elitist. Even if you give them irrefutable proof. Understand that perception and attitudes do shape our opinions and beliefs even if they might lead to wrong conclusions.
Harsh, but true.
Now you didn’t take the hint when I said I didn’t want to debate this. You probably were eager to provide me with technical data and irrefutable proof to back your theories. In reality maybe 2% of people in this world are interested in such things.
It’s an attitude and perception driven world out there. You have to speak in the language of the masses if you want to convince them and not assume a superior attitude even if you’re entitled to.
Do you know something? I was actually willing to learn something from you, but your assumptions about my questions being “silly” won’t cut ice in the real world. People who question you will be far less knowledgeable than I am and you simply cannot sell your case if you make things out in black and white (even if they are). Nobody wants to know all that.
Do you know why marketing professionals and advertisers exist? Because they understand that mere technical superiority of a certain product doesn’t guarantee it life. They believe in creating the right perception even though reality might not reflect this. That’s a cynical way to put it, but that’s why they exist.
Call me stubborn or dub me an idiot, but I think probably 90% of people would have reacted in a similar manner. I personally enjoy learning, but you got to understand that mere technical expertise and skill won’t sell anything: even a viewpoint.
Comment by hari — April 29, 2006 #
Look, mate. I’m sorry if my post above came across as a little harsh or overcritical. In reality I was trying to say that you cannot convince people beyond their willingness to be convinced. No amount of facts, figures or truth will get over that barrier of attitude. I’ve learned this over and over again and only got frustrated in the bargain. It’s something all of us learn over time. I thought I’d share that because I personally don’t know you and cannot assume things about you and from the effort you put into your posts, it did appear that you wanted to score off others even if you wanted to share knowledge. In reality nobody likes to be scored off…
I hope you understand this and not get frustrated while trying to share knowledge. No body or field of knowledge can exist outside of human emotion, attitude and behaviour. This is something that I always feel… You should always try and understand the psychology of the other side before you approach them.
That’s merely my point. The attitude that Linux is securer than Windows is probably embedded in our mindsets, so it does seem as though most of your points are wasted.
Sorry, and no hard feelings
Comment by hari — April 29, 2006 #
“Having said that I probably have a broader view of life and reality than you.”
Wow, you don’t even know me.
“99% of the people don’t bother or care in the real world. You might have the best product X and say it’s better than Y, but if you market your product in the world by such a “black-or-white” argument you’re going to make little headway.”
Good thing I don’t have to deal with those people in business. I deal with people that have specific problems and need verifiable solutions. Those people are more common than you think… as evidenced by the fact that I’ve had much professional success over the last decade.
“What is more likely to happen:
Getting a trojan or virus while browsing the web with Windows in Internet Explorer. Or with Linux with Konqueror or Firefox.”
and:
“Now you didn’t take the hint when I said I didn’t want to debate this.”
Again with the transference.
“You have to speak in the language of the masses if you want to convince them and not assume a superior attitude even if you’re entitled to.”
I don’t care about the masses, I care about people that ask for my input, like Max.
“I was actually willing to learn something from you, but your assumptions about my questions being “silly” won’t cut ice in the real world.”
But your question was silly… It was like asking “How do you explain that the web is good when everyone uses it for porn?” back in 1996. I can’t control nor can I speak to the way people use a technology and nor do I care to. Your question about the way people use their systems was exactly that, asking me to speak for them and not for the system itself. Thus it was a silly question… I’m not a mind reader.
“Do you know why marketing professionals and advertisers exist? Because they understand that mere technical superiority of a certain product doesn’t guarantee it life.”
No, marketing people exist because it is easier to say something is good than to actually make something good, especially for the same resources.
“Call me stubborn or dub me an idiot, but I think probably 90% of people would have reacted in a similar manner. I personally enjoy learning, but you got to understand that mere technical expertise and skill won’t sell anything: even a viewpoint.”
You keep assuming that I am talking to home users… home users have negligible security concerns and I don’t deal with them save for my friends and family… and even then I am very tight with the advice. As I said before, I deal with people who know that I am a valuable asset to them, I save them money and make their organizations more predictable. I don’t care if you switch operating systems or not, I’m not trying to sell to you. I am merely providing Max with information about the two systems.
“In reality I was trying to say that you cannot convince people beyond their willingness to be convinced. No amount of facts, figures or truth will get over that barrier of attitude.”
Yeah, hence I have no emotional attachment either way, I merely provide information, if you find it useful… great. If not, makes no difference to me. I value education and I know how hard it is to get straight answers on this subject, so I do what I can to help others seeking information. Nothing more.
“This is something that I always feel… You should always try and understand the psychology of the other side before you approach them.”
I understand the psychology aspect… but again my point isn’t to sell you anything or even change your mind, so why would I bother with efforts directed at doing either of those things?
“The attitude that Linux is securer than Windows is probably embedded in our mindsets, so it does seem as though most of your points are wasted.”
That is a choice.
cheers,
catch
Comment by catch — April 29, 2006 #
Hi,
Sorry, I’ll have a look through the comments when I get the chance. But in the meantime, here’s unSpawn’s contribution (note that these are not in reply to the last message as a whole, but several bits I took out from it):
Comment by J_K9 — April 29, 2006 #
“SELinux addresses the need for a secure, “trusted” Linux kernel offering Mandatory Access Control (MAC), the prime “Orange Book” B1 rating’s concern, using Type Enforcement (TE) and Role-based Access Control (RBAC).”
I never questioned this, however to include such as I said merely muddies the waters. Several kernel drivers exist for Windows which add MLS and other functionalities to different degrees. However, since B1 is a pretty worthless target, these are not widespread and are only employed under very specific conditions.
“If we look way back we see that Microsoft Windows NT, which was designed with security in mind, reached a TCSEC C2 rating (Unices “usually” come in at a lower C1) long before Red Hat or SuSE applied for one. It however did so under strictly defined lab conditions that did not mimic real life deployment. The “paper” rating proved to be no guarantee for security, no assurance at all once deployed in a hostile environment.”
I assume you are talking about the “Secrets and Lies” myth about the Windows configuration. These are completely false, and if Bruce had even a basic understanding of DOD-5200.28-STD he would realize that his comments made no sense. The Final Evaluation Reports are available here:
http://www.radium.ncsc.mil/tpep/library/fers/NCSC-FER-95-003.pdf
http://www.radium.ncsc.mil/tpep/library/fers/TTAP-CSC-FER-99-001.pdf
Both of these indicate networked system with no mention of epoxy or whatever else.
Nearly all of Windows’ security woes have been the result of a weak default configuration and weak network encryption tools (which are not part of the evaluation).
“The decision to include the Linux Security Module framework, and SELinux as a part of that, was to cater to calls for a trusted Linux kernel”
Actually SELinux is a port of the Flask security architecture for the Flux operating system and was developed by the NSA as a means of researching the implementation of flexible security architectures into existing open source systems.
Before SELinux, much of the Linux community scoffed at the idea of Trusted Systems, calling them “too cumbersome”, and “dated”. Previous MLS efforts for Linux had existed, some of them like Pitbull LX are even superior to SELinux in many regards… but lacked the sex appeal of that association to the NSA.
“The concept of the Reference Monitor itself has not been undisputed (MLS) but more importantly it is not the single qualifying criterion for proving an Operating System’s security posture in a theoretical nor practical sense (as shown above).”
As shown above, where?
Without a reference monitor, a system simply cannot be trusted, period. (hence the need for defense in depth, where B2 and beyond systems typically exist as guards)
“FYI, the first Linux Reference Monitor was provided by the LIDS kernel patch around the turn of the last Millennium, the current one is of course provided through SELinux.”
Neither of these systems offer full reference monitor functionality. Neither is non-bypassable (oh the blight of the monolithic kernel), neither is always on (both systems are toggleable), and neither is small enough to be formally verified. They merely offer reference monitor style centralized control.
Practical security isn’t the question. I would never disagree that for many environments Linux is a very practical solution. The topic originally dealt with the fact that Linux’s decentralized and immature development structure lends itself to the development of much misinformation.
cheers,
catch
Comment by catch — April 29, 2006 #
I was talking about this with thehorse13. He said that he doesn’t recommend third party addons to provide more functionality than RWX privileges on Linux. Which leads me to this: why don’t the kernel developers add more functionality? I know it is quite a lot of work, but is it something they are thinking of introducing in the next major release? Linux is known to be a good multi user system, but with simple RWX privileges, I don’t know to what extent that is true.. Is this something the kernel developers are thinking about?
And what you said about Pitbull LX actually being better than SELinux - could you point me to a few documents to prove this, or explain it? Thanks.
Bear in mind that I’m not shedding a bad light on Linux, and I won’t stop using it as my desktop OS because of that - I’m just wondering why this feature (privileges) hasn’t been improved yet.
Another thing that has made me wonder is why the NSA bothered implementing a reference monitor into SELinux if it was going to be a half-hearted attempt. According to you, it fails on four levels: lack of functionality, it is not non-toggleable, it is not tamper-proof, and it is too large. So why did they put it there? Another question that begs a response is why the Linux community has not tackled this, and made the reference monitor in SELinux work according to standards?
Comment by J_K9 — May 3, 2006 #
“why don’t the kernel developers add more functionality?”
Doing so is more difficult than you might think.
http://sarmlabs.com/archives/MISSI%20B-level%20Windows%20NT%20Feasibility%20Study.pdf
…is an old, but still worthwhile article on adding more security functionality to the Windows NT operating system. The task is huge and requires real security experts, of which there are few in the Linux community. The Argus people just extended a Product made for Solaris over the Linux and the NSA people moved one from Flux over to Linux. Neither SELinux nor Pitbull LX were home grown as it were.
“And what you said about Pitbull LX actually being better than SELinux - could you point me to a few documents to prove this, or explain it?”
I might… I’ll need to look. What I have is the fact that Pitbull LX is a mature product that was securing banks and government agencies in the real world, after being formally evaluated while SELinux was and is still in the lab. In fact the people working on SELinux, TCS… many of their top people came from Argus. In my experience, SELinux is in many ways still a cumbersome system, inferior to traditional trusted operating systems like Trusted Solaris and HP-VV, while Pitbull LX uses newer functionality, Domain Based Access Controls (DBAC) to add simplicity of administration lacking in the Type Enforcement (TE) architecture with a finer touch of control. Pitbull LX makes the definition of least privilege exceptionally easy to implement to a very high degree. Most importantly… Pitbull LX isn’t running any borrowed intellectual property. TE is patented and owned by Secure Computing Corporation (SCC). For the moment SCC says it will not create any issues with the TE license, however SCC is a small company in a fickle market and if Sun or IBM (who supports SELinux) or Microsoft feel that SELinux is cramping their style a bit too much… SCC might get eaten and all IP with it.
“I’m just wondering why this feature (privileges) hasn’t been improved yet.”
Permissions, RWX are permission bits.
“Another question that begs a response is why the Linux community has not tackled this, and made the reference monitor in SELinux work according to standards?”
Monolithic kernels cannot effectively support reference monitors. Have a look at:
http://sarmlabs.com/archives/The%20Reference%20Monitor%20An%20Idea%20Whose%20Time%20has%20Come.pdf
… to get a better idea… you’ll note that they mention the practice in monolithic systems is to just slice off a chunk of the kernel and call it a reference monitor, despite the fact that it isn’t really one. Linux would require a complete restructuring and a complete change in architecture to support a true reference monitor… Oh the disadvantages of using an OS designed by a guy proud to have failed his OS design classes. (But at least he had a big ego and looked cool fighting “the man”, right?)
cheers,
catch
Comment by catch — May 3, 2006, using Internet Explorer 7.0 on Windows XP 64 bit
I see.
“The task is huge and requires real security experts, of which there are few in the Linux community.”
Hmm… But why wasn’t this corrected years ago? If the security experts had realised this before and had instructed the kernel developers accordingly, maybe this could have been sorted out… Although, Linux wasn’t designed to be highly secure. But still…
“Pitbull LX makes the definition of least privilege exceptionally easy to implement to a very high degree. Most importantly… Pitbull LX isn’t running any borrowed intellectual property.”
But SELinux is still used instead because of its ties to the NSA. Aha.. This is something that I may try to bring up on the kernel developers mailing list - let’s see what answers I get!
“Permissions, RWX are permission bits.”
My bad! I got that muddled up. Back to privileges - why are Linux’s not extended to be more flexible than simply ‘root’ and ‘user’? Or would this also require a substantial change in the kernel’s design..
Thanks for both those articles (I corrected the links) - I don’t have time to read the first (I’ll leave it for the summer - right after I’ve read the now 8 books sitting on my shelf :D), but I’m going through the second right now. I’ll edit this post (or post again, depending on whether there’s another reply) once I’m done.
[edit]
“Ironically, the appearance of the reference monitor in modem operating systems will cause a change in how trusted systems are viewed. Since the reference monitor could not be directly implemented in the large monolithic kernels, there have been many techniques developed to overcome this limitation.”
‘Many techniques developed to overcome this limitation’ - It doesn’t explain these, so I’m not sure if one of these techniques would be applicable to Linux. Although, if one were, I assume it would already have been done?
“There is an idea that has been around for a long time, that of the reference monitor. For the last twenty years, the large monolithic kernels of operating systems prevented a direct implementation of the RVM. Current work in operating system design exploits some of the features of the RVM, even without the trust considerations. Consequently, we are now in the position where our technology is just now allowing us to adopt a twenty year old concept.”
This implies that an RVM (reference validation mechanism) could be implemented into a large monolithic kernel, such as that of Linux?
Comment by J_K9 — May 4, 2006, using Internet Explorer 6.0 on Windows XP
I was reading a thread on a forum, and I saw something that you may like, catch ;). It was quoted from here: http://www.catb.org/~esr/faqs/hacker-howto.html
“Q:
I’ve been cracked. Will you help me fend off further attacks?
A:
No. Every time I’ve been asked this question so far, it’s been from some poor sap running Microsoft Windows. It is not possible to effectively secure Windows systems against crack attacks; the code and architecture simply have too many flaws, which makes securing Windows like trying to bail out a boat with a sieve. The only reliable prevention starts with switching to Linux or some other operating system that is designed to at least be capable of security.”
After reading this discussion I find that very funny. There was a time where I probably would have agreed with him though. Peace.
Comment by skiddieleet — May 4, 2006, using Mozilla Firefox 1.0.7 on Windows XP
“Hmm.. But why wasn’t this corrected years ago? If the security experts had realised this before and had instructed the kernel developers accordingly, maybe this could have been sorted out.. Although, Linux wasn’t designed to be highly secure. But still”
You seem to keep forgetting that Linux isn’t a true OS in the eyes of security experts. At best it is a platform to tinker with (like the NSA did) at worst it is a new system that shows no progression over various older operating systems and is in fact behind what should be its contemporaries.
“But SELinux is still used instead because of its ties to the NSA.”
Pitbull LX is used by various governments and many banks in real-life roles… but it is a proprietary system so it is unavailable as open source for further development. The interesting thing will be to see how the IBM/TCS SELinux turns out as far as source availability since much of that team used to be on the Argus team.
“My bad! I got that muddled up. Back to privileges - why are Linux’s not extended to be more flexible than simply ‘root’ and ‘user’? Or would this also require a substantial change in the kernel’s design..”
SELinux incorporates RBAC for more finely grained privileges. Linux doesn’t have that normally because then there would be no root user, which would make it totally different from what people are used to, and many software packages would need to be retooled.
“This implies that an RVM (reference validation mechanism) could be implemented into a large monolithic kernel, such as that of Linux?”
Nah… you skipped over:
“Abrams et al also discuss the slight change in usage of the terms security kernel and RVM. In view of the fact that monolithic kernels were divided arbitrarily, it is not surprising that there is confusion.”
and:
“The RVM is a theoretical construct that was usually not implemented. Rather a monolithic kernel was arbitrarily divided and one of those subdivisions was simply called the RVM.”
Which is exactly what Linux has done, just taken a random part of the kernel and called it a reference monitor because it examines the access requests. However it fails to meet the three requirements of a true reference monitor.
Skiddieleet:
There is an entire internet full of such people… such “security experts”
I am happy that you’ve been able to find value in such conversations as this though.
cheers,
catch
Comment by catch — May 5, 2006, using Internet Explorer 7.0 on Windows XP 64 bit
“You seem to keep forgetting that Linux isn’t a true OS in the eyes of security experts. At best it is a platform to tinker with (like the NSA did) at worst it is a new system that shows no progression over various older operating systems and is in fact behind what should be its contemporaries.”
Then why does it play such an important part of so many security degrees, and courses? And I’m referring to Linux, not UNIX or any other *nix relatives…
“Pitbull LX is used by various governments and many banks in real-life roles… but it is a proprietary system so it is unavailable as open source for further development. The interesting thing will be to see how the IBM/TCS SELinux turns out as far as source availability since much of that team used to be on the Argus team.”
Ah, right - I didn’t know it was proprietary. That would explain why it hasn’t been implemented, and SELinux was chosen over it.. (although not the sole reason)
“Which is exactly what Linux has done, just taken a random part of the kernel and called it a reference monitor because it examines the access requests. However it fails to meet the three requirements of a true reference monitor.”
Aha. And it fails to do that because of the monolithic kernel’s design, which cannot support a full reference monitor. Let’s say that the kernel developers did decide to restructure the kernel completely in order to make it more flexible for things like a full reference monitor - would this mean that every single Linux application would need to be changed in order to work on the new kernel, or would it just be the APIs which would need a change in operation?
Thanks
(Oh, and have you come across any papers which explain how Linux’s kernel would need to be altered in order to be considered a ‘true OS’? As in, what changes in the kernel - like removing its monolithic limitation - would need to happen in order to make it more stable and more secure.)
Comment by J_K9 — May 5, 2006, using Internet Explorer 6.0 on Windows XP
“Then why does it play such an important part of so many security degrees, and courses? And I’m referring to Linux, not UNIX or any other *nix relatives…”
Security degrees and courses? I don’t know about that… but I’d suspect it would mostly have to do with the student’s ability to tinker with the OS. I have course notes from a class on operating system security around somewhere. I’ll dig them up and post them here… there is no mention of Linux or anything looking like Linux.
“Ah, right - I didn’t know it was proprietary. That would explain why it hasn’t been implemented, and SELinux was chosen over it.. (although not the sole reason)”
SELinux is more of a flexible research product to test different policies. Pitbull is a multi-level security product designed to meet specific security requirements.
“Let’s say that the kernel developers did decide to restructure the kernel completely in order to make it more flexible for things like a full reference monitor - would this mean that every single Linux application would need to be changed in order to work on the new kernel, or would it just be the APIs which would need a change in operation?”
It would mean that Linux was no longer Linux. You can’t switch a system from monolithic to microkernel and have it be the same thing. The functionality could be maintained, but the structure would just be too dramatically different and in opposition to the Linux design philosophy. You’d have a new OS that, like the systems in that reference monitor paper, would offer a Linux-compatible environment, potentially alongside a Win32 one and any others the developer wanted. STOP is Linux binary compatible… but has almost no design similarities with Linux.
“Oh, and have you come across any papers which explain how Linux’s kernel would need to be altered in order to be considered a ‘true OS’? As in, what changes in the kernel - like removing its monolithic limitation - would need to happen in order to make it more stable and more secure.”
A complete restructuring, like described in the aforementioned reference monitor paper.
cheers,
catch
Comment by catch — May 6, 2006, using Internet Explorer 7.0 on Windows Server 2003
catch, did you make an OS switch? Noticed that this site said Windows XP 64 bit before and now it says Windows Server 2003. What happened?
Comment by skiddieleet — May 12, 2006, using Mozilla Firefox 1.5.0.3 on Windows XP
I have been using XP64 the whole time.
It started me off as 2003, then XP64, and now back to 2003. Who knows what this post will say!
cheers,
catch
Comment by catch — May 13, 2006, using Internet Explorer 7.0 on Windows XP 64 bit
I would agree with most of catch’s arguments about Linux security.
Comment by Khurt Williams — May 15, 2006, using Mozilla Firefox 1.5.0.3 on Windows XP
Very interesting and educational thread. Will have to read this over several times more though.
From the technical point of view, SELinux might be getting better, but it is not really practical for the business enterprise. Its complexity and steep learning curve, even for advanced Linux users, mean time and money. It offers nothing for non-Linux users. It requires extensive and arbitrary labelling which is time consuming, can break applications, must be changed with o/s upgrades etc., and does not have tools for distributed computing. The TCO is not really there for banks or any other business concern, so while open source may be free, time and training of paid admins/techs is not.
Comment by Rob — May 15, 2006, using Mozilla Firefox 1.0.4 on Debian GNU/Linux
I read this thread with great interest in the hopes of learning something. However, I was struck by how little catch appears to know about Linux systems, yet how great a regard he or she appears to be held in. The lack of understanding about Linux systems is not surprising after some thought.
catch is obviously a Windows security professional, and his occupational well-being appears to be tied to keeping his customers on Windows systems. catch indicates that he doesn’t believe that Linux is a real operating system or that there are actual Linux security professionals, sneers at Linux developers and development, and when told that computer security classes treat Linux as a serious OS, his comment is that he took a class once (he has the notes to prove it) and Linux didn’t get mentioned.
A number of catch’s comments undermined his argument that he was trying to clear up misinformation (versus add to the FUD about Linux).
Apparently, he has a very limited view of Linux permissions and privileges. He believes that root is excepted from them. However, permissions and privileges apply to root as well, and in fact root can set up a system that root does not have permission to access. Have none of you had to set up a system with the safeguard of no single person being able to make changes in the entire system? I’ve done so with three separate root entities having some overlap with one other, but no one of them able to access the entire system. There is a big difference between always setting up a superuser and a user versus having no choice in the matter. The superuser/user dichotomy is primarily to help neophytes understand access and privilege distinctions. Everyone on a Linux system is a user, but some users have more access and privileges than others.
Linux allows for choice and a great deal of flexibility in that regard. Ditto privileges. It is not all privileges or no privileges. In practice, it’s an interval variable, not a nominal one, where privileges can be assigned on a system anywhere between all and none. As I mentioned before, I’ve set up systems where not only permissions, but privileges were distributed over several people such that no one person had access to or control over everything. The fact that Linux does it in a simpler way than Windows, does not make it less robust for real-world uses (which in the business world is the only place that counts). In fact, because it’s simpler, it gets used more often — unlike Windows where setting access controls are frequently ignored.
In fact, the only time I set up a system with a God user versus one or more non-God users is when I’m setting up systems for small offices and home use. catch may not be able to set up a Linux system that his grandmother could use, but there are plenty of people who can. I find Linux is particularly useful for the new user with a low frustration threshold and low self-esteem when it comes to things technological. Windows drives them crazy, but they love Linux. These are Joe Q Public users, not students of computer science.
I read the paper catch suggested on access controls and was dismayed to see that catch misrepresented what it was really about. It was a paper looking at a model that improved simulations of various access control strategies. I know a lot about simulations and how they are set up (and most importantly what they are good for). This meta-analytical paper did not conclude that Windows access controls were “better” than Linux’s — it concluded that the authors had developed a better way of simulating access control comparisons. Another way of putting this (in plain English) is how well does their new model show what everyone already believes to be the case over how other models show that. Any results that came out of their demonstration regarding new, interesting ideas about the access control strategies themselves would have to be actually tested to be proved (both as true and as relevant to issues like security). The numbers didn’t lie, but catch sure did imply they were saying something they didn’t (and couldn’t) say on the basis of that study.
When dealing with a system as messy and opaque as Windows, the number of ways of validating the system are very few. It is true that it is possible to not know (and I’m sure no one knows what all it does because there are so many problems in it) what it is really doing. However, when dealing with a system as transparent as Linux, there are a number of perfectly adequate ways to determine validity. To take as given that the issues surrounding Windows and its code are the same for every operating system is absurd.
I was delighted to read in the Wall Street Journal article “Code Red” that the developers at Microsoft were going to take tools like the reference monitor seriously and begin using them in a more timely manner than they have in the past. It’s high time. But confusing Windows and its development issues with Linux and its development issues doesn’t further understanding of either platform’s issues. Quite the contrary is true.
No matter how much catch goes on about the fine granularity of Windows security, the fact is that Windows keels over when attacked. Maybe people like catch should stop worrying about granularity of access controls and start worrying about how it is Windows systems are constantly breached. And do something about that. Right now the security expert skiddieleet thinks got it wrong seems to have gotten it right. The only safe Windows system is one with the plug pulled.
It looks like that’s the only viable alternative for Windows users who want to stick with Windows, given the attitude of catch and his ilk that they can’t be bothered with the real ways that Windows systems get breached in the real world. catch claims to be concerned about serving his clients, but as a business owner, I wouldn’t let catch anywhere near my systems. I’m not interested in working with people who don’t care about where systems are actually being breached, but only in the one spot they can look at Windows and not cringe. How nice it would be if people, including the ones at Microsoft, bothered to use its “fine” access controls. Then, maybe the rest of us wouldn’t have to filter so much garbage that keeps spewing out from infected Windows systems.
deedee
Comment by deedee — May 15, 2006, using Mozilla Firefox 1.5 on Linux
You make a lot of arguments about how you can setup a Linux system that doesn’t rely on the superuser architecture. All I have to say is thank you. You have proven my original point completely.
“Linux uses a superuser based security policy.”
“I can set Linux up without using superusers.”
Which is true? They both are… which brings me back to my original point, there is too much ambiguity surrounding Linux functionality and Linux security. Too many circumstances where conflicting points are true and in the end what does this mean? It means that the quality of your particular Linux installation relies exclusively on the intelligence and heroics, as it were, of the installer. Does this remind anyone of the lowest level of process maturity? Low maturity equals low predictability, which equals low trust.
You clearly failed to understand the intent of that access control paper. It merely provides a means for comparing the expressiveness of the Linux RWX model against the Windows ACLs. I am not sure why you put better in quotes. I never stated that the document claims Windows is better than Linux, just that it merely provides a simple and sane way for comparing the access control models of the two.
Next you call Windows “messy and opaque”… just because you don’t understand it, doesn’t mean the rest of us don’t.
Then you confuse validation with code audits.
Then some crap about code red and the reference monitor… not sure how the two are related, good thing a journalist was able to connect them for us… those guys are always right on the ball.
Then you go on some BS about how Windows systems always keel over when attacked… I’ll just laugh at your ignorance and move on.
You continue on about how commonly Windows systems are breached… I could have sworn that we addressed the issue of, just because most instances of a system are configured poorly doesn’t make the system itself bad… you must have skimmed that part.
You also rant on about access control granularity… you must have skipped the part on vulnerability analysis and the requirement of policy exceptions even if technical exceptions are present.
Something interesting though… I’ve never had a Windows system compromised, neither a client’s nor mine… anecdotal? Of course… the best part is that you’ll respond that you’ve never had a Linux system compromised… but how do you know? The security auditing is so anemic… oh wait, let me guess, you went and added some C2 auditing patch from leetlinuxtools.org?
What was that about ambiguity?
cheers,
catch
Comment by catch — May 16, 2006
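As an added illustration of the expressiveness comparison catch refers to above (example code written for this page, not from the thread or from the paper under discussion): a toy model of the owner/group/other permission bits beside a toy allow-only ACL, brute-forcing whether a given per-user policy can be encoded with the bits at all. The users, their private groups and the two sample policies are constructed for the example.

```python
from itertools import combinations, product

OPS = ("r", "w", "x")


def rwx_allows(owner, group, mode, user, user_groups, op):
    """Classic Unix check: the owner class applies first, then the file's
    group, then everyone else. mode is (owner_ops, group_ops, other_ops)."""
    if user == owner:
        return op in mode[0]
    if group in user_groups:
        return op in mode[1]
    return op in mode[2]


def acl_allows(acl, user, user_groups, op):
    """Toy allow-only ACL: a list of (principal, ops) entries where a principal
    is a user or group name. Access is granted if any matching entry lists op."""
    return any((p == user or p in user_groups) and op in ops for p, ops in acl)


def realised_policy(check, users, groups_of):
    """Run a check function over every (user, op) and return the resulting
    access matrix as {user: frozenset(ops)}."""
    return {u: frozenset(op for op in OPS if check(u, groups_of[u], op))
            for u in users}


def rwx_can_express(policy, users, groups_of):
    """Brute-force every owner, file group and mode; True if some assignment
    reproduces the wanted per-user policy exactly."""
    all_groups = sorted({g for gs in groups_of.values() for g in gs})
    classes = [frozenset(c) for n in range(4) for c in combinations(OPS, n)]
    for owner, group, mode in product(users, all_groups,
                                     product(classes, repeat=3)):
        def check(u, gs, op, o=owner, g=group, m=mode):
            return rwx_allows(o, g, m, u, gs, op)
        if realised_policy(check, users, groups_of) == policy:
            return True
    return False


def acl_for(policy):
    """An allow-only ACL realises any per-user policy with one entry per user."""
    return [(u, ops) for u, ops in policy.items() if ops]


# Constructed sample: four users, each only a member of a private group.
USERS = ("alice", "bob", "carol", "dave")
GROUPS_OF = {u: {u + "_grp"} for u in USERS}

# Three access classes (owner, group, everyone else): the bits can encode it.
THREE_CLASS = {"alice": frozenset("rw"), "bob": frozenset("r"),
               "carol": frozenset(), "dave": frozenset()}
# Four distinct access classes: one more than owner/group/other can encode.
FOUR_CLASS = {"alice": frozenset("rw"), "bob": frozenset("r"),
              "carol": frozenset("w"), "dave": frozenset()}

if __name__ == "__main__":
    for name, pol in (("three-class", THREE_CLASS), ("four-class", FOUR_CLASS)):
        acl = acl_for(pol)
        acl_ok = realised_policy(
            lambda u, gs, op: acl_allows(acl, u, gs, op), USERS, GROUPS_OF) == pol
        print(f"{name}: rwx bits {rwx_can_express(pol, USERS, GROUPS_OF)}, "
              f"acl {acl_ok}")
```

The brute force is the point: it shows that the three-class policy has an encoding in the bits while the four-class one has none, whereas the ACL lists every user directly and so realises both.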