You say you are going to the Barclays IT department. Is that the one in the Docklands area or elsewhere?

The Barclays I was refering to is back at home, in another country. An accountant who works with my mother has a son who is the head of IT in the bank, and he’s offered to give me a tour I’m a bit cautious of spelling out where I live here..

Maybe you should format your post with the poster name highlighted in bold before every post.

Hari - Sorry, I’ve reformatted the messages. Hopefully you can make sense of whose PM each one is now

The real thing is that I doubt whether “catch” is truly interested in addressing the practical issues. Seems more focussed on refuting your arguments rather than bringing forward concrete examples of the Windows security model. He seems to be mixing and matching the enterprise and desktop market and then creating arguments that make no sense from either perspective. I suggest that you politely decline to further argue this issue. Obviously there are real world issues to be discussed here, but I doubt whether any discussion can be progressed in a positive manner without going deep into specific areas and not merely generalizing…

I think the specifics are necessary where security is concerned.. Because, every single specific can be a potential flaw, and that flaw alone can cause the whole system to be compromised. So, while he has used specifics as examples on a more general topic, I think they are valid questions.

When you say “how can anybody deny that Linux is more secure than Windows” - well, it’s easy to say.. But is it so easy to prove? I’m not disagreeing - I also think that Linux is more secure than Windows, but that is an opinion I have composed after reading as much as I can about the topic. It may not necessarily be more secure than Windows, and if you asked me for facts to prove it, the only thing I’d be able to do is set up a Linux webserver and a Windows 2003 one and let you try to penetrate both

catch is more of a theory writing guy, rather than a ‘HOW TO’ one. If you want, I could email you a few of his essays/theories. Anyway, I asked catch to reply to your post, and his PM back to me was the following:

I don’t really see a point in replying to that post. Basically they accused me of making vague comments and then failed to defend any of their vague points. Hell, I cited standards and explained everything.

If someone interesting replies, I will, but that was just an empty reply with considerable transference.

If you wish to have an idea about comparing access controls, check out this document: www.cs.purdue.edu/homes/ninghui/papers/exp_ccs04.pdf the math is easily applied to Windows and Linux policy. You will see, the numbers don’t lie.

cheers,

catch

Those are his precise words.

I’ve gotta rush to lunch.. But if you’d like those theories then let me know and I’ll send you the pdf

But as I said before, I’m not blaming him at all. Much of what “catch” writes is suitable for two programming/system experts to debate about. Since I’m nowhere near that level , I doubt whether I can debate at that level… All I can say is that my personal, practical experience says that Windows is less secure than Linux. And that seems to be the common experience of most Linux users as well. What more can I say?

I’ve contacted Capt_Caveman and unSpawn. unSpawn seems to be very busy at the moment, so I have sent him a summarised version of catch’s last PM in case he has some time to answer it. And I’m sure Capt_Caveman is also quite busy.. So, it’s now down to luck that someone else at catch’s level comes to read this post

Thanks for trying though!

There is no shadow of a doubt that the Windows access control system is more robust and finely grained than the Linux one. What most people fail to realize is how little that has to do with most system compromises, and how far it could go to prevent these issues.

The majority of system compromises are the result of exploitable services. Now a service having a flaw has nothing to do with the system security policy. So arguments like “IIS has more vulnerabilities than Apache.” is a bit misguided.

The ability to compromise a service does not, in and of itself constitute a vulnerability.

A vulnerability is defined as “A weakness in system security procedures, system design, implementation, internal controls, etc., that could be exploited to violate system security policy.” by NCSC-TG-004-88. Now consider what the system security policy may be:

“Web users must not be able to modify web content.”

Does an IIS/Apache exploit violate this policy? Even if the execution of arbitrary code is involved. The answer is “No”. What will violate that policy is a IIS/Apache exploit AND incorrect access controls that grant the IIS/Apache user to modify web files.

Without the technical flaw, you cannot take advantage of the weak policy and without the weak policy, no vulnerability is present. This is why application level exploits really are not too much of a concern if a finely grained access control system allows for the effective use of the least privilege concept and strong auditing is employed.

With this in mind, the standard Windows security system is much stronger than the standard Linux one… just because many people don’t use it correctly or by default it is weaker does not change this simple fact.

cheers,

catch

As I said before, I have no way of knowing or verifying what you say. But that doesn’t mean that I automatically agree with you but neither do I disagree. It’s just that I am not informed enough to disucss this topic on such a theoritical level.

But you’ll invariably come across people like me who express this opinion. No doubt, it must frustrate you that you’re not in a position to “prove” it. But that’s what happens to all of us who have specialized knowledge in our fields. We need to keep on fighting the “masses” to prove a fact which might be construed as an opinion.

Linux Permissions:
Owner/Group/World(Read, Write, Execute)
These permission are defined on a per object basis.
These permissions are implicitly denied if not explicitly granted.
These permissions do not apply to special accounts like “root”.

I assume you agree with this?

Windows Permissions:
User/Role/Group/Computer(Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, Read Permissions, Change Permissions, Take Ownership)
These permissions may be applied to a specific object or specific inheritance rules, “This folder”, “This folder, subfolders, and files”, “This folder and subfolders”, “This folder and files”, Subfolders and files only”, “Subfolders only” or “Files only”.
These permissions are implicitly denied if not explicitly granted and they may also be explicitly denied.
Special accounts are not excluded from adhering to this policy.

What does all of this mean? That with such a fine degree of tough and support for access based on systems and roles, not to mention the deny functionality… the Windows access control model allows for far greater predictability and easier to manage precise controls.

Next in addition to permissions, Windows supports finely grained privilege controls. In Linux there are no privilege controls there is only “root” (all privileges) and everyone else (no privileges). In Windows all the privileges may be defined again on a per User/Role/Group/Computer basis and include such privileges as “Adjust memory quotas for a process”, “backup files and directories”, “bypass traverse checking”, “change system time”, “allow/deny access to this computer from the network”, “increase scheduling priority”, “load and unload device drivers”, “manage auditing and security logs”, “restore files and directories”, “shutdown the system” and “take ownership of files or other objects”. This means that rather than having a single all powerful account, you can break down administrative tasks into little parts and assign these to different roles or users. This is helpful because it helps contain the compromise of critical accounts and it mitigates fraud and such committed by internal admins.

I hope this helps make the issues a little clearer.

cheers,

catch

ps. The OS reporting on here is incorrect, I am not using Win 2003 on this system.

Let’s get something straight here. Theory involves abstract reasoning, positions based on limited information, ideas yet to be proven. catch isn’t writing from theory, catch is writing from a practical, how-it-works, studied-my-ass-off-for-years-to-learn-this-stuff perspective. What he is explaining here, and the links and references he is providing, will back his statements in practical, measurable, definitive ways. It is real, not unfounded opinion. You can take the information and perform the same actions or tests yourself and come up with the same results.

You can say that you have the opinion that Linux is more secure than Windows, and that is fine, as far as opinions go. Opinions are like belly-buttons and a**holes, everyone has one. It doesn’t mean it is worth anything.

What I find completely amazing is that when presented with real, solid, verifyable information, people don’t want to be confused with facts and want to hold to their opinions no matter how invalid or vapid they may be. If you are going to deal with things at this level, you must be willing and able to critically examine your views in light of new information.

I’m not here to defend catch, he doesn’t need that. And, we don’t always see eye-to-eye on everything. We work in different worlds, so we shouldn’t. But I will stand behind his statements and presentations on the security of Windows vs. Linux. I’ve checked his information, followed the links and references and looked at my own systems (I use both Windows and Linux).

Now, back to your regularly scheduled programming.

It is true that we, as Linux users, are told that Windows is inherently less safe than a *nix install and we take it on faith that it is true. If it isn’t, that would knock away one of the cornerstones of Linux Advocacy. If, however, it is true, then I for one would like to see that debate/discussion.

Personally, even though I am not at all knowledgeable ont he subject, I would like to see it played out (in as plain english as possible please) so that I can understand the subject better.

But, being a Linux user (apart from when I’m in school - still trying to move forward with this), I am not so ready to believe that Windows is more secure than Linux.

Because, catch, attributes on Linux can be more complicated than what is allowed by the chmod command. On ext3, ReiserFS, and ext2 if I’m not mistaken, the chattr command can also be used. This allows quite a few more attributes to be set. But, quite possibly not as many as Windows. And Linux users can also be more flexible than just ‘root’ and ‘user’ - depending on the newly created user’s umask (and other more complex options), they will have access to certain files and not to others, to certain sections of the filesystem etc.

What Ray said is right - I’m not trying to disprove you, catch. I’m trying to hear your views from more than one mouth. Not because I don’t trust you, but because I would like to hear what another person equally knowledgeable in the security field has to say - and with more experience on the Linux side of the fence. I’m still just a Linux desktop user who is trying to learn more about the OS; so, that’s why I’m going to leave a reply to anyone else capable of doing so.

Ray
It is true that we, as Linux users, are told that Windows is inherently less safe than a *nix install and we take it on faith that it is true. If it isn’t, that would knock away one of the cornerstones of Linux Advocacy. …

Linux’s strength isn’t how well is stacks up against Windows in security. This is a relatively recent effort to lift Linux from the doldrums of open source into a more robust consumer and enterprise market. And, as catch points out, it is an effort based on not very solid information.

Linux’s main strengths are in open source, free software, democratic development and support environment and a strong user community.

Where it is weak is the conflicting approaches to desktop and user interface. It is still an operating system that I wouldn’t give my parents as an alternative to Windows. They wouldn’t understand it. The Linux community shoots itself in the foot on a regular basis with the counter-intuitive, obtuse Gnome and KDE interfaces. Even when they are stable, navigation is difficult and confusing.

The cornerstone for Linux Advocacy should be on standards. Standard desktop, standard updates and installs, more transparency for the non-technical users, standard and ubiquitous driver and device support. Evangelize all you want on security of Linux, but the bottom line is that the OS has to be adopted by the average user if it is to become more than just a hobbyist platform. How do you update your Linux? The Yum command line? Yeah, right. How do you install a new program? Uh, Terminal, SU as root, configure, make config, make, install? What’s all that? How do you get it to use your wireless card? Yeah, good luck!

I messed with the first Linux in the early 90s. There was no GUI desktop. Other than that, things haven’t changed all that much since then. If you want to know why Linux hasn’t made deeper inroads into enterprise or home use, it isn’t because people aren’t buying the “more secure than Windows” line. It is because the average user just isn’t finding what they need in the system.

My Linux (Fedora Core4) has OpenOffice and FireFox and a number of network and system pen-test tools. My Windows has StarOffice, FireFox, IE and a number of other network and system pen-test and analysis tools. When I fire up the laptop for writing or other activities, I normally end up in Windows. Why, it works with everything I’m using. Linux won’t access the wireless card on my laptop, so if I need network connectivity I need to be in Windows. Linux sometimes freaks out when I’m trying to write in OpenOffice. StarOffice in Windows is rock solid and it obeys commands from my mouse. I had so much trouble, I blew away the Linux partition and installed a Linux VM, which works flawlessly, BTW.

When I’m in the command line, or running Metasploit or some other tools, Linux rocks. For anything else, though, I use Windows.

As a technician, Linux is great and I use it. The average user is going to go Windows or Mac. These decisions aren’t made based on logic, math or security. They are made strictly on “I need to do thus and such. I need it to be easy.” (Ref: Staples “Easy” button).

If your parents had never seen a computer before, and you gave them a Windows one, would they understand it? I doubt it. ‘Baby duck syndrome’.

The Linux community shoots itself in the foot on a regular basis with the counter-intuitive, obtuse Gnome and KDE interfaces. Even when they are stable, navigation is difficult and confusing.

I don’t think so. The Linux community offers choice - and KDE seems to be the most popular. Anyway, KDE is very stable (at least, it has been kind to me!), and it is not difficult to navigate at all. If anyone finds it complicated and ‘confusing’, that’s due to ‘baby duck syndrome’. They’re entering unknown territory.

The cornerstone for Linux Advocacy should be on standards. Standard desktop, standard updates and installs, more transparency for the non-technical users, standard and ubiquitous driver and device support

But, that defeats the point of Linux. Different distributions are suited to different sectors. For example, Mandriva, Fedora Core 5, and SUSE are all great newbie distros. They offer easy package management (and software installation), nice - and simple - graphical interfaces, and any non-technical user can use them. I left a Mandriva computer I was testing (when 2006 came out) on when I went out, and I came back to find my older brother and mother both using it. They had never used Linux before, and yet they had managed to open up Firefox (which they didn’t know of) and browse the web as if they were already familiar with the OS. Thus, I stand by the fact that Linux is NOT hard to use.
Other distros like CentOS are suitable for servers. Gentoo and Slackware are for the more advanced users, who like to have more control over what is installed and how it is installed. As you can see, the list goes on. Therefore, I think diversity within Linux is a GOOD thing, as there will almost always be the perfect distro for you out there.

Driver support will be a grey area until hardware companies get their act together. I still think that hardware support is quite good for Linux, if you consider all the different architectures it runs on. Try to get Windows XP running on a SPARC processor, or on the old PPC Macs

My Linux (Fedora Core4) has OpenOffice and FireFox and a number of network and system pen-test tools. My Windows has StarOffice, FireFox, IE and a number of other network and system pen-test and analysis tools. When I fire up the laptop for writing or other activities, I normally end up in Windows

FC4 was really only an updated version of FC3. FC5 is the one the developers have really taken the time to improve and make more user-friendly, and I’ve heard that it’s a very polished distribution.

So, I wouldn’t rely on FC4 on a production system, and I have always said this. I haven’t had time to try out FC5 yet, as I never managed to finish downloading it.
Talking about network/pen-test tools, I have far more on my Slackware partition than I could even dream of having on my Windows one. Sure, one tool I tried to install didn’t work, as you may remember - but that was due to it being my first real experience with Slackware. It still is my first, and it’s going remarkably well.

Ultimately, whatever OS you boot into is your choice. I prefer Linux, but because of school ‘requirements’ I have to use Windows. And IE6 to a certain extent.

The average user is going to go Windows or Mac.

Because they don’t know any better. e.g I use Linux, and all my friends seem to think I’m a ‘hacker’ for that. I’m not joking. It’s a misconception which seems to have spread quite far and wide, and the reason they don’t switch to Linux is because they think it’s the black screen with green text from The Matrix.

Anyway, I wouldn’t like to put this post off-track.. If there’s another security professional around here, your comments would be gratefully received

“And Linux users can also be more flexible than just ‘root’ and ‘user’ - depending on the newly created user’s umask (and other more complex options), they will have access to certain files and not to others, to certain sections of the filesystem etc.”
You are confusing permissions and privileges.

Permissions control what subjects can access what objects (reading or writing files or directories). Privileges control what tasks a given subject can perform. (setting system time, taking ownership, profiling processes, changing priority, binding to low number ports, etc) Linux, like all superuser based systems has no granularity. (Again we are excluding points like LIDS and SELinux, because they are atypical, unproven, and muddy the water since the exclusion of security extensions for Windows is assumed.)

A few words on permissions and privileges from the good people at Sun Microsystems:
http://docs.sun.com/app/docs/doc/816-4557/6maosrjff?a=view

“The cornerstone for Linux Advocacy should be on standards. Standard desktop, standard updates and installs, more transparency for the non-technical users, standard and ubiquitous driver and device support-

But, that defeats the point of Linux. Different distributions are suited to different sectors.”

I strongly disagree with this… standards are key and standards do not equate to uniformity. The Linux system should e a black-boxed modular one. So you start with the kernel and drop in whatever functionality is needed with no concern for configurations or conflicts. If that were true, Linux would be a downright respectable system instead of a big example of how to repeat mistakes from 30 years ago.

cheers,

catch

WHat is more likely to happen:

Getting a trojan or virus while browsing the web with Windows in Internet Explorer. Or with Linux with Konqueror or Firefox.

Now don’t get me wrong. This is the answer that most desktop users care about. I don’t care how finely you can tune Windows to make it more secure. That’s theory… theory… theory… Going by your own logic, most Windows users aren’t bothered about the finer aspects anyway. All your security tutorials go out of the window here.

Now I’m not denying that most of what you say might be right in theory. Certainly your post about access control makes that clear. The thing is: are the majority of people actually using that?

You say your mom or dad shouldn’t use Linux. If they used Windows, could they configure the security from your perspective.

I hit you back in your own arguments about the so-called “average” user. Forgive me. I still will not take your words on face value in spite of vocal support you seem to be getting…

Getting a trojan or virus while browsing the web with Windows in Internet Explorer. Or with Linux with Konqueror or Firefox.”
“More likely” is such a silly question… are you comparing the average Windows user (like my grandmother) against eh average Linux user (programming student)? Are we assuming default configuration? What? These types of “How do other people use this?” questions are worthless. Why do you care if people misuse something? Are you planning on misusing it? I know I’m not.

I will tell you that my Windows 2000 server, which was just retiered last month survived for over five years without an update… serving rich content and was known by people I’d pissed off from many, many security communities.

Consider before what I said about application exploits and security policy… a vulnerability must find a flaw in both (or just the policy) and considering that the windows reference monitor hasn’t had a vulnerability in as long as I’ve been using Windows, that means there has never really been a real vulnerability in all that time.

Nearly all user security issues (including malware) are removed if the user doesn’t surf as an Admin account. I know my parents are more than capable of this (despite them both being math-phobic therapists).

And… again, what does the “average user” have to do with the system capabilities?

I don’t hold you in a poor light for being questioning. Questions are the best way to learn, by all means keep asking until you know everything you want.

cheers,

catch

In fact, you might be 100% right and have 1000 pages of data to back it up!

But do you want a harsh reality? 99% of the people don’t bother or care in the real world. You might have the best product X and say it’s better than Y, but if you market your product in the world by such a “black-or-white” argument you’re going to make little headway. Most people will simply yawn and others might even dub you as an intellectual elitist. Even if you give them irrefutable proof. Understand that perception and attitudes do shape our opinions and beliefs even if they might lead to wrong conclusions.

Harsh, but true.

Now you didn’t take the hint when I said I didn’t want to debate this. You probably were eager to provide me with technical data and irrefutable proof to back your theories. In reality maybe 2% of people in this world are interested in such things.

It’s an attitude and perception driven world out there. You have to speak in the language of the masses if you want to convince them and not assume a superior attitude even if you’re entitled to.

Do you know something? I was actually willing to learn something from you, but your assumptions about my questions being “silly” won’t cut ice in the real world. People who question you will be far less knowledgeable than I am and you simply cannot sell your case if you make things out in black and white (even if they are). Nobody wants to know all that.

Do you know why marketing professionals and advertisers exist? Because they understand that mere technical superiority of a certain product doesn’t guarantee it life. They believe in creating the right perception even though reality might not reflect this. That’s a cynical way to put it, but that’s why they exist.

Call me stubborn or dub me an idiot, but I think probably 90% of people would have reacted in a similar manner. I personally enjoy learning, but you got to understand that mere technical expertise and skill won’t sell anything: even a viewpoint.

I hope you understand this and not get frustrated while trying to share knowledge. No body or field of knowledge can exist outside of human emotion, attitude and behaviour. This is something that I always feel… You should always try and understand the psychology of the other side before you approach them.

That’s merely my point. The attitude that Linux is securer than Windows is probably embedded in our mindsets, so it does seem as though most of your points are wasted.

Sorry, and no hard feelings

“99% of the people don’t bother or care in the real world. You might have the best product X and say it’s better than Y, but if you market your product in the world by such a “black-or-white” argument you’re going to make little headway.”
Good thing I don’t have to deal with those people in business. I deal with people that have specific problems and need verifiable solutions. Those people are more common then you think… as evidence by the fact that I’ve had much professional success over the last decade.

“WHat is more likely to happen:
Getting a trojan or virus while browsing the web with Windows in Internet Explorer. Or with Linux with Konqueror or Firefox.”

and:

“Now you didn’t take the hint when I said I didn’t want to debate this.”

Again with the tranference.

“You have to speak in the language of the masses if you want to convince them and not assume a superior attitude even if you’re entitled to.”
I don’t care about the masses, I care about people that ask for my input, like Max.

“I was actually willing to learn something from you, but your assumptions about my questions being “silly” won’t cut ice in the real world.”
But your question was silly… It was like asking “How do you explain that th web is good when everyone uses it for porn?” back in 1996. I can’t control nor can I speak to the way people use a technology and nor do I care to. Your question about the way people use their systems was exactly that, asking me to speak for them and not for the system itself. Thus it was a silly question… I’m not a mind reader.

“Do you know why marketing professionals and advertisers exist? Because they understand that mere technical superiority of a certain product doesn’t guarantee it life.”

No, marketing people exist because it is easier to say something is good than to actually make something good, especially for the same resources.

“Call me stubborn or dub me an idiot, but I think probably 90% of people would have reacted in a similar manner. I personally enjoy learning, but you got to understand that mere technical expertise and skill won’t sell anything: even a viewpoint.”

You keep assuming that I am talking to home users… home users have negligable security concerns and I don’t deal with them save for my friends and family… and even then I am very tight with the advice. As I said before, I deal with people who know that I am a valuable asset to them, I save them money and make their organizations more predictable. I don’t care if you switch operating systems or not, I’m not trying to sell to you. I am merely providing Max with information about the two systems.

“In reality I was trying to say that you cannot convince people beyond their willingness to be convinced. No amount of facts, figures or truth will get over that barrier of attitude.”

Yeah, hence I have no emotional attachment either way, I merely provide information, if you find it useful… great. If not, makes no difference to me. I value education and I know how hard it is to get straight answers on this subject, so I do what I can to help others seeking information. Nothing more.

“This is something that I always feel… You should always try and understand the psychology of the other side before you approach them.”

I understand the psychology aspect… but again my point isn’t tell sell you anything or even change your mind, so why would I bother with efforts directed at doing either of those things?

“The attitude that Linux is securer than Windows is probably embedded in our mindsets, so it does seem as though most of your points are wasted.”

That is a choice.

cheers,

catch

Sorry, I’ll have a look through the comments when I get the chance. But in the meantime, here’s unSpawn’s contribution (note that these are not in reply to the last message as a whole, but several bits I took out from it):

I am not part of this discussion but was asked if I could provide some information. In doing so I’ve taken care to avoid stooping down to that side of the discussion that uses tactics like provocation, spreading false or partial information, derogatory remarks and drawing false conclusions. If anyone spots an error, please correct these in a cooperative, factual and constructive way.

1. “The basic security model of Linux is a great example… seems no one every bothered to validate it. It offers no predictability whatsoever… rights are transitive in ways that are so loose you simply can make no life-cycle calculations of the level of access on any object in the system. Since the whole point of security is predictability and control… how is this a good thing?”

UNIX was not designed with high security in mind (Thompsons own remarks). GNU/Linux was not designed with security in mind either, let alone the “high security environment” standards of the Common Criteria (CC) kind. SELinux addresses the need for a secure, “trusted” Linux kernel offering fine-grained Mandatory Access Control (MAC), the prime “Orange Book” B1 rating’s concern, using Type Enforcement (TE) and Role-based Access Control (RBAC). If you are interested in what this means
certification-wise: SuSE SLES9 was CAPP/EAL4+ certified in 2005.

If we look way back we see that Microsoft Windows NT, which was designed with security in mind, reached a TCSEC C2 rating (Unices “usually” come in at a lower C1) long before Red Hat or SuSE applied for one. It however did so under strictly defined lab conditions that did not mimick real life deployment. The “paper” rating proved to be no guarantee for security, no assurance at all once deployed in a hostile environment.

2. “Decisions to race to include SELinux in the kernel are based on all the press releases that can be made about Linux being more secure than Windows and the ability to include words like “NSA” and “Military level security” into those case studies and sales meetings.” - he is arguing that SELinux has been taken up prematurely by many distros and that, because of its ‘research status’, it shouldn’t even be considered in a production environment.

The decision to include SELinux and the Linux Security Module (LSM) framework in the kernel was to cater to calls for a trusted Linux kernel offering compartmentalization, separation and control. To prove correctness of the framework tools have been developed that do both static and dynamic analysis. SELinux is actively being developed further, for instance working on other parts of Common Criteria certification, enhancing Multi Level Security (MLS) deployment and adding dynamic policy
enforcement as well as policy language and generation enhancements.

3. “Reference monitor concept cannot be implemented by an external application (where part of the Linux philosophy falls apart) it must be in the security kernel. The Windows reference monitor is really no different than any other…” - that there is no Linux reference monitor, and so Linux cannot be fully secure.

The concept of the Reference Monitor itself has not been undisputed (MLS) but more importantly it is not the single qualifying criterium for proving an Operating Systems’ security posture in theoretical nor practical sense (as shown above). FYI, the first Linux Reference Monitor was provided by the LIDS kernel patch around the turn of the last Millennium, the current one is of course provided through SELinux.

In closing I think the most important question is this: Is GNU/Linux a “high assurance”, a “trusted” Operating System? With respect to the Common
Criteria B1 certification or the way a DO-178B-certified Operating System wuld be designed: no, but that was never the goal.
With respect to practical security: definately, yes.

Best regards,

unSpawn

I never questioned this, however to include such as I said merely muddies the waters. Several kernel drivers exist for Windows which add MLS and other functionalities to different degrees. However, since B1 is a pretty worthless target, these are not widespread and are only employed under very specific conditions.

“If we look way back we see that Microsoft Windows NT, which was designed with security in mind, reached a TCSEC C2 rating (Unices “usually” come in at a lower C1) long before Red Hat or SuSE applied for one. It however did so under strictly defined lab conditions that did not mimick real life deployment. The “paper” rating proved to be no guarantee for security, no assurance at all once deployed in a hostile environment.”

I assume you are talking about the “Secrets and Lies” myth about the Windows configuration. These are completely false, and if Bruce had even a basic understanding of DOD-5200.28-STD he would realize that his comments made no sense. The Final Evaluation Reports are available here:

http://www.radium.ncsc.mil/tpep/library/fers/NCSC-FER-95-003.pdf
http://www.radium.ncsc.mil/tpep/library/fers/TTAP-CSC-FER-99-001.pdf

Both of these indicate networked system with no mention of epoxy or whatever else.

Nearly all of Windows’ security woes have been the result of a weak default configuration and weak network encryption tools (which are not part of the evaluation).

“The decision to include the Linux Security Module framework, and SELinux as an part of that, was to cater to calls for a trusted Linux kernel”

Actually SELinux is a port of the Flask security architecture for the Flux operating system and was developed by the NSA as a means of researching the implementation of flexible security architectures into existing open source systems.

Before SELinux, much of the Linux community scoffed at the idea of Trusted Systems, calling them “too cumbersome”, and “dated”. Previous MLS efforts for Linux had existed, some of them like Pitbull LX are even superior to SELinux in many regards… but lacked the sex appeal of that association to the NSA.

“The concept of the Reference Monitor itself has not been undisputed (MLS) but more importantly it is not the single qualifying criterium for proving an Operating Systems’ security posture in theoretical nor practical sense (as shown above).”

As shown above, where?
Without a reference monitor, a system simply cannot be trusted, period. (hence the need for defense in depth, where B2 and beyond systems typically exist as guards)

“FYI, the first Linux Reference Monitor was provided by the LIDS kernel patch around the turn of the last Millennium, the current one is of course provided through SELinux.”

Neither of these systems offer full reference monitor functionality. Neither is non-bypassable (oh the blight of the monolithic kernel), neither is always on (both systems are toggleable), and neither is small enough to be formally verified. They merely offer reference monitor style centralized control.

Practical security isn’t the question. I would never disagree that for many environments Linux is a very practical solution. The topic originally dealt with the fact that Linux’s decentralized and immature development structure lends itself to the development of much misinformation.

cheers,

catch

catch:

Yeah, Linux was not designed to be high assurance… thus the idea of add on assurances makes everything ambiguous (and makes no sense “lets make this system more predictable by adding crap to it!” “Genius!”), which was my original point.

I was talking about this with thehorse13. He said that he doesn’t recommend third party addons to provide more functionality than RWX privileges on Linux. Which leads me to this: why don’t the kernel developers add more functionality? I know it is quite a lot of work, but is it something they are thinking of introducing in the next major release? Linux is known to be a good multi user system, but with simple RWX privileges, I don’t know to what extent that is true.. Is this something the kernel developers are thinking about?
And what you said about Pitbull LX actually being better than SELinux - could you point me to a few documents to prove this, or explain it? Thanks.

Bare in mind that I’m not shedding a bad light on Linux, and I won’t stop using it as my desktop OS because of that - I’m just wondering why this feature (privileges) hasn’t been improved yet.

Another thing that has made me wonder is why the NSA bothered implementing a reference monitor into SELinux if it was going to be a half-hearted attempt. According to you, it fails on four levels: lack of functionality, it is not non-toggleable, it is not tamper-proof, and it is too large. So why did they put it there? Another question that begs a response is why the Linux community has not tackled this, and made the reference monitor in SELinux work according to standards?

http://sarmlabs.com/archives/MISSI%20B-level%20Windows%20NT%20Feasibility%20Study.pdf

…is an old, but still worthwhile article on adding more security functionality to the Windows NT operating system. The task is huge and requires real security experts, of which there are few in the Linux community. The Argus people just extended a Product made for Solaris over the Linux and the NSA people moved one from Flux over to Linux. Neither SELinux nor Pitbull LX were home grown as it were.

“And what you said about Pitbull LX actually being better than SELinux - could you point me to a few documents to prove this, or explain it?”
I might… I’ll need to look. What I have is the fact that Pitbull LX is a mature product that was securing banks and government agencies in the real world, after being formally evaluated while SELinux was and is still in the lab. In fact the people working on SELinux, TCS… many of their top people came from Argus. In my experience, SELinux is in many ways still a cumbersome system, inferior to traditional trusted operating systems like Trusted Solaris and HP-VV, while Pitbull LX uses newer functionality, Domain Based Access Controls (DBAC) to add simplicity of administration lacking in the Type Enforcement (TE) architecture with a finer touch of control. Pitbull LX makes the definition of least privilege exceptionally easy to implement to a very high degree. Most importantly… Pitbull LX isn’t running any borrowed intellectual property. TE is patented and owned by Secure Computing Corporation (SCC). For the moment SCC says it will not create any issues with the TE license, however SCC is a small company in a fickle market and if Sun or IBM (who supports SELinux) or Microsoft feel that SELinux is cramping their style a bit too much… SCC might get eaten and all IP with it.

“I’m just wondering why this feature (privileges) hasn’t been improved yet.”
Permissions, RWX are permission bits.

“Another question that begs a response is why the Linux community has not tackled this, and made the reference monitor in SELinux work according to standards?”
Monolithic kernels cannot effectively support reference monitors. Have a look at:

http://sarmlabs.com/archives/The%20Reference%20Monitor%20An%20Idea%20Whose%20Time%20has%20Come.pdf

… to get a better idea… you’ll note that they mention the practice in monolithic systems is to just slice of a chunk of the kernel and call it a reference monitor, despite the fact that it isn’t really one. Linux would require a complete restructuring and a complete change in architecture to support a true reference monitor… Oh the disadvantages of using an OS designed by a guy proud to have failed his OS design classes. (But at least he had a big ego and looked cool fighting “the man”, right?)

cheers,

catch

The task is huge and requires real security experts, of which there are few in the Linux community.

Hmm.. But why wasn’t this corrected years ago? If the security experts had realised this before and had instructed the kernel developers accordingly, maybe this could have been sorted out.. Although, Linux wasn’t designed to be highly secure. But still

Pitbull LX makes the definition of least privilege exceptionally easy to implement to a very high degree. Most importantly… Pitbull LX isn’t running any borrowed intellectual property.

But SELinux is still used instead because of its ties to the NSA. Aha.. This is something that I may try to bring up on the kernel developers mailing list - let’s see what answers I get!

Permissions, RWX are permission bits.

My bad! I got that muddled up. Back to privileges - why are Linux’s not extended to be more flexible than simply ‘root’ and ‘user’? Or would this also require a substantial change in the kernel’s design..

Thanks for both those articles (I corrected the links) - I don’t have time to read the first (I’ll leave it for the summer - right after I’ve read the now 8 books sitting on my shelf :D), but I’m going through the second right now. I’ll edit this post (or post again, depending on whether there’s another reply) once I’m done.

[edit]

“Ironically, the appearance of the reference monitor in modem operating systems will cause a change in how trusted systems are viewed. Since the reference monitor could not be directly implemented in the large monolithic kernels, there have been many techniques developed to overcome this limitation.”

‘Many techniques developed to overcome this limitation’ - It doesn’t explain these, so I’m not sure if one of these techniques would be applicable to Linux. Although, if one were, I assume it would already have been done?

“There is an idea that has been around for a long time, that of the reference monitor. For the last twenty years, the large monolithic kernels of operating systems prevented a direct implementation of the RVM. Current work in operating system design exploits some of the features of the RVM, even without the trust considerations. Consequently, we are now in the position where our technology is just now allowing us to adopt a twenty year old concept.”

This implies that an RVM (reference validation mechanism) could be implemented into a large monolithic kernel, such as that of Linux?

“Q:

I’ve been cracked. Will you help me fend off further attacks?
A:

No. Every time I’ve been asked this question so far, it’s been from some poor sap running Microsoft Windows. It is not possible to effectively secure Windows systems against crack attacks; the code and architecture simply have too many flaws, which makes securing Windows like trying to bail out a boat with a sieve. The only reliable prevention starts with switching to Linux or some other operating system that is designed to at least be capable of security.”

After reading this discussion I find that very funny. There was a time where I probably would have agreed with him though. Peace.

You seem to keep forgetting that Linux isn’t a true OS in the eyes of security experts. At best it is a platform to tinker with (like the NSA did) at worst it is a new system that shows no progression over various older operating systems and is in fact behind what should be its contemporaries.

“But SELinux is still used instead because of its ties to the NSA.”

Pitbull LX is used by various governments and many banks in real live roles… but it is a proprietary system so it is unavailible as open source for further development. The interesting thing will be to see how the IBM/TCS SELinux turns out as far as source availibility since much of that team used to be on the Argus team.

“My bad! I got that muddled up. Back to privileges - why are Linux’s not extended to be more flexible than simply ‘root’ and ‘user’? Or would this also require a substantial change in the kernel’s design..”

SELinux incorporates RBAC for more finely frained privilieges. Linux doesn’t have that normally because then there would be no root user, which would make it totally different for what people are used to and many software packages would need to be retooled.

“This implies that an RVM (reference validation mechanism) could be implemented into a large monolithic kernel, such as that of Linux?”

Nah… you skipped over:

“Abrams et al also discuss the slight change in usage of the terms security kernel and RVM. In view of the fact that monolithic kernels were divided arbitrarily, it is not surprising that there is confusion.”

and:

“The RVM is a theoretical construct that was usually not implemented. Rather a monolithic kernel was arbitrarily divided and a one of the those subdivsions was simply called the RVM.”

Which is exactly what Linux has done, just taken a random part of the kernel and called it a reference monitor because it examines the access requests. However it fails to meet the three requirements of a true reference monitor.

Skiddieleet:
There is an entire internet full of such people… such “security experts”

I am happy that you’ve been able to find value in such conversations as this though.

cheers,

catch

Then why does it play such an important part of so many security degrees, and courses? And I’m referring to Linux, not UNIX or any other *nix relatives…

Pitbull LX is used by various governments and many banks in real live roles… but it is a proprietary system so it is unavailible as open source for further development. The interesting thing will be to see how the IBM/TCS SELinux turns out as far as source availibility since much of that team used to be on the Argus team.

Ah, right - I didn’t know it was proprietary. That would explain why it hasn’t been implemented, and SELinux was chosen over it.. (although not the sole reason)

Which is exactly what Linux has done, just taken a random part of the kernel and called it a reference monitor because it examines the access requests. However it fails to meet the three requirements of a true reference monitor.

Aha. And it fails to do that because of the monolithic kernel’s design, which cannot support a full reference monitor. Let’s say that the kernel developers did decide to restructure the kernel completely in order to make it more flexible for things like a full reference monitor - would this mean that every single Linux application would need to be changed in order to work on the new kernel, or would it just be the APIs which would need a change in operation?

Thanks

(Oh, and have you come across any papers which explain how Linux’s kernel would need to be altered in order to be considered a ‘true OS’? As in, what changes in the kernel - like removing its monolithic limitation - would need to happen in order to make it more stable and more secure.)