Why Is It Safer?


Everyone who's ever been interested in Linux has heard how much safer and more secure it is than Windows. My question is why? What makes Linux so much safer? What securities do you have running as a normal user versus running as root? Is there anything that would actually stop a piece of malware from running undetected on a Linux machine?

These are a few questions that I've been wondering about for a while. What actually stops a process from running in the background without the user's knowledge? Is it just that malware isn't written for Linux yet?

Hitest and I were discussing this a little in the chat; but I'd like to extend this thread to everyone.

Any/all comments, ideas, facts, opinions welcomed.. just no OS flaming B)

Thanks,

Matt


In my opinion the NT structure is too complex to manage correctly. Even seasoned NT admins don't apply the least privilege model that *NIX systems do.

If you take a look at file permissions on a Windows machine you will see lots of options, and with lots of options come more problems. You have user A who needs to just read a file, while you have user B who needs to write to a file (maybe this is just a script running as a user), and user C who needs all. Well, in thought this is simple, right? Well, no; we find that other software, like the software that reads the file, may require some other attribute instead of just read. Now a good admin goes through and finds out what that is and only includes this in the user rights. But what normally happens is the user is given all rights to make them happy and the admin moves on to the next fire to put out.

Then add layers of contradicting security. In NT we have Global policy, we have Domain policy and we have Local policy. In these we have many group policy objects saying who can do what and when; sometimes these contradict in ways that are unknowable, in which case you have to dig through policies to find the problem.

In the *NIX situation we have a simple system that says the owner can (R)ead, (W)rite or e(X)ecute with a point value, groups can RWX and everyone else can RWX.

So now take system files that say owner root can RWX but people in the system group (the OS and root) can RX and everyone else can only R. This protects the OS from outside abuse.

Now the hole in all this is the user. In *NIX a user can download and install stuff that, if added to the .rc script (note this may have different names in different systems), will start whenever that user logs in. But it can only run as that user and only affect what that user has rights to. Now the good news is, things just don't install; you must manually install things, which is one of the complaints about Linux or other *NIX systems. That it's too hard to install stuff, right?

While I believe someone could write a JavaScript or something that installs something from the browser, the main browser is not tied to the OS, and as such it's more of a moving target as to what underpinnings are there to do harm to the system. Unlike IE and ActiveX, and Host Scripting, and with the new PowerShell I learned at Tech-Ed last week, one misconfiguration of PowerShell and you just gave the entire system up through web access.

The last thing is role-based authentication.

This is one thing you can have in Windows, but no one (not even Microsoft) does.

In Linux you have user accounts. These are user accounts and because of that cannot touch the system.

We must change accounts or use sudo (which runs commands as the root account), but either takes a password to work. And while not impossible to get passwords, it's one more slowdown point for people writing one-for-all attacks.

In Windows we see that the admin has one user account, and in that account they are domain users, domain admins etc. So no matter what they do, email, web surf, patch the system, they are admin and have admin privileges. What should be done IMHO is there is one account admins use for normal login and one they have individually that is just an admin account for getting admin tasks done. But in Windows that normally requires logging out and logging in (switch user) or setting up shortcuts that run as another user.

These are some reasons.

Others may include: with choice there are differences in how Linux systems are built, meaning an attacker has to do more work to find where things are, while in systems like Windows you know what is on the base system and where it is on all systems.

But read up on role-based authentication, Mandatory Access Control (SELinux adds this)

and Label Security (again SELinux).

Thanks for the question, it makes people think.

In the end you can make Windows as secure... (don't take my Linux card for that :) )

But the normal practice does not take these simple steps in mind. Or else when you first install Windows it would have you create an admin account and then make you create a less privileged user account. But in Vista they trust signed keys; let's not talk about how at Tech-Net we were learning how easy signed keys are to get around (drop a key in the everyone-writable key folder...) and pop-ups that warn when you might be doing something you should not.

Edited by iccaros
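Added example (not from this thread): a small Python model of the owner/group/other check iccaros describes, using the r=4, w=2, x=1 point values. The file paths, uids and modes are constructed for illustration, and the root rule is the classic textbook simplification (real Linux decides this through capabilities such as CAP_DAC_OVERRIDE rather than a bare uid 0 test).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FileMeta:
    path: str
    owner_uid: int
    group_gid: int
    mode: int          # permission bits only, e.g. 0o755


@dataclass(frozen=True)
class User:
    uid: int
    groups: frozenset  # primary plus supplementary gids


# "point values": r=4, w=2, x=1, summed separately for owner, group, other
_POINTS = {"r": 4, "w": 2, "x": 1}


def mode_from_rwx(text: str) -> int:
    """Convert an ls-style string such as 'rwxr-xr--' to its octal mode (0o754)."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters")
    mode = 0
    for i, ch in enumerate(text):
        if ch == "-":
            continue
        if ch != "rwx"[i % 3]:
            raise ValueError(f"bad character {ch!r} at position {i}")
        mode |= _POINTS[ch] << (3 * (2 - i // 3))   # owner bits sit highest
    return mode


def can_access(user: User, f: FileMeta, perm: str) -> bool:
    """Classic discretionary check: root bypasses r/w, but x still needs some x bit."""
    bit = _POINTS[perm]
    if user.uid == 0:
        return perm != "x" or bool(f.mode & 0o111)
    if user.uid == f.owner_uid:          # owner class
        shift = 6
    elif f.group_gid in user.groups:     # group class
        shift = 3
    else:                                # everyone else
        shift = 0
    return bool((f.mode >> shift) & bit)


# Constructed sample: a system binary, a system config file and a user's login .rc script
SYSTEM_BINARY = FileMeta("/usr/bin/tool", 0, 0, mode_from_rwx("rwxr-xr-x"))
SYSTEM_CONFIG = FileMeta("/etc/service.conf", 0, 0, mode_from_rwx("rw-r--r--"))
USER_RC = FileMeta("/home/matt/.bashrc", 1000, 1000, mode_from_rwx("rw-r--r--"))
ROOT = User(0, frozenset({0}))
MATT = User(1000, frozenset({1000}))
```

With these values MATT can run the system binary and edit his own .bashrc but cannot modify either system file, which is exactly the "runs as that user, affects only what that user owns" boundary the post describes.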

The even easier way to answer this is to look at Windows Vista.

Windows Vista asks you if you're sure you want to allow a process to open a particular section, like Device Manager etc. Something familiar with Linux: su - first, or in most GUI systems enter the root password.

A lot of experts say that Windows is too complicated to be innovative. And this was cited as a reason by journalists as to why Bill Gates' job as chief architect was frivolous. It has 50 layers of code, and the only thing they can do is put out fires as they happen or make sure they don't happen.

Also look at the philosophy of how the operating systems are given to the user. Windows installs 101 things just to close it down. *nix opens up lots of things to do certain things. Users are too lazy to apply needed security, so another possible reason.

Linux is also a very small minority. Why hack Linux when its impact is low in comparison to Windows? Though I predict this will change, but only once enterprise-level companies start using *nix exclusively or primarily.

Just a slightly different perspective.

Pierce


IMO the primary problem with Windows is the implementation of the security model (as previously stated in this thread), which I am hoping is remedied with Vista. If it is, that alone could drastically reduce spyware/adware etc., but only time will tell. But in the end I still give the security win to Linux (and the BSDs) because the nature of OSS is software scrutiny. Every application vulnerability I've seen was patched very quickly. As opposed to Microsoft, who quite often won't acknowledge a vulnerability until a patch is ready (security by obscurity?)


That's a good point and I think you will be disappointed. At PDC, which is Microsoft's developers conference, at a talk called Writing More Secure Code, which was hosted by Microsoft's security czar.

The number one rule was never let anyone see your code to be secure. If they can see the code then they can always hack it was the theme of the entire session.

They spent little time on cross-domain access or buffer overflows or authentication.

The number one rule was never let anyone see your code to be secure. If they can see the code then they can always hack it was the theme of the entire session.

Native code? Managed code is transparent. System.Reflection reveals all. They know that, it's a major feature.

He's right of course but it's an odd point. The only way to prevent people from seeing the code is to not ship it.

He's right of course

So does that mean Open Source is insecure because you can see the code?

So does that mean Open Source is insecure because you can see the code?

That's not what I meant. He's right that if someone has no access to the code it's more difficult for them to attack the program. The flaw in his logic is that everyone who has a copy of the program has the code. Object code isn't opaque. It's not significantly more difficult to find vulnerabilities in a disassembler dump of an executable than in the original source. It might be easier to find them with a debugger than with a static analysis of the source.

The problem with security through obscurity isn't that obscurity has no security benefits (think encryption) but that the systems aren't actually obscure. If you want to find vulnerabilities in NT you just install the (free) debugging tools and look.

In reality there's no difference between closed and open source software w.r.t. obscurity: they're equally open to a competent attacker.

Anyway, I just found it odd that he seemed to understand that code security could be important but didn't understand that source code security isn't sufficient. (Unless he was talking about server-side apps or something, in which case it might make sense.)

Edited by jcl