• poVoq@lemmy.ml · 15 up / 1 down · 3 years ago

    The author seems to subscribe to the holy church of the sandbox security theater ;)

    They add an incredible amount of complexity and thus potential security issues to a system while making the users and system designers think it is ok to run a malware distribution channel as the primary update mechanism (i.e. the Play Store).

    I am not against sandboxes in general (it is for example good to have the JavaScript code sandboxed in a browser), but all too often they are used to justify the implementation of much more fundamental security issues.

    Most security issues are social issues anyway and not really technical.

    • ᗪᗩᗰᑎ@lemmy.ml · 9 up · 3 years ago (edited)

      Another thing to point out is that he states how the Linux kernel has hundreds of vulnerabilities found compared to other OSes. Well yeah, Linux is open source and literally any researcher/security expert can read the code to find bugs. Good luck trying to do the same with Windows or macOS.

      Lastly, most Linux distros are “complete” in the sense that you generally (or at least for the majority) don’t have to install much software outside of what’s already in your distribution’s repos; you’re not having to google/download sketchy apps, so this threat model of rogue apps trying to hack/steal your data is minimal, if not non-existent.

      The real problem is those systems (Windows, macOS, iOS, Android) all have an app store where a ton of developers are trying to make money off of you in any way possible by stealing your data/invading your privacy, so they had to build a permission system because you can’t trust those random people. You can generally trust your Linux distro to not package malware and can safely install any app that’s available.

      Edit: I should add, it’s still a good writeup. I think he makes some good points and it would be great to see Linux improve in some areas, even if the problem doesn’t really exist as much as it does for the more commercially backed operating systems.

      • Lunacy@lemmy.ml · 3 up / 9 down · 3 years ago

        Good luck trying to do the same with Windows or MacOS.

        When it comes to finding bugs, vulnerabilities, audits etc., closed source is not so different from open source; people can actually reverse engineer closed source software, that’s why Windows 10, for instance, has malware. If I recall correctly, reverse engineering is used even for open source software because it’s easier to understand how the code works.

        • ninchuka@lemmy.ml · 6 up / 2 down · 3 years ago (edited)

          how the fuck is reverse engineered code easier to read than the source code?? That makes no sense whatsoever

          • Lunacy@lemmy.ml · 3 up / 3 down · 3 years ago (edited)

            Hi. Can you please be more nice in the future? I don’t see any reasons to be rude. Maybe I’m wrong, I’m open to discussion, but your point doesn’t prove anything in my opinion.

            In software design, reverse engineering enables the developer or programmer to add new features to the existing software with or without knowing the source code. Different techniques are used to incorporate new features into the existing software.

            Reverse engineering is also very beneficial in software testing, as most of the virus programmers don’t leave behind instructions on how they wrote the code, what they have set out to accomplish etc. Reverse engineering helps the testers to study the virus and other malware code. The field of software testing, while very extensive, is also interesting and requires vast experience to study and analyze virus code.

            The third category where reverse engineering is widely used is in software security. Reverse engineering techniques are used to make sure that the system does not have any major vulnerabilities and security flaws. The main purpose of reverse engineering is to make the system robust so as to protect it from spyware and hackers. In fact, this can be taken a step forward to ethical hacking, whereby you try to hack your own system to identify vulnerabilities.

            https://blog.udemy.com/reverse-engineering-tutorial/

            Beyond that, there are different articles about this topic, including,

            Reverse engineering is a process that hackers use to figure out a program’s components and functionalities in order to find vulnerabilities in the program. You recover the original software design by analyzing the code or binary of the program, in order to hack it more effectively.

            https://medium.com/swlh/intro-to-reverse-engineering-45b38370384

            After a while, I decided to write a short blog post about Linux binary reversing CTFs in general.

            https://osandamalith.com/2019/02/11/linux-reverse-engineering-ctfs-for-beginners/

            During a past job interview, I was tasked to reverse four Linux binaries of increasing difficulty as proof of my ability in the reverse engineering field.

            https://blog.kartone.ninja/2019/03/25/when-a-reverse-me-ctf-binary-makes-you-loose-that-job/

    • SeerLite@lemmy.ml · 2 up · 3 years ago

      Running everything sandboxed even if the software that’s being run is FOSS and comes from trusted sources doesn’t sound too bad though. Just another layer of defense. What are the potential security issues this could cause?

      • poVoq@lemmy.ml · 1 up / 1 down · 3 years ago (edited)

        No, but what would be the benefit? Sandboxes are only needed when running untrusted code. That is unavoidable sometimes, as the web would be pretty much unusable without JavaScript. But when someone tries to sell you a sandbox, the malware distribution channel usually follows closely behind (I am looking at you, Snap Store >:( ).

        • pinknoise@lemmy.ml · 2 up · 3 years ago (edited)

          Just a bunch of stupid bugs can turn your well behaved code into malware. You should not trust any code to do what you think it does, especially if you have written it yourself. If it’s possible to enforce fine grained access control and isolation then it should be done.

          the web would be pretty much unusable without javascript.

          Imo it would be a better place without it

          • poVoq@lemmy.ml · 1 up · 3 years ago

            A bug is not malware (i.e. software intentionally written to do harm). It might get exploited, but that is an entirely different story and usually requires another piece of actual malware to work.

            Adding a sandbox to mitigate against bugs might sound like a good idea at first, but in reality it adds bloat and makes people stop actually fixing bugs. And a lot of the impacts of bugs can be more easily mitigated against with general system improvements that actually make the system overall better instead of adding layers of bloat. Take Rust for example: it is a memory safe language that actually improves the system, but of course a sandbox can also mitigate against software written in memory unsafe languages. But hopefully you agree that Rust is the better idea than wrapping everything in a sandbox.

            As for JavaScript on the web: no, it would be a much poorer system overall, with people reverting to shoddy apps to supplement web content. Maybe you are wearing rose-tinted glasses or are too young to remember, but the web was not better before widespread JavaScript use. In fact it had stuff like Shockwave and Flash to do some of what JavaScript does today (shudder).

            • pinknoise@lemmy.ml · 2 up · 3 years ago (edited)

              And a lot of the impacts of bugs can be more easily mitigated against with general system improvements

              Yes, and these improvements will converge to be a sandboxed environment. Even original Unix had (weak) process isolation and ACLs. Should we go back to cooperative multitasking because a scheduler is bloat? No, because it’s not practical. Should we remove all exploit mitigations and fix all the bugs instead? No, because it’s not practical. For reasonably complex programs we can’t tell if they are bug-free, and even if we could, the hardware it runs on may have bugs. The best we can do is minimize the impact a glitched program can realistically have.

              Rust is the better idea than wrapping everything in a sandbox.

              Rust prevents a range of stupid bugs that don’t have to happen (plus other cool stuff). It can’t prevent logic bugs. Say e.g. you have a server with an unintentional arbitrary file inclusion. Would you rather wait for the bug to be fixed and be completely vulnerable in the meantime, or have the impact limited to the files the server process/user is explicitly allowed to access?

              In fact it had stuff like Shockwave and Flash

              Sure, compared to those (whose Turing completeness JavaScript predates, btw) it’s nice, but no built-in RCE at all is still the better solution.
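The file inclusion case pinknoise describes, as an added example that is not code from the original thread or from any project discussed in it: a hypothetical static-file handler with an unchecked path join (the bug stays in the code), run once with no confinement and once under an allow-list of directories enforced outside the handler. The policy is modelled in-process with a Python audit hook as a stand-in for an OS-level sandbox such as Landlock, AppArmor or a systemd unit with ReadOnlyPaths/InaccessiblePaths; the file tree, the `serve_file` handler and the `confined` helper are all constructed for this demo.

```python
import os
import sys
import tempfile
from contextlib import contextmanager

# Policy consulted by the audit hook. None means unrestricted, so importing
# this module changes nothing for other code until confined() is entered.
_ALLOWED_ROOTS = None
_HOOK_INSTALLED = False


def _inside(real_path, root):
    return real_path == root or real_path.startswith(root + os.sep)


def _audit_hook(event, args):
    """Deny open() of any path outside the allowed roots while confined."""
    if event != "open" or _ALLOWED_ROOTS is None:
        return
    target = args[0]
    if target is None or isinstance(target, int):
        return  # reopening an existing fd reaches no new path
    real = os.path.realpath(os.fsdecode(os.fspath(target)))
    if not any(_inside(real, root) for root in _ALLOWED_ROOTS):
        raise PermissionError(f"sandbox policy denies access to {real}")


@contextmanager
def confined(*roots):
    """Limit file access of the enclosed code to the given directories.

    Hypothetical stand-in for an OS sandbox: the policy lives outside the
    handler, so the handler's own bug does not need to be fixed for the
    impact to be contained.
    """
    global _ALLOWED_ROOTS, _HOOK_INSTALLED
    if not _HOOK_INSTALLED:
        sys.addaudithook(_audit_hook)  # audit hooks cannot be removed later
        _HOOK_INSTALLED = True
    previous = _ALLOWED_ROOTS
    _ALLOWED_ROOTS = tuple(os.path.realpath(r) for r in roots)
    try:
        yield
    finally:
        _ALLOWED_ROOTS = previous


def serve_file(document_root, requested):
    """Hypothetical handler with an unintentional arbitrary file inclusion:
    the request path is joined to the document root without any check, so
    a request for '../secret.txt' escapes the root."""
    with open(os.path.join(document_root, requested), "rb") as f:
        return f.read()


def build_demo_tree():
    """Constructed sample filesystem: a document root plus a secret outside it."""
    base = tempfile.mkdtemp(prefix="afi-demo-")
    docroot = os.path.join(base, "public")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"db_password=hunter2")
    return base, docroot


def demo():
    """Returns (legit_request_ok, secret_leaked_unconfined, secret_denied_confined)."""
    base, docroot = build_demo_tree()
    # A legitimate request still works under the policy.
    with confined(docroot):
        index = serve_file(docroot, "index.html")
    # The bug, exploited with no sandbox: the secret outside the root leaks.
    leaked = serve_file(docroot, "../secret.txt")
    # The same buggy handler under the policy: the open is refused.
    denied = False
    try:
        with confined(docroot):
            serve_file(docroot, "../secret.txt")
    except PermissionError:
        denied = True
    return index == b"<h1>hello</h1>", leaked == b"db_password=hunter2", denied


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The point of the layout is that `serve_file` is identical in both runs; only the process-level policy differs. A real sandbox enforces the same allow-list in the kernel rather than in the interpreter, which also covers code paths the audit hook cannot see (native extensions, child processes).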

  • Lunacy@lemmy.ml · 16 up / 5 down · 3 years ago

    Hi!

    I personally saw a bit of confusion in the comments. I think you’re missing the point of the article, which is a technical analysis of a piece of software, in this case Linux. He actually is a security researcher and his points in the article are not false, since many other security researchers have the same view about Linux, including:

    • Brad Spengler, the developer of the most extensive kernel hardening patchset in existence and inventor of many widely used exploit mitigations along with pipacs (including ASLR, W^X, CFI, etc.):

    https://grsecurity.net/10_years_of_linux_security.pdf

    https://grsecurity.net/~spender/interview_notes.txt

    https://nitter.net/grsecurity/status/1249850031357788162

    https://nitter.net/spendergrsec/status/1308734202330963970

    https://nitter.net/spendergrsec/status/1308762791734632454

    • Kees Cook, Alexander Popov and more prominent Kernel Self-Protection Project members:

    https://www.youtube.com/watch?v=v7_mwg5f2cE

    • Daniel Micay, lead developer of GrapheneOS (formerly CopperheadOS), hardened_malloc, linux-hardened, etc.:

    https://www.reddit.com/r/GrapheneOS/comments/bddq5u/os_security_ios_vs_grapheneos_vs_stock_android/ekxifpa/

    • Dmitry Vyukov, another prominent Linux security developer:

    https://events19.linuxfoundation.org/wp-content/uploads/2017/11/Syzbot-and-the-Tale-of-Thousand-Kernel-Bugs-Dmitry-Vyukov-Google.pdf

    https://github.com/ossf/wg-securing-critical-projects/blob/main/presentations/The_state_of_the_Linux_kernel_security.pdf

    • Joanna Rutkowska, founder of QubesOS and author of many well-known security papers:

    https://nitter.net/rootkovska/status/1136220742662664193

    https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html

    • Jon Oberheide, co-founder of Duo Security:

    https://jon.oberheide.org/files/syscan12-exploitinglinux.pdf

    • Solar Designer

    https://www.openwall.com/lists/oss-security/2020/10/05/5

    Now, of course this doesn’t mean that madaidan and the other people I “quoted” are promoting closed source instead of open source, they simply did a security analysis on Linux.

    Madaidan himself uses Linux and he has said many times how much he loves Linux and how much he hates Windows.

    • snek_boi@lemmy.ml · 8 up · 3 years ago (edited)

      First of all, thanks for sharing this. I also found their text a couple of days ago, and was thrown off by it. It’s both enlightening and slightly scary. I really want FLOSS’s flourishing to be not only a personal wish upon the world, but to result in an objectively securer world. However, I think Madaidan successfully lets us see the proactive approaches towards security that Windows and macOS have adopted, as well as the concrete ways in which those manifest. But some people are highly critical of them. That threw me off further. So here we are, thrown off and wanting to talk about it to sort it out to the extent that we can.

      My opinion of them has to be prefaced by two disclaimers that frame it. First, I think it’s perfectly possible for us to recognize the truth as well as wish for a different reality. Second, there is an objective reality that is always filtered through our perspectives. This means we can’t play the ‘God trick’ of claiming all truth nor claim knowledge is 100% relative; rather, knowledge is positioned.

      So back to Madaidan. Do we want to dismiss a clearly-laid-out and valid argument because it doesn’t align with our expectations (e.g. “FLOSS is securer. Linux is FLOSS. Therefore, Linux is securer”)? The answer depends on whether we feel comfortable with the world not aligning with our perspective. Similarly, the criticisms I’ve seen of him are mainly about their “racist” views, their censorship of others, and their promotion of non-FLOSS software. Some of these are not light accusations, and they have implications for the interpretation of his arguments. For example, are they aiming for FUD for people to trust Linux less? Maybe, but I can’t help but notice that the criticisms levied against them are not directly dealing with the validity of their claims, but rather are about their personal characteristics and their behavior.

      This is where the positioning of knowledge is important. It’s perfectly possible for someone to be a bigot and yet make a valid argument. The value-laden goals that motivate someone to argue something (e.g. ‘racial superiority’ [sic] justifying racism, or freedom justifying open licensing) are important to know whether to be skeptical or to ease our guard. But until a validity threat weakens the argument, an argument that is well crafted is valid. Even Hitler could validly argue that the Earth rotates around the Sun and not the other way around. I’m not defending people worth condemning. I’m trying to get at the golden nuggets of truth that can be found if we’re willing to accept a world that is different to what we want.

      So, is there truth in what Madaidan says? I certainly think their arguments in the Linux post are valid. I am also perfectly willing to search for and accept others’ validity threats to their argument, a search spurred by the context of accusations against them. For example, the discussion regarding sandboxing, present in a couple of different comments, is precisely the kind of discussion that we should be having to untangle this whole thing!

      Finally, I think it’s valuable to give fodder to accept the worst case scenario. That scenario is Linux indeed having poorer security in many respects compared to Windows and MacOS. If anything, this kind of open discussion about Linux’s security approach is precisely what is great about FLOSS! I had never heard about these problems in Linux’s security model, but in the past week I’ve found Madaidan’s article three times in three entirely different contexts. I think they’re turning a lot of heads. Hopefully that will spur changes in Linux for the better. It could be improved systematically with the insights that have been garnered for the past couple of decades.

      • JustEnoughDucks@lemmy.ml · 2 up · 3 years ago (edited)

        I think a big distinction that must be made would be acknowledging the problem vs. a proposed solution. I think that is where the internal motivations make more of an impact.

        Linux devs can agree that there exists a problem while not agreeing on a solution. Perhaps Madaidan has been more criticized because his possibly bad motivations would influence the solution, not just recognition of the problem? As the above poster said, many other security experts have released similar reports; why is this one turning so many more heads than those?

        Perspective of a non-security expert, by far. I don’t understand everything in the article, but it was relatively well simplified for the common power user I think.

        Also, a specific question: are his points about sudo insecurity mostly mitigated by the better security of Wayland? Is there a better way to secure sudo, or would that significantly reduce usability?

        • pinknoise@lemmy.ml · 1 up · 3 years ago (edited)

          keylogging mostly mitigated by the better security of Wayland?

          Yes and no, programs can’t keylog or record the screen of other programs via the Wayland interface as they can in X. Wayland (and PipeWire) have mechanisms for access control built in. That’s a good start, but it’s pretty useless if you don’t have proper access control / “sandboxing” for the other parts of your system. I remember reading some PoC code for a Wayland keylogger that just injected a library (edit: into user programs) and there are probably some other (more creative) ways to do it.

      • Lunacy@lemmy.ml · 3 up / 2 down · 3 years ago (edited)

        Thank you for your reply, it’s quite impressive! I agree with you. Just one thing:

        Similarly, the criticisms I’ve seen of them are mainly about their “racist” views, their censorship of others, and their promotion of non-FLOSS software. Some of these are not light accusations, and they have implications for the interpretation of his arguments. For example, are they aiming for FUD for people to trust Linux less? Maybe, but I can’t help but notice that the criticisms levied against them are not directly dealing with the validity of their claims, but rather are about their personal characteristics and their behavior.

        The reason why I wrote my first comment is because every time this article appears on the internet there are some people full of anger who spread misinformation about madaidan and/or miss his point. For instance, some people say that he is racist. While this is a really heavy accusation, it’s quite obvious he is not. Everyone can easily check whether this is true or not by joining his community - which is only spite, he was never part of the nogoolag -.

        Personally, I really like Linux and the ideology behind it. I actually think it’s important to understand Linux’s possible flaws in order to make it better in the future. Being in denial mode is not a good approach in my opinion.

        Again, thank you. It’s really nice to debate peacefully without involving hate. :)

    • federico3@lemmy.ml · 2 up · 3 years ago

      These statements can be profoundly misleading when taken without context.

      Security is complex and multi-faceted. It needs to be understood with the proper context:

      • what type of user are we protecting: skilled, unskilled, an entire company? An entire nation?
      • what type of data are we protecting: a database? The user email address, browsing activity, connection metadata?
      • what is the threat model or the attacker: a simple email scam? Surveillance from big companies? Targeted attack from a nation state?

      The majority of security breaches are surprisingly low-tech (phishing, guessable passwords, stalkerware, built-in telemetry).

      Without context an article that goes “Linux being secure is a common misconception in the security and privacy realm.” can easily fuel FUD.

  • Dessalines@lemmy.ml · 12 up / 2 down · 3 years ago

    Other kernels, such as the Windows and macOS kernels, are somewhat similar too, in that they are also large and bloated monolithic kernels with huge attack surface, but they at least realise that these issues exist and take further steps to mitigate them. As an example of this, Windows has historically been plagued by vulnerabilities within its font parsing code so in response, Microsoft moved all font parsing out of the kernel and into a separate, heavily sandboxed user space process, restricted via AppContainer. Windows also implemented a mitigation to block untrusted fonts from specific processes to reduce attack surface. Similarly, macOS moved a substantial portion of its networking stack — the transport layer — from the kernel into user space, thereby significantly reducing remote kernel attack surface and the impact of vulnerabilities in the networking stack. Linux, however, does not focus on such systemic approaches to security.

    This one is particularly funny, combined with the idea that they think Windows or macOS is more sandboxed than Linux. For years, Internet Explorer was so tightly integrated into Windows that clicking a browser link could install malware that would affect your entire filesystem, steal all your registry and system data, and even cause your OS not to boot. In the mid 1990s, identity theft was exacerbated by the fact that Microsoft, rather than fix bugs, would sue the people publishing the bugs.

    • snek_boi@lemmy.ml · 7 up · 3 years ago

      Ouch. Microsoft used to sue people instead of fixing bugs? What a way of guaranteeing insecurity in the long run!

      I wonder if the whole “Microsoft moved all font parsing out of the kernel” as well as the “macOS moved a substantial portion of its networking stack - the transport layer- from the kernel into user space” happened after the “years [in which] internet explorer was so tightly integrated into windows”. You could both be right. The quote of his actually supports your point: “Windows and Mac kernels are somewhat similar too, in that they are also large and bloated kernels. […] Windows has historically been plagued by vulnerabilities within its font parsing code.”

      So what I understand is that you’re right that it’s funny to think that macOS and Windows were more sandboxed than Linux. Based on his quote, it appears as if this has recently changed, at least in the examples given and the general “systemic approach” to security.

  • ericbuijs@lemmy.ml · 8 up / 1 down · 3 years ago

    First of all I’m no security expert, but I do know that security is relative. I’ve yet to see an objective scientific approach that can compare the security models of GNU/Linux and Windows (or any other OS). This could, given a proper experimental setup, provide objective data to substantiate that a certain Linux installation or distribution (or Windows for that matter) is secure (or insecure) in comparison. Understandably this scientific approach is very difficult to define given the numerous variables one has to include in this experiment. Until then we have to settle with self-proclaimed security experts that argue, perhaps even rightfully, why one system or the other is (in)secure, often leading to endless debates without a decisive clear outcome.

    As a sidenote. It’s funny that the author, while describing the lack of sandboxing applications in Linux, puts Linux against ChromeOS while the latter is a Gentoo Linux-based operating system.

    And another one. Any OS is as secure as its user.

  • brombek@lemmy.ml · 6 up · 3 years ago

    Yeah, would be nice to have some of the mitigations in Linux but in practice these are not needed when you don’t run malware on your system by default and keep the attack surface small. And if you do run malware or have the system full of crazy bloat (just look at the MSHTML exploit) then no amount of sandboxing or hardening is going to help you.

    • MarcellusDrum@lemmy.ml (OP, mod) · 4 up / 1 down · 3 years ago

      I think this has worked till now because:

      1. Linux’s user base is small, so it isn’t very attractive to malware developers.

      2. Linux’s userbase is mostly tech savvy people, who don’t do stupid stuff.

      But the question is, does it scale up if Linux became mainstream and popular among the tech illiterate?

      • poVoq@lemmy.ml · 7 up · 3 years ago

        If the Linux desktop is used like Windows (downloading and running random malware from the internet as the default way to install apps) it is about as secure as Windows, meaning not at all…

        Is this the fault of the Kernel developers and should they add a lot of security bloat that at best mitigates this issue a bit? I don’t think so.

      • Helix 🧬@feddit.de · 6 up / 1 down · 3 years ago

        Linux’s user base is small, so it isn’t very attractive to malware developers.

        Linux’s user base is huge and there has been lots of malware for all kinds of devices, e.g. Linux routers. I think what you meant was that the market share of GNU/Linux on desktop devices is pretty small.

        Linux’s userbase is mostly tech savvy people, who don’t do stupid stuff.

        Both of these assumptions are false:

        • There’s a difference between being an active administrator of a Linux system and not even knowing you run Linux.
        • Tech savvy people do stupid stuff all the time, just nobody catches them doing it because most of the time they don’t go around telling people (they can usually fix it themselves).
      • brombek@lemmy.ml · 2 up · 3 years ago

        Yes, and I hope “the day of the Linux desktop” never comes due to this :D Well, you can see what happens where these two do not hold with Linux, just look at Android and ChromeOS. Would the community jump on the mitigations/sandboxing side of things the same way Google did?

        Linux is secure thanks to the way it is used and developed. If you change the way it is used, the whole security model changes and it would not be as secure as, for example, Android in the same use cases.

  • AceKat@lemmy.ml · 5 up · 3 years ago

    Before reading it I thought it was another poorly written blog post, but it actually brings up great points

  • Kromonos@fapsi.be · 6 up / 2 down · 3 years ago

    A system is only as secure as it is set up to be. Even Windows can be secure. Most of those who make such claims that a system is insecure have, in most cases, never really taken a look into it.

    • Bilb!@lemmy.ml · 4 up · 3 years ago

      This is true, but I think if Linux was designed today it would have a permissions model similar to something like Android from the start. Every app would need explicit permission to access data and hardware, etc.

      • poVoq@lemmy.ml · 1 up · 3 years ago

        That doesn’t really help much. A person installing some random un-trustworthy .apk on their Android device is also just going to approve the app permission request.

        • Bilb!@lemmy.ml · 2 up · 3 years ago

          It would be useful to a more security/privacy minded person though. There’s not much you can do to protect people from themselves.

    • federico3@lemmy.ml · 3 up · 3 years ago

      The article is indeed one-sided and often makes exaggerated claims.

      One example: "This is in contrast to a rolling release model, in which users can update as soon as the software is released, thereby acquiring all security fixes up to that point. "

      This ignores the fact that new releases are the only source of new vulnerabilities.

      Plus, new vulnerabilities are still to be reported. A 0-day in the wild is usually worse than a published vulnerability: at least you can learn about the latter and take decisions on how to handle it.

      • Echedenyan@lemmy.ml · 2 up · 3 years ago

        They also ignore the effort of some distributions to backport fixes to their supported version of the software, as well as promoting the maintenance-mode or ESR releases of software.

  • Echedenyan@lemmy.ml · 7 up / 5 down · 3 years ago (edited)

    This guy is a GrapheneOS (which supports Goolag Walled Garden) and proprietary shit.