..::[FReeZ's WebLog]::..

GNU/Linux Being Attacked More

With the userbase of this successful free operating system constantly growing, an increasing number of companies and individuals doing security research are putting real effort into discovering its hidden flaws. I now have to patch and rebuild applications almost daily, since vulnerabilities are disclosed more frequently than ever before. The situation is not improving, yet users still feel safe just because they run a non-mainstream OS. I'm going to describe decent protection mechanisms to prepare for the next decade.

Preface

The solution may be a set of patches, namely a hardened toolchain together with SELinux and PaX. Between them these provide W^X (no memory segment is both writable and executable), randomization of where the stack, heap and libraries land in the address space (ASLR), resource limits, and a stack canary which triggers process termination as soon as somebody overwrites it. To be precise about which piece does what: PaX supplies the non-executable pages and the randomization, the hardened compiler (ProPolice, -fstack-protector) inserts the canaries, and SELinux adds mandatory access control on top rather than any memory protection.

Abstract

An attacker first has to find a memory segment which is not only executable but also writable, or else fall back on reusing code that is already mapped (return-into-libc style attacks), which is where the randomization comes in: the addresses of the heap, stack and libraries change with each execution and have to be guessed. Finally the canaries must not be touched, as overwriting one triggers a signal that terminates the process. With all this in place, running unpatched programs is presumably acceptable as long as they are not exposed remotely.
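The mechanisms above are easy to check on a live box. What follows is an added example (mine, not code from this post or from the PaX/ProPolice projects): it audits a process's memory map for regions that break W^X, using the Linux /proc/<pid>/maps line format with a constructed sample dump, and it models the compiler-inserted stack canary so the "overwrite it and the epilogue check fails" behaviour can be seen directly. The CANARY constant, the struct layout and all function names are my assumptions for the model; a real guard is a random per-process value and the real check aborts instead of returning a status.

```c
/* Added example, not part of the original post: a small W^X audit of a
 * process's memory map plus a software model of the SSP stack canary.
 * Assumptions (mine, not the post's): a Linux-style /proc/<pid>/maps
 * format for the audit; the sample map below is constructed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed sample in /proc/<pid>/maps layout. Only the [jit] region is
 * mapped rwx, so a W^X policy such as PaX MPROTECT would have refused it. */
static const char SAMPLE_MAPS[] =
    "55d5c0a00000-55d5c0a01000 r--p 00000000 08:01 1234 /usr/bin/x\n"
    "55d5c0a01000-55d5c0a02000 r-xp 00001000 08:01 1234 /usr/bin/x\n"
    "7f1c2a000000-7f1c2a021000 rw-p 00000000 00:00 0 [heap]\n"
    "7f1c2b000000-7f1c2b001000 rwxp 00000000 00:00 0 [jit]\n"
    "7ffd4c000000-7ffd4c021000 rw-p 00000000 00:00 0 [stack]\n";

/* One maps line: "<start>-<end> <perms> <offset> <dev> <inode> <path>".
 * The perms field follows the first space and reads like "rwxp"; a
 * mapping violates W^X when both the 'w' and the 'x' bits are set. */
static int line_is_wx(const char *line, size_t len)
{
    const char *sp = memchr(line, ' ', len);
    if (sp == NULL || (size_t)(sp - line) + 4 > len)
        return 0;                       /* malformed or truncated line */
    return sp[2] == 'w' && sp[3] == 'x';
}

/* Count rwx mappings in a maps dump held in memory. */
int count_wx_mappings(const char *maps_text)
{
    int wx = 0;
    const char *line = maps_text;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        wx += line_is_wx(line, len);
        line = eol ? eol + 1 : line + len;
    }
    return wx;
}

/* Audit the running process. Returns -1 if /proc is unavailable (e.g. on
 * a non-Linux host), otherwise the number of rwx regions; 0 is what a
 * W^X-enforced process should report. */
int audit_self(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[1024];
    int wx = 0;
    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL)
        wx += line_is_wx(line, strlen(line));
    fclose(f);
    return wx;
}

/* Model of the canary that a hardened gcc (ProPolice/-fstack-protector)
 * places between a function's buffers and its saved return address. The
 * real guard is a random per-process value checked in the function
 * epilogue, which aborts; here it is a constant and the check returns a
 * status so the behaviour can be asserted on. */
#define CANARY 0x5ac3a7e9u

struct guarded_frame {
    char     buf[16];   /* the vulnerable buffer */
    uint32_t canary;    /* sits right after it, as the guard would */
};

/* Copies n bytes into the 16-byte buffer with no bounds check (the bug),
 * then performs the epilogue-style canary check. Returns 0 when the guard
 * survived and 1 when the copy clobbered it. The copy goes through a char
 * pointer and is capped at the frame size so the model stays defined C. */
int copy_then_check(const char *src, size_t n)
{
    struct guarded_frame g;
    unsigned char *p = (unsigned char *)&g;
    size_t i;
    g.canary = CANARY;
    if (n > sizeof g)
        n = sizeof g;
    for (i = 0; i < n; i++)
        p[i] = (unsigned char)src[i];   /* overruns buf once i >= 16 */
    return g.canary != CANARY;
}

int main(void)
{
    printf("rwx regions in sample map: %d\n", count_wx_mappings(SAMPLE_MAPS));
    printf("rwx regions in this process: %d\n", audit_self());
    printf("16-byte copy clobbers canary: %d\n",
           copy_then_check("0123456789abcdef", 16));
    printf("20-byte copy clobbers canary: %d\n",
           copy_then_check("AAAAAAAAAAAAAAAAAAAA", 20));
    return 0;
}
```

Run it on a PaX box and audit_self should report 0; on a stock kernel any JIT (a browser, a JVM) is the usual source of a non-zero count. The canary half shows why the overflow in copy_then_check is caught only once the write runs past the buffer: a 16-byte copy leaves the guard intact, a 20-byte one does not.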


If even 5% of GNU/Linux users actually have these protections, it exceeds my expectations and surprises me. Basically, users prefer a binary distribution such as *buntu, leaving themselves vulnerable most of the time.

When asked what their key to security is, they just say "Stop using crappy software!". As a matter of fact, all software is more or less crappy. Not even software written by security experts, such as OpenSSL, is vulnerability-proof. Imagine your GNU/Linux box as billions of lines of unprotected C code. Let's admit it has buffer overflows, memory leaks, information disclosures, denials of service, format-string vulnerabilities and privilege escalations.

Switching to a "hardened toolchain" with SELinux and PaX doesn't necessarily solve everything. Only gcc-3.x.x actually has the appropriate hardened-toolchain patches, and that project seems to have been officially dead for quite some time. New software often won't compile with gcc3, so you end up running an only partially hardened system, possibly with proprietary software included that nobody has full control over. Adobe Flash Player, for example, is in that category.

So far, I found OpenBSD being the best solution available. It's secure by default and doesn't require any extra hassle to keep serving you. Its slogan is "Only two remote holes in the default install, in more than 10 years!".

Assets of OpenBSD

Dealing with bloated code

When something sucks in GNU/Linux or Windows, developers usually add a new layer of abstraction on top of it, making it more bloated and slower. OpenBSD is different. Its developers rewrite bad code (often completely from scratch), keeping it well-designed and maintainable all the time.

It's wonderful to see, for example, how neat its Makefiles are compared to GNU autotools, which produce a ./configure script and Makefile longer than the entire code of the application.

Disadvantages of real-world security

Needless to say, strong security applied in practice also has some cons. The first is performance, which is always somewhat affected by the extra work the protections do. Another is compatibility, as proprietary software has no chance of running on such a system.

OpenBSD compared to GNU/Linux

I've used OpenBSD in dual-boot with Gentoo GNU/Linux for quite some time and I'm seriously considering whether or not to leave GNU/Linux completely. It's not only because of security. I'd love to have clean and small source code, like OpenBSD offers. Another point is that Linux developers don't care about security. I can often find out details about new flaws only from the changelog released with a new version. Linux uses proprietary blobs in its drivers and doesn't seem to be changing that strategy.

With *buntu/deb, you just have Windows #2. Other distributions will be assimilated soon, or their userbase will drop to unpleasant numbers.

Different approach

Another possible solution may be isolating an insecure OS in a virtual environment such as VirtualBox or VMware. It's easy to let it access only public data while keeping private data inaccessible, though the isolation is only as good as the hypervisor underneath it. Again, one of its cons is performance.


Conclusion

It's just a matter of time before attackers migrate to GNU/Linux and start exploiting insecure boxes in the wild. What's your strategy to be prepared?

OpenBSD resources: Exploit Mitigation Techniques






Comments

[1] orgthingy
2009-04-12 16:30:32
RE: GNU/Linux Being Attacked More

It was always targeted, yet safe. For example, it was always targeted by server-edition hackers, and note that Linux servers use the same kernel as desktop kernels, so things won't really change; it's secure by design..

based on false claims, really..

[2] --==[FReeZ]==--
2009-08-18 16:54:41
RE: GNU/Linux Being Attacked More

Months after my article, all major security news outlets are full of extreme vulnerabilities that affect all GNU/Linux systems. GNU/Linux is now proven insecure even with all its security features enabled at their absolute maximum: http://www.theregister.co.uk/2009/07/17/linux_kernel_exploit/

I have waited for this moment since you dropped your naive, ignorant comment here. GNU/Linux, secure by design? You're a moron.

[3] evo
2009-09-06 21:46:01
RE: GNU/Linux Being Attacked More

It's nothing new that Linux is broken; it's been known to security experts and hackers for years now.... BUT there's a thin line between usability and security. You can't just say Linux and Windows are broken, use OpenBSD. "Well, you can't even play YouTube videos, but you are secure!"

[4] --==[FReeZ]==--
2010-01-10 22:29:34
RE: GNU/Linux Being Attacked More

evo: the mentioned vulnerabilities have not been known for years. They are new. You can play YouTube videos all you like while also staying secure and without junkware such as Adobe Flash -> use greasemonkey + http://userscripts.org/scripts/show/34765

GNU/Linux, Windows and Mac OS are insecure. Use OpenBSD :)



