Linux.com

Feature: Linux

Linux and Windows security compared

By Stacey Quandt on May 25, 2004 (8:00:00 AM)


Security is a perennial concern for IT administrators. Managers need a framework for evaluating operating system security that covers base security, network security and protocols, application security, deployment and operations, assurance, trusted computing, and open standards. In this study, we compare Microsoft Windows and Linux security across these seven categories. The overall finding of this qualitative assessment is that Linux offers security capabilities superior or comparable to those of Windows in every category except assurance -- for now.

The challenge in evaluating Windows and Linux on any criterion is that there is no single version of either operating system. Windows 98, Windows NT, Windows 2000, Windows Server 2003, and Windows CE are only a subset of Microsoft's offerings. Linux distributions vary in the kernel release they are based on (e.g., 2.2, 2.4, or 2.6) and in the versions of the packages they ship. This study evaluates operating system security according to the technology currently available in the market rather than legacy releases.

Users should keep in mind that Linux and Windows differ philosophically in design. Windows is designed to support applications by moving more functionality into the operating system itself and by integrating applications such as the browser and mail client more tightly with it. Linux keeps the kernel narrower and puts application functionality in user space, maintaining a clearer separation between privileged kernel code and user space. This matters because how much more secure either operating system can be made depends on its architecture.

Fundamental changes in Linux and Windows security

For users, the evolution of Linux and Windows has all the trappings of a muscle car drag race. Users may have their favorite but continue to assess the competition. Microsoft has shown a great willingness -- no doubt spurred by industry cynicism and the growing adoption of Linux -- to dedicate massive resources to Windows security. Microsoft will make advances in Windows security within the next few months when it releases Service Pack 2 for Windows XP. The service pack turns off some services by default and adds new patch management tools. For example, the Alerter and Messenger services are turned off, which shuts off the pop-up spam delivered through the Messenger service. In many cases turning off features is good, since it makes a system more secure. The challenge, however, is to enable security without a tradeoff in key functionality or flexibility.

Most notable is Microsoft's focus on enhancing security through improved usability. For example, a number of Windows exploits in 2003 and early 2004 were the result of an email attachment being launched as an executable (e.g., MyDoom). Service Pack 2 introduces an Attachment Execution Service that gives Outlook and Outlook Express, Windows Messenger, and Internet Explorer one common place to handle attachments, reducing the risk of an end user launching a virus or worm. Also, Data Execution Prevention, which marks data pages non-executable on processors that support it, will limit the potential for buffer-overflow exploits. Still, rather than fixing the underlying infrastructure and secure communications of Windows, Microsoft leaves the burden on the user.

Microsoft's focus is clearly on shoring up application security. A number of Service Pack 2 enhancements specifically target Outlook/Exchange and Internet Explorer. For instance, Internet Explorer will check the declared MIME type of downloaded content against the actual content and warn the user when an object is a potentially harmful executable. This raises the question of whether the software will be able to distinguish a virus from a colleague's spreadsheet.

Another new feature in Service Pack 2 is the ability to uninstall browser add-ons, which potentially places more responsibility on the end user, who may have to review many plug-ins and uninstall the right ones. Outlook/Exchange will be able to preview email messages, so a user can delete a message without actually opening it. A further enhancement is a firewall that starts before the network stack comes up, closing the window during boot in which a machine was previously reachable but unprotected. For software developers, the changes to remote procedure call permissions will make it harder to write insecure code.

Service Pack 2 will offer many flashy new features for Windows users, but the question remains: will these features burden system administrators, and possibly end users, with more complexity rather than addressing the security of the Windows operating system code itself?

Open source, shared source

A purely philosophical difference between Linux and Windows is the approach to code transparency. Linux is licensed under the GNU General Public License, which means users may copy, modify, and redistribute the source code. Windows is a closed source operating system, which is why its security methodology is often characterized as "security through obscurity." In 2001, Microsoft responded to the demands of its customers and critics with the Shared Source Initiative, which provides access to Windows source code. Today, the Shared Source Initiative has one million participants, and source code is available for Windows 2000, Windows XP, Windows Server 2003, Windows CE 3.0, Windows CE .Net, and the C#/CLI implementations, as well as components of ASP .Net and Visual Studio .Net. Shared Source Initiative licensees include corporate customers, governments, partners, academics, and individuals.

To a large degree Microsoft's Shared Source Initiative is a policy of "look but don't touch." The rare exception is the Windows CE Shared Source Premium Licensing Program, available to companies bringing Windows CE-based devices and solutions to market. It is the only program under the Shared Source Initiative that gives original equipment manufacturers (OEMs), silicon vendors, and systems integrators full access to Windows CE source code. These licensees have complete access to the source and the right to modify it; however, only OEMs can commercially distribute those modifications in Windows CE-based devices. All other shared source licensees have to travel to Microsoft in Redmond, Wash., to see source code that is not available through the program.

Although some users may find the Shared Source Initiative useful for debugging applications, the requirement to be physically at Microsoft headquarters to do a build is a significant limitation. Despite Microsoft's efforts to add transparency, this inability to build the code makes it difficult, if not impossible, to confirm that the source a reviewer examined is what actually runs in an IT environment.

The restrictions on modifying and recompiling Windows source code also reduce the incentive for people with Shared Source access to look for security vulnerabilities: a reviewer who cannot build and test a fix has little reason to hunt for flaws.

Linux security benefits in the data center and on the desktop

During the next 12 months, Linux will strengthen its hold in the data center and make significant inroads on Microsoft's desktop monopoly. To a large degree this will be the result of new features and functionality in version 2.6 of the Linux kernel. With Linux v2.6, access control in the kernel is modular: a loaded security module can make fine-grained decisions on every access instead of the kernel relying solely on the traditional all-or-nothing superuser model. Linux systems will still support root, which gives a user total access to the system, but it is now possible to build Linux systems that do not follow this model.

Patch management

Related to the design differences between Windows and Linux are the process and complexity of patch management. The number of patches and the time required to test and deploy them can increase operational costs. Other factors affect the ease or difficulty of patching a system, including determining whether a patch is backward-compatible and can be applied without breaking an application.

Patching a Windows system is complicated by the tight integration of the Windows application runtime environment with the operating system. Under Linux, by contrast, the application runtime environment is a user space process and is not part of the operating system. The tight integration of Windows increases the number of potential security exposures; in effect, a Windows server patch is often not an optional feature but a requirement. Adding to the complexity is the variety of Microsoft partners and independent software vendors who provide patch management tools, and the need to evaluate which package works best for a given organization. The number of Windows patches will continue to grow because of the non-trivial nature of exploits like Blaster, Code Red, Sasser, and others. For years, Microsoft security has been the equivalent of using a lawnmower to trim a hedge--if you were careful, you wouldn't lose any limbs.

Patch management under Linux is often easier because of the separation of kernel and user space: a vulnerable application or library is usually fixed by updating one user space package without touching the kernel, though running services must still be restarted to pick up the fix. Although every Linux distribution comes with patch management tools, system vendors and independent software vendors are also releasing third-party tools. BMC, HP OpenView, IBM Tivoli, and Aduva all offer tools to distribute and deploy patches.

Patch management on a Linux system is more transparent than the same process under Windows. Linux distributions publish every change applied to every package, and since Linux is open source, unlike Windows, the history of all of the source code is available without restriction. Linux also offers more flexibility in patching a system from either a GUI or the command line. For example, Ximian Red Carpet's automated dependency and conflict resolution is available through both a Web interface and the command line. Red Hat's system update tool, up2date, works with Red Hat Network to download and install new packages. SUSE uses a process called AutoBuild to produce quality-assured patches and bug fixes.
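
The update tools above all rest on one primitive: deciding whether an installed package is older than the one an advisory says fixes a flaw. The Python below is an added example for this page, not code from up2date, Red Carpet, or rpm itself. It reimplements the core ordering rule of rpm's rpmvercmp (without the tilde and caret extensions later rpm releases added) and applies it to a constructed list of installed packages and a constructed advisory; the package names are in Red Hat style but the version strings are invented.

```python
import re

# rpmvercmp compares runs of digits and runs of letters segment by segment;
# every other character (".", "-", "_", "+") is only a separator.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Order two RPM version or release strings.

    Returns 1 if a is newer, -1 if b is newer, 0 if they are equal, using
    rpm's rules (tilde/caret extensions of newer rpm releases omitted):
      * numeric segments compare as integers, ignoring leading zeros;
      * alphabetic segments compare as plain strings;
      * a numeric segment beats an alphabetic one in the same position;
      * if one string runs out of segments first, the longer one is newer.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return int(epoch), version, release


def evr_cmp(installed: str, fixed: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    e1, v1, r1 = parse_evr(installed)
    e2, v2, r2 = parse_evr(fixed)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def vulnerable_packages(installed: dict, advisory: dict) -> list:
    """Names of installed packages still older than the advisory's fixed EVR."""
    return sorted(name for name, fixed in advisory.items()
                  if name in installed and evr_cmp(installed[name], fixed) < 0)


# Constructed sample data: package names in Red Hat style, version strings invented.
INSTALLED = {"kernel": "2.4.20-8", "openssl": "0.9.7a-20", "httpd": "2.0.40-21"}
ADVISORY = {"kernel": "2.4.20-30.9", "openssl": "0.9.7a-22.0", "httpd": "2.0.40-21"}

if __name__ == "__main__":
    for name in vulnerable_packages(INSTALLED, ADVISORY):
        print(f"{name}: installed {INSTALLED[name]}, fixed in {ADVISORY[name]}")
```

Two points worth noticing when reviewing patch status with such a check: an epoch bump outranks any version string, so advisories that introduce one must be compared as full EVRs, not as bare versions; and under these rules "1.0rc1" sorts newer than "1.0", which is why rpm later added the "~" prefix for pre-release tags. A tool that merely string-compares versions gets both cases wrong and reports patched systems as unpatched or vice versa.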

Fundamental changes in the security capabilities of Windows and Linux are vital since they are the top two operating systems by new server shipments. However, advances in operating system security are only as good as the users who take advantage of them. How secure an IT infrastructure is varies not only with the Linux distribution or Microsoft product and service pack deployed, but also with which patches customers choose to apply.

Another major change in Linux v2.6 is the addition of Linux Security Modules (LSM), a framework that lets additional security mechanisms be added to a Linux distribution without patching the kernel. A variety of access control mechanisms have been built on top of LSM, including the United States National Security Agency's (NSA) Security Enhanced Linux (SELinux). SELinux grew out of the NSA's interest in operating system security and the value of mandatory access controls. NSA researchers worked on the LSM hooks so that type enforcement, role-based access control, and multi-level security could be supported in the v2.6 kernel. Using a scheme known as type enforcement (descended from Domain and Type Enforcement), in which every process runs in a labeled domain and every object carries a labeled type, SELinux can limit the impact of a compromised application or network service by separating applications from each other and from the base operating system.

SELinux itself, with its fine-grained labeling of processes, files, and other kernel objects, has been merged into the v2.6 kernel. Other vendors have built on the NSA's work as well. For example, Immunix offers a set of products including StackGuard, a compiler extension that detects stack-smashing overflows, and SubDomain, an LSM module that confines a process to an explicit profile of the files and capabilities it may use. Red Hat has announced that SELinux will be a major part of the security architecture in Red Hat Enterprise Linux 4.

With SELinux enabled and a policy loaded, Linux has a powerful, flexible mandatory access control architecture built into the major subsystems of the kernel. The policy mandates the separation of data based on confidentiality and integrity requirements, so the damage a compromised process can do, even one running as the superuser, is confined to what its domain is allowed. The caveat is that this confinement is only as good as the policy: a domain left unconfined, or a system switched to permissive mode, gives up the protection.
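
To make the type enforcement decision concrete, here is an added Python example (not part of the original article and not SELinux's own code) covering two things practitioners do daily with SELinux: it parses AVC denial records from the audit log into the (source domain, target type, class, permissions) tuple the kernel actually decided on and aggregates them into candidate allow rules the way audit2allow does, and it includes a toy access-check function showing why the "root" identity plays no part in a type enforcement decision. The audit lines, contexts, and policy rules are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed AVC records in the format the kernel writes to the audit log
# (sample data for this example, not captured from a real system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1085469600.101:17): avc:  denied  { read } for  pid=2041 comm="httpd" name="index.html" dev=hda3 ino=98311 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1085469600.102:18): avc:  denied  { write } for  pid=2041 comm="httpd" name="index.html" dev=hda3 ino=98311 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1085469601.500:19): avc:  denied  { name_connect } for  pid=2041 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=AVC msg=audit(1085469602.000:20): avc:  denied  { read } for  pid=2099 comm="cat" name="shadow" dev=hda3 ino=4123 scontext=root:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1085469602.000:20): arch=40000003 syscall=5 success=no exit=-13 comm="cat"
"""

_AVC = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context: str) -> str:
    """Third field of user:role:type[:level] is the type (the domain, for a process)."""
    return context.split(":")[2]


def parse_avc(line: str):
    """Return (source domain, target type, class, permissions) for one denial, else None."""
    m = _AVC.search(line)
    if m is None:
        return None  # not an AVC denial (e.g. the accompanying SYSCALL record)
    return (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"],
            frozenset(m["perms"].split()))


def suggest_allow_rules(audit_log: str) -> list:
    """Aggregate denials into TE allow rules, as audit2allow does.

    Every rule returned needs review: a denial is evidence that the policy
    blocked something, not that the access should be granted.
    """
    wanted = defaultdict(set)
    for line in audit_log.splitlines():
        parsed = parse_avc(line)
        if parsed:
            sdomain, ttype, tclass, perms = parsed
            wanted[(sdomain, ttype, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(wanted.items())]


class TePolicy:
    """Toy type-enforcement decision function: access is permitted only if an
    allow rule exists for (source type, target type, class, permission).
    The user and role fields, "root" included, do not enter the decision."""

    def __init__(self):
        self._allowed = defaultdict(set)

    def allow(self, sdomain, ttype, tclass, perms):
        self._allowed[(sdomain, ttype, tclass)].update(perms)

    def check(self, scontext, tcontext, tclass, perm) -> bool:
        key = (type_of(scontext), type_of(tcontext), tclass)
        return perm in self._allowed[key]


def build_web_policy() -> TePolicy:
    """Constructed policy fragment: the web server domain may read web content only."""
    policy = TePolicy()
    policy.allow("httpd_t", "httpd_sys_content_t", "file", {"read", "getattr"})
    return policy


if __name__ == "__main__":
    for rule in suggest_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against the sample log, the aggregator emits three rules, one of which would let httpd_t read shadow_t. That rule is exactly the kind of thing the confinement exists to stop: the right response to the fourth denial is to leave it denied, not to load the generated rule. The access check in TePolicy shows the other half of the point made above: a process labeled root:system_r:httpd_t is refused shadow_t just as a system_u one is, because only the type pair is consulted.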

Linux v2.6 also provides cryptographic support with the addition of a kernel cryptographic API, used by its IPSec implementation. It supplies multiple algorithms (e.g., SHA-1, MD4, HMAC, DES, Triple DES in EDE mode, and Blowfish) for network and storage encryption; MD4 and single DES are there for compatibility and are not suitable for new deployments. Linux's support for the IPSec protocols over both IPv4 and IPv6 is a significant advance. Because IPSec protects traffic below the application layer, applications get confidentiality and integrity on the wire without implementing their own transport security, and so are less exposed to exploits of home-grown crypto. Cryptographically signed modules are not yet a part of Linux, but if the issues around implementing such a feature can be resolved it will be useful in preventing unsigned modules from being loaded into the kernel.
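
As an added example of the integrity side of IPSec (not from the article and not the kernel's code), the Python below implements HMAC-SHA-1-96 as RFC 2404 specifies it for ESP and AH, frames a simplified ESP-style datagram (SPI, sequence number, payload, 96-bit ICV; the encryption step is omitted so the integrity check stands alone), and verifies it with a constant-time comparison and a basic anti-replay check. It validates itself against the first HMAC-SHA-1 test vector from RFC 2202. The SPI value and key bytes are made up for the example.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # 96-bit truncated authenticator (RFC 2404)
KEY_LEN = 20   # RFC 2404 fixes the HMAC-SHA-1-96 key length at 160 bits


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-1 truncated to its leftmost 96 bits, as ESP and AH carry it."""
    if len(key) != KEY_LEN:
        raise ValueError("HMAC-SHA-1-96 requires a 160-bit key")
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build an ESP-style datagram: SPI, sequence number, payload, ICV.

    The ICV covers everything before it, so neither the payload nor the
    sequence number can be altered in transit without detection.
    """
    authenticated = struct.pack(">II", spi, seq) + payload
    return authenticated + hmac_sha1_96(key, authenticated)


class Receiver:
    """Inbound SA state: the key plus the highest sequence number accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def verify(self, packet: bytes):
        """Return the payload if the ICV and sequence number check out, else None."""
        if len(packet) < 8 + ICV_LEN:
            return None
        authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac_sha1_96(self.key, authenticated)
        # Constant-time comparison: a byte-by-byte early exit would let an
        # attacker learn the correct ICV one byte at a time from timing.
        if not hmac.compare_digest(icv, expected):
            return None
        spi, seq = struct.unpack(">II", authenticated[:8])
        if seq <= self.last_seq:
            return None  # replayed or reordered; a real SA uses a sliding window
        self.last_seq = seq
        return authenticated[8:]


def flip_bit(packet: bytes, byte_index: int) -> bytes:
    """Simulate on-the-wire corruption or tampering of one byte."""
    b = bytearray(packet)
    b[byte_index] ^= 0x01
    return bytes(b)


# RFC 2202 test case 1: key = 20 bytes of 0x0b, data = "Hi There".
RFC2202_KEY = b"\x0b" * 20
RFC2202_DATA = b"Hi There"
RFC2202_DIGEST96 = "b617318655057264e28bc0b6"

if __name__ == "__main__":
    assert hmac_sha1_96(RFC2202_KEY, RFC2202_DATA).hex() == RFC2202_DIGEST96
    key = bytes(range(20))          # made-up SA key
    rx = Receiver(key)
    pkt = protect(key, 0x1000, 1, b"hello")
    print("genuine:", rx.verify(pkt))
    print("replayed:", rx.verify(pkt))
    print("tampered:", rx.verify(flip_bit(protect(key, 0x1000, 2, b"hello"), 8)))
```

The sequence number is inside the authenticated region, which is what makes the replay check meaningful: an attacker cannot take an old datagram and renumber it. The example's "highest sequence seen" rule is stricter than the real ESP anti-replay window, which tolerates bounded reordering; it is enough to show the property.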

One of the issues that continues to plague Windows users is the buffer overflow. Linux users will appreciate the Exec Shield patch, which Red Hat maintains for the 2.6 kernel (it is not part of the mainline kernel). Exec Shield marks the stack and other data areas non-executable and randomizes where a process's segments are mapped, which defeats many exploits that try to overwrite data structures or inject code into them. Because a recompile is not required for Exec Shield to protect existing binaries, it is easy to deploy. Also, the addition of a preemptible kernel, also in v2.6, reduces latency, which is likely to drive the use of Linux not only in the data center but also for applications that require a deterministic kernel with soft real-time capabilities.
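
Whether a given binary actually ends up with a non-executable stack depends on the PT_GNU_STACK program header the toolchain writes: if the header is present with the execute flag clear, the kernel maps the stack non-executable; if the flag is set, or the header is missing, the binary keeps an executable stack under the architecture's legacy default. The Python below is an added example (not code from the article or from Exec Shield) that reads that header from an ELF image; so that it can be exercised offline, it also constructs skeletal, non-runnable x86-64 ELF images with each marking. readelf -lW and execstack -q perform the same check on real binaries.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header type the kernel consults for stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def stack_policy(elf: bytes) -> str:
    """Classify an ELF image (32- or 64-bit, either endianness) by PT_GNU_STACK.

    Returns "non-executable", "executable", or "unmarked" (no header present,
    so the kernel falls back to its legacy default for the architecture,
    historically an executable stack on x86).
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if elf[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if elf[4] == 2:                            # EI_CLASS: 2 = ELF64
        phoff, = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
        flags_off = 4                          # p_flags follows p_type in Elf64_Phdr
    else:                                      # ELF32
        phoff, = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
        flags_off = 24                         # p_flags is the 7th field in Elf32_Phdr
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(end + "I", elf, base + flags_off)
            return "executable" if p_flags & PF_X else "non-executable"
    return "unmarked"


def scan_file(path: str) -> str:
    """Apply the check to an on-disk binary, e.g. scan_file("/bin/ls")."""
    with open(path, "rb") as f:
        return stack_policy(f.read())


def minimal_elf64(gnu_stack_flags=None) -> bytes:
    """Construct a skeletal (non-runnable) x86-64 ELF with one PT_LOAD header
    and, if flags are given, a PT_GNU_STACK header carrying them.
    Built only so the parser can be tested offline."""
    phdrs = [(1, PF_R | PF_X, 0, 0x400000, 0x400000, 0, 0, 0x1000)]   # PT_LOAD
    if gnu_stack_flags is not None:
        phdrs.append((PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    header = struct.pack("<16sHHIQQQIHHHHHH", ident,
                         2, 62, 1, 0x400000,    # ET_EXEC, EM_X86_64, version, entry
                         64, 0, 0,              # phoff right after the header, no sections
                         64, 56, len(phdrs), 64, 0, 0)
    return header + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    print("RW  stack:", stack_policy(minimal_elf64(PF_R | PF_W)))
    print("RWX stack:", stack_policy(minimal_elf64(PF_R | PF_W | PF_X)))
    print("no header:", stack_policy(minimal_elf64()))
```

Binaries that come back "executable" or "unmarked" are the ones Exec Shield and NX cannot help on their own; typically they were built with old tools or link in an object (often hand-written assembly) lacking a .note.GNU-stack section, and the fix is to rebuild or to clear the flag with execstack once the code is known not to need it.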

Many Linux users depend on non-open source drivers and other binary modules from hardware manufacturers and systems providers. Although adding such drivers and modules is often useful, it is not necessarily beneficial to the operation of a Linux system: a binary module can, for example, overwrite entries in the system call table and change how every process enters the kernel. The v2.6 kernel provides some protection by no longer exporting the system call table to modules and by marking the kernel as tainted when a non-GPL module is loaded, so that the source of a crash can be identified. These measures promote stability, but they add no security restriction that would stop a determined attacker from writing a malicious module; a loaded module runs with full kernel privilege and can locate the system call table by other means.

Perhaps one of the most innovative developments for Linux users is User-mode Linux (UML), a port of the Linux kernel that runs as an ordinary user space process on a host Linux machine. UML has a number of advantages, but its most compelling attribute is its use as a virtual machine. Since processes inside a UML instance have no direct access to the host system, it can be used as a sandbox to test software, run unstable distributions, and examine activities that would otherwise put the host at risk. The isolation is only as strong as the host's configuration, however: a UML instance given access to host files or devices can still reach them, and the UML kernel itself is just a host process that should run unprivileged. UML will eventually lead to a fully virtualized environment for security infrastructure.

Next: Key findings: Linux vs. Windows security capabilities


Comments

on Linux and Windows security compared


Missed one in base security

Posted by: Anonymous Coward on May 25, 2004 09:40 PM
Windows has GINA, which is roughly equivalent to PAM.


Roughly Equiv?

Posted by: Anonymous Coward on May 26, 2004 01:22 AM
PAM, as the name implies, is a module. You can add all kinds of supplementary code to PAM and even change the order in which things are evaluated. Extremely powerful and well written.


GINA, on the other hand, is a lame attempt at the same thing. To change it you have to bring in an entirely new DLL. You can't just edit an existing config file and use existing code for verification as you can with PAM. This requires a Registry change or a DLL file change. Screw either of them up and you are toast. Screw up PAM and it will require a CD reboot at worst, but you can recover in less than 5 minutes.


I suppose they are roughly the same if you think a tricycle and a car are roughly the same. (For old timers: think of the Laugh-In show where the guy pedals three times and falls over.) Sure don't know how Win managed to get EAL-4.


Re:Roughly Equiv?

Posted by: Anonymous Coward on May 26, 2004 06:36 AM
You can do the exact same fix in NT/2K/XP, just CD boot, and use the recovery tools to change the registry and delete the file.

The LSA also allows the registration of packages to be used in authentication. This is more complex than GINA but closer to what PAM is. Requiring a reboot, of course :-/


Re:Missed one in base security

Posted by: Anonymous Coward on May 26, 2004 10:06 AM
When I attended the System/Software Technology Conference last month, there was a presentation on getting an EAL-4 for the Microsoft platform. Well, it didn't make EAL-4 cert., but it did make EAL-3+. And along the same line, Red Hat was taking Linux 2.6 through the process and was at EAL-3, and is now in the process of going through the cert. for EAL-4, and they said they probably would have it before the year was out. They both said that due to the way the OS works neither could ever get EAL-7 cert., and Microsoft could go no higher than an EAL-3+ unless Microsoft redesigned the OS.


Small correction

Posted by: Anonymous Coward on June 10, 2004 05:55 AM
The name of the Alerter service was misspelled as "Alterer service".


Linux and Windows security compared

Posted by: Anonymous [ip: 41.210.23.76] on March 10, 2008 12:37 PM
I really liked this, but I have a little problem. If I were asked to compare and contrast the differences between the Windows operating system and the Linux operating system in terms of their features, how would I handle that? I really need help with this, please.

