December 7, 2004

What are the real vulnerabilities of Linux?

Author: Jay Lyman

Some Linux fans are tired of reading reports and articles about viruses and
attacks for the Linux operating system that would be as bad as malware for
Windows if the open source OS were the most popular. Why waste your time
worrying about a potential threat for which there is little historical or
empirical evidence that it even exists, right?

OK. For this article, it is accepted that in today's real world, there is
little to suggest that worm writers would or could create the same degree of
havoc on Linux as they have for Windows. However, that does not mean that
Linux is impermeable to attack by the same kind of malicious,
worm-writer-minded efforts that plague Windows. So what are the real
vulnerabilities of the Linux operating system? A few experts weighed in for

Basis for backdoor concerns

Ryan Russell, software security expert and author ("Stealing the Network: How to Own the Box") stipulated that he
does believe the threat of viruses and worms is largely tied to popularity.
He also, however, acknowledged that Linux worms are a case of predicting the
future, and there is a lack of past history that would help this foul code

Russell recalled when most viruses were written for DOS and it was novel
to see a Windows attack -- somewhat similar to cases of today's Linux
viruses that have had limited success. His reasoning for the idea of
increased virus attacks on a more popular and widely-distributed Linux: the
nature of the worm writer.

"You have all these virus authors out there, and they're doing it at an
alarming rate," Russell said. "If 90 percent of the world was on Linux, I
don't believe they would just give up and go home. They may be less
successful, but it's not going to stop them altogether."

The reference to less success against Linux has to do with the increased
difficulty of socially engineering a Linux user. The reason is not that the
Linux user is profoundly more technically savvy, but because, according to
Russell, the operating system itself is more difficult to exploit.

"It's not as easy to social engineer someone with Linux," he said. "You
have to go through more effort."

Although it may be less susceptible and more defendable, Linux has
nevertheless seen its share of security issues -- the most significant of
which center on backdooring efforts that have typically been caught before
too long or too far into the kernel or component. However, these efforts
indicate there may be more, similar attempts -- some of which may not have
been caught, Russell said.

"The threat of someone slipping in a backdoor of some kind is fairly
real," Russell said. "We've seen two attempts -- they failed because it was
detected and they didn't get far enough [into development] to be a big deal.
But I think it's reasonable to think one has slipped through in the past."

Russell said a subtle backdoor could surreptitiously be written into a
popular Linux side component or package as well, and he used the case of as an example.
Once again, that security breach was quickly discovered and addressed.
Nevertheless, it highlighted that attackers have their sights set on building
into Linux what Redmond already provided for Windows.

Russell illustrated the issue by questioning how Linux developers deal
with gifted coders. "Take the case of someone new, who is fairly
talented," Russell said. "How much do you let them contribute, how do you
watch them, and for how long?"

While he called the addition of a more rigorous audit trail to the Linux
development process -- announced last May -- Russell said the matter of trust
remains a security issue.

"I think there are a lot of unanswered questions in that area," Russell
said. "The fact that [backdooring] happens at all means people are targeting
that. It's hard to imagine some of the more blatant backdoors could stay
there for a long time, but it's hard to say."

A related security issue for Linux, which faces a real vulnerability in
backdoor additions just as Windows faces a real threat in today's onslaught
of viruses, is the adoption of supposedly "official" Linux packages that are
not the verified version, according to Russell.

Russell said he himself has downloaded an ISO image that was "grabbed
from anywhere," and verified the MD5 signatures, but he wondered how many
Linux users do not.

"It uses a public key, and that's what you're supposed to do," Russell
said of the signature verification process on the ISO download. "That's why
it's there. Yet you have to wonder how many people do that."

Russell referred to an instance of some Red Hat ISOs he downloaded which
did not have matching signatures.

"It was a random error, rather than something malicious," he said.
"Still, there's the possibility of the same thing happening with an
unverified package."
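The check Russell describes, verifying a downloaded image against a published checksum list, as an added Python example that is not from the article or from any distribution's tooling. It parses the coreutils `md5sum` line format (the same parser handles `sha256sum` output), hashes the downloaded bytes, and fails closed when the file is missing from the list. The image bytes, the checksum file and the filename `distro-1.0-i386.iso` are constructed sample data.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded ISO image (not a real image).
GOOD_ISO = b"constructed-iso-contents-for-demo\n" * 8
# The same bytes with one byte changed: a corrupted mirror copy and a
# tampered file look identical to the verifier, which is the point.
BAD_ISO = GOOD_ISO[:12] + b"X" + GOOD_ISO[13:]


def digest(data, algo="md5"):
    """Hex digest of data with the named hashlib algorithm.
    md5 matches the MD5SUMS files of the era; pass "sha256" for sha256sum lists."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


# Constructed MD5SUMS file in coreutils md5sum format: "<hex digest>  <filename>".
MD5SUMS = digest(GOOD_ISO) + "  distro-1.0-i386.iso\n"

# One md5sum/sha256sum line: hex digest, whitespace, optional '*' (binary mode), filename.
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def parse_checksum_file(text):
    """Map filename -> expected hex digest.
    Blank lines and '#' comments are skipped; lines that do not parse are ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CHECKSUM_LINE.match(line)
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_download(filename, data, checksum_text, algo="md5"):
    """True only if the checksum file lists filename and the digest of data matches.
    A file absent from the list fails closed rather than passing silently."""
    expected = parse_checksum_file(checksum_text)
    if filename not in expected:
        return False
    # Constant-time comparison; also tolerates length mismatches without error.
    return hmac.compare_digest(digest(data, algo), expected[filename])


if __name__ == "__main__":
    print(verify_download("distro-1.0-i386.iso", GOOD_ISO, MD5SUMS))  # True
    print(verify_download("distro-1.0-i386.iso", BAD_ISO, MD5SUMS))   # False
```

A mismatch tells you the bytes differ from what the checksum list describes, not why: the random mirror error Russell mentions and a deliberately altered image produce the same result. A checksum list fetched from the same place as the image only protects against corruption; the public-key signature on that list, which Russell refers to, is what ties it to the distributor.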

Russell added that there is far greater financial incentive to hack in a
backdoor these days, because phishing-type phonies and spamming techniques are
increasingly tied to malicious software.

The Linux black box

Another real security issue for Linux, according to Russell and others,
is that the operating system is often viewed as a "black box."

"It's the self-administration problem of any operating system," Russell
said. "There are systems out there, and no one's paying attention to them. No
one's fixing them. And that's a problem."

Ken Dunham, director of malicious code intelligence for iDefense,
agreed to a certain degree, even though he flatly contended that Linux is
more secure than Windows.

"The [Linux] users who use default settings or do not harden for security
are increasingly at risk," Dunham said. "They don't harden against attack --
they're not patching and they're not ensuring their passwords won't be
attacked. That audience is growing increasingly for Unix and increasingly
with Linux, which is now being sold at Wal-Mart."

Dunham reiterated that the Linux platform is generally more secure than
Windows because it is not as widespread as Windows -- something Dunham does
not see changing.

"There will always be a certain subset nature to Linux," he said.

Still, Dunham cautioned of increased attacks on Linux and a need for
better security from Linux users.

"The hope is that the server folks will harden [their Linux boxes]," he
said. "It is an area of increasing concern. There's an increased number of
servers that are never patched and never maintained. The group [of Linux
users] is changing."

Security not sexy, riddled by 'bit rot'

Cybersource CEO Con Zymaris,
a vocal critic of the theoretical threat of nasty viruses to Linux, said
although Linux is automatically more secure by virtue of being open, the
operating system is also created in a dynamic way that carries with it some

"By being open, it means that it is possible for disparate parties to
make secure coding modifications," Zymaris said, adding that Linux is still
in a better security position than other, proprietary operating systems.
"One needs to approach security as a prime requirement and motivator, much
as the OpenBSD team do," Zymaris said in an email. "The Linux community
mindset is different. Linux development is dynamic and races ahead towards
more and broader functionality, drawing a multitude of interested parties in
to make interesting extensions and adaptations at a rapid rate.

"In order to do security the BSD way, however, much more effort needs to
be spent auditing code for holes, which is much less sexy, and attracts a
different set of coders," Zymaris added. "The important point is that by
being open, at least it is possible to do this with Linux. You can't do this
with Solaris or Windows at present."

Another high profile Linux susceptibility, according to Zymaris, is the
rapid development of the operating system.

"By essentially producing fresh, new versions of the entire OS platform
on a high rotation, cutting-edge Linux distros may usher in an era where
non-techie IT professionals might throw up their hands in dismay of ever
keeping pace, [allowing] their Linux servers to suffer security bit rot,"
Zymaris said. "[The risk is] package upon package of vulnerable and
exploitable system modules not being updated because it's become too hard."

Zymaris conceded that Linux geeks have no problem playing with new
distros and putting in the work but added the security upgrade issues are
growing as Linux becomes more popular and widespread.

"People from outside that space don't want to refresh their OS-core more
than once every three to five years, by which point, many of the Linux
distros will have deprecated that particular platform," he said.

Zymaris said there are viable solutions to such issues -- selecting less-progressive distros which have a guarantee of minimal support for the
duration, for example.

"The overly rapid deprecation problem isn't resolved yet," Zymaris added.
"Yes, you can select RHEL or older, stable versions of Debian, but these in
turn have their issues. Some work is being done with projects like Fedora
Legacy, but it's hard work and needs more hands to make it lighter."


Diversity good, people bad

Zymaris touted technical superiority for Linux compared to Windows,
citing less concern for the malware vectors and models used against Windows
and more automated and simple orchestration of perimeter defenses such as
firewalls with Linux. He also said autoexecuting content, macros embedded in
documents, platform and application homogeneity, and lack of different user
and security policies are all Windows plagues that never have been nor will
likely be a concern to Linux users.

However, the security expert said there is a need to mix up the Linux
lineup, particularly given the popularity of Internet-visible servers.

"We in the Linux space must bear diversity in mind when moving forward,"
Zymaris said. "Don't run all your Web sites on Apache. Don't use just
Sendmail or BIND. Don't use just Linux. Diversify, diversify, diversify!"

In addition, just like Windows, Linux requires humans in order to run,
and humans are generally blamed as the weakest security link of any system.

"The biggest problem is people," Zymaris said when asked about the top
real vulnerabilities for Linux. "Security technology must not only be
present, but must also be either automatic -- with sensible defaults -- or
extremely easy for non-propellerheads to implement."

As an example, Zymaris said while traditional Linux techies would abhor
the idea of adding X and a GUI desktop to a firewall, it may be the
difference between an average IT pro configuring the firewall properly or

"Simplicity and convenience must come front and center," Zymaris said.
"Linux has the underlying technology, which is all very well to its high
priests, but to keep an increasing number of non-techies secure, Linux
distros must ship with 'Security for Dummies' configuration, support,
testing, and patching tools."

Dealing with bugs and holes, ditching horrible security

For his part, Bastille Linux
lead developer Jay Beale qualified his response by taking a
security hardening approach that is based on configuration. Beale said the
worst thing for Linux security is the same thing that has been the biggest
issue for Windows: the fact of software bugs and holes.

"Security vulnerabilities are just normal software bugs that turn out to
be capable of giving an attacker illicit privilege when he takes advantage
of, or exploits them," Beale said in an email. "Sometimes these bugs are
coding practice-related, like buffer overflows, but they're very often logic
related, where the developer had made bad assumptions about how the deep,
underlying technology they're using works."

Beale said through black-box auditing -- especially with Web applications --
there are a number of logic flaws that are usually caused by
misunderstanding of HTTP's statelessness or by assumptions that browsers
will enforce application security policy through JavaScript, hidden form
elements or cookies.
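The two flaws Beale describes, in an added Python example that is not from the article or from Bastille Linux: a checkout handler that trusts a hidden price input and a "terms accepted" flag set by the previous screen's JavaScript, beside a version that re-validates every input and re-derives each policy decision from server-held data on the current request. The catalogue, the session store and the request dictionary are constructed sample data; no web framework is involved, the handlers just take a parsed form.

```python
# Constructed server-side price list, in cents.
CATALOGUE = {"sku-100": 4999, "sku-200": 1299}

# Constructed server-side session store, keyed by session id. HTTP is stateless,
# so anything the server must remember between requests lives here (or in a
# signed token), never in fields the browser echoes back.
SESSIONS = {"sess-1": {"agreed_terms": True}, "sess-2": {"agreed_terms": False}}


def checkout_vulnerable(form):
    """Flawed handler: 'price' is a hidden input and 'terms_ok' was set by the
    previous page's JavaScript. Both arrive as ordinary request parameters, so
    the client is deciding the server's policy."""
    if form.get("terms_ok") != "1":
        raise PermissionError("terms not accepted")
    total = int(form["price"]) * int(form["qty"])
    return {"sku": form["sku"], "total": total}


def checkout_hardened(form, session_id):
    """Fixed handler: the terms decision comes from the server-side session,
    the price from the catalogue, and the quantity is validated on this request."""
    session = SESSIONS.get(session_id)
    if session is None or not session.get("agreed_terms"):
        raise PermissionError("terms not accepted")
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("qty must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")
    # Any client-sent 'price' field is simply never read.
    return {"sku": sku, "total": CATALOGUE[sku] * qty}


def rejection(form, session_id):
    """Name of the exception checkout_hardened raises for a request, or None if
    the request is accepted."""
    try:
        checkout_hardened(form, session_id)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
    return None


# Constructed request in which the hidden price reads 1 cent and the terms flag
# is present regardless of what the user did on the previous screen.
TAMPERED_FORM = {"sku": "sku-100", "qty": "2", "price": "1", "terms_ok": "1"}

if __name__ == "__main__":
    print(checkout_vulnerable(TAMPERED_FORM))          # total 2
    print(checkout_hardened(TAMPERED_FORM, "sess-1"))  # total 9998
    print(rejection(TAMPERED_FORM, "sess-2"))          # PermissionError
```

The hardened version is no longer code; the difference is which side of the connection each fact is taken from. A black-box audit of the kind Beale mentions finds the flawed version by resubmitting a form with the hidden values changed and watching whether the server notices.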

While bugs and holes may be unavoidable facts of life, it is in the
ability to respond, to harden, and to defend Linux where the open source
operating system is superior security-wise to Windows, Beale said.

"The first way to deal with vulnerabilities is by hardening systems --
deactivating unused programs or configuring for better security," Beale
said. "Unfortunately, most of the system administrators out there don't do
this yet. This is our first failing, as Linux and Windows sysadmins."

Beale, who said Bastille Linux and the Center for Internet Security's
hardening benchmarks are starting to counter that lack, listed patching as
the second way to deal with those unavoidable vulnerabilities, particularly
ones that cannot be avoided through hardening.

"Organizations are just learning how to do that now, as they fight worms
and learn that a perimeter-focused firewall can't stop a worm that came in
on a laptop or VPN connection," Beale said. "It's sad that we're not better
at patching, but this is rapidly improving. All major vendors have
incorporated a fully-optional automated patching solution, making patching
significantly easier."

The third way to deal with vulnerabilities, according to Beale, is to
stop running software with a horrible security history.

"I'm constantly surprised at the number of people still using Outlook
instead of Eudora, Mozilla Mail, Lotus Notes or any of the others," he said.
"We're getting better at abandoning bad software, but only so much better.
Most Linux vendors have moved from the often vulnerable WU-FTPd and Pro-FTPd
FTP daemons to the security-focused vsftpd. This has had an amazing effect
on security, reducing the number of FTP server compromises on newer Linux
systems to around null."

The conversion from Sendmail to Postfix, however, is happening much more
slowly, Beale said. Still, it is an overall area where again, Linux is more
easily secured than Windows.

"This is one of those places where Linux is doing far better than
Microsoft," Beale said. "Microsoft can't abandon bad software because it's
not in their nature. Linux vendors can and have ditched the old FTP daemons
and don't have to explain the move to the shareholders or FTP server
development teams."

Faster, deeper defense

Beale, who downplayed the significance of vulnerability counts or total
attacks because they are too simplistic and do not account for many of the
important factors of deployment, said the speed at which the Linux community
is both developing and addressing security issues puts the operating system
in a more secure situation.

Beale said with frequent Linux distribution updates -- typically at least
twice per year -- there is good opportunity to make improvements in response
to bugs or holes.

"Microsoft and even the traditional Unix vendors have three-year release
cycles that mean they only get to respond to user demands once every three
years," Beale said. "Three years is a long time in the security space."

Beale said the faster embrace and adoption of new technology in Linux
also helps secure the operating system. While Microsoft cannot make major
changes without worrying about their impact on administrators that may not
fully understand a firewall, the problem is not prevalent for Linux.

"We don't have this problem in Unix/Linux -- sysadmins understand the
system deeply, can cope with change by understanding it and planning for it,
such that the addition of a firewall doesn't shut down their servers," Beale
said. "If they don't, we deem them incompetent and make sure that they don't
run a shop on their own or get promoted to senior-level."

Beale also said the nature of Linux development leads to amazing
technology advancement, citing SE Linux and competing projects grsecurity,
LIDS, Subdomain, and systrace.

"Linux had effective host-based intrusion prevention before it became a
buzzword," he said. "All of this came out of developers creating [the]
technology they needed and building on each other's work."

Beale, whose Bastille Linux project creates a security
hardening program for Linux, HP-UX, and Mac OS X systems, said Linux is also
worlds easier to defend than Windows because it is easier to deactivate
programs and configure the ones that are in use with security in mind.

"Part of this is that the system administrator has much more granular
control over the [Linux/Unix] system," he said. "Part of this is that
Linux/Unix is just far simpler, and even better documented, than Windows, so
the interactions between components that you might want to configure or
deactivate are much better understood."

The issue of "over-integration" in Windows makes it harder to defend
because it is difficult to limit the scope of a vulnerability in an
application such as Outlook or Explorer, which are tightly tied into the
system and interact, as Beale put it, "in a huge number of seemingly
unpredictable ways."

"Linux doesn't have this problem yet," he said.
