Google Chrome OS (with a Linux kernel)...

Discussion in 'all things UNIX' started by Climenole, Jul 8, 2009.

Thread Status:
Not open for further replies.
  1. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    You don't seem to get it. Such exploits would have virtually no effect on the machine because Linux has a separation of privileges. Windows has this too, but no one uses it because it makes life difficult and breaks a lot of software. Linux was designed from day one with privilege separation in mind, where Windows only tacked it on as an add-on. M$ completely ignored security during the 95-ME days and, even though Vista is much better, Windows still suffers from the single user paradigm issues because of the fact that most Windows application programmers still require admin privileges for their apps. This is a result of M$ pushing the single, superuser paradigm for so long. Old habits are hard to break.



    Of course this is possible and will no doubt happen at some point in the future. But Linux does have one advantage to mitigate this threat -- package managers. Moreover, Linux has a lot of diversity in its binaries, thus making it more difficult to target all Linux distros at once.

    See point one. Such vulnerabilities would have little effect on the system at large since the application would not have root privileges to begin with. It seems many Windows users have a hard time understanding this, and understandably so, since they are used to always running their machine as a superuser. Even most people in these security forums run their boxes as admin and are quick to dismiss those who recommend UAC or LUA's. "I don't need no LUA because I know what I am doing" they claim. Yeah, that's fine until they are hit with a drive-by download that exploits a zero-day.

    Again, drive-by malware is *precisely* the type of malware Linux is best against. Drive-by malware assumes that the user's machine is running in a superuser state, which 95% of Windows machines are. Only a very small percentage of idiots run their Linux machines as root.

    Linux has had around 1% market share for a while now. It has millions of desktop users world-wide. I hang around many of the most popular Linux security forums and I have NEVER -- not once -- seen a single case of someone infected with a virus or malware. Never. Sure, some people come to those forums claiming they have been infected, but every time, upon inspection from people who know what they're doing (like me), we discover that their troubles have nothing to do with security issues at all. Usually it is a case of them being unfamiliar with how Linux works and being "spooked" by completely normal behavior that they don't understand.

    Even though Linux is only 1% of the market, we should still see at least a few viruses in the wild, yet we don't. Actually hundreds of viruses, worms, and malware have been written over the years, but they are never in the wild. Why?

    Now, I *have* seen a few boxes that have been cracked. Yes, it happens. However, every instance of this I have seen has been due to the following:

    1) People running VNC servers WITHOUT a password! One guy came on the Ubuntu forums the other day complaining that he was hacked. We asked him if he had a VNC password, he said "Yeah, the password is the same as my username." Duh!
    2) People running kernels that are several years old, and then running servers to the Internet at large so that the old kernels are easily exploitable.
    3) People running servers when they have no idea what they are doing, and have absolutely no reason to be running a server in the first place.

    In every case, one thing remains the same: These boxes were cracked by someone targeting the box directly. It has never been a case of viruses or drive-by malware, as is so often the case with Windows boxes.

    And Linux has a few mechanisms for the paranoid. For instance, I use AppArmor (a Mandatory Access Control system) on my box. I have firefox and all other network facing apps locked down to the point that even if there is a zero-day firefox exploit out there, it won't be able to do anything (and that's not even taking into account that I always run as a limited user, which is another layer of protection in itself).
     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I hope my reply doesn't count as OS war, since our mods already wisely warned us to keep that off-topic tangent out of this thread. My attempt here is just to state some facts that are easily verified, and I hope that does not count into the OS war tangent as much as it counts for just setting the record straight. :) Security discussions, unfortunately, are often more about the way people think things are than about how things actually are in reality.

    You seem to be in the dangerous mindset that only superusers can cause any damage. That is completely and utterly false, and this has been proven countless times. Anyone should know that, especially people that encourage others to not run as root or admin, which is something that for example I have done for a long time (in Linux, of course, but also in Windows NT).

    Yes, you need superuser privileges to cause system-wide damage, IOW, completely rooting the system, gaining full control. However, any user account has write access to something, or it's a rather pointless account. As I write this, I am logged in as a non-superuser. But, if some malware were somehow to execute, it could still delete all my files (rather, all the files that this user account has write access to, which is a lot, since I do work on this account, such as write documents). Or, it could send all of the files off to the badguy, or set up a spam bot, or a keylogger to steal my passwords, and do all kinds of other nastiness. It could not infect the entire system, could not install rootkits, and so on, but there would still be a major effect. So, it is completely inaccurate to claim that "such exploits would have virtually no effect on the machine because Linux has a separation of privileges." In reality, if such an attack was made, and it was successful, it could have a very serious effect - theft/destruction of data, for example. It would not affect the "machine" meaning the physical hardware, or the core OS, but it would affect user data. Separation of privileges protects 1) the system from being modified by users with low privileges, 2) user accounts and their data from being accessed/modified by other user accounts, but 3) it does NOT protect the currently logged on user from anything that runs in that user's context, such as a drive-by malware. People need to realize that, or they will get a completely wrong idea about privilege separation. For a user to be able to use email and make PDF documents, the user needs to have some write access, somewhere in the filesystem. And anywhere the user has write access, so does any malware that gets executed in his account's context, even when the account is not a superuser account. That's just the way things are.

    Linux was designed from day one with privilege separation in mind, that much is true. As for Windows, however, your statement is not entirely true. Windows is not "Windows", it's "Windows 9x" and "Windows NT", and these two are entirely different beasts. Your statement is somewhat correct about Windows 9x - it was not designed for privilege separation at all, but then again, it wasn't ever tacked on either, since it never had any privilege separation. Windows NT, however, was made from the ground up with privilege separation, so with Windows NT your statement is entirely incorrect and false. Privilege separation was not "tacked on as an add-on" to NT, it was there right from the first day, just like Linux. The difference, as usual, was in default settings.

    See answer to point one. While such vulnerabilities would have no effect on the entire system, such vulnerabilities would still have full effect on anything the logged on user has write access to, like say, all of his personal documents, email and so on. Some of that could be pretty valuable stuff that they might not want to have sent off to some Russian server. :) Anyone reading this thread, ask yourselves a question: does the account you are now logged into have write access to anything you consider valuable? Also, ask yourselves whether you would mind having a keylogger run in that account or a spam/DoS bot? There are other methods to protect the data of the currently logged on user from various attacks, but privilege separation is not such a method - it only protects other user accounts and the system from modification and unauthorized access. It seems many people have a hard time understanding this, but why that is, I do not know. Perhaps someone can enlighten me.

    I could not agree more. It is very, very sad to see supposedly security-minded people running as admin or root all of the time, instead of taking advantage of privilege separation built into their OS. However, even though LUA is a great security measure, it is not a panacea, for reasons stated above.

    I really don't know where you're getting the idea that drive-by malware assumes that the user is running as a superuser. Only very stupid drive-by malware assumes that. Then again, it is true that most malware is stupid, that is to say coded poorly. Even so, there is nothing that prevents anyone from making a smart drive-by malware attack that assumes the user has limited privileges, and acts accordingly.

    My experience is similar to yours. However, you may have noticed the same thing as I about the typical Linux user. And that thing is that he knows a lot more about computers than the typical Windows user, and therefore has a better chance of operating the system in a safe manner. Which leads me to the following...

    In my opinion, that is because there is no reason to target Linux. Why would anyone target it? Seriously, why? Why would anyone target a platform like Linux that has 1) fewer desktop users compared to Windows, 2) more secure default settings compared to Windows and most importantly 3) much smarter users compared to Windows, when they could target Windows which is far more widespread and used by users that barely know how to turn the system on and off? There is nothing inherent, technologically, in Linux that makes it an impossible target for all kinds of malware from viruses to rootkits. The simple fact is that Linux is not targeted because Windows is a lot easier to target, having poorer default settings and less informed users than Linux. However, again, in Windows there is nothing, technologically, that makes it "insecure" as compared to Linux. A smart Windows admin changes some default settings, and suddenly Windows is vastly more secure than out of the box, and quite comparable to Linux.

    That is, again, my experience as well. And it's because no-one bothers to make malware for Linux, when Windows and especially the people using Windows are easier targets.

    And these are in the group of "other" methods I spoke of earlier, to protect the currently logged on user account from data theft or other attacks. Windows, of course, has a lot of software made for it that can provide all kinds of lockdown, from the built in group policy (including software restriction policy) to third party products. So, Linux is certainly not alone in providing handy mechanisms for protection for the paranoid. Although, if I was paranoid, I would be running Linux and only Linux, and not Windows, as Windows is closed source. Or more accurately, I'd be running something with Unix background - could be Linux, could be something else, just not Windows. Fortunately, I'm not paranoid, and can use Windows just as well as Linux, and do so.

    Linux is a secure OS with most distros having default settings far safer than Windows. Why do you think I run Linux (in addition to Win NT)? :) But, OS wars are ridiculous, useless things. Instead of opinion, it is far wiser to concentrate on facts. And the facts are:
    1) privilege separation is good,
    2) which is why Linux and Windows NT had it from the start,
    3) although Windows 9x was just plain stupid from a security perspective,
    4) but it was a commercial success for MS and that's what counts for them I guess, but I digress, and the main point of fact is that...
    5) privilege separation does not prevent any malware that was coded by a person who knows about privilege separation, like for example me or you, from causing great damage to the data of the currently logged on user (you). Other methods may prevent it. Privilege separation does not. And everyone lived happily ever after. :)
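
The three-way distinction drawn in the post above (system files, other users' files, the logged-on user's own files), as an added example that is not part of any post in this thread: a simplified model of the UNIX owner/group/other write check. The user names, IDs and paths are constructed sample data, and ACLs, read-only mounts and MAC policy such as AppArmor are deliberately left out of the model.

```python
import os
import stat
from typing import NamedTuple


class Entry(NamedTuple):
    path: str
    uid: int    # owning user
    gid: int    # owning group
    mode: int   # permission bits only, e.g. 0o644


class Process(NamedTuple):
    name: str
    euid: int        # effective user the code runs as
    gids: frozenset  # groups that user belongs to


def may_write(proc, entry):
    """Simplified UNIX discretionary write check for one file."""
    if proc.euid == 0:
        return True                       # root overrides DAC write checks
    if proc.euid == entry.uid:            # owner class applies, and only it
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in proc.gids:            # otherwise the group class
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)  # otherwise "other"


def reach(proc, entries):
    """Paths that any code running as `proc` is allowed to modify."""
    return sorted(e.path for e in entries if may_write(proc, e))


def entries_from_tree(root):
    """Build Entry records from a real directory tree (files and dirs only)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                  # vanished or unreadable: skip
            if stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode):
                found.append(Entry(path, st.st_uid, st.st_gid,
                                   stat.S_IMODE(st.st_mode)))
    return found


# Constructed sample data (hypothetical users, groups and paths).
ROOT, ALICE, BOB, STAFF = 0, 1000, 1001, 50
SAMPLE = [
    Entry("/etc/passwd", ROOT, ROOT, 0o644),
    Entry("/usr/bin/firefox", ROOT, ROOT, 0o755),
    Entry("/home/alice/Documents/thesis.odt", ALICE, ALICE, 0o644),
    Entry("/home/alice/Mail/inbox", ALICE, ALICE, 0o600),
    Entry("/home/bob/Documents/taxes.pdf", BOB, BOB, 0o600),
    Entry("/srv/shared/minutes.txt", BOB, STAFF, 0o664),
]

# The kernel sees only the effective uid and groups, not which program it is:
# alice's shell and a browser started by alice have identical reach.
ALICE_SHELL = Process("alice's shell", ALICE, frozenset({ALICE, STAFF}))
ALICE_BROWSER = Process("browser run by alice", ALICE, frozenset({ALICE, STAFF}))
BOB_EDITOR = Process("editor run by bob", BOB, frozenset({BOB, STAFF}))
ROOT_DAEMON = Process("root daemon", ROOT, frozenset({ROOT}))

if __name__ == "__main__":
    for proc in (ALICE_SHELL, ALICE_BROWSER, BOB_EDITOR, ROOT_DAEMON):
        print(proc.name)
        for path in reach(proc, SAMPLE):
            print("  can write:", path)
```

To run the same check against a real account, pass `entries_from_tree(os.path.expanduser("~"))` and a `Process` built from `os.geteuid()` and `os.getgroups()` to `reach`.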
     
  3. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Bingo. Which is why the Sturm und Drang regarding modern OS's is so inane.

    Sure, those default settings have huge practical consequences, but focus where the actual differences reside, in the default configuration and secondary consequences of poor programming practices which make assumptions along these lines. I realize that there are other pertinent differences as well (package management for example), but none of these are insurmountable issues if one chooses to address them. The greater problem is that casual users simply aren't aware of them.

    Finally, there is an intrinsic tension between facile usability/experience richness and security on any platform. This tension will always be present.

    I've already noted it elsewhere
    and it actually seems to be aligned with the developers' thoughts as well
    Exactly.

    Blue
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Truer words were never written!

    I am not a Linux user but I follow some of the discussions with interest since at some point I may be one!

    Reality (= real life situation) in security can be used in a general sense: how the general population is affected. And in a specific sense: how individuals are affected.

    One thing I've concluded is that if I were to become a Mac or Linux user, I would not approach security any differently than I do now on a Windows system. This is because I've always felt that the most important ingredient is the user:

    • policies/procedures employed,

    • decisions made.

    In this respect, the Operating System is irrelevant when user error is involved. Hence, the success of the Mac DNS Changer exploit from a year or so ago:

    DNS changer Trojan for Mac (!) in the wild
    http://isc.sans.org/diary.html?storyid=3595

    But you focus on the drive-by attack:

    There are at least two ways of dealing with these types of attacks:

    • blocking at the point of entry

    • containing the damage if entry is gained

    I have air vents around the perimeter of my house. To prevent rats and rodents from doing damage, I can block off the entry points with wire mesh. Or, I can set traps inside underneath the house. Which is preferable? If they enter, they will leave droppings, perhaps chew on wiring, before they get to a trap. But if prevented from entering, no damage will be done.

    The current drive-by attacks targeting Windows systems are easily blocked by proper configuration of the browser; this takes care of both browser-based and application-based (Flash, Adobe Reader). I've not found any that succeed. I don't doubt this also holds for securing browsers on non-Windows systems.

    There are also execution-prevention products for Windows that provide secure prevention against the malware drive-by attacks. I don't doubt that as non-Windows systems become targeted, similar solutions will emerge.

    From my point of view, the arguments about "which is more secure" are completely irrelevant. Note that I'm using "reality" in the specific sense: I speak for myself and those I've helped: Windows is just as secure as the user wants it to be.

    That many Windows users don't secure, is irrelevant to the fact that many do and have a safe computing experience.

    If I were starting computing now, I would use Linux for reasons that have nothing to do with security. Its concept is exciting, and as more programs are developed that will attract Windows users who have their favorite types of applications, Linux will become more widespread. That's why the Google Chrome development will be eagerly watched!

    regards,

    rich
     
  5. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Hello, Windchild. I didn't mean to come off so condescending in my previous post. I failed to look and see who I was responding to, and I remembered we have had some good exchanges in other threads. I don't think you are a Windows shill like some others who like to come here and spread mindless FUD, so I apologize if I was a bit harsh.

    As for the user-account malware subject: Yes you are right, it is possible for malware to attack a non-privileged user account and still do damage to the user's personal files, etc. However, there is one problem -- the user would still have to chmod +x the file and then manually execute it. This essentially eliminates the problem of drive-by downloads. (There is one exception to this and that is the so-called desktop files, but that is another issue).

    I think we can all agree that there is no easy way to stop users from doing stupid things. The only thing the OS itself can do is force the user to take a moment and think whether they want to install or execute something. But, I think the fact remains that Unix/Linux has more sane defaults with both privileges and with how executables are treated. A newbie is not going to know how to make a file executable (thank God) and by the time they figure out the command, perhaps they will have thought twice.

    With the newest versions of Windows, much of these protections are possible, but it's not the default. And even some of the most security savvy tend to ignore it out of the perceived "annoyance" factor. Again, I don't think there is anything wrong with UAC itself -- it wasn't designed to be annoying -- it's just that so many Windows apps are still coded to run as admin, which increases their nagging for admin privileges when they shouldn't need it. Just about every Linux app I have seen has very sane privilege requirements -- most don't require admin access at all during operation.
     
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Hi, Rmus.

    You are almost right about approaching security the same way on Unix as Windows. I say "almost" because I have found that many Linux converts come to the Linux security forums asking things like "What AV software should I install" or "What firewall should I install." The problem is they are approaching Linux security from the Windows mindset and are thus distracted from what security measures really *matter*.

    Of course, the newbs are always (rightly) told that AV on Linux is a waste of time and that a very powerful firewall already comes with the OS. I always try to drill it into their heads that one should not worry about viruses and malware because, for one, the AV scanners for Linux primarily only scan for Windows malware (ClamAV, for instance, was created to run on Linux e-mail servers to help protect Windows users). Moreover, if they worry too much about malware they get a false sense of security because the bigger threat to Linux is *not* malware.

    Here is all one needs to do for a Linux desktop box:

    1) Buy a router and flash it with a Linux based firmware, like DD-WRT, Tomato, or OpenWRT. Configure it so it blocks all incoming. If one doesn't have a router, then simply configure iptables locally to do the same.

    2) Only install software from the repos.

    3) Never run as root (this is the most important advice).

    4) Update the system when prompted (Linux has a very fast turnaround for security fixes).

    5) If one is paranoid, configure a MAC system.

    If one does these things, one will never have an issue with security. Simply installing ClamAV or Avast (for Linux) will do absolutely nothing for security and, again, just distracts the user from what they should be doing.
     
  7. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    This is an interesting discussion! :)

    This is always worth repeating. There is always a tradeoff when one increases security - or increases ease-of-use features and such. How often do we hear people complaining: "Operating system X is just too difficult to use, it sucks! And operating system Y is so insecure, it sucks, too!" And so rarely do these people notice the import of what they are saying. It would be a lot easier to get into a car if there were no door locks getting in the way, but then, that would be less secure than most would like. Gods, my car analogies sound atrocious, but we all get the point. :D

    MS, targeting the mass market, has attempted to balance things by building all kinds of reasonably solid security measures in their OS and then turning them off by default so they don't make things "difficult" for novices. And the result is the "everyone is root" disaster, but also Windows on almost every desktop computer. These days, they're trying a somewhat different strategy, and starting to enable the safety features by default, little by little. It will be interesting to see where that goes: perhaps attacks will start to concentrate even more heavily than today in the social engineering methods.


    Difficult to disagree with that! Something like Chrome OS may be exactly what the average user, or a part of the average user pool, needs and wants. Indeed it may be what some advanced users also want. Different people, different needs and tools. Personally, Chrome OS is not going to be the OS for me, but it may be exactly what the doctor ordered for some people.


    Hey, no problem - I tend to be a bit harsh myself. One of my personal faults, of which there are many. :D

    Having to chmod +x is a nice precaution, and at least gives the user about to be tricked time to think again: "Do I really need to execute this unknown file to see dancing pigs?" It obviously works against any attempted drive-by attack that does not exploit a code execution vulnerability, but how many of these do we know, except perhaps for loose ActiveX settings in IE, which obviously isn't an issue with Linux? But against the drive-by attacks that are based on exploiting an existing code execution vulnerability in some application such as the web browser or a browser plugin (say, Flash, or Java), it doesn't really do anything, now does it? In such an attack the exploited program is already executable and running, and the malicious code runs inside that program, without any user interaction needed. And from there, the malicious code can do a lot of things still without user interaction, and without there ever being any file the user needs to run chmod +x on and then manually execute it. Of course, such exploits can be screwed up, too, by bad coding, but they are pretty dangerous. And those are the exploits that are owning Windows systems, as common methods of attack right after social engineering attacks and exploiting those insecure default settings in popularity.

    What I like in Linux is, in addition to it being open source, that it doesn't attempt to be "easy for everyone", but rather tries to be "as efficient as possible for those who will take time to learn it". If I want to run without any flashy GUI stuff, I can easily do that - the OS doesn't try to stop me from doing that because such an environment might be a little hard for a novice to use. The requirement to set execution permission manually is much the same: it's smart from a security perspective and gives the user more control (=efficient), but novice users would cry all day long about having to do such things just to execute something. Microsoft and MS have to consider that - everyone would complain if Windows suddenly went over to making all files non-executable by default and requiring the user to manually set the execute permissions. Linux and its devs, having no commercial goals of world conquest unlike MS, can just do stuff like that and get away with it! I bet many at Microsoft are actually, honestly envious. :D


    Well said. Security starts with the user. From the user first selecting which OS to run ("Do I run the insecure Win 9x, or do I run something more secure like Linux or Win NT?") to making security policies ("I will try to prevent unauthorized code from executing, by turning off unnecessary scripting features in programs like browsers, and I will not set execute permissions for files that I can't trust") to using plain old common sense when needed ("Hmm, this email says my bank wants me to email them my credit card number and PIN. Sounds fishy."), it's all about the user.

    For the drive-by attack, there are many methods to counter those. I was merely pointing out that privilege separation in itself is not enough as a countermeasure against such attacks.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello chronomatic,

    You are putting me in the category with other converts! I don't use AV, so I wouldn't apply a Windows Mindset. Therefore, I stand by my statement.

    From my point of view, there are two issues:

    • user error

    • remote code execution (drive-by) attacks

    As far as I'm concerned, neither has anything to do with which OS is used.

    For user error: as the ISC Diary I cited above points out, the situation applies to both Mac and Windows users: they both willingly supply the administrator credentials to install the junk.

    For the drive-by attack: I look at the exploit, see how it attacks an opening, and add protection accordingly.

    Here, I can't say too much since I've not tested exploits on Linux. I speculated above that the Browser would probably take care of a lot, as it does in Windows. Looking at the PDF exploit as an example:

    The web site runs a script to load the PDF file into the browser window. Configuring scripting per site and controlling the use of plugins stops the exploit at the gate.

    Should the PDF file get loaded and run, exploit code uses the Reader to connect out to the internet to download the malware. Here, I would have to see if a firewall works the same way on Linux: alert for unauthorized outbound connections. If so, the exploit fails at this point.


    So you see: The OS doesn't matter: for me, the basic approach to security is the same: If I prevent the exploit at the gate, it doesn't matter what is inside the gate.

    By the way, that was my approach with Win95/98 so I never felt that I was not secure with those Operating Systems.

    By the way #2: using the Foxit PDF reader was suggested in some quarters, but that didn't necessarily put the user out of risk. Foxit had a number of exploits in the wild - it just patched quicker than did Adobe. But there was still a window of opportunity at times.


    regards,

    rich
     
    Last edited: Jul 13, 2009
  9. wat0114

    wat0114 Guest

    Although I don't run a ton of apps on my Windows machines, they all run quite nicely under the limited accounts. Sure, they have to be installed with admin privileges, but after that they're run primarily in user accounts.
     
  10. tlu

    tlu Guest

    I agree with everything you said. But: These vulnerabilities are usually patched very fast. The real problem for Windows users is that many of them (I guess even the majority) are using insecure browser plugins and/or leaky apps (like PDF readers) because they don't know about these vulnerabilities - unless they use Secunia PSI or something like that (certainly only a tiny minority). However, under Linux you'll have these security fixes applied as soon as they are available. And this makes a huge difference in everyday usage. You don't have to care about security - it's done automatically. I think that's one of the major reasons why Linux isn't affected by malware.

    Having said that, it's clear that there can't be 100% perfection but Linux comes rather close ;)
     
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Folks,

    A reminder - Chrome OS and Linux - those are the topics. Other OS's can be discussed elsewhere on the site. Thanks in advance.

    Blue
     
  12. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Makes sense when you read this

    Seems like Google's OS is tailored for those who just want/need to log onto the net and log off. Minimalist computing "browsing" on puny solid state drives.

    Very doubtful this is some revolutionary computing OS.
     
  13. _khAttAm_

    _khAttAm_ Registered Member

    Joined:
    Jul 30, 2009
    Posts:
    8
    I think they made the better choice using the Linux kernel rather than building their own (even if they considered the second option at all). I can't see any advantages of building another kernel, which will need to be tested and debugged and the development will probably take quite a lot of time. And about the drivers and other software? Development tools? Another 20 years? I think they have plans to compete with Windows 7, not Windows 10.
     