Monday, November 9, 2015

On The Security of the Linux Kernel

Hey everyone - This week, I wanted to talk a little bit about an article I recently read in the Washington Post about the inherent "insecurity" of the Linux kernel due to the attitude of its creator, Linus Torvalds.  I think the article is worth a read because it touches on a concept that I consider one of the underpinnings of information security: the security of a system should not be determined by each of its individual parts, but rather by the security of those parts as a whole.

Before we get started, this is not about whether the Linux kernel has security flaws or whether Torvalds is right or wrong about his views on security.  It would be nice if Linux kernel development had a sharper focus on security, and it is difficult for me to fully empathize with kernel developers who believe security is not a priority.  I think that has to do with my chosen field though.  I wonder how I would feel if I was not a part of the security community.  The Linux kernel almost certainly has security vulnerabilities, some known, some unknown.  Pretty much everything has vulnerabilities.  But as I have said before, securing a network is more than trying to achieve a completely secure system.  It is about managing and mitigating risk while maintaining usability.  Additionally, remember that a system is not only made up of its kernel, be it BSD, Linux, Windows, whatever.  There is plenty going on in userspace that can compromise the security of something you are trying to protect on the system.


There was one part of the article that I want to talk about.  It goes along with my feelings about defense in depth and basic network security architecture:

When the interviewer asked whether Linux — designed in an era before hacking had become a major criminal enterprise, a tool of war and constant threat to the privacy of billions of people — was due for a security overhaul after 24 years, Torvalds replied, “You’re making sense, and you may even be right.”
But what followed was a bracing example of why Torvalds said the interviewer was wrong: Imagine, Torvalds said, that terrorists exploited a flaw in the Linux kernel to cause a meltdown at a nuclear power plant, killing millions of people.
“There is no way in hell the problem there is the kernel,” Torvalds said. “If you run a nuclear power plant that can kill millions of people, you don’t connect it to the Internet.”

That last sentence is the part that really stood out.  A common misconception is that there is a product, operating system, or some "silver bullet" that will keep your system secure by itself.  Think about it: let's say you buy a fancy IDS and install it in your network but give no one the responsibility to monitor it.  It could be sending up red flags all day, but if you do not see them or do anything about them, you are no more secure than if you did not have the IDS at all.  The security of a system or network must be treated holistically and not as a group of isolated parts.

Thinking that you are safe because you run the Linux kernel follows the same reasoning.  The Linux kernel is not inherently secure because it is not Windows (the security of Windows itself is not that bad nowadays) or because it is open source.  If you practice bad security "hygiene," then it does not matter which operating system or kernel you are using.  The nuclear plant example hits this directly.  If that system in the nuclear plant was running Windows, but you had it connected to the Internet, and the machine was compromised, it would be wrong to blame Windows.  There were multiple failures that allowed the attacker to get to the point of executing a kernel exploit.  Those failures need to be addressed in addition to whatever failure may exist in the kernel.

Another excerpt from that same article:
Even more broadly, the battle over Linux security is a fight over the future of the online world. At a time when leading computer scientists are debating whether the Internet is so broken that it needs to be replaced, the network is expanding faster than ever, layering flaw upon flaw in an ever-expanding web of insecurity. Perhaps the best hope for fixing this, some experts argue, lies in changing the operating system that — more than any other — controls these machines.
I have to disagree with those experts.  While any insecurities in Linux need to be addressed, the security of the system depends on spreading awareness of security vulnerabilities and mitigations.  It is easy to place blame on something as big as Linux or Windows without considering the overall architecture and security practices of a network and its users.  The thing is, even if Linux and Windows were perfect, if you make it easy for someone to get on the computer and compromise root / Administrator credentials, then it does not matter if the kernel is secure.  A kernel exploit is not required to gain root / Administrator access to a system.  Again, that is not to say that we do not need to concern ourselves with the security of the kernel.  We do, but there are other vulnerabilities as well, and a lot of misconceptions.  Take this part of the article:
Versions of Linux have proved vulnerable to serious bugs in recent years. AshleyMadison.com, the Web site that facilitates extramarital affairs and suffered an embarrassing data breach in July, was reportedly running Linux on its servers, as do many companies.
If I recall correctly (and please correct me if I am wrong), the Ashley Madison breach was due to Heartbleed, a flaw in OpenSSL, not the Linux kernel.  Windows machines running vulnerable versions of OpenSSL were also vulnerable to Heartbleed.  Admittedly, that is a very small number of Windows machines since most Windows web servers run IIS, which does not use OpenSSL.  And yes, there are software packages that are not web servers that run OpenSSL as well, but the majority of OpenSSL usage is likely for web servers.  Again, this goes back to bad security hygiene.  The Linux kernel was not at fault for that breach.  The cause of that breach was improper or non-existent patching practices.

Another quote:
The Security Intelligence Response Team for Akamai, a leading Internet content delivery company, spoke bluntly on the rising vulnerability of Linux in September when it announced the discovery of a massive botnet that attacked up to 20 targets worldwide each day.
“A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time,” Akamai’s security team wrote. But the sharply rising popularity of Linux has meant “the potential opportunity and rewards for criminals has also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux based systems accordingly.”
So there are two problems here.  The XOR botnet (the botnet they reference) compromised systems by brute-forcing weak SSH passwords.  This is not a problem with the Linux kernel.  This is a problem with poor security practices.  If you have a weak Administrator password on a Windows machine exposed to the Internet, and someone RDPs into it, that is not Windows' fault.  That is your fault.
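Brute-forcing weak SSH passwords leaves a very visible trace in sshd's auth log, which is exactly the kind of indicator a security person should be watching for.  As an added example (not from this post or from the Washington Post article), here is a small detector over constructed sshd log lines: it flags a source that racks up password failures in a short window and escalates when that same source then gets in with a password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines (not from any real host). Source 10.0.0.5 fails
# five times in a few seconds and then gets in with a password: a brute force
# against a weak password. 192.168.1.20 is a normal user with a key.
SAMPLE_AUTH_LOG = """\
Nov  9 10:00:01 web1 sshd[2001]: Failed password for root from 10.0.0.5 port 50110 ssh2
Nov  9 10:00:02 web1 sshd[2002]: Failed password for root from 10.0.0.5 port 50111 ssh2
Nov  9 10:00:03 web1 sshd[2003]: Failed password for invalid user admin from 10.0.0.5 port 50112 ssh2
Nov  9 10:00:04 web1 sshd[2004]: Failed password for root from 10.0.0.5 port 50113 ssh2
Nov  9 10:00:05 web1 sshd[2005]: Failed password for root from 10.0.0.5 port 50114 ssh2
Nov  9 10:00:06 web1 sshd[2006]: Accepted password for root from 10.0.0.5 port 50115 ssh2
Nov  9 10:05:00 web1 sshd[2010]: Failed password for alice from 192.168.1.20 port 40000 ssh2
Nov  9 10:05:30 web1 sshd[2011]: Accepted publickey for alice from 192.168.1.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)

def parse(log_text, year=2015):
    """Turn sshd auth lines into (time, result, method, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Return {ip: verdict}: 'bruteforce' once a source hits threshold password
    failures inside window_s seconds, 'likely_compromise' if it then gets in."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    verdicts = {}
    for ts, result, method, _user, ip in sorted(events):
        if method != "password":  # key-based logins are not part of this pattern
            continue
        if result == "Failed":
            recent[ip].append(ts)
            while (ts - recent[ip][0]).total_seconds() > window_s:
                recent[ip].popleft()
            if len(recent[ip]) >= threshold:
                verdicts.setdefault(ip, "bruteforce")
        elif verdicts.get(ip) == "bruteforce":
            verdicts[ip] = "likely_compromise"   # the alert worth acting on
    return verdicts
```

The "likely_compromise" verdict is the one that matters: an IDS that raises it is only useful if someone reads it and responds, which is the point of the earlier IDS example.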

The second issue I have with this is the second paragraph.  They are basically saying security through obscurity is no security at all.  That is not a Linux kernel problem.  Linux is not more secure than Windows because it is not Windows.

One last quote:
The problem, as critics pointed out, was that these protections [SELinux] relied on building walls around the operating system that, however high or thick, could not possibly stop all comers. Those who penetrated gained control of the Linux kernel itself, meaning the hackers could make a compromised computer do anything they wanted — even if every other piece of software on the machine was flawlessly protected. According to veteran security engineer Kees Cook, this made the Linux kernel “the ultimate attack surface.”
I do not believe you will always stop a determined attacker.  Your "high and thick" walls should force the attacker to make moves that let a security person watching the indicators see that something is up and act on it.  Get rid of the low-hanging fruit and make the attacker work for the fruit at the top of the tree.

In the end, I think that whatever environment you build, you need to take security into consideration and figure out how much risk you are willing to accept.

What do you think?  I would like to hear your thoughts on this discussion.  Thanks for reading!
