Date: Mon, 5 Oct 2020 19:30:22 -0400
From: Eli Schwartz <eschwartz@...hlinux.org>
To: oss-security@...ts.openwall.com
Subject: Re: major changes if gnu/linux dominates the desktop and/or mobile market?

On 10/5/20 8:02 AM, Georgi Guninski wrote:
> Disclaimer: I am not watching the security theatre closely,
> so this is likely trivial.
> 
> Are there major security changes needed if
> gnu/linux dominates the desktop and/or mobile phone
> markets?
> 
> Remarks:
> 1. there was android malware on google play

There was malware everywhere, no software source AFAIK has ever been
fully immune. Some are rarer than others.

Linux desktop distributions have one advantage in that they are
*curated* by a small handful of trusted individuals, who collect popular
programs, vet them, and provide trusted binaries. We know exactly what
source code goes into distro packages, we can audit this source code and
check PGP signatures from upstream authors, and due to
https://reproducible-builds.org/ we can double-check the supply chain
and verify the maintainer didn't go rogue and fiddle with the source
code before releasing packages, or their compiler wasn't backdoored.

Your chances of installing outright malware are pretty low on GNU/Linux
desktop systems, or on mobile if those desktop systems spread to the
mobile market. Assuming you stick with official, vetted software
sources. Once you start downloading random github binaries, or
snaps/flatpaks, or `npm install theworld`, you've devolved to the level
of smartphone appstores where it is mostly just automated analysis of
millions of user submissions, and malware can easily slip by.

Even on desktop systems with vetted supply chains, you have more to
worry about than merely malware. Any software that random users can
interact with e.g. over the network can have vulnerabilities, which is
arguably what most of the interesting security issues are about. No
vetting can save you from that. On the other hand, avoiding GNU/Linux
won't save you from that either -- all software suffers from this,
Windows has *many* problems with this too. So I don't believe there are
going to be any major changes here. Locking down systems vulnerable to
external input that triggers bugs, finding those bugs and fixing them,
preventing them from causing too much damage, is and has been a problem
on every OS.

> 2. ad-free and free as in beer android games are hard to find for us

I'm not sure what this has to do with security???

> 3. we are pissed off by browsers accessing the microphone
> or camera (seen in the wild)

Nominally speaking, on smartphones this should be stopped by permission
models, unless of course people impatiently click to permit everything.

Desktop browsers have their own permission dialogs for this.

Generic desktop programs designed for accessing your camera still kind
of assume the only permission they need is the trust you provide by
installing and running the program. Vetted linux distro repositories
make it unlikely these programs are intentionally spying on you,
especially when you choose when to start them.

> 4. reading $HOME might reveal more interesting stuff than
> root reading /etc/ (on debian 10 /home/loser is 755 and the
> default umask is 0022)

And reading C:\Users might reveal more interesting stuff than
HKEY_LOCAL_MACHINE; individual android app settings or your downloads
folder might reveal more interesting stuff than defeating Samsung Knox.

This has always been the case, and always will be. It's still
advantageous to prevent compromising the entire OS, because that
prevents malware from hiding its activities, installing more malware
that persists across reboots, or spreading its reach to other programs.

But, of course you need to protect yourself from malware running as the
local user too. Vet the sources of your software, or let a distro team
do the vetting for you, and most issues will be completely avoided.
Don't visit shady sites in your browser, use tools like
https://noscript.net/ to prevent completely untrusted and usually
suspicious executable code running in your browser (otherwise known as
javascript). These are things you could do on any OS.

...

There are explorations in sandboxing and confining expected-trusted
programs to prevent vulnerabilities from being usable by attackers, and
this may take the form of seccomp, bubblewrap, etc.

flatpak tries to provide a GUI appstore for popular applications in
sandboxes, with permission models for allowing resources into the
sandbox, e.g. XDG Desktop Portal to broker access to files from the host
system through a trusted agent.

Though my understanding is in order to be (conveniently?) usable,
programs end up in practice needing to be granted access to the entire
host filesystem and therefore aren't really isolated after all. Not
entirely dissimilar to the situation on smartphones ;) where every
application's manifest tries to grab every permission it can, and
declares most of them as so vital the program won't even run without
those permissions.

Apparently both giving power to the user *and* preventing software from
running rogue is indeed hard.

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
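Added example (not part of the message above) illustrating point 4: the quoted Debian 10 defaults (a 755 home directory and a 0022 umask) leave a user's files readable by every other local account, while 750 plus umask 0077 do not. It constructs a throwaway home tree under a temp directory and assumes GNU coreutils `stat`.

```shell
#!/bin/sh
# Added example, not from the original post. Shows the effect of the
# home-directory mode and umask defaults quoted above, and a check
# an admin can run over /home to find world-accessible home directories.

# Octal mode of a path (GNU stat; BSD/macOS would need `stat -f %Lp`).
mode_of() {
    stat -c '%a' "$1"
}

# Create an empty file the way a shell with the given umask would,
# and print the resulting mode. $1 = umask, $2 = path.
create_with_umask() {
    ( umask "$1" && : > "$2" )
    mode_of "$2"
}

# Print "<mode> <dir>" for every directory under $1 whose "other"
# digit is non-zero, i.e. that grants some access to all local users.
world_accessible_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        m=$(mode_of "$d")
        other=${m#"${m%?}"}          # last octal digit = permissions for "other"
        if [ "$other" != 0 ]; then
            printf '%s %s\n' "$m" "$d"
        fi
    done
    return 0
}

# Constructed demo tree: one home with the Debian 10 defaults described
# in the post, one with the hardened settings.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 755 "$tmp/loser"     # default: anyone may list and traverse
    mkdir -m 750 "$tmp/careful"   # hardened: owner and group only
    create_with_umask 0022 "$tmp/loser/notes.txt" >/dev/null    # file becomes 644
    create_with_umask 0077 "$tmp/careful/notes.txt" >/dev/null  # file becomes 600
    world_accessible_homes "$tmp"  # reports only the 755 directory
    rm -rf "$tmp"
}

demo
```

Running `world_accessible_homes /home` on a real system lists the accounts whose home directories still carry the permissive default; `chmod 750` on those directories is the fix the example's second case models.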
