Linked by Igor Ljubuncic on Mon 21st Jun 2010 09:35 UTC
Privacy, Security, Encryption I've bored the readers of my personal website to death with two rather prosaic articles debating the Linux security model, in direct relation to Windows and associated claims of wondrous infections and lacks thereof. However, I haven't yet discussed even a single program that you can use on your Linux machine to gauge your security. For my inaugural article for OSNews, I'll leave the conceptual stuff behind, and focus on specific vectors of security, within the world of reason and moderation that I've created and show you how you can bolster a healthy strategy with some tactical polish, namely software.
Thread beginning with comment 430890
Don't need anti-virus?
by Timmmm on Mon 21st Jun 2010 13:46 UTC
Timmmm
Member since:
2006-07-25

While I agree that anti-virus is pretty pointless on Linux, and even detrimental on Windows, I think your reasons are nearly all flawed.

1. User account stops viruses getting root

This is largely moot. Viruses aren't really interested in gaining root access. They can do nearly anything as the user anyway - key-logging, sending spam, DDoS, and so on. Besides, once you have access to a user's account it is trivial to gain root - just change their path to point to a fake 'sudo' program which logs their password.

2. System updates provide security fixes for all software.

Ok this is a fair point.

3. Software is obtained from trusted repository

This is true up to a point. I'd bet most Linux users install stuff from outside the repositories, and besides we've already seen examples of mirrors, and even source code, being maliciously modified.

4. By default files aren't executable

This is just silly. Most viruses work either by buffer overflow type exploits, or by tricking the user into running a program. File permissions aren't going to help in either case. By the way, you can easily execute non-'executable' binaries like this:

/lib/ld-linux-x86-64.so.2 ./a_file

5. Diversity

This is true. Although I'd wager Ubuntu is becoming popular enough to count as a single target.

6. People will see vulnerabilities in open-source code.

Well evidently not, otherwise there wouldn't be any need for security updates. See also the Underhanded C Contest: http://underhanded.xcott.com/

7. Linux users are more skillful.

True, I suppose.

The real reason you don't need anti-virus on Linux is because there are a very, very small number of Linux viruses. And that is almost certainly due to the fact that it has a 1% market share (and probably the diversity and skill factors to some extent).

Reply Score: 4

RE: Don't need anti-virus?
by fewt on Mon 21st Jun 2010 14:40 in reply to "Don't need anti-virus?"
fewt Member since:
2010-06-09


7. Linux users are more skillful.

True, I suppose.


This is no longer true. The stated goal of Ubuntu is to build a consumer distribution, and it is being sold by Linux zealots that non-skilled users are safe using it.

This has opened a wide vector for attack.

Reply Parent Score: 1

RE: Don't need anti-virus?
by wirespot on Mon 21st Jun 2010 15:43 in reply to "Don't need anti-virus?"
wirespot Member since:
2006-06-21

Viruses aren't really interested in gaining root access. They can do nearly anything as the user anyway - key-logging, sending spam, DDoS, and so on.


Note: don't call them viruses, call them worms. Viruses are a different beast (they don't use networking as a vector).

Second, it's not that easy. As an unprivileged user you can NOT snoop on other users or open ports under 1024 (which is where most legitimate servers like to reside). But yes, you have network access, so spam and DoS are valid points.

Besides once you have access to a user's account it is trivial to gain root - just change their path to point to a fake 'sudo' program which logs their password.


It's NOT trivial to gain root, if it was trivial the whole UNIX security would be worthless. The particular method you described is not really practical.

I think you mean social engineering -- tricking the user with a sudo window. Which can work (if the user doesn't bother to think why there's a sudo window all of a sudden).

But the point is moot. If there's malicious stuff running on your machine you're pretty much screwed. This is the 1st major vector of computer security: remote break-ins without user intervention. This is a very important thing and THIS is why Linux is more secure than Windows: on Linux, everybody makes every effort so that the break-in doesn't happen. On Windows they let it happen and deal with it afterwards.

I'd bet most Linux users install stuff from outside the repositories, and besides we've already seen examples of mirrors, and even source code, being maliciously modified.


Granted, the dependence of the repositories is a weak link. But the repositories are distributed and closely watched by many people. I'd say they do a much better job than, say, Apple does with the AppStore. Not to mention they have the source code too.

As for installing stuff from other sources... this is the 2nd big vector: users bringing malware in themselves. And there's not much anybody can do about it. Unless the user understands not to install stuff from unofficial sources, all bets are off.

BTW, a Linux distro can easily close 99% of this vector by only allowing certain repositories and disallowing direct installation of package files (deb, rpm etc.) But it's not practical.

Most viruses work either by buffer overflow type exploits, or by tricking the user into running a program. File permissions aren't going to help in either case. By the way, you can easily execute non-'executable' binaries like this:

/lib/ld-linux-x86-64.so.2 ./a_file


For that to happen you need to already be able to run code. If you managed that you don't need that trick. On the rest, you're right.

But let me point out that when you're trying to trick someone into running malware, it's one thing if all it takes is to double-click (a universal action used for everything) or if you need to go into file properties and change some stuff. You have to admit that executable status in metadata is better than executable status as part of the file name.

Although I'd wager Ubuntu is becoming popular enough to count as a single target.

The real reason you don't need anti-virus on Linux is because there are a very, very small number of Linux viruses. And that is almost certainly due to the fact that it has a 1% market share (and probably the diversity and skill factors to some extent).


That point of view is wrong.

Some people like to say that once a platform is more popular there's more (or more motivated) people attacking it so chances for break-in increase. That's bull. Remember that most of the servers of the world run some form of UNIX or Linux and that has NOT made them more vulnerable. There's no direct link between popularity and security.

There is an indirect one. Some of the installations are old and not updated. If you have lots and lots of installations, statistically the chances increase for running into an old one. It's a numbers' game. No relation to actual security.

The reason there is so much Windows malware is because it's easy for it to exist: lots of vulnerabilities, bad underlying security models (fixed with Windows 7, hopefully), unpatched machines, many propagation vectors. There's next to none for Linux because vulnerabilities get patched fast, almost all installations update by default and propagation vectors are few.

Well evidently not, otherwise there wouldn't be any need for security updates.


Not sure how you mean that. Since there are security updates, obviously somebody DID see the vulnerability (and fixed it). Ok, they didn't see it the first time, but second time is better than never. Between a platform with 1000 vulnerabilities which has updates for all 1000 and a platform with 2 vulnerabilities which leaves 1 open, I'll take the first.

Linux users are more skillful.

True, I suppose.


Don't count on it. Educating users will not work in the long run. Most users are not skilled enough, and security is a highly skilled game.

The most you can teach them is not to install software from anywhere else but the official distros. The rest of the security job needs to be done by the OS and software with no user intervention.

Which will always leave social engineering as a backdoor. But that's valid anywhere.

Edited 2010-06-21 15:53 UTC

Reply Parent Score: 7

RE[2]: Don't need anti-virus?
by fewt on Mon 21st Jun 2010 15:50 in reply to "RE: Don't need anti-virus?"
fewt Member since:
2010-06-09

It's NOT trivial to gain root, if it was trivial the whole UNIX security would be worthless. The particular method you described is not really practical.

I think you mean social engineering -- tricking the user with a sudo window. Which can work (if the user doesn't bother to think why there's a sudo window all of a sudden).


echo alias sudo='sudo do bad stuff >/dev/null 2>&1;sudo' >>~/.bashrc

I agree with pretty much everything else you said though. Malicious people that want in don't necessarily need in "right now", they wait patiently for it.

Edited 2010-06-21 15:54 UTC

Reply Parent Score: 1

RE: Don't need anti-virus?
by ssokolow on Mon 21st Jun 2010 15:44 in reply to "Don't need anti-virus?"
ssokolow Member since:
2010-01-21

You guys forget that security features don't exist in a vacuum and I'm not sure you realize how much Linux does to mitigate the user being the weak link.

4. By default files aren't executable

In combination with things like a lack of embedded program icons, not hiding file extensions and, for Nautilus users, extension-header mismatch warnings, this works to prevent "Cool picture!.jpg.exe"-style exploits.

I vaguely remember the devs recognizing a hole in this protection relating to .desktop files about a year ago and rushing to close it.

5. Diversity

Ubuntu may be approaching "single-target" popularity, but I suspect the presence of Kubuntu, Xubuntu, and Lubuntu will prevent it from ever having that problem as badly as Windows or MacOS could.

6. People will see vulnerabilities in open-source code.

While this is somewhat optimistic, open-source does have a deterrent effect on bundled malware and, more importantly, it means that features like stack-smashing protection, NX-bit buffer overflow security (A.K.A. Hardware DEP), and the like can be easily phased in by adding the userspace changes to the compiler.

For example, on Windows, last I checked, Hardware DEP was still an opt-in thing in the default configuration to ensure backwards-compatibility with older software. On 64-bit Linux (and 32-bit distros which don't need to ensure no on-boot freezes on Pentium Pro), GCC has been appropriately setting the DEP opt-out flag in ELF headers for years. (nested functions, JIT compilers, and so on require the ability to dynamically build code and then execute it)

Here are some of the other things I didn't see mentioned:

1. Linux vendors have a better track record than Microsoft for patching vulnerabilities quickly. (Is Microsoft still equating their confirmed exploits to Linux potential vulnerabilities and ignoring the Security/Crash/Bug/Annoyance flags to pad the numbers? I know they used to do that)

2. Without root access, malicious programs can't remove themselves from the list of running, killable processes, interfere with syslog, etc. Last I checked, Windows was still struggling to virtualize all the admin-level access that older programs expected to have.

3. On Linux, because privilege separation was around from the start, the number of escalation dialogs users see is significantly smaller than on Windows (partly because of the batching of package installs) so users are less likely to get in the habit of just clicking OK without reading them.

Also, the presence of user accounts from the beginning means families which give different people different accounts are less likely to run into rough edges or to end up depending on apps which implement their own user profile systems. (Which means that you can have users who don't know any better (eg. kids) but don't have the admin password or access to mommy and daddy's files)

4. Linux media players aren't vulnerable to the "Use Windows Media Player and get tricked into visiting a malicious DRM auth site" vulnerabilities I see every now and then. Any automatically-offered codecs come from the same signed repository farm as the OS.

5. Linux provides many APIs for implementing drivers in userspace (libusb, CUPS, FUSE, CUSE, etc.) minimizing the amount of potentially vulnerable code that runs in kernel space. (Especially important since, video aside, the main remaining things which don't use a standard OS-bundled driver seem to be USB doodads and printers)

6. Linux provides no hooks for programs to steal file associations, which removes the need for 90% of those buggy, tray-resident "agents". (Especially when combined with the general preference for minimizing wheel-reinvention (outside the world of Linux audio))

Reply Parent Score: 3
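The "Cool picture!.jpg.exe" defence described in point 4 above (visible extensions plus a warning when the extension and the file's real header disagree) can be illustrated with a small checker. This is an added example, not code from the thread or from Nautilus; the magic-byte table and extension map are constructed, deliberately tiny subsets, and the file names and byte strings are constructed sample input.

```python
import os

# Constructed magic-byte table (assumption: a tiny subset, not a real file-manager database).
MAGIC_SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"MZ", "application/x-dosexec"),          # PE / DOS executable
    (b"\x7fELF", "application/x-executable"),  # ELF binary
    (b"#!", "text/x-script"),                  # shebang script
]

# Constructed extension map (assumption: likewise a subset).
EXTENSION_TYPES = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".exe": "application/x-dosexec", ".sh": "text/x-script",
}

EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-executable", "text/x-script"}


def sniff_type(data: bytes) -> str:
    """Type according to the file's leading bytes, independent of its name."""
    for magic, mime in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def claimed_type(name: str) -> str:
    """Type the last extension claims the file to be."""
    ext = os.path.splitext(name)[1].lower()
    return EXTENSION_TYPES.get(ext, "application/octet-stream")


def displayed_name(name: str, hide_known_extensions: bool) -> str:
    """Name as a file manager shows it; hiding known extensions is the behaviour the post warns about."""
    root, ext = os.path.splitext(name)
    if hide_known_extensions and ext.lower() in EXTENSION_TYPES:
        return root
    return name


def warnings_for(name: str, data: bytes) -> list:
    """Warnings a file manager could raise before offering to open the file."""
    warnings = []
    actual = sniff_type(data)
    claimed = claimed_type(name)
    # Extension/header mismatch: the name promises one type, the bytes are another.
    if claimed != actual:
        warnings.append(f"extension says {claimed} but content is {actual}")
    # Double extension: an inner, harmless-looking extension in front of a real executable.
    root, _ = os.path.splitext(name)
    inner = os.path.splitext(root)[1].lower()
    inner_type = EXTENSION_TYPES.get(inner)
    if inner_type is not None and inner_type not in EXECUTABLE_TYPES and actual in EXECUTABLE_TYPES:
        warnings.append(f"double extension {inner!r} hides an executable")
    return warnings


if __name__ == "__main__":
    # Constructed sample files: a real JPEG header and a PE header under misleading names.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(16),
        "Cool picture!.jpg": b"MZ\x90\x00" + bytes(16),
        "Cool picture!.jpg.exe": b"MZ\x90\x00" + bytes(16),
    }
    for name, data in samples.items():
        shown = displayed_name(name, hide_known_extensions=True)
        print(f"{name!r} (shown as {shown!r}): {warnings_for(name, data) or 'ok'}")
```

Hiding known extensions turns "Cool picture!.jpg.exe" into "Cool picture!.jpg" on screen, which is exactly why the double-extension check has to look at the full name and the bytes rather than at what the user sees.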
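The "DEP opt-out flag in ELF headers" mentioned in point 6 above is the PT_GNU_STACK program header: the toolchain emits it with read/write flags for a non-executable stack, and only adds the execute bit when something in the binary needs an executable stack. The checker below reads that header directly so you can audit binaries on a system. It is an added example, not code from the thread or from GCC/binutils; the build_elf64 helper produces a constructed, non-runnable ELF image purely as sample input, and the one-line verdict strings are this example's own wording.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type emitted by GNU toolchains
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def program_headers(data: bytes) -> list:
    """Return [(p_type, p_flags), ...] for an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 2:                             # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_offset = 4                          # Elf64_Phdr: p_flags directly follows p_type
    elif ei_class == 1:                           # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_offset = 24                         # Elf32_Phdr: p_flags after five 32-bit fields
    else:
        raise ValueError("unknown ELF class")
    headers = []
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, base)
        (p_flags,) = struct.unpack_from(end + "I", data, base + flags_offset)
        headers.append((p_type, p_flags))
    return headers


def gnu_stack_flags(data: bytes):
    """p_flags of the PT_GNU_STACK header, or None when the binary has none."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_verdict(data: bytes) -> str:
    flags = gnu_stack_flags(data)
    if flags is None:
        # No marker at all: the loader applies its own default, historically an executable stack on x86.
        return "no PT_GNU_STACK"
    return "executable stack" if flags & PF_X else "non-executable stack"


def build_elf64(stack_flags=None) -> bytes:
    """Constructed minimal little-endian ELF64 image (sample input only; it holds no code and cannot run)."""
    phnum = 0 if stack_flags is None else 1
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class 64, little-endian, version 1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1, 0,              # e_type=EXEC, e_machine=x86-64, e_version, e_entry
        64 if phnum else 0, 0, 0, # e_phoff (right after the 64-byte header), e_shoff, e_flags
        64, 56, phnum,            # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                 # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16) if phnum else b""
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python3 gnu_stack_check.py /path/to/binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, stack_verdict(f.read()))
```

On a real system, `readelf -l <binary> | grep GNU_STACK` shows the same header; a line with flags `RWE` is the exception worth investigating, because it is the opt-out the post describes. The per-binary flag only matters when the kernel and CPU actually enforce NX, which is why the post couples it with hardware DEP.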

RE: Don't need anti-virus?
by lemur2 on Wed 23rd Jun 2010 04:27 in reply to "Don't need anti-virus?"
lemur2 Member since:
2007-02-17

This is true up to a point. I'd bet most linux users install stuff from outside the repositories, and besides we've already seen examples of mirrors, and even source code being maliciously modified.


Correction: We have seen a few examples of mirrors where someone hacked into a machine, but no distributed software was altered because of that. Just lately, we saw one example of an obscure source code tarball being replaced on some mirrors by a trojaned version. Fortunately this affected the repositories of only two known distributions, Arch and Gentoo, both of which are minor distributions.

It is unlikely that as many as a dozen systems were ever infected by any of this activity.

BTW: I personally install very little software from outside the repositories. Why would I? Debian repositories contain over 25,000 packages. There is very little outside that you would actually need.

If we are going to try to scope the problem, let's try to keep it real. Compare this real-world scope for malware infection of Linux systems to the estimated 50% of Windows machines that are infected (perhaps 200 million machines or more) ... that gives it some perspective.

Reply Parent Score: 2

RE: Don't need anti-virus?
by djannie on Fri 25th Jun 2010 14:07 in reply to "Don't need anti-virus?"
djannie Member since:
2010-06-25

Personally I think Linux is much more secure than Windows, and it is more reliable than Windows. However, all distros run as servers will have anti-virus software set up to increase the protection.

The following link shows The Most Reliable Hosting in May/2010:
http://news.netcraft.com/archives/2010/06/08/most-reliable-hosting-...

Reply Parent Score: 1