Tell of Linux Desktop Security

Tell of Linux Desktop Security

I made a tweet claiming that Linux is late on safety mitigations. This put up is to outline mitigations added to platforms equivalent to Windows, MacOS, and even ChromeOS which bear yet to peep the sunshine of day on the linux desktop.

(Btw, Andrew Kelley is my hero!)

Linux distros are late on imposing contemporary binary exploit mitigations. The last item Linux userspace has carried out is ASLR/PIE and stack canaries: this hasen’t modified for years. Windows and MacOS implement signature checking on all binaries. glibc’s allocator is worn in comparison with LLVM’s Scudo allocator, which mitigates employ-after-frees and heap overflows.

Windows signs heap pages to make certain they’re immutable, as successfully as to hardware-enforced retain watch over slide alongside with the circulation protection. Standard iOS does this too. Windows also implemented one thing tantalizing called a shadow stack, which stores return addresses in a secret, seperate stack from native variables. Here is each faster and extra true than stack cookies.

Linux distros manufacture no longer bear any principle of sandboxing, or any fundamental software safety mannequin. Any app running below Xorg can look the contents of any other app runing below Xorg. Flatpack and snap are each safety nightmares, basically wrong and poorly implemented. The single factual sandoxing API offered by the Linux kernel is seccomp-bpf, and the one program that makes employ of it’s a ways Google Chrome/Chromium. To overview, ChromeOS requires each service to bear its possess seccomp filter.

Additionally a friendly reminder that Debian is repeatedly late on CVEs, and I’m sure that most distros manufacture no longer fare any better.

Inspiration

Daniel Micay’s stance on Linux Desktop Security

I’m factual a student entertaining about safety, if any of the above info is depraved I will like to swap it!

Read More

Share your love