Why Linux is more secure than Windows
By Jeff Silverman
The recent security breaches at Target and Neiman-Marcus have
prompted a lot of discussion among computer experts and computer
expert wannabes about the relative security of Windows and
Linux. I am writing this essay to straighten the record.
- Windows users can install system software unless the system
administrator locks down the account; Linux users cannot install
system software unless they either know the root password or
have access using sudo.
How often have you come to a website where the site downloads
some software which you then install on a system-wide
basis? This happens all of the time in the Windows
environment. By way of contrast, in the Linux environment,
you have to save the software and then become root to install
it. Or sometimes you can install it under your own account,
which means you can wipe out your own data, but not the rest of
the system. Critical services, such as the web server, run
under their own accounts, which ordinary users can't touch.
Exception: there are several privilege escalation exploits in
which a process executing on a Linux machine can escalate to root
privileges. See for example, scip. This
is a bug in the kernel. Notice that the bug was fixed in three
days. How would a remote attacker exploit such a
bug? Generally, it can be done through sloppy software
written in PHP, although there are other attack vectors.
Lesson learned: any system can be exploited if you have bad
- Linux can be installed in a Read Only Memory (ROM).
Linux has a disciplined separation of software, configuration
settings, and variable data. Windows does not. In
Linux, software goes in /bin, /sbin, /usr/bin, /usr/sbin,
/usr/local/bin, or /usr/local/sbin. Configuration data,
which changes rarely and need not change once the system is
deployed, goes in /etc. Variable data goes in /var.
It is easy to put the root file system / on a ROM and create a
mount point /var. That mount point is then mounted from a
file system on a solid state disk (SSD) and can hold read/write
data (/tmp can be symlinked to /var/tmp). Once the OS and
the applications are stored in ROM, they are immutable: an
attacker can theoretically get some software into RAM or onto the
SSD, but they cannot change the software in ROM.
Period. By way of contrast, Windows has everything all
mixed up. Case in point: the registry, which has to be on
a writable file system. If you have an application, it
typically goes in a directory under C:\Windows and stores both
the application software and application-specific data in the
same directory, so it can't be saved in a ROM.
Where the software-in-ROM approach falls down is a phenomenon
called the Internet of Things. Suppose a security
vulnerability is found in software in ROM. Then a
technician has to go to each device with the vulnerability and
change the ROM. That's an expensive proposition.
There are lots (hundreds of millions) of devices that have been
installed with software in ROM, that have known vulnerabilities,
that have not been updated. This is an ongoing problem for
the entire internet industry.
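As an added example (not from the original essay), the following POSIX shell check verifies the layout described above, a read-only root with a writable /var, against a mount table in /proc/mounts format. The mount table is a constructed sample; the function and helper names are my own.

```shell
#!/bin/sh
# Verify the "software in ROM" layout: / mounted read-only, /var mounted read-write.
# Input is text in /proc/mounts format: device mountpoint fstype options dump pass.

# Constructed sample mount table (not captured from a real device).
SAMPLE_MOUNTS=$(cat <<'EOF'
/dev/mtdblock0 / squashfs ro,relatime 0 0
/dev/sda1 /var ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
EOF
)

# mount_opts MOUNTS_TEXT MOUNTPOINT -> prints the option field of that mount, or nothing.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_opt OPTIONS OPT -> status 0 if OPT appears in the comma-separated OPTIONS list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# check_layout MOUNTS_TEXT -> status 0 if / is ro and /var is a separate rw mount, else 1.
check_layout() {
    root_opts=$(mount_opts "$1" /)
    var_opts=$(mount_opts "$1" /var)
    if [ -z "$root_opts" ] || ! has_opt "$root_opts" ro; then
        echo "FAIL: / is not mounted read-only (options: ${root_opts:-none})"
        return 1
    fi
    if [ -z "$var_opts" ] || ! has_opt "$var_opts" rw; then
        echo "FAIL: /var is not a separate read-write mount (options: ${var_opts:-none})"
        return 1
    fi
    echo "OK: / is read-only, /var is read-write"
    return 0
}

check_layout "$SAMPLE_MOUNTS"
```

On a live system, replace the constructed sample with `$(cat /proc/mounts)`.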
- The Windows registry.
The registry is a gigantic store of state information for a
Windows machine. Because applications manipulate it, it
cannot be protected against the applications by the operating
system. When you edit the registry with the regedt32.exe
program, there are all kinds of warnings to be careful, lest the
system be left in an unbootable state. By way of contrast,
there is only one configuration file that you would ever modify
on a Linux machine that would make the machine unbootable if you
corrupted it: /etc/inittab, and you rarely modify it. Each
Linux application that needs configuring on a system-wide basis
has either a configuration file in /etc or a subdirectory
under /etc. By having a nice, clean separation of
configuration, it is possible to modify the configuration of one
application without messing up some other application.
The National Security Agency (NSA) wanted to build a more secure
operating system. They needed the source code to the
entire operating system. The NSA went to Microsoft, and
our friends in Redmond laughed at them and then politely said
"no". They went to the Linux people, and the response was
"You don't need our permission - take it for free. You can
get it at http://kernel.org/. By the way, if you need any
help, just ask and we will help you for free. All we ask
is that if you change the source code, you give back the
changes". The NSA agreed. They created SELinux,
which is just like regular Linux but it has been hardened with
stricter resource controls. Then, they gave it away, for
free. So, if you have an application where security is
important, like a Point of Sale terminal, you can install
SELinux. It is a little more work, but security is worth
it. If somebody were to get an application installed in
RAM, as I postulated above, SELinux would detect that and forbid
that application from accessing any resources.
- Ease of upgrades
Both Windows and modern distributions of Linux have a mechanism
for automatically updating software. One difference is
that when you update your Windows machine, you frequently have
to reboot the operating system, sometimes more than once per
upgrade. By way of contrast, with Linux you rarely have to
reboot the operating system, and then only once. One of
the consequences of this is that some Linux servers have
operated continuously for over three years, and uptime of 700
days or more is fairly common. No Windows administrator in
his or her right mind would let a server stay up that
long. Furthermore, Windows has one mechanism for upgrading
Microsoft's software and many mechanisms for upgrading the
applications. By way of contrast, since most Linux
software is open source, the distributions send out updates
whenever they happen, using the same mechanism as for operating
system updates. You decide how frequently you want to
check the distributions for updates.
- Eat your own dogfood
Microsoft is a corporation full of very smart people.
Syria is a country which is too stupid to hold free and honest
elections - they have a civil war instead. And yet we have
things like this
Now, it is quite possible that the Syrian Electronic Army is
actually somebody else (Personally, I think they are a bunch of
Yeshivah boys who want to have some kosher fun, and there is
nothing in the halacha about hacking into somebody else's
computer system). But it doesn't matter who is behind it -
Microsoft seems to have more than their fair share of security
problems with their own systems.
Windows is an okay general purpose operating system. Its
success on the desktop cannot be denied. Of course, the
reason why it is successful is because it is successful, not
because of any intrinsic technical superiority. Windows
costs more, is less efficient, and Windows denies the users some
critical choices. Linux is free, is very efficient, and has
a bewildering number of choices (Sometimes, I think that the vast
number of choices is one of the things that holds Linux
back). However, Windows is the de facto
standard. For embedded systems, such as point of sale
terminals, it does not make sense to use a general purpose
operating system. It makes sense to use an operating system
that is either designed to be an embedded system or else an
operating system specially modified for such a secure
application. People who advocate using a general purpose
operating system, such as Windows, for a sensitive application
clearly do not understand the spectrum of design possibilities
and the consequences of their design decisions.
If anybody wants to argue these points, feel free to contact me
at jeffsilverman at gmail dot c0m.