[Full-Disclosure] iDEFENSE: Security Whitepaper on Trusted Computing Platforms

From: Richard Johnson (thief_at_bugtraq.org)
Date: 05/10/04

    To: full-disclosure@lists.netsys.com
    Date: Mon, 10 May 2004 09:42:44 -0400
    
    
    

    iDEFENSE: The Power of Intelligence : Current Intelligence Report
    iSecurity Brief 05.10.04: Why OpenBSD is more secure than Linux
    Author: Richard Johnson, the DataThief

    Introduction
    Well my mother just finished knitting me a new pair of asbestos
    booties so I thought it was high time I try them out. Set phasers to
    "flame". Please read the entire article before using them. Just
    remember, I could have copped out by making the title something like
    "Will Linux ever be as secure as OpenBSD?" or even "Which is more
    secure, Linux or OpenBSD?". But I didn't. As well you should check out
    the LASG/LSKB if you haven't already. I also know about ImmunixOS from
    WireX and the NSA's SELinux (go read last week's column!).

    The code

    Let's face it, Linux is a great OS, I have more than a few machines
    running it, but due to a number of factors it's never going to be as
    secure as OpenBSD (which I also have running on several machines). But
    Linux will never be as secure as OpenBSD, for technical, political and
    marketing reasons. One of the most obvious differences between Linux
    and OpenBSD (assuming you look under the hood a bit) is the fact that
    OpenBSD has done an extensive code audit. The OpenBSD team has
    literally spent dozens of man years of effort auditing code, not only
    for security but for general correctness. Even the man pages for
    OpenBSD are clean and consistent. This is a very proactive form of
    security, OpenBSD fixes many problems before they become security
    issues. No such form of extensive code audit exists in the Linux
    world, and likely never will. Most vendors I have spoken with
    typically have a small security team of less than a half dozen people
    (usually much less). Even ignoring the fact that Linux vendors ship
    many more packages as standard than OpenBSD (which tends to rely on
    the ports collection for add on software) the basic components that
    both Linux and OpenBSD have (kernel, command shells, system utilities,
    etc.) are quite large, several hundred megabytes of source code in
    total. There simply are not enough competent Linux programmers to do a
    security audit on this code, let alone every vendor hiring enough
    people to fix their own versions/etc. Even when vendors do do code
    audits they typically face a problem, many programmers maintaining
    software are indifferent, or even hostile to people sending them
    security fixes, so it is very common for the original software to be
    insecure, and the vendor must maintain their own patch set. This
    problem affects OpenBSD far less as they maintain their own code base
    now, and it has significantly diverged in many areas (ssh and OpenSSH
    being a prime example). Even if Linux vendors want to audit all their
    code there aren't enough Linux programmers capable of doing this. This
    means that Linux vendors are essentially doomed to reacting to
    security problems, applying patches and shipping out fixed versions of
    software, leaving users open to vulnerabilities for hours, days or
    even weeks in some cases.

    This is far more important than it sounds, even with additional
    security products such as PitBull there may be ways for an attacker to
    exploit some bug in the kernel that allows them to bypass add-on
    security, this happened with PitBull for Solaris, PitBull was fine,
    the Solaris kernel was not. Generally speaking add on security
    products cannot completely protect the system, for example unless a
    firewall product replaces the TCP-IP stack of an OS any problems in
    the TCP-IP stack will still be exploitable.

    Cryptographic software

    This is an area where OpenBSD trounces Linux. OpenBSD not only ships
    OpenSSL, OpenSSH, IPSec, and several other cryptographic software
    packages, but they have actually been largely responsible for OpenSSH,
    which is an incredibly important piece of software now. While many
    Linux vendors do ship OpenSSL and OpenSSH there are several that do
    not (Caldera being a notable example). However no major Linux vendors
    ship IPSec support built in, while there is a project for Linux IPSec,
    it is difficult at best to install and configure, and at worst almost
    impossible (I know, I've used it). OpenBSD on the other hand ships by
    default with one of the best IPSec implementations available. OpenBSD
    also provides a different (better in many ways) key daemon, with
    support for various forms of authentication, an area where FreeS/WAN
    is weak. Additionally because the majority of Linux work is done from
    within the US (Linus Torvalds now lives there) there is almost no
    cryptographic support built into the Linux kernel. If you want to add
    crypto you must patch the kernel and rebuild it. Very few vendors, if
    any at all (I'm not aware of a single one), ship any crypto built
    into the kernel such as IPSec support, or any form of cryptographic
    hooks (however many do ship OpenSSL/OpenSSH and other cryptographic
    components). Because OpenBSD is done from Canada, the export of public
    domain (usually interpreted as OpenSource) is not a problem, giving
    you out of the box support.

    Cryptographic hardware

    Yet another area where OpenBSD shines and Linux is almost completely
    lacking. OpenBSD supports several cryptographic acceleration products,
    allowing you to build very powerful (and cheap) IPSec gateways for
    example. While there is some SSL acceleration hardware available for
    Linux this is essentially an easy problem to solve (most web load
    balancers can handle the encryption, and keep sessions organized
    properly). There is as far as I know no IPSec capable hardware
    acceleration products for Linux. As well OpenBSD is currently working
    towards allowing hardware to accelerate other cryptographic software
    such as ssh, which will become an increasingly large problem (how much
    CPU would you have to add to a server to support 1000 users using ssh
    instead of telnet?). As well with OpenSSH's support for large file
    transfers (via scp and sftp) load on servers using the SSH protocol
    will only increase.

    On the cryptographic front OpenBSD has Linux beat, hands down. The
    chances of Linux gaining this support is unlikely for a number of
    reasons, US crypto export policy, and a lack of programmers that are
    capable of writing the software to name a few. This is not something
    that will change for a long time (if ever).

    Happy customers

    Linux vendors care about having happy customers. OpenBSD developers
    don't. The Linux market has become a very competitive space, with
    around a dozen "major" distributions, and literally dozens (if not
    hundreds) of smaller players. The major distributions generally pursue
    similar markets, home desktop users, corporate/educational desktop
    users and corporate/educational servers. Almost every commercial
    vendor has invested significant effort in graphical installation
    programs, desktop software like Gnome and KDE, and other
    usability/entertainment/productivity software. There is absolutely
    nothing wrong with this, as more people use Linux the installation
    must become easier, and things like word processors are needed.
    However it means that Linux vendors have to spend a lot more effort
    pleasing users, several distributions now ship on multiple CDs
    because of all the add on software they include. Although customers
    complain about security, very few will actually take a secure product
    instead of an insecure product with more features (even if they may
    not need those features). Unless a sizable portion of customers start
    putting their money where their mouth is vendors will not change
    significantly.

    Secure by default

    In comparison OpenBSD 2.8's install files (all of them) are just over
    90 megs, installed (with everything) it requires around 200 megs of
    space. The only things enabled by default in OpenBSD are those that
    the developers deem "safe". For example Telnet is disabled by default,
    and OpenSSH is enabled. Sendmail is configured to run in local queue
    mode, it can send mail but not receive (you must add the "-bd" option
    in rc.conf to enable it). As OpenBSD's webpage puts it:

    Four years without a remote hole in the default install!

    Which is not something any Linux vendor can claim (or ever will in all
    likelihood). A typical installation of Linux will result in a half
    dozen or more network services being started, and while some vendors
    are starting to improve it is unlikely many will since disabling
    things results in frustrated users and increased support costs
    (although one wonders about the cost of rebuilding machines after they
    are broken into).

    Summary

    We need to teach people how to program well, and then maybe we can
    teach them how to program securely. We then need these programmers to
    either completely rewrite major portions of the software most Linux
    vendors ship, or audit the existing stuff (in both cases a task that
    is unlikely to be done). Since this is basically impossible we need to
    look at other solutions. ImmunixOS and SELinux are two solutions to
    this problem, and when installed, maintained and used correctly they
    do help, a lot. However this will not benefit the vast majority of
    Linux users. OpenBSD users on the other hand have an extremely clean
    and secure code base to work from, that is proactively being audited
    on a continuous basis. Linux has dug itself into a very deep hole, and
    appears to be digging downwards at an ever faster rate. Even with add
    on software like PitBull LX, or NSA's SELinux kernel modifications
    there are still potential security holes that could allow an attacker
    to bypass any Mandatory Access Controls, RBAC, Type Enforcement as was
    the case with PitBull for Solaris (Solaris had a flaw that allowed
    attackers to compromise the system despite PitBull). Without a high
    level of assurance in the actual source code of the Linux kernel and
    associated files there will always be a hint of doubt about the
    security of the system as a whole. This is why Linux can never be as
    secure as OpenBSD.

    Reference links:

    http://www.openbsd.org/ - OpenBSD

    http://www.openbsd.org/security.html - OpenBSD security page

    http://www.openbsd.org/crypto.html - OpenBSD crypto page

    http://seifried.org/lasg/ - Linux Administrators Security Guide


    About iDEFENSE:
    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical vulnerabilities
    and hacker profiling to the spread of viruses and other malicious code.
    iALERT, our security intelligence service, provides decision-makers,
    frontline security professionals and network administrators with timely
    access to actionable intelligence and decision support on cyber-related
    threats. We are currently trying for complete market dominance and hope
    to soon eliminate the Carlyle Group by any means necessary. We already
    have stolen their webdesign - their customer base is next. For more
    information, visit http://www.idefense.com, or our research team's
    official website at http://idefense.bugtraq.org.

    -- 
    Richard Johnson, CISSP
    Senior Security Researcher
    iDEFENSE Inc.
    thief@bugtraq.org
    Get paid for security stuff!!!!!!
    http://www.idefense.com/contributor.html
    and become part of our research team!
    http://idefense.bugtraq.org/
    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
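The "Secure by default" section above describes three OpenBSD 2.8 defaults: telnet off, OpenSSH on, and sendmail in local-queue mode unless "-bd" is added in rc.conf. The following sh script is an added example, not code from the original post or from OpenBSD; it audits an rc.conf and an inetd.conf for exactly those three settings. The sample files are constructed, and the `sshd_flags`/`sendmail_flags` keys and the inetd.conf line layout are assumed to follow the OpenBSD 2.x conventions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an OpenBSD-style
# rc.conf and inetd.conf for the defaults the post describes.
# Paths are passed as arguments so constructed samples can stand in
# for /etc/rc.conf and /etc/inetd.conf.

# 0 if inetd.conf has no active (uncommented) telnet entry
telnet_disabled() {
    ! grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1"
}

# 0 if rc.conf sets sshd_flags to anything other than NO
sshd_enabled() {
    grep -Eq '^[[:space:]]*sshd_flags=' "$1" &&
        ! grep -Eq '^[[:space:]]*sshd_flags=.?NO' "$1"
}

# 0 if sendmail_flags is set but lacks -bd (the SMTP listener mode)
sendmail_local_only() {
    grep -Eq '^[[:space:]]*sendmail_flags=' "$1" &&
        ! grep -Eq '^[[:space:]]*sendmail_flags=.*-bd' "$1"
}

# One verdict line per check; returns the number of findings
audit() {
    rc=$1; inetd=$2; n=0
    if telnet_disabled "$inetd"; then echo "telnet: disabled (ok)"
    else echo "telnet: ENABLED in inetd.conf"; n=$((n+1)); fi
    if sshd_enabled "$rc"; then echo "sshd: enabled (ok)"
    else echo "sshd: NOT enabled in rc.conf"; n=$((n+1)); fi
    if sendmail_local_only "$rc"; then echo "sendmail: local queue only (ok)"
    else echo "sendmail: listening (-bd) or flags unset"; n=$((n+1)); fi
    return $n
}

# Constructed sample files modelled on the post's description of 2.8
RC=$(mktemp) && INETD=$(mktemp)
trap 'rm -f "$RC" "$INETD"' EXIT
cat >"$RC" <<'EOF'
# constructed sample: empty sshd_flags means sshd runs
sshd_flags=""
# constructed sample: queue runner only, no SMTP listener
sendmail_flags="-q30m"
EOF
cat >"$INETD" <<'EOF'
#telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd -k
ident    stream  tcp  nowait  _identd /usr/libexec/identd identd -el
EOF
audit "$RC" "$INETD"
```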
