Slashdot Mirror

Linux on Windows Exposes a New Attack Surface (eweek.com)

An anonymous Slashdot reader writes: The Linux in Windows 10 isn't running inside of a hypervisor; it's "running on the raw hardware, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company Crowdstrike, which begins with the fact that "The Windows file system is also mapped to Linux, such that Linux will get access to the same files and directories."

Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows." According to eWeek, "The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated."
Ionescu describes it as "a two-headed beast that can do a little Linux and can also be used to attack the Windows side of the system."

8 of 228 comments

  1. Clickbait by real gumby · Score: 3, Insightful

    What kind of "new threat" is this? All he's saying is that running code on a machine can affect its state.

  2. *yawn* by jargonburn · Score: 4, Insightful

    The Server Application in Windows 10 isn't running inside of a hypervisor; it's "running on the OS, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company Crowdstrike, which begins with the fact that "The Windows file system is also mapped to the Server Application, such that the Server Application will get access to [...] files and directories."

    Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to the Server Application running on Windows." According to eWeek, "The modified Server Application code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated."

    I'll tell you what else increases your attack surface: turning the computer on.
    Didn't RTFA (naturally!), but the summary fails to convince me that this is more than incrementally worse than running...well...MOST applications that do anything useful on Windows.

    1. Re: *yawn* by tlhIngan · Score: 3, Insightful

      The first thing that comes to my mind is wondering how MS mapped Windows users to Linux UIDs. When Linux is allowed to access the filesystem there could be all sorts of things to abuse in the permission translation. I would be interested in an article describing the design decisions, though, instead of one generically predicting doom and gloom.

      Probably some mapping of the user SID to a UID is my guess. After all, the UID is just a user representation, and internally it gets translated into a normal Windows SID that the kernel uses for all actions.

      Honestly, it's a load of hyperbole. The Linux subsystem is not running Linux. It's running the Windows kernel, and the kernel is enforcing all the standard security mechanisms it always had. If you can't write to a file in Windows, you certainly can't on the Linux subsystem. (All of Windows' security is enforced in the kernel anyways.)

      The Linux subsystem is only a bit more than the standard subsystem mechanism on NT - you know, the ones that could run Win32, OS/2 and POSIX apps? Each one of those is a separate subsystem, and because of that, there were pesky limitations (POSIX applications can't interact with Win32, because the only commonality is... the kernel).

      What Windows 10 can do is run Linux userspace binaries by emulating the Linux syscall interface. It's no different than the FreeBSD mechanism that existed for years.

      Hell, if you want to get technical, call it GNU/NTOSKRNL. That's all it is. It can run Linux binaries on Windows, in this case, Ubuntu 14.04.
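The claim above (a file you cannot write as a Windows user stays unwritable through the Linux subsystem, because the NT kernel evaluates the same ACL) can be checked rather than argued. The following PowerShell script is an added example, not code from the article or any commenter; it assumes a Windows 10 host with WSL installed, wsl.exe on PATH, a temp path without spaces, and the default DrvFs layout that exposes C:\ as /mnt/c.

```powershell
# Added example (not from the article or any commenter): put a Deny-Write ACE on
# a probe file, then try to append to it from both sides and report the result.
# Assumes wsl.exe on PATH and the default /mnt/<drive> mapping used by WSL.

$probe = Join-Path $env:TEMP "wsl-acl-probe.txt"
Set-Content -Path $probe -Value "original"

# Deny Write for the current user; a Deny ACE wins over any Allow ACE.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule($me, "Write", "Deny")
$acl  = Get-Acl -Path $probe
$acl.AddAccessRule($deny)
Set-Acl -Path $probe -AclObject $acl

# Translate C:\Users\...\wsl-acl-probe.txt into /mnt/c/Users/.../wsl-acl-probe.txt.
$drive     = $probe.Substring(0, 1).ToLower()
$linuxPath = "/mnt/$drive" + ($probe.Substring(2) -replace '\\', '/')

# Append through the Linux syscall layer: tee -a opens the file O_APPEND, and the
# NT kernel should refuse it (EACCES) because the same ACL governs the object.
"tampered" | wsl.exe tee -a $linuxPath | Out-Null
$wslDenied = ($LASTEXITCODE -ne 0)

# Cross-check that the identical write is refused from the Win32 side too.
try   { Add-Content -Path $probe -Value "tampered" -ErrorAction Stop; $winDenied = $false }
catch { $winDenied = $true }

$intact = ((Get-Content -Path $probe -Raw).Trim() -eq "original")
[pscustomobject]@{
    Path           = $probe
    WslWriteDenied = $wslDenied
    WinWriteDenied = $winDenied
    ContentIntact  = $intact
} | Format-List

# Clean up: drop the Deny ACE, then remove the probe file.
$acl.RemoveAccessRule($deny) | Out-Null
Set-Acl -Path $probe -AclObject $acl
Remove-Item -Path $probe
```

All three reported fields should be True; a False in WslWriteDenied with ContentIntact also False would mean the Linux side bypassed an ACL the Windows side honours, which is exactly the kind of permission-translation gap the comment asks about.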

  3. Attack the Windows side of the system? by PPH · Score: 1, Insightful

    We've pretty much written Windows off years ago.

    Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows.

    Windows has been able to do that to itself for years. No Linux needed.

    --
    Have gnu, will travel.

  4. Shill by eWarz · Score: 3, Insightful

    Very few people (except developers) will have WSL running on their machines. WSL is isolated from Win32 except via FS access. Just based on its current state, WSL is practically impossible to exploit thanks to its limitations. Alex Ionescu is (was?) a ReactOS 'developer'. He has a beef against Microsoft. Disclaimer: in a past life, I was a ReactOS core developer for a certain period of time in the late 90s to early 2000s.

  5. Re: Big, fat, NO FREAKIN' DUH! by Dr.Dubious DDQ · Score: 3, Insightful

    The kernel is actually "NT", I believe.

    Therefore, it really ought to be "GNU/NT" (pronounced "guh-nunt", because that amuses me for some reason.)

  6. Re: Big, fat, NO FREAKIN' DUH! by Anonymous Coward · Score: 3, Insightful

    It's really just another attempt by Microsoft to sour the reputation of Linux.

  7. Re: Big, fat, NO FREAKIN' DUH! by danbob999 · Score: 3, Insightful

    It's not a POSIX interface; it runs native Linux (not BSD, not OS X, not other POSIX OS) AMD64 binaries.