Slashdot Mirror


Linux on Windows Exposes a New Attack Surface (eweek.com)

An anonymous Slashdot reader writes: The Linux in Windows 10 isn't running inside of a hypervisor; it's "running on the raw hardware, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company Crowdstrike, which begins with the fact that "The Windows file system is also mapped to Linux, such that Linux will get access to the same files and directories."

Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows." According to eWeek, "The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated."
Ionescu describes it as "a two-headed beast that can do a little Linux and can also be used to attack the Windows side of the system."

12 of 228 comments

  1. Big, fat, NO FREAKIN' DUH! by Dog-Cow · · Score: 5, Informative

    If the Linux personality has the same level of access to the kernel as the Windows personality, then this is a natural consequence. It's the same as if MS added a dozen new win32/64 APIs that could be exploited by apps with appropriate privileges. New code, new bugs. Total non-story.

    1. Re:Big, fat, NO FREAKIN' DUH! by BarbaraHudson · · Score: 4, Informative
      It's not even that. You are NOT running Linux under Windows. There is no such thing. Even Canonical admits that. It's just parts of the Ubuntu user space. No Linux kernel. No VM. No container. Nada. Think of Wine in reverse.

      Linus (or rather, the Linux Foundation) should sue anyone calling it "Linux under Windows" for slander.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    2. Re:Big, fat, NO FREAKIN' DUH! by retchdog · · Score: 4, Funny

      I'd just like to interject for a moment. What you're referring to as Linux is in fact GNU/Windows, or as I've recently taken to calling it, GNU plus Windows. Linux is not an operating system unto itself, but rather another possible alternative for a fully functioning system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as (sort of) defined by POSIX. This so-called Linux distribution is really a distribution of GNU/Windows!

      --
      "They were pure niggers." – Noam Chomsky
    3. Re: Big, fat, NO FREAKIN' DUH! by Anonymous Coward · · Score: 5, Informative

      It's not fucking Linux unless it runs the Linux kernel.

    4. Re:Big, fat, NO FREAKIN' DUH! by Opportunist · · Score: 4, Funny

      You traded systemd for Windows. Are you still dancing? Or is that just you trying to get your feet away from the hot red coals?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Big, fat, NO FREAKIN' DUH! by Anonymous Coward · · Score: 4, Informative

      Ummm no, this is explicitly /not/ what Cygwin does. Cygwin provides a Unix-style /API/, not a Linux /ABI/. You can't run an unmodified Linux binary under Cygwin, you get to recompile your source.

    6. Re: Big, fat, NO FREAKIN' DUH! by Vitus+Wagner · · Score: 4, Informative

      It is really a GNU subsystem for Windows.

    7. Re: Big, fat, NO FREAKIN' DUH! by Junta · · Score: 4, Informative

      Actually, it's not GNU either. It's an implementation of Linux kernel system calls. It only becomes GNU-ish after installation of Ubuntu libraries.

      It's not a Linux kernel, it's not an emulator, it's an alternative implementation of Linux system calls.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  2. *yawn* by jargonburn · · Score: 4, Insightful

    The Server Application in Windows 10 isn't running inside of a hypervisor; it's "running on the OS, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company Crowdstrike, which begins with the fact that "The Windows file system is also mapped to the Server Application, such that the Server Application will get access to [...] files and directories."

    Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to the Server Application running on Windows." According to eWeek, "The modified Server Application code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated."

    I'll tell you what else increases your attack surface: turning the computer on.
    Didn't RTFA (naturally!), but the summary fails to convince me that this is more than incrementally worse than running...well...MOST applications that do anything useful on Windows.

    1. Re: *yawn* by Drumhellar · · Score: 5, Informative

      This is how UIDs are mapped: Each Windows user gets their own copy of Ubuntu installed, located in %LOCALAPPDATA%\lxss. Users exist entirely within the individual Ubuntu installs, so a Windows user can have multiple Linux users within his own virtual Linux filesystem. Files created outside of the Linux environment all have a UID and GID of 0, while the initial default user has a UID and GID of 1000. Only files created within that Windows user's Ubuntu install have UIDs known to their own Linux install. Of course, this is just how it looks to Linux programs. It is still ultimately limited by the Windows user's own individual permissions throughout the rest of the Windows system.

  3. While in the Real World, WSL is contained by CrashNBrn · · Score: 4, Informative
  4. Not the whole POSIX. by DrYak · · Score: 4, Informative

    So is it essentially a new POSIX interface?

    No, it's not the whole POSIX interface (that used to exist and be called something along the lines of "Unix Services for Windows", but in practice got overtaken in popularity by Cygwin - a translation layer between POSIX source code and the regular Win32 interface).

    WSL implements only a very small subset of Linux kernel's API calls.
    Just barely enough to get some Ubuntu user space running, so you can still use Windows to write and test your code before deploying to some Linux cloud.
    (instead of using Mac OS X or a real Linux desktop or a VM like everybody else).

    There is currently nearly no filesystem support (except for the special drivers that Microsoft has written to support passing Windows's local drives through to Linux).
    There is very limited network support (you can run Apache and even SSH, but forget about NFS).
    There's no media at all (no X, no audio, no USB HID/libinput, no Wayland/DRM/Mesa hardware/whatever, no nothing. Its main purpose is to test Linux code before deploying to the cluster, so don't expect anything fancy).
    Not even fabric dummy drivers (that's a bit limiting for the intended purpose...).
    Nothing from the Linux kernel internals (no scheduler, etc.).

    So maybe with some extensive hacking you could write a zombie node that can take part in some mass spamming or DDoS.
    (Basically, anything that you could implement as a not-so-fancy network daemon under any other OS.)
    But that's about it. Don't expect to circumvent some Windows protection by calling into WSL; it has no access to anything low-level.
    (e.g.: Forget about trying to reflash the firmware using some Linux sysadmin tools under WSL, or making some advanced stealth keylogger.)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
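As an added example (not code from the eWeek article, from Microsoft, or from anyone in the thread), here is a small C probe for the point Junta and DrYak make above: WSL is an alternative implementation of the Linux system-call interface, and only a subset of calls exist. The program issues each call with deliberately invalid, side-effect-free arguments and reports only whether the environment answered ENOSYS ("no such system call"). The list of probed calls, the invalid arguments and the bogus number 10000 are choices made here; the page does not say which calls the 2016 WSL implemented and this tool does not claim to, it measures whatever Linux-ABI environment you compile and run it in.

```c
/* Added example: probe which Linux system calls the current environment
 * implements. On a stock Linux kernel every named call below is present;
 * under a partial implementation of the Linux syscall ABI (the thread's
 * description of WSL) some may come back ENOSYS. Assumes Linux + glibc.
 * Caveat: a seccomp filter (e.g. a container runtime's default profile)
 * may answer EPERM or even ENOSYS for calls the kernel does have, so the
 * result describes the sandbox you are in, not only the kernel. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

enum probe_result { PROBE_IMPLEMENTED = 0, PROBE_MISSING = 1 };

struct probe {
    const char *name;
    long nr;
    long args[6];   /* deliberately invalid or harmless arguments */
};

/* Arguments are chosen so that an implemented call fails fast with
 * EINVAL/EFAULT/EPERM (or, for getpid, simply succeeds) and changes no
 * state. Only ENOSYS is read as "this call does not exist here". */
static enum probe_result probe_syscall(long nr, long a1, long a2, long a3,
                                       long a4, long a5, long a6)
{
    errno = 0;
    long rc = syscall(nr, a1, a2, a3, a4, a5, a6);
    return (rc == -1 && errno == ENOSYS) ? PROBE_MISSING : PROBE_IMPLEMENTED;
}

/* Probe table chosen for this example; extend it with whatever your
 * workload depends on (e.g. inotify for file watchers, bpf for tracing). */
static const struct probe probes[] = {
    { "getpid",        SYS_getpid,        { 0, 0, 0, 0, 0, 0 } },
    { "epoll_create1", SYS_epoll_create1, { -1, 0, 0, 0, 0, 0 } }, /* bad flags -> EINVAL */
    { "inotify_init1", SYS_inotify_init1, { -1, 0, 0, 0, 0, 0 } }, /* bad flags -> EINVAL */
    { "mount",         SYS_mount,         { 0, 0, 0, 0, 0, 0 } },  /* NULL target -> EFAULT or EPERM */
#ifdef SYS_bpf
    { "bpf",           SYS_bpf,           { -1, 0, 0, 0, 0, 0 } }, /* bad cmd -> EINVAL (or EPERM) */
#endif
    { "syscall 10000", 10000,             { 0, 0, 0, 0, 0, 0 } },  /* unused number -> ENOSYS */
};
#define NPROBES (sizeof probes / sizeof probes[0])

/* Runs every probe, prints one line per call, returns how many are missing. */
static size_t count_missing_syscalls(void)
{
    size_t missing = 0;
    for (size_t i = 0; i < NPROBES; i++) {
        const long *a = probes[i].args;
        enum probe_result r = probe_syscall(probes[i].nr, a[0], a[1], a[2],
                                            a[3], a[4], a[5]);
        printf("%-14s (nr %5ld): %s\n", probes[i].name, probes[i].nr,
               r == PROBE_MISSING ? "ENOSYS - not implemented" : "present");
        if (r == PROBE_MISSING)
            missing++;
    }
    return missing;
}

int main(void)
{
    size_t missing = count_missing_syscalls();
    printf("%zu of %zu probed syscalls missing\n", missing, NPROBES);
    return 0;
}
```

Build with `cc -Wall -o syscall_probe syscall_probe.c` and run it both on a real Linux box and inside the environment you are evaluating; the diff between the two outputs is the concrete version of "implements only a subset". Treat any surprising ENOSYS with care: check whether a seccomp profile is in effect before concluding the call is genuinely absent.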