Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Study Argues Monolithic OS Design Leads To Critical Exploits (osnews.com)

Posted by EditorDavid on from the seeking-CVEs dept.

Long-time Slashdot reader Mike Bouma shares a paper (via OS News) making the case for "a small microkernel as the core of the trusted computing base, with OS services separated into mutually-protected components (servers) -- in contrast to 'monolithic' designs such as Linux, Windows or MacOS." While intuitive, the benefits of the small trusted computing base have not been quantified to date. We address this by a study of critical Linux CVEs [PDF] where we examine whether they would be prevented or mitigated by a microkernel-based design. We find that almost all exploits are at least mitigated to less than critical severity, and 40% completely eliminated by an OS design based on a verified microkernel, such as seL4....

Our results provide very strong evidence that operating system structure has a strong effect on security. 96% of critical Linux exploits would not reach critical severity in a microkernel-based system, 57% would be reduced to low severity, the majority of which would be eliminated altogether if the system was based on a verified microkernel. Even without verification, a microkernel-based design alone would completely prevent 29% of exploits...

The conclusion is inevitable: From the security point of view, the monolithic OS design is flawed and a root cause of the majority of compromises. It is time for the world to move to an OS structure appropriate for 21st century security requirements.

14 of 198 comments (clear)

  1. Everything old is new again... by Strider- · · Score: 5, Insightful

    Maybe Tanenbaum was right. 26 years isn't that long for this debate to come back around again.

    --
    ...si hoc legere nimium eruditionis habes...
    1. Re:Everything old is new again... by Serif · · Score: 3, Insightful

      Exactly what I was thinking. Still, Linux might never have happened if Torvalds took that advice.

    2. Re:Everything old is new again... by Strider- · · Score: 3, Insightful

      He was right then. At the time CPUs were slow. Now we have pretty fast CPUs, faster than most people need. The overhead for a microkernel isn't so bad now.

      In a way, many people now are doing that. Running the kernel inside a virtual machine, on top of a hypervisor is likely less efficient than running against a microkernel.

      --
      ...si hoc legere nimium eruditionis habes...
    3. Re:Everything old is new again... by Anonymous Coward · · Score: 2, Insightful

      +1

      A bunch of security flaws were published in the last year that were directly related to favoring extreme performance over security

  2. Real-world examples by Artem+S.+Tashkinov · · Score: 5, Insightful

    Consider QNX and its vulnerabilities (the entire software stack) and here's what we have for the Linux kernel (again, kernel alone) whose source is ostensibly verified by millions of eyes.

    And here's another almost shameful development: Linux and Open Source are all the rage amongst Open Source fans, yet for some reasons it's been hinted that Google is transitioning from the monolithic Linux kernel (lacking internal stable API/ABI) to its own microkernel, Fuchsia (with stable API/ABI).

    1. Re:Real-world examples by iggymanz · · Score: 2, Insightful

      Utterly irrelevant to bring up a little embedded OS fit for cars and blackberries and compare it to Linux. You have no point,

    2. Re:Real-world examples by iggymanz · · Score: 2, Insightful

      means nothing, there are reactors being "run" by logic arrays with no microprocessors at all.

      get it through your head, embedded real time OS is different thing than Linux

    3. Re:Real-world examples by Misagon · · Score: 4, Insightful

      I think Google's transition from Linux to the Zircon microkernel (Fuchsia) is still quite some time in the future.

      I believe that Google's reason for Fuchsia is mostly to do with Linux' security model being a bad match for Android. In Android, every app is running as its own Linux user. In Zircon, there is instead the "Job" abstraction that can contain processes, and access rights are based on capabilities that the mainline Linux kernel does not have. ("Posix Capabilities" are not capabilities :-P)

      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
  3. Year of the Hurd desktop by jfdavis668 · · Score: 3, Insightful

    After 28 years, you think someone would have finished the GNU Hurd kernel. By now, it is so old it is probably full of potential exploits, too.

  4. Probably irrelevant by Waffle+Iron · · Score: 4, Insightful

    These days, the largest security threat is probably web browsers: They usually have direct access to the most critical information a user has (passwords, all personal files under their user account, data from all the external services the user accesses, etc.) Under the very same OS user account, web browsers also download and run thousands of untrusted programs from random locations on the internet every day (we'll ignore the handful of hardcore geeks who run Noscript).

    The boundary separating these two realms is enormous and incredibly convoluted, involves many layers of abstraction (some of which can be breached by a single misplaced bracket or quote character), and is enforced entirely by the web browser itself. It presents a massive attack surface that dwarfs even the most monolithic OS API.

    1. Re:Probably irrelevant by Waffle+Iron · · Score: 3, Insightful

      the idea that a sandboxed in the browser website is a potential risk, and a compiled binary program installed with full access to the CPU/RAM/HDD and OS is somehow less of a risk

      You do realize that modern web browsers compile downloaded programs to binary?

      The whole problem is the nebulous nature of the browser "sandbox" you mention. New exploits for these are published on a daily basis. Even as these are fixed, all of the major browsers add new features and complexity at a breakneck pace (unlike most OSes). So sandbox exploits will keep appearing daily. Also unlike OSes, browser sandboxes are ill-defined and constantly in flux. OS security boundaries are usually clearly documented and defined.

      Like I mentioned, most all of a user's important data reside within one OS account which also runs the browser, so the OS is of little help here.

      (For servers as opposed to clients, replace "browser" with "web server, middleware stack and database" for a similar huge and ill-defined attack surface)

  5. Re: Broken clock still right twice a day by Anonymous Coward · · Score: 3, Insightful

    NTOSKRNL runs its filesystems, object manager, executive, etc. in kernel space. In what way was this ever a microkernel design by any commonly accepted definition of the term?

  6. "doesn't work at all" is a bug by raymorris · · Score: 4, Insightful

    Security isn't just confidentiality. It's Confidentiality, Integrity, and Availably (CIA). If the machine isn't running, it isn't provide secure services to the users.

    The micro-kernel architecture ala Tanenbaum fails the security requirement of Availability; micro-kernel systems don't provide what people need. People use Linux because the design works well for building what people need.

  7. Congrats, you find one of application by raymorris · · Score: 1, Insightful

    Congratulations on finding one oddball application for which someone decided to use a micro-kernel. Specifically where it's not a general-purpose computer, performance doesn't matter, and there's no need to run more than one application at a time.

    The next time I'm trying to build a slow as hell access KVM on specially designed hardware, I'll consider a micro-kernel. Only, of course, if I can't use a GPL kernel because I'm trying to keep everything secret.