Whatever happened to requiring the insertion of a jumper on the motherboard to update the BIOS? That would stop this thing in its tracks.
The jumper (which only a few motherboards ever featured) has been replaced with a digital signature. Secure Boot stops this thing in its tracks.
The summary conveniently skips arguably one of the most important takeaways from TFA:
By enabling Secure Boot, and making sure their UEFI firmware is up to date, end users can protect themselves against attack, Vachon said.
This rootkit is *NOT* a bypass of secure boot. If UEFI Secure Boot is enabled, unsigned UEFI modules cannot be installed into the UEFI firmware configuration.
We've seen BIOS rootkits before. This is just a UEFI version of the same concept, except UEFI Secure Boot does exactly what it is supposed to do: prevent unauthorized updating of the firmware.
Uhm, the tariff would only apply to iPhones imported *into* the US. It would only increase the cost of iPhones within the US. Apple would probably pass the tariff on to the US consumer.
Tariffs on goods imported into the US will only affect the rest of the world if they are re-exported. The rest of the world can happily keep buying iPhones from Apple "assembled in China" at the same price as before.
Clippy was "beloved?"
Whooooosh
That is just misdirection. Nunes was part of a committee; they could only pick one guy to read it, and the committee decided the best guy to read it; he then analysed it for the committee.
Gowdy was the only Republican to read the FISA applications. IOW Gowdy is the only source Nunes has for his claims. Gowdy does not assert the same claims as Nunes' memo.
So Nunes asserts claims for which he has no source. Claims that have now been refuted by actual facts.
They played a game of semantics. The Nunes memo claimed that the FISA court had not been informed that the Clinton campaign was (part of) the funding behind the research that led to the Steele dossier.
That is technically correct. Only now we have learned that the FBI *did* inform the FISA court that the dossier was produced by political adversaries. They did not use the name *Clinton*, but did quote the source as political.
Privilege escalation is the Windows way of doing things
Nope. Windows does not escalate any privileges. When you log in it creates *two* tokens, one for regular use and one for "elevated" processes. Windows *never* escalates to "root" (or the equivalent "system" on Windows) only to drop down. The "elevated" token is simply the default user token. The "normal" token - the one used for all processes by default - is the user default token stripped of any administrative or super privileges. So even if the user is a member of the local administrators group, the normal user token describes a user *without* this group - and consequently without administrative permissions/privileges.
This is because Windows has proper fine-grained tokens instead of the stupid '70s-era byte-saving Unix way of "effective userid" coded in a single word. It does not need to "escalate".
In fact, every process under Windows can have its own token. This *may* be a copy of the user token or it may be more restricted. A so-called "elevated" process is simply a process started with the user's non-stripped token. Under Windows, there is no equivalent feature to SUID. As a user you simply cannot start processes as other users without providing full credentials (username/password). You cannot start *any* process as "System" because the system account is not allowed to run interactively.
Why would Dutch intelligence infiltrate a random hacker space not associated with the Kremlin.....
Let's see: Dutch *counterintelligence* may want to infiltrate an organization that tries to infiltrate Dutch (or allied) information systems. The same group were active in France and Sweden. It is not a stretch to think that they may have tripped some wires in the Netherlands, causing the counterintelligence to start investigating.
The treason is so real it's already proven and known to the IC community.
I don't think it is proven (yet) in either the legal sense or as in there is a "smoking gun". The June 2016 meeting with Donny Jr. and a number of Russians comes pretty close, though: the Trump campaign were offered "dirt" as "part of Russia's help to get Trump elected" - and then wanted to talk Magnitsky Act.
In other words, both quid and quo were discussed at that meeting.
We still need to see evidence that anything came of it - or if Russia simply went it alone.
North Korea
Oh - I get it - It was only the *African* countries that were shitholes. He just has a bigger button than NK.
Trump is an embarrassment to the US. The sentiment that because the Netherlands are not the US they cannot *possibly* have scored an intelligence success on a front which the US leader does not even recognize exists.
Clickbait article does mention that "newer" Office versions may offer yet another barrier to infection. However, it conveniently omits to mention that the feature which prevents the script from running even if you view the file in PowerPoint is called Protected View, and has been available and enabled by default since Office 2010!!!
When downloading files through a browser or receiving them through an email client, the file is "tainted" with a zone identifier that indicates that the file has been received from the Internet.
When an Office app opens a tainted file, it drops to run in a process with a restricted token in "low integrity" mode. I.e. the process itself is prevented from writing anywhere on the system (except some cache locations). Yes, it's running in a sandbox. Note that the restricted token is created *before* the process starts - it's not like a *nix SUID root process that must drop itself. If the user chooses to "elevate", PowerPoint restarts in a new process with the current user token instead of the restricted token.
So, if you have Office 2010 or later you should be protected against this.
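To see the "taint" the comment above describes, here is an added PowerShell example (not from the thread) that reads, writes and removes the Zone.Identifier alternate data stream on a constructed sample file. It assumes Windows PowerShell 3 or later on NTFS; Get-ZoneId, Show-Taint and the sample file name are names chosen here.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 3+ on an NTFS
# volume; Get-ZoneId, Show-Taint and demo.pptx are names chosen for this demo.
$ZoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }

function Get-ZoneId {
    # Returns the ZoneId stored in the file's Zone.Identifier stream, or $null
    # when the file carries no mark-of-the-web (i.e. it is not "tainted").
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "No such file: $Path" }
    try {
        $ini = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # stream missing: file was never tagged, or was unblocked
    }
    # The stream is a tiny INI file: [ZoneTransfer] / ZoneId=3, and on newer
    # builds optionally ReferrerUrl= and HostUrl= lines.
    foreach ($line in @($ini)) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Show-Taint {
    param([Parameter(Mandatory)][string]$Path)
    $id = Get-ZoneId $Path
    if ($null -eq $id) {
        "{0}: no Zone.Identifier stream (not marked as Internet-origin)" -f $Path
    } else {
        "{0}: ZoneId={1} ({2})" -f $Path, $id, $ZoneNames[$id]
    }
}

# --- Demonstration on a constructed file -----------------------------------
$sample = Join-Path $env:TEMP 'demo.pptx'     # constructed sample; contents are irrelevant
Set-Content -LiteralPath $sample -Value 'not a real presentation'

Show-Taint $sample                            # no stream yet

# Tag it the way a browser or mail client would (ZoneId 3 = Internet).
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Show-Taint $sample                            # ZoneId=3 (Internet)

# List every stream so the extra one is visible next to the main data stream.
Get-Item -LiteralPath $sample -Stream * | Select-Object Stream, Length

# "Unblock" (the checkbox in the file's Properties dialog) just deletes that stream.
Unblock-File -LiteralPath $sample
Show-Taint $sample                            # no stream again

Remove-Item -LiteralPath $sample
```

Protected View keys off this stream, so a file that arrives without it (for example copied from a FAT-formatted USB stick, which has no alternate data streams) opens without that barrier.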
You would probably have to directly plug your PC into your ISP's connection as opposed to using a router of which any decent model should block unsolicited incoming traffic by default.
Not only that. Since it's Windows 7 he would also need to either switch off the built-in firewall or allow "sharing of resources" across "public networks". The latter will issue a number of warning dialogs before exposing the SMB port.
Since Windows Vista (maybe even XP with SP3?) Windows comes with a firewall automatically enabled.
The firewall has multiple profiles: Work, private and public. On "public" networks it is far more strict than on a "work" network. A work network is a network with a domain controller to which the PC is domain-joined. The private network is somewhere in between.
So if you have not explicitly commanded Windows to be "discoverable" across the Internet (a bad idea) you will not become infected.
The worm capabilities are really only effective on corporate networks. First the virus needs to get inside via email + social engineering + other exploits. Once it has taken over one computer on a corporate (domain-controlled) network, it can use the SMB attack vector to spread to unpatched computers.
Only pre-SP2 XP computers are vulnerable to infection across the Internet. And only if they are not behind some other form of firewall.
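A way to check the firewall-profile point made above on your own machine, as an added PowerShell example that is not from the thread: it lists the state of each profile and any enabled inbound rule that would accept SMB (TCP 445), and flags whether such a rule applies to the Public profile. It assumes Windows 8 / Server 2012 or later (the NetSecurity module); Get-SmbExposure is a name chosen here.

```powershell
# Added example, not from the thread. Assumes the NetSecurity module
# (Windows 8 / Server 2012 or later); Get-SmbExposure is a name chosen here.
function Get-SmbExposure {
    # Per-profile state: Domain (the "work" network), Private and Public.
    $profiles = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction

    # Enabled inbound allow rules whose port filter covers TCP 445 (SMB).
    $smbRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains '445')
        } |
        Select-Object DisplayName, DisplayGroup, Profile

    # A rule's Profile is a flag set such as "Private, Public" or "Any".
    $publicHit = @($smbRules | Where-Object { "$($_.Profile)" -match 'Public|Any' })

    [pscustomobject]@{
        Profiles         = $profiles
        SmbInboundRules  = $smbRules
        PublicExposesSmb = ($publicHit.Count -gt 0)
    }
}

$report = Get-SmbExposure
$report.Profiles        | Format-Table -AutoSize
$report.SmbInboundRules | Format-Table -AutoSize

if ($report.PublicExposesSmb) {
    Write-Warning 'An enabled rule allows inbound SMB on the Public profile (the "discoverable on a public network" setting).'
} else {
    'No enabled inbound SMB rule applies to the Public profile.'
}
```

On a default install the SMB rules are present but not enabled for the Public profile, which is why the sharing dialogs have to be clicked through before port 445 is reachable from an untrusted network.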
Updates for iPhones come direct from Apple. There's no gating by carrier, because Apple had the clout to tell the carriers to shove it when it came to customizing it with their particular crapware.
It's called a "cloud", not a "clout".
Use a spellchecker, dude!
From https://www.vocabulary.com/dictionary/clout
clout
When you speak of someone having clout, it usually means that they communicate a sense of power or influence, particularly in the political sense. "You’ll wanna talk to that big guy over there if you want me to let you in. He’s got clout."
Use a dictionary, dude!
Clinton and Pence both hired a law firm to determine which emails would be considered private and which emails would be subject to the records-keeping act. It was not illegal for either Pence or Clinton to use a private (non-gov) account, as long as they submitted all "official business" emails for record-keeping. Both did.
There is no material difference between using an AOL account or using a private server. Indeed, one could argue that using a private server you can at least account for who has had access to the emails. In the AOL case, there is no way of knowing. A private account - on AOL or a private server - cannot be used for classified material.
In the Clinton case it *was* determined that she had sent
- some emails where the contents were retroactively classified. This is not criminal, as the material *was not* classified at the time.
- a total of 3 emails which contained classified information at the time. However, the "classified" markings were non-standard, which could explain why Clinton did not notice them.
It was not illegal to set up a private server. Clinton was clearly aware that she should not use it for classified material; otherwise you would see a lot of classified material with standard markings on the server. Which there was not.
Maybe she should have realized that there was a risk that she may accidentally send classified material. IMO the greater risk was that State Dept. employees would send classified material *to* her account. Was it reckless? Possibly. Criminal? No.
If Pence has sent classified material from his AOL account, it is equally illegal, regardless of whether the account was "official". If he did not instruct aides to avoid sending classified material *to* his account, it would be equally reckless.
Fun fact: Pence was hacked. Clinton's email server was not.
What they're trying to say is that there are situations where this will not work, where Windows will not ask you for the password, but just fail instead, thus concluding that for some things your account MUST have admin rights.
Oh, you mean how apt-get will fail if I forget to run it through sudo? Is that a Linux problem?
They can't make it work. Windows core architecture is fundamentally broken and insecure. See MS's documentation about security tokens and permissions. You can only unmask permissions since 2008R2. This means that your process starts with max permissions and is masked to reduce it. Totally unlike the authentication/authorization and security elevation process in pretty much every other system out there.
No, your process starts with a *masked* token. The security subsystem creates *two* tokens when you log in: one with all of your privileges and one where "admin" privileges have been masked out. Switching from the masked token to the unmasked token is called *elevation*.
The desktop process (explorer.exe) and any process that you launch will *by default* use the non-elevated token. This means that by default none of your user processes have admin privileges, even if you logged in using an admin account. It is understandable that someone only familiar with the Linux/Unix model does not get this at first, because Linux/Unix do not have *tokens*. The *nix model can only describe the permissions of a process through an "effective user" - i.e., a reference to an account. No token.
On Windows, each process has a security token which by default is inherited from the parent process, but may differ. This is not possible on *nix, where you need to refer to some user id to describe the privileges indirectly.
An executable's manifest may indicate that it needs certain admin privileges when executed. In that case, Windows will look up whether your *unmasked* token fits the required privileges. If it does, Windows will prompt you for consent to use the elevated token. If you approve, the new process is launched with the elevated token that was created and stored when you logged in.
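The two-token arrangement described in the comment above can be observed directly; this is an added PowerShell example, not code from the thread. It queries the current process token for its elevation type and for the linked token that forms the other half of the pair, and assumes Windows with UAC enabled and PowerShell 5.1 or later; the TokenDemo namespace, Get-ElevationType and Get-TokenPair are names chosen here.

```powershell
# Added example, not from the thread. Assumes Windows with UAC enabled and
# PowerShell 5.1+; TokenDemo, Get-ElevationType and Get-TokenPair are names
# chosen for this demo. The Win32 calls and constants are the documented ones.
Add-Type -Namespace TokenDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$TOKEN_QUERY        = [uint32]0x0008
$TokenElevationType = 18   # TOKEN_INFORMATION_CLASS::TokenElevationType
$TokenLinkedToken   = 19   # TOKEN_INFORMATION_CLASS::TokenLinkedToken

function Get-ElevationType([IntPtr]$Token) {
    # TOKEN_ELEVATION_TYPE: 1 = Default (no split token, e.g. UAC off or a plain
    # user), 2 = Full (the unfiltered token), 3 = Limited (the filtered token
    # that the desktop and every process it launches get by default).
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(4)
    try {
        $len = 0
        if (-not [TokenDemo.Native]::GetTokenInformation($Token, $TokenElevationType, $buf, 4, [ref]$len)) {
            throw "GetTokenInformation(TokenElevationType) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        switch ([Runtime.InteropServices.Marshal]::ReadInt32($buf)) {
            1 { 'Default' } 2 { 'Full' } 3 { 'Limited' } default { 'Unknown' }
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

function Get-TokenPair {
    $proc  = [Diagnostics.Process]::GetCurrentProcess().Handle
    $token = [IntPtr]::Zero
    if (-not [TokenDemo.Native]::OpenProcessToken($proc, $TOKEN_QUERY, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $result = [ordered]@{ Current = Get-ElevationType $token; Linked = 'none' }
        # TokenLinkedToken returns a handle to the *other* token of the pair;
        # it only exists for a split token (elevation type Full or Limited).
        $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([IntPtr]::Size)
        try {
            $len = 0
            if ([TokenDemo.Native]::GetTokenInformation($token, $TokenLinkedToken, $buf, [IntPtr]::Size, [ref]$len)) {
                $linked = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
                try   { $result.Linked = Get-ElevationType $linked }
                catch { $result.Linked = 'present (not queryable without SeTcbPrivilege)' }
                finally { [void][TokenDemo.Native]::CloseHandle($linked) }
            }
        } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
        [pscustomobject]$result
    } finally { [void][TokenDemo.Native]::CloseHandle($token) }
}

# Normal session of an admin account: Current=Limited, Linked=Full.
# "Run as administrator" session: the two are swapped. Plain user: Default/none.
Get-TokenPair

# The filtered token still lists BUILTIN\Administrators, but only as a deny-only
# SID, and it carries the Medium rather than the High mandatory label.
whoami /groups /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Group Name' -match 'Administrators|Mandatory Level' } |
    Select-Object 'Group Name', Attributes
```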
Windows still runs the GUI as part of the kernel?
No. The GUI runs under the logged-in user's non-elevated account, i.e. even if you log in as an administrator, the administrator privileges are stripped from the user token that is used for the desktop (GUI) process (the explorer.exe process).
On the driver level, graphics drivers are split in two: A (hopefully) smaller kernel part as well as a user-mode part. This split is for reliability and security. By keeping the kernel mode small, the developer can limit the attack surface and maximize reliability. A memory corruption bug in the user-mode part can at the most cause the specific application to fail.
No, it was a deal.
MS: Oh, Munich, we're considering moving our HQ to Munich.
Munich: Oh, that's great!
MS: But of course it would look a bit, eh, silly no? Munich running Linux with our HQ there.
Munich: Don't worry, we'll fix that!
It would have to be more like:
MS: Oh, Munich, we're considering moving our HQ to Munich.
Munich: Oh, that's great, but your HQ is already in Munich?
MS: Oh? ok, then we'll consider not moving our HQ *away* from Munich.
Munich: Oh no, please don't do that! We'll do anything to keep you here!
MS: About that: it does look silly, Munich running Linux with our HQ here.
Munich: Don't worry, we'll fix that!
Hint: Microsoft was already in Munich. They simply moved from the outskirts to a new building.
Or maybe the HQ location did not actually play into this.
Note also that the study supporting the move back to Windows was carried out by Accenture (some of us know them better by their old name, Andersen Consulting). Accenture was Microsoft's Alliance Partner of the Year in 2016, so I'm sure that they have a neutral, objective reason for recommending Microsoft software.
Yes, well, Accenture is also a Red Hat strategic partner, as well as partner of Google, Salesforce etc. Studies like these are not carried out by the same branch that specializes in a partner technology.
An alternative to conspiracy theories could be that the employees of Munich actually want to switch to another system with fewer problems with standard software and drivers. Maybe they want to be able to use fingerprint readers, ID/chip card printers etc. Or maybe maintaining your own distro (LiMux) was not such a good idea.
Windows kernel exploits are worth more because they're worth more on the open market (because that's where the corporate data is and corporations pay ransoms). pwn2own has to compete with the black market, after all.
Wrong. All of these prizes are far below what a zero-day exploit is worth on the black market. This contest is not a way to overbid the black market; rather it is a way for white-hats to showcase their skills and bring attention to vulnerabilities.
The prizes are set to reflect the expected difficulty; the hardest targets - the ones that involve the most work - pay most. Virtual machine escapes are considered really hard because of the very limited attack surface.
Windows 10 is considerably harder to crack than Linux and OS/X. The latter 2 still have *far* too many services running as root and still expose a lot of SUID root executables. Windows 10 has also adopted many of the EMET anti-exploit techniques. You'd have to harden Linux with grsecurity to achieve the same level.
But even though C# isn't as good and strict as Java .....
"Good" is subjective, but how is C# not as "strict" as Java? Is it because C# has a dynamic type? Honestly curious here.
Ok - I fail to see how this is news. Cygwin has provided GNU tools in Windows forever. Cygwin-X has provided X11 in Windows forever.
SFL and Cygwin have drastically different performance profiles.
SFL is syscall translation in kernel space running on pico processes; Cygwin is syscall emulation in userspace running Windows processes and Windows threads.
Windows is built around an object-oriented philosophy (handles) where, for instance, access rights are established upon handle creation. Handles cover many more types of resources in Windows compared to e.g. file descriptors or inodes in Linux. But the key difference is in lifetime. Under Linux access rights are checked on each access. Under Windows you request access rights on handle creation, a jump table is established with an entry for each operation - some of them pointing to "access denied" - and hence Windows does *not need* to check rights on each access. Now, if you want to emulate Linux inodes/fds, you would need to create/dispose the handle on each access, or design some system with cache/sweep. Either way you are going to sacrifice some performance. And this is just one example.
SFL uses pico processes which do not own Windows handles the way Windows processes do. It is Linux-like processes running on top of pico processes. I believe the real work for MS has been in the areas where those processes touch the same interfaces (such as the file system), which must allow for the Linux way of accessing resources.
So it's Line as in "Line is not an emulator"?
Yeah, pretty much. The NT kernel was designed from the start to support multiple subsystems (think OS/2, POSIX, Windows). Hence, there's an abstraction layer that lay dormant but came in handy for something like this.
SFL builds upon something called "pico processes" - which is derived from the initial idea of multiple subsystems. A pico process is a process that is stripped of everything OS-specific. It can be used to build "Linux-like" processes on top instead of Windows processes. But it seems that it really is just realizing the original design idea.
Cygwin was pure userspace, as in the syscalls were implemented as userland services. SFL is implemented as kernel-level syscalls from processes/threads that are not Windows processes/threads.
It is not Linux underneath. It's Windows. It is only Linux in userspace. This allows Linux developer tooling - which was the actual point of Subsystem for Linux.
The subsystem for Linux (SFL) implements a (large) subset of Linux syscalls. It allows unmodified ELF64 binaries to run. The syscalls are implemented in kernel, but act upon Windows resources.