Debunking Madaidan's Insecurities [EN]

Madaidan is a self-proclaimed security "genius", and wrote an article about supposed 'insecurities' in Linux. In some areas, i fully agree with them, but in others, we disagree. I'll analyse their article with the objective of debunking the lies, as well as generating more discussion and interest in linux.

Their article can be found here

Sandboxing

"there is no resemblance of a strong sandboxing architecture or permission model in the standard Linux desktop — current sandboxing solutions are either nonexistent or insufficient. All applications have access to each other’s data and can snoop on your personal information. "

I fully agree with his opinion. Linux lacks the sandboxing systems that exist in other OSs. However, the most secure way of sandboxing is creating virtual machines. There exists a linux distro called QubesOS which creates virtual machines for different apps, which makes it the most secure OS. We're fortunate that recently, talented programmers are working on improvements and alternatives to QubesOS (eg: SpectrumOS), and this is progressing and developing security in linux.

Madaidan points out that current forms of sandboxing in linux (with the exception of VMs) are not very secure, and still need a lot of work to be made secure.

Flatpack

Madaidan bases his "research" on the thourouly-debunked Flatkill.org here. Madaidan thinks that a flatpack program can exfiltrate data. But for some reason completely forgets to think about how many millions of apps contain malware on the Microsoft,Google and Apple stores, compared to flatpack.

Although the author invents problems with flatpack, they seem to think that bubblewrap is the only secure method of sandboxing. The only problem with their "genius"? Bubblewrap was specifically created for flatpack, and flatpack uses bubblewrap for it's sandboxing.

Exploit Mitigations

"Most programs on Linux are written in memory unsafe languages, such as C or C++, which causes the majority of discovered security vulnerabilities. Other operating systems have made more progress on adopting memory safe languages, such as Windows, which is leaning heavily towards Rust, a memory safe language, or macOS which is adopting Swift."

What they write is partially correct. It's true that 'memory-safe' languages can be more secure for the OS, as it's less likely that there will be bugs in over/underflows of memory. However, this is not the full story. Lots of 'high-level' programs can be written in 'memory-save' languages, and this will reduce the chance of bugs, but the kernel is different. The kernel is extremely low-level, and works directly with the CPU and machine-code. Thus, the kernel has to work fast. If (eg) we have a chess game written in Java/Rust/any other memory-safe language, and thus it takes some milliseconds extra, and runs a bit slower, it's not an issue. However, if the kernel runs slower, then the whole system is basically bricked.

Let's say we use Rust, which promises to be fast. We still have a problem, because the kernel and other programs that must run super fast, regularly the programers use clever tricks and optimisations for the program to run some code faster. If we use Rust, we have 2 options:

Write it in a secure, but very slow manner, or;
Implement the same memory trick in Rust, and tell the compiler to ignore the errors/warnings.

This is not always the case. There are many areas+programs where it's better to use Rust, and fortunately, in the linux kernel, Rust is being introduced. Hopefully more programers will write their drivers etc in Rust.

Control Flow Integrity

What rubbish!. Linux implemented it in 5.14.

PTEs are fixed. Linux uses Kernel-self protection

"On Linux, there is currently no equivalent to VBS." Incorrect, there exists Linux Kernel Runtime Guard

Kernel

"The Linux kernel itself is also extremely lacking in security. It is a monolithic kernel, which means that it contains a colossal amount of code all within the most privileged part of the operating system and has no isolation between internal components whatsoever."

No proof that Windows or Mac do any better.

"The kernel has huge attack surface and is constantly adding new and dangerous features."

You don't say!. They're adding new features!!!??? XDXD and... they don't think that Windows and Macos are adding more features??...

"One example of such dangerous features is eBPF. In a nutshell, eBPF is a very powerful framework within the Linux kernel that allows unprivileged user space to execute arbitrary code within the kernel in order to dynamically extend kernel functionality. eBPF also includes a JIT compiler, which is fundamentally a W^X violation and opens up the possibility of JIT spraying. The kernel does perform a number of checks on the code that is executed, but these are routinely bypassed, and this feature has still caused numerous security vulnerabilities."

There is also JIT in Windows. It's possible to attack the kernel with the same method

"The kernel is written entirely in a memory unsafe language and has hundreds of bugs, many being security vulnerabilities, discovered each month."

Windows y Macos have the same problem, or even worse

Root attacks

"On ordinary Linux desktops, a compromised non-root user account with access to sudo is equal to full root compromise"

Of course, if the user has admin/root access, and that user is compromised, then kaput. But this problem exists in each OS. If we have a user with root/admin permissions (either in Windows or MacOS), and we run a malware in that account, well, kaput. Nothing can save you.

What Madaidan doesn't tell is the way you might get infected with a virus, as that's a crucial example of why linux is much more secure than other OS's (Windows+Mac)

Let's say we want to install a program like htop. In linux, with a simple 'sudo apt install htop' we're done in an easy and secure+safe manner. In windows/macos: We go to google, and type 'download htop', and click on the first result and... brrr we're already infected with a virus. Instad of the real website, we found a phishing website which looks identical to the original, but contains malware.

*And the supposed 'security' of windows/macos of the 'User Account Control (UAC)' y 'secure event input' worked... right up until we clicked on "Yes".

(And isn't it strange that in windows/mac, to install a new program, we need to run the installing program as root? instead of running something secure like apt in root?)*

And what about Mac/Android/IOS? Well, a bit better, because they have an 'app store'. Let's look at this example: We want to install a new aplication eg to analise wifi. We go to the appstore/playstore and search for it. We find an app that we like and install it and... brr, we just got infected with a virus. Throughout the dozens of wifi aplications, each with almost-identical names and pictures, we installed a version that contained a virus. The problem is that, as opposed to linux, where to include an app in the repositories there is an exhaustive process to verify that the app is legitimate, secure, and open source, this doesn't exist in the 'app stores' of Mac/Android/IOS, and any Tom, Dick and Harry can upload their version that contains viruses.

Stable release model

Madaidan has a problem with the stable release model, and thinks it's insecure. Fortunately, the heroes in the Security Teams of Debian, Ubuntu, and other distributions work day and night to patch vulnerabilities in the stable repositories, so Madaidan can relax and calm down. The world won't end that fast.

In a more serious note, the stable and rolling-release models have their pros and cons in terms of security. Is it possible that the security teams of the distribution don't notice an important bug/patch? of course it's possible. But it's also possible that new bugs and vulnerabilities enter the source repositories, and the rolling-release distros include the new vulnerable version before other programmers notice. Eg, we can see the recent example of the XZ backdoor, which entered some rolling-release distributions, but luckily (almost miraculously) was detected before the vulnerable version was included in the stable version.

Additionally, it's extremely easy to switch from the stable to rolling-release version, eg in debian, by using the testing repository.

What seems strange to me is that they don't mention the Windows/Mac/Android/IOS etc models. In windows, the automatic updates are switched on by default, and distribute patches for vulnerabilities in the most inopportune moments... Well, at least the system is updated, but with a crucial flaw. Only windows is updated (well, windows+some drivers). If there is a vulnerable app like... oh idunno chrome/firefox, then, we have a problem, as we have to pray that the user miraculously decides to update the program quickly and not postpone it...

And the same problem exists for the other OS's: the apps don't update in an efficient and secure manner.

Linux hardening

Madaidan has the opinion that it's super hard to make linux secure, and thinks that it's necessary to: "completely redesign how the operating system functions and implement full system MAC policies, full verified boot (not just for the kernel but the entire base system), a strong sandboxing architecture, a hardened kernel, widespread use of modern exploit mitigations and plenty more."

Fortunately, it's actually very simple to secure linux. The only thing that you need to do is install a super-secure distribution like QubesOS and away you go!

You don't have to implement full verified boot (in reality it's completely useless), and the virtualisation will handle the rest.

Other "geniuses" that fell into the same trap as Madaidan:

developer of grsecurity, the most useless product for the kernel. Doesn't surprise me that someone that tries to sell useless patches to supposedly make the kernel 'more secure', found 'insecurities' in linux...
lead developer of GrapheneOS: Is involved in multiple scandals with other security experts. Their cult (community) is filled with disinformation about security. Eg, they say that niether F-Droid nor Aurora store are secure, and it's better to use... the malware-infested google play! (really, those "geniuses" are spreading that rubbish)