Raygen's Basement - Internet Stuff

Is Linux Security by Obscurity?

I have often heard computer users toss around the notion that Linux is “security by obscurity”. So what exactly do they mean by this? What they mean is that Linux users are only secure because Linux does not have a majority share of the market. This statement could not be more untrue. It is a fact that Linux has the majority of the server market share. In September 2008 Microsoft CEO Steve Ballmer admitted that 60% of web servers run Linux. So if most web servers run Linux, then why are they so secure?

Granted, no operating system is bullet-proof, be it Windows, Linux, or BSD. However, Linux in general is much more hardened against attack than its Windows counterpart. There are many reasons for this, which I will get into further in this article, and they show that most Linux distros follow a strict security model.

Sudo

Most Linux distros follow a strict security model and incorporate what is called “sudo”. Sudo is a way to allow a regular user to “assume” some root permissions after providing a correct password. Because day-to-day work happens as an unprivileged user, programs and untrusted code are not executed on behalf of the root account. This feature pretty much puts the kibosh on drive-by downloads that install malicious software without interaction from the user, which have been predominant on Windows in recent years. It is the use of sudo, which keeps the user from running as root (Administrator), that greatly protects the system from attack.

Design

Linux was designed from the beginning to be a true multi-user system. Windows is still recovering from its monolithic roots. Windows 9x was designed as a monolithic system where one user, the administrator, had full-blown access to the entire system. It is a fact that portions of that legacy code still exist in Windows 2000, XP, Vista, and the newly released Windows 7. For example, in Windows XP Fast User Switching is not available if the computer is joined to a domain. This has been overcome from Windows Vista onwards, but it is design decisions like these that show Windows is still overcoming its monolithic roots.

Also, Windows is monolithic in how many components rely on each other. The biggest example of this is Internet Explorer. Internet Explorer is more than just a web browser; it is an integral part of the operating system itself. Even though in Windows 7 you can finally uninstall the browser, the Internet Explorer core components and rendering engine are still left behind for third-party application developers, and of course for the other Windows subsystems that depend on Internet Explorer.

Security

In most Windows installations, the de facto security methods are the firewall, anti-virus software, and some kind of anti-spyware application. With the exception of the firewall, all of these methods rely on some sort of signature-based blacklist approach. This system can be good for detecting known baddies, but what about the unknown ones? This is where this type of approach fails. Its failings become more apparent because Windows makes it very easy to just execute code, many times without user intervention.

Also, what about zero-day exploits, where part of the OS or an application has a security hole that can be exploited remotely? Most times there is no signature for such attacks until well after the fact. This is where Linux shines. On Linux, one can use AppArmor or SELinux, which are MAC (Mandatory Access Control) systems that define exactly which resources an application is allowed to access, and nothing more. This makes Linux flexible and can stop many zero-day exploits from using a vulnerable application to gain access to critical parts of the system.
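To make the MAC idea concrete, here is an added example AppArmor profile (not from the original post) for a hypothetical network service, /usr/local/bin/example-fetcher; the binary name, file paths and rules are assumptions made for the illustration. Everything not granted in the profile is denied, so even if the fetcher is hijacked through a bug, it cannot read /etc/shadow or users' home directories.

```apparmor
# Added example profile (not from the original post): confines a
# hypothetical service, /usr/local/bin/example-fetcher. Anything not
# granted below is denied by AppArmor's default-deny model.
#include <tunables/global>

/usr/local/bin/example-fetcher {
  #include <abstractions/base>         # libc, shared libraries, /dev/null
  #include <abstractions/nameservice>  # DNS and /etc/hosts lookups

  # Only outbound TCP is needed; no raw sockets
  network inet stream,

  # Its own binary (map as executable), its config and its log: nothing else
  /usr/local/bin/example-fetcher mr,
  /etc/example-fetcher/** r,
  /var/log/example-fetcher.log w,
  owner /tmp/example-fetcher-* rw,

  # Explicit denies are redundant under default-deny but keep the audit
  # log quiet and document intent
  deny /etc/shadow r,
  deny /home/** rw,
  deny /proc/*/mem rw,
}
```

A profile like this normally lives under /etc/apparmor.d/ and is loaded with apparmor_parser; attempts that the profile blocks appear in the kernel log as apparmor="DENIED" entries, which is exactly the signal a defender wants from a service that has started doing something it was never written to do.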

Conclusion

Linux is not security by obscurity. Linux is security by the way it was designed from the ground up to be a multi-user system. Since the user is separated from the system, it is much harder to penetrate with the endless waves of malware garbage that Windows users face. I will say Windows Vista and Windows 7 have taken steps in the right direction with User Account Control and ASLR (which was first available in Linux); however, more needs to be done to lock the system down a bit. I think ActiveX needs to be severely neutered or gotten rid of altogether, but that is a tale for another blog.

So if you're not currently using Linux, give it a shot. Ubuntu is a great distro. Take care.


Comments (2)


raygen79
Twitter:
January 29th, 2010 at 2:32 pm

That is a point well taken. However, it must be noted that, the way Linux is designed, running anti-virus would be redundant. Linux also comes with its own firewall: iptables, PF, etc. Take your pick. Many routers, home and corporate, run some form of Linux/BSD on them.

MAC and digital code signing are the future for any platform.
