State of Linux Desktop Security

I made a tweet claiming that Linux is behind on security mitigations. This post outlines mitigations that have been added to platforms such as Windows, macOS, and even ChromeOS but have yet to see the light of day on the Linux desktop.

(Btw, Andrew Kelley is my hero!)

Linux distros are behind on implementing modern binary exploit mitigations. The last userspace mitigations that distros adopted across the board were ASLR/PIE and stack canaries, and this hasn't changed for years. Windows and macOS enforce code signing on kernel drivers, and macOS additionally requires downloaded applications to be signed and notarized before Gatekeeper will run them; a Linux distro verifies package signatures at install time and then never looks at the binary again. glibc's allocator is primitive compared to LLVM's Scudo allocator, which hardens against use-after-free and heap-overflow exploitation with checksummed chunk headers, randomized chunk placement and a quarantine for freed memory.

Windows ships Control Flow Guard, a compiler-inserted check on indirect call targets, and is layering hardware-enforced control flow protection on top of it. Modern iOS hardware enforces something comparable with pointer authentication. The most exciting recent Windows addition is a shadow stack (Intel CET): every return address is also pushed onto a second, hardware-protected stack that ordinary memory writes cannot reach, and a mismatch on return faults. This is both cheaper and stronger than stack cookies, which only detect a linear overflow that happens to clobber the canary on its way to the return address.

Linux distros have next to nothing in the way of sandboxing or any meaningful application security model. Under Xorg any app can read the window contents and keystrokes of any other app, because the X protocol has no isolation between clients; Wayland closes this hole, but many distros still default to Xorg. Flatpak and snap are both security nightmares, fundamentally flawed and poorly implemented. The best sandboxing primitive the Linux kernel offers is seccomp-bpf, which lets a process restrict the set of syscalls it is allowed to make, yet almost no desktop application uses it: Google Chrome/Chromium and Firefox are the notable exceptions. To compare, ChromeOS requires every service to have its own seccomp filter.
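As an added example (not code from the post or from any of the projects it names), here is what a per-program seccomp-bpf allowlist looks like in C, together with a small offline interpreter so the filter can be checked before it is installed. It assumes x86-64 Linux and a program that only needs write, exit and exit_group; the syscall list and the helper names are my assumptions.

```c
/* Added example, not code from the post or from any project it names: a
 * minimal seccomp-bpf allowlist for a program that only writes to stdout
 * and exits. Assumes x86-64 Linux; the allowed syscall set is an
 * assumption chosen for this demo. */
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* pre-4.14 headers */
#endif

/* Any syscall not listed here kills the whole process with SIGSYS. */
static const unsigned int allowed[] = { SYS_write, SYS_exit, SYS_exit_group };
#define N_ALLOWED (sizeof(allowed) / sizeof(allowed[0]))
#define FILTER_LEN (4 + 2 * N_ALLOWED + 1)

/* Emit the filter into prog (capacity cap); returns the instruction
 * count, or -1 if cap is too small. */
int build_filter(struct sock_filter *prog, size_t cap)
{
    if (cap < FILTER_LEN)
        return -1;
    int i = 0;
    /* 1. Reject foreign-ABI syscalls (e.g. 32-bit int 0x80 on a 64-bit
     *    kernel): their numbering differs, so the checks below would
     *    not mean what they say for them. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* 2. Load the syscall number and allow it if it matches a list entry. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < N_ALLOWED; k++) {
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    /* 3. Default deny. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

/* Interpreter for the three cBPF opcodes used above, so the filter can be
 * checked offline before it is installed. Returns the SECCOMP_RET_*
 * action the kernel would take for (arch, nr). */
unsigned int filter_decision(const struct sock_filter *prog, int len,
                             unsigned int arch, unsigned int nr)
{
    struct seccomp_data data = { .nr = (int)nr, .arch = arch };
    unsigned int acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)&data + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K: /* offsets are relative to pc + 1 */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default: /* opcode this toy does not model */
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end; the kernel rejects such programs */
}

/* Install the filter on the calling thread. PR_SET_NO_NEW_PRIVS lets an
 * unprivileged process install it and also blocks setuid-execve escapes. */
int install_filter(void)
{
    struct sock_filter prog[FILTER_LEN];
    int len = build_filter(prog, FILTER_LEN);
    if (len < 0)
        return -1;
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    if (install_filter() != 0)
        return 1;
    static const char msg[] = "write() allowed; getpid() will now kill us\n";
    write(STDOUT_FILENO, msg, sizeof msg - 1);
    /* Not on the allowlist: the kernel delivers SIGSYS and the process
     * dies instead of returning a pid. */
    return (int)getpid();
}
```

Build it with any C compiler on Linux and run it: the write() goes through, then the process is killed by SIGSYS the moment it calls getpid(). Real programs usually generate the filter with libseccomp instead of hand-assembling BPF, but the shape is the same, and the architecture check at the top is not optional: without it, a 32-bit syscall entry on a 64-bit kernel would be compared against the wrong numbering.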

Also a friendly reminder that Debian is always behind on CVEs, and I'm sure that most distros don't fare any better.

Inspiration

Daniel Micay's stance on Linux Desktop Security

I'm just a student interested in security, if any of the above info is wrong I will be glad to change it!

Update (June 28, 2020)

Wow, this blew up! For the sake of factual accuracy, I wanted to correct some small things. This is an excellent comment from woodruffw on Hacker News that does this better than I could.

I think the author is generally right (especially about sandboxing!), but picked a few funny examples:

Windows page signing is a feature of Authenticode, and applies specifically to "high integrity" kernel drivers. It's basically a niche of normal code signing and should be treated as such.

Windows just (as in, within the last 6 months) got hardware-backed control flow protection, via Intel CET. They had to add a new debug type (`IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS`) to the debug section to make space for it in the PE format. It'll probably take a few years to become popular, assuming that Microsoft hasn't badly broken it the way they did RFG.

Modern iOS/Apple mobile hardware is generally a poor contrast: it's homogeneous in terms of CPU features in ways that Linux can only dream of, and benefits from Apple's walled garden approach. Linux distros can barely get people to fetch automatic updates; getting them to buy CPUs with hardware CFI features (a la Apple's PAC) is a pipe dream.

But overall, this article is generally correct. Linux desktop security cannot be compared to ChromeOS, Windows, or MacOS security, in order from most to least secure.

There's a lot of misinformation out there, especially about security. I confidently know the basics, but if you want to learn about security, learn it from the experts.