[Am-info] Nicholas Petry on Security Report: Windows vs Linux

Gene Gaines gene.gaines@gainesgroup.com
Mon, 25 Oct 2004 15:14:53 -0400


If you have not seen this, worth a read.

Better than most of the "you are more insecure than me, nah nah
nah" that has been going around.

At:
http://www.theregister.co.uk/security/security_report_windows_vs_linux/

Covers CERT, quotes lots of stuff from others, but does some
direct analysis of Windows / Linux / BSD, I'll quote one piece
of this long article below.

Gene Gaines
gene.gaines@gainesgroup.com
Sterling, Virginia


-- excerpt --

"Windows is Monolithic by Design, not Modular
--------------------------------------------

A monolithic system is one where most features are integrated
into a single unit. The antithesis of a monolithic system is one
where features are separated out into distinct layers, each
layer having limited access to the other layers.

While some of the shortcomings of Windows are due to its ties to
its original single-user design, other shortcomings are the
direct result of deliberate design decisions, such as its
monolithic design (integrating too many features into the core
of the operating system). Microsoft made the Netscape browser
irrelevant by integrating Internet Explorer so tightly into its
operating system that it is almost impossible not to use IE.
Like it or not, you invoke Internet Explorer when you use the
Windows help system, Outlook, and many other Microsoft and
third-party applications. Granted, it is in the best business
interest of Microsoft to make it difficult to use anything but
Internet Explorer. Microsoft successfully makes competing
products irrelevant by integrating more and more of the services
they provide into its operating system. But this approach
creates a monster of inextricably interdependent services (which
is, by definition, a monolithic system).

Interdependencies like these have two unfortunate cascading side
effects. First, in a monolithic system, every flaw in a piece of
that system is exposed through all of the services and
applications that depend on that piece of the system. When
Microsoft integrated Internet Explorer into the operating
system, Microsoft created a system where any flaw in Internet
Explorer could expose your Windows desktop to risks that go far
beyond what you do with your browser. A single flaw in Internet
Explorer is therefore exposed in countless other applications,
many of which may use Internet Explorer in a way that is not
obvious to the user, giving the user a false sense of security.

This architectural model has far deeper implications that most
people may find difficult to grasp, one being that a monolithic
system tends to make security vulnerabilities more critical than
they need to be.

Perhaps an admittedly oversimplified visual analogy may help.
Think of an ideally designed operating system as being comprised
of three spheres, one in the center, another larger sphere that
envelops the first, and a third sphere that envelops the inner
two. The end-user only sees the outermost sphere. This is the
layer where you run applications, like word processors. The word
processors make use of commonly needed features provided by the
second sphere, such as the ability to render graphical images or
format text. This second sphere (usually referred to as
"userland" by technical geeks) cannot access vulnerable parts of
the system directly. It must request permission from the
innermost sphere in order to do its work. The innermost sphere
has the most important job, and therefore has the most direct
access to all the vulnerable parts of your system. It controls
your computer's disks, memory, and everything else. This sphere
is called the "kernel", and is the heart of the operating
system.

In the above architecture, a flaw in the graphics rendering
routines cannot do global damage to your computer because the
rendering functions do not have direct access to the most
vulnerable system areas. So even if you can convince a user to
load an image with an embedded virus into the word processor,
the virus cannot damage anything except the user's own files,
because the graphical rendering feature lies outside the
innermost sphere, and does not have permission to access any of
the critical system areas.

The problem with Windows is that it does not follow sensible
design practices in separating out its features into the
appropriate layers represented by the spheres described above.
Windows puts far too many features into the core, central
sphere, where the most damage can be done. For example, if one
integrates the graphics rendering features into the innermost
sphere (the kernel), it gives the graphical rendering feature
the ability to damage the entire system. Thus, when someone
finds a flaw in a graphics-rendering scheme, the overly
integrated architecture of Windows makes it easy to exploit that
flaw to take complete control of the system, or destroy the
entire system.

Finally, a monolithic system is unstable by nature. When you
design a system that has too many interdependencies, you
introduce numerous risks when you change one piece of the
system. One change may (and usually does) have a cascading
effect on all of the services and applications that depend on
that piece of the system. This is why Windows users cringe at
the thought of applying patches and updates. Updates that fix
one part of Windows often break other existing services and
applications. Case in point: The Windows XP service pack 2
already has a growing history of causing existing third-party
applications to fail. This is the natural consequence of a
monolithic system - any changes to one part of the machine
affect the whole machine, and all of the applications that
depend on the machine.


Windows Depends Too Heavily on the RPC model "
--------------------------------------------

[Petry continues with discussion of Windows use of
Remote Procedure calls ... interesting. -Gene Gaines]
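The excerpt's sphere model, with the graphics renderer kept outside the innermost sphere so that a flaw in it can damage only what that layer may reach, is what privilege separation looks like in practice. The C program below is an added example, not code from the article or from this list post: it runs a toy renderer with a deliberately simulated parsing flaw inside a forked, descriptor-limited worker process, so a malformed input kills the worker while the calling process survives and merely observes the failure. The image format, the renderer, and the status codes are all constructed for this example, and it assumes a POSIX host (fork, pipe, setrlimit).

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum { RENDER_OK = 0, RENDER_WORKER_CRASHED = -1, RENDER_ERROR = -2 };

/* Constructed toy image: a header byte declaring the pixel count, then up to 15 pixels. */
typedef struct { uint8_t declared_pixels; uint8_t pixels[15]; } toy_image_t;

/* Toy renderer standing in for the excerpt's "graphics rendering routines". Its simulated
   flaw: a header declaring more pixels than the buffer holds is modelled as a crash. */
static int render_untrusted(const toy_image_t *img) {
    int sum = 0;
    if (img->declared_pixels > sizeof img->pixels) raise(SIGSEGV); /* simulated bug */
    for (unsigned i = 0; i < img->declared_pixels; i++) sum += img->pixels[i];
    return sum;
}

/* Run the renderer in a separate, restricted process: it keeps only the pipe it already
   holds and may open no new descriptor, so a fault there cannot reach the caller's state. */
int render_isolated(const toy_image_t *img, int *checksum_out) {
    int fds[2], sum = 0, status = 0;
    if (pipe(fds) != 0) return RENDER_ERROR;
    pid_t pid = fork();
    if (pid < 0) return RENDER_ERROR;
    if (pid == 0) {                                   /* worker process */
        close(fds[0]);
        setrlimit(RLIMIT_NOFILE, &(struct rlimit){ 0, 0 }); /* no new file descriptors */
        sum = render_untrusted(img);
        _exit(write(fds[1], &sum, sizeof sum) == (ssize_t)sizeof sum ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], &sum, sizeof sum);       /* reads 0 bytes if the worker died */
    close(fds[0]);
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status) || n != (ssize_t)sizeof sum) return RENDER_WORKER_CRASHED;
    *checksum_out = sum;
    return RENDER_OK;
}

/* Checksum for a renderable image, or the failure status for a malformed one. */
int render_demo(uint8_t declared_pixels) {
    toy_image_t img = { declared_pixels, { 10, 20, 30 } };
    int sum = 0, rc = render_isolated(&img, &sum);
    return rc == RENDER_OK ? sum : rc;
}

int main(void) {
    printf("3 declared pixels: %d\n", render_demo(3));                    /* 60 */
    printf("200 declared pixels: %d (parent alive)\n", render_demo(200)); /* -1 */
}
```

Had render_untrusted been linked into the caller itself, the innermost-sphere case the excerpt warns about, the same malformed header would have taken the whole program down instead of producing a recoverable status code.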