How to implement better security in Linux?

I’m just investigating the security and control of the Linux platform in comparison to Android.

In Android there seems to be a huge development around security – Applications are required to ask for system permissions, and if the user grants that permission, then the system allows that application to execute with those granted privileges.

It isn’t like that on vanilla Linux. Applications can access anything they want, albeit not granting them to modify files, but nevertheless. Users simply don’t know how applications work, and what information – sensitive information – they take and what they do with that information (upload it to a database and sell it to 3rd parties).

So how is this dealt with?

I’d imagine the Linux kernel has to be modified so it accepts access tokens on a per-application basis or something similar.

Windows at least has some type of security system with its built-in firewall and local authority service. (I know little about Windows.)

2

The goals of Android security are different from what was traditional with desktop operating systems like Linux or Windows.

Until recently, all systems assumed the administrator and user know and trust the applications they install. Or if the user can’t be expected to know, they need the administrator, who is presumably more knowledgeable, to do it for them. Security ensured primarily that users can’t read or damage each other’s data or prevent each other from working. That’s still the case for Linux and Windows in desktop mode.

For mobile phones the case is different. Mobile phones are single-user, but they don’t have an administrator and are expected to be used by non-tech-savvy users. So mobile phone (and tablet) security is supposed to give the user some level of protection against malicious applications, especially now that the application shops provide thousands of applications.

The traditional security of isolating users is well understood after more than 30 years of experience. It is also well understood how to re-purpose the security mechanisms to separate services on a server to limit the damage that can be done by exploiting a bug in one of them. The mechanisms for this end were greatly improved over time, leading to the very powerful and flexible SELinux, but it still requires a knowledgeable system administrator to set up.

On the other hand, securing the user against trojan horses (malicious applications they are fooled into installing) is new, largely unexplored and still severely lacking. The major problem is that if you (rightfully) don’t expect the user to be able to judge whether the application is trustworthy, you can’t really expect them to know what the permissions they are confirming mean and what the implications of granting them to the application are. Apple and Microsoft work around this by tightly controlling the content of their application shops, but that has its own issues (it’s surprising no anti-trust bureau has forbidden it yet); Google mostly ignored it until lately and has implemented some form of monitoring now. It should also be noted that the permission system has existed at least since Symbian.

It should be noted that the Android security system uses the same underlying mechanisms as the one for desktop Linux. The difference is in how it is set up, not how it works.

1

Android security is almost a joke. Consider the “read phone state and identity” permission – this is nearly always used by apps to send your phone details to advertisers so they can target ads at you (and earn a little revenue for the app maker). Does the app really need access to all your sensitive data on the phone just to get a unique id off you? Apparently so!

Then there’s the way that the permissions are used. Currently there’s been a bit of malware on the App Store where a legitimate app requested some permission, and subsequently updated the app to add some malware that exploited that permission – and no-one noticed as the permission was already granted.

I think the Android security model, which means you have to give permission to various settings up-front, and in such coarse-grained ways, means that no-one really looks at what the app requires; you have to accept all security permissions to use the app.

I’d say all users don’t know how Android apps work either – once you’ve given an app network and file access, it can send all your files to a 3rd party without needing to trouble you for permission – you do have a file manager app on your phone that has already been given these permissions, don’t you?

You can’t build security in in a way that stops all bad things without also stopping all the good things – security is more about run-time permissions and restricting apps from accessing parts of the system that they shouldn’t have access to. Now Linux security is mainly based around filesystem security in that you prevent one user’s running apps from accessing another user’s files (as a multi-user system, this is important, and even for a single-user system, you don’t want a rogue app accessing sensitive ‘root’ system files).

BTW, Linux has iptables – a ‘built in’ firewall, and if the standard security system isn’t good enough, you can set SELinux going, which was designed by the NSA.

3
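The answers above describe the classic Unix check that keeps one user's processes out of another user's files, and note that Android reuses that mechanism with a different setup. As an added example that is not part of any answer on this page, here is a simplified model of that owner/group/other check run over two constructed layouts. The app names, uids and file modes are assumptions; ACLs, directory traversal, capabilities beyond root's bypass, and SELinux/AppArmor policy are not modelled.

```python
import os
import stat

ROOT_UID = 0
R, W = 4, 2  # read / write bits inside one rwx triplet


def dac_allows(mode, owner_uid, owner_gid, proc_uid, proc_gids, want):
    """Unix DAC check: select exactly ONE rwx triplet, then test the bits."""
    if proc_uid == ROOT_UID:
        return True  # simplification: root bypasses read/write checks
    if proc_uid == owner_uid:
        triplet = (mode >> 6) & 7   # owner class, even if it is the strictest
    elif owner_gid in proc_gids:
        triplet = (mode >> 3) & 7   # group class
    else:
        triplet = mode & 7          # everyone else
    return (triplet & want) == want


def path_allows(path, proc_uid, proc_gids, want):
    """Apply the same model to a real file's mode and ownership."""
    st = os.stat(path)
    return dac_allows(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                      proc_uid, proc_gids, want)


def desktop_layout():
    # Constructed: both apps run as the logged-in user (uid 1000).
    procs = {"mail": (1000, {1000}), "game": (1000, {1000})}
    files = {"mail": (0o600, 1000, 1000)}  # mail's private data file
    return procs, files


def android_layout():
    # Constructed: each app gets its own uid at install time
    # (Android application uids start at 10000).
    procs = {"mail": (10001, {10001}), "game": (10002, {10002})}
    files = {"mail": (0o600, 10001, 10001)}
    return procs, files


def can_read(layout, reader, data_owner):
    procs, files = layout
    uid, gids = procs[reader]
    mode, f_uid, f_gid = files[data_owner]
    return dac_allows(mode, f_uid, f_gid, uid, gids, R)


if __name__ == "__main__":
    for name, layout in (("desktop", desktop_layout()), ("android", android_layout())):
        print(name, "game reads mail data:", can_read(layout, "game", "mail"))
```

The same file mode gives opposite results in the two layouts because only the uid assignment differs, not the check itself.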

There is the SELinux project, which allows fine-tuning the interactions between processes (and the filesystem). The system of permissions is a bit more flexible than Android’s at the cost of increased complexity. Other possibilities are, among others, TOMOYO Linux and AppArmor. There are desktop distributions which have them enabled by default, like Fedora.

However my guess is that on Linux the applications are trusted and protection is done rather to:

  • Minimize the effect of security holes (for example to prevent a hijacked Apache process from messing with PostgreSQL)
  • Don’t allow a user to get outside his/her boundaries and access other users’ data

It is somehow justified as most applications are open source and well-known so it is likely that such code would be discovered.

1
