Paranoid Penguin - Interview with Marcus Meissner

Insights from SUSE's Security Team Lead.
Operating System Architecture

MB: In the Linux world, we've seen less malware (viruses, trojans and worms) than the Microsoft Windows world has been subject to. Why is this, do you think?

MM: First, Microsoft Windows just has more installations, and so it is a more valuable target; thus, it gets more research into exploitability.

Second, Windows has quite a high integration level. You can do lots of stuff from everything, and this was seen as a good thing—easy embedding of document/image viewing and so on. Although on the one hand this is a good thing, it also exposes a lot more code to the attackers.

Plus, the Windows software development community before the Internet was not really programming with security in mind, and so there were large holes. The same goes for reviewing the code; it was hard without source for externals.

It's something like a mix of all those things, I guess.

MB: My own opinion for several years has been that Linux isn't inherently more or less secure than Windows; their underlying security models are very similar. What are your thoughts on this?

MM: UNIX/Linux has, for example, the advantage that we separated (the concept of) the user from the administrator right from the beginning, which Windows still has problems with.

Due to less integration, or integration at different levels, Linux has perhaps a better chance of resisting those attacks.

Linux also has less of a monoculture in programs and libraries, and it is also changing more rapidly than it perhaps does on Windows.

MB: What kind of potential do you see in mandatory access control (MAC) systems, like AppArmor and SELinux, in improving Linux security for the masses? To what extent do you think they're already helping?

MM: It's difficult to say. I have no experience with SELinux, but with AppArmor, I see some acceptance issues in default settings, and then it does not catch everything.

MB: When SUSE incorporated Novell AppArmor into its general releases, this caused a bit of controversy. It seemed like some people involved with SELinux felt that this undermined their efforts. As a SUSE employee, I assume you're pro AppArmor, but what do you think about the controversy? Isn't it healthier for multiple MAC options to be available to people?

MM: There surely was controversy, but most of it seems to have died down now.

It is healthier to have more than one MAC system, especially in exploring the MAC problem from different angles.

That AppArmor was much more usable than SELinux also has caused lots of thinking and usability improvements in SELinux (think targeted policies, booleans and so on), and the other way around. AppArmor now can contain more things than in earlier times. We currently see both as solutions that could even co-exist to some degree.

Other new MAC approaches, like SMACK and so forth, also are appearing now.

MB: So, are there any plans for SUSE to support SELinux, as an alternative to AppArmor?

MM: I cannot say at this time, especially since partner requirements are still open for future products.


MB: When Linux virtualization first started to emerge into the mainstream a few years ago, it seemed to me that the whole concept of a hypervisor—an intelligence logically above the guest-OS kernel that manages system resources and monitors VM behavior—has a lot of security potential. Nowadays, I wonder whether I wasn't overly optimistic. The additional layer of abstraction might introduce other attack vectors. Your thoughts?

MM: Virtualization environments, unfortunately, were/are sold as security solutions, but the breakout possibilities are only now being investigated, and there likely was no formal containment design from the ground up.

Several ways also have been found for almost all virtualization technologies to break out of confinement.

So yes, I think using them as security containers is overly optimistic.

Embedded Linux

MB: One of the most remarkable developments in Linux, it seems to me, is its rapid inroads in the embedded systems market. All kinds of consumer electronic devices are now Linux-powered. Does SUSE ever show up in this space? Do the particular challenges and ramifications of embedded operations figure into your team's work?

And, from a security perspective, how good of an idea is it to use a general-purpose operating system like Linux (or Windows) for embedded applications?

MM: We are not really showing up in this space, even though we are working to bring the enterprise desktop more into the thin-client space. But, it's not the real embedded market.

What matters most for security in those devices is how they get updates and what security processes are there from their vendors. If the vendor just gives up support after six months for a device, but the device lives for five years or longer, it's bad. You have lots of unpatched devices out there.