Post · bonfire.cafe

David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall@infosec.exchange · 4 hours ago

Hopefully the recent flurry of Linux vulnerabilities will remind people that monocultures are bad for security. Replacing a Windows monoculture with a Linux monoculture may be a small improvement but does not fix the problem. Both systems are well past the complexity level where you can guarantee no security vulnerabilities.

A local privilege elevation bug combined with a sandboxed arbitrary-code execution bug in some widely deployed userspace software lets an attacker take complete control of all of your infrastructure if you have a single OS. If you have a mix of different systems, it is much harder to build exploits that will work on all of them.

This is part of the reason I strongly encourage digital sovereignty movements to focus on small, composable systems rather than huge monoliths. If every company and government service is running a different mix of modular systems, it’s much harder to create a portable attack that works on all of them.

Edwin Török

@edwintorok@discuss.systems · 1 hour ago

@david_chisnall probably also run a mix of hypervisors (not just different versions, completely different ones), and a mix of CPU vendors (multiple hypervisors don't help when they're all affected by the same Intel or AMD bug) and a mix of CPU architectures. Although that still doesn't protect you against bugs that affect all or most architectures (like some of the side-channel attacks). If you run an unpopular OS, hypervisor, or architecture you may have some protection against widely used exploits until your OS/hypervisor/architecture becomes widely used and targeted by exploits.
Having said that if we ever get to live in a CHERI monoculture that wouldn't be so bad, it'd significantly raise the complexity and likelihood of attacks :)

David Chisnall (*Now with 50% more sarcasm!*)

@david_chisnall@infosec.exchange · 1 hour ago

@edwintorok

I'd prefer a mixture of different CHERI vendors!

But, yes, completely agreed on all other points. Amazon, for example, runs KVM and Xen in their cloud for precisely this kind of reason and they've implemented live migration between Xen and KVM hosts. This means that, in an emergency (i.e. a Xen or KVM bug that's being actively exploited with no fix) they could move VMs from the vulnerable hypervisor to the other one and stop the spread.

Ray McCarthy

@raymaccarthy@mastodon.ie · 1 hour ago

@david_chisnall
Potatoes.
See famines in 19th C. Not just Ireland, but other places too.

I wrote a story about it.
https://www.corvidspress.com/fiction/otherworld-series/no-silver-lining/

I could have written a darker post-apocalyptic tale.

There is a bigger problem with people using the so called Cloud (someone else's server) instead of their own servers.

No Silver Lining

autumnwinds

@autumnwinds@mathstodon.xyz · 1 hour ago

@david_chisnall finally me running both Solaris and Plan 9 servers pays off

tsk

@tasket@infosec.exchange · 2 hours ago

@david_chisnall Down with monolithic kernels.

☮ ♥ ♬ 🧑‍💻

@peterrenshaw@ioc.exchange · 2 hours ago

@david_chisnall Permissive Linux;

You get a sense of why Linux is the goto OS when installing “Foo” applications; Coming from say OBSD where if you can find “Foo”, it’s the oldest version and secure beyond usage. 🤣

clonedhuman

@clonedhuman@mastodon.social · 2 hours ago

@david_chisnall Anything that has a fundamentally cloud-based infrastructure is rife with weak points and not wholly under the user's control.

Random9

@Random9@101010.pl · 3 hours ago

@david_chisnall the most microslop shilling thing I've read today. Ofc microslop doesn't want one big competitor, but many small ones.

Anyway, that is not true. All of the servers run on Linux for decades now. That was never the problem, but just now, when microslop is losing desktop market? Very curious indeed.

Joseph Salmon

@josephsalmon@sigmoid.social · 3 hours ago

@david_chisnall indeed, sounds like the very same issue in agriculture monoculture.

Serge Matveenko ♻️☮️ ⩜⃝

@lig@fosstodon.org · 4 hours ago

@david_chisnall We've been in the Linux monoculture for some time already. It is the most popular operating system in the world powering the vast part of the entire World's IT-infrastructure for decades.

m_eiman

@mikaeleiman@mastodon.sdf.org · 4 hours ago

@david_chisnall Also don't enable all the features, just the ones you actually use