United We Fall, 2002-06-05
The United Linux distribution will introduce thousands of open-source fans to the security nightmare of a software monoculture.
If United Linux is successful, it will allow automated exploits to proceed with a ruthless efficiency reminiscent of CodeRed and Nimda.
United Linux is a
Companies using United Linux as the basis of their Linux distributions will include the United Linux CD, which will provide the base operating system, and optionally additional CDs providing their vendor-unique software. Although United Linux will include the base GNOME and KDE libraries, it is intended to be a server distribution, not a desktop distribution.
First, the good news: United Linux promises a number of features that may improve security. According to their white paper, the distribution will include IPSEC VPN capability, firewall capability (via standard IPTables), and an intrusion detection system based on the very capable
In addition, United Linux promises cryptographic signatures on update packages. As all four Linux distributors in the consortium already use
But all this good news is tempered by quite a bit of bad news. For starters, identical configurations, binary compatibility and identical libraries are good for hackers.
Identical configurations, if correct, present no security problem. But a misconfiguration, such as a Web permissions problem, when mandated by the core distribution, stands to hurt far more users, and much more quickly, than a similar error on any of the existing distributions.
Identical binary builds are an even more serious issue. Many exploits, such as buffer overflows, need to hard-code magic numbers like system calls and addresses that vary by Linux distribution, and by builds of the binaries.
This diversity of binaries, even when the sources are the same, has been a hidden strength of Linux: it means that exploits have to be customized not only for each distribution, but for each minor version as well, which is often enough to confound script kiddies and worms.
As United Linux will have identical binaries for base system software, an exploit that runs against one distribution built atop it will run against all other distributions.
Coordination Issues
That means if United Linux is successful, it will allow automated exploits to proceed with a ruthless efficiency, reminiscent of CodeRed, Nimda, and other worms targeting software monocultures. If Red Hat or Mandrake join the United Linux consortium, the risks would be even greater.
Another serious problem with United Linux will likely be coordination between vendors for security fixes. The four distributions that comprise United Linux have wildly different security records: SuSE and Conectiva seem quite responsive to security issues. TurboLinux has not released a security fix since January 24th, according to
If all vendors need to agree on a fix, and if all four distributions need to coordinate and approve fixes to the base operating system, it seems that the natural result will be to slow down the faster distributions, even if it does bring the slower players somewhat more up to speed. It's like not allowing the smartest kid in class to work to his potential, so that the slowest kid doesn't fall too far behind. (One way of mitigating this would be to have SuSE or Conectiva coordinate the security team, and allow their updates to the base distribution to go through without approval from the other vendors.)
Many other details remain to be seen: while the white paper specifies that security fixes will be announced via a mailing list and will be installed via automated system updaters, the update software is not specified. If the updater that United Linux ends up with does not check package signatures, a whole slew of boxes will suddenly be vulnerable to
Also questionable is United Linux's mandatory availability of SNMP (Simple Network Management Protocol) software. While most Linux distributions already include this, it is rarely installed by default. The default installation of SNMP is almost always insecure, and, in fact, unchanged SNMP community strings made number seven on SANS' list of
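The SNMP concern above is something an administrator can check on an installed system. The following is an added example, not code from the original article or from United Linux: it scans text in Net-SNMP `snmpd.conf` syntax for the well-known default community strings `public` and `private`. The sample configuration and the function names are constructed for illustration.

```python
import shlex

# Well-known default community strings (assumption: the usual shipped defaults).
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed sample in Net-SNMP snmpd.conf syntax, not taken from any distribution.
SAMPLE_CONF = """\
# constructed example
com2sec notConfigUser default public
com2sec -Cn ctx1 localUser 127.0.0.1 "k3Jq-constructed"
rocommunity public
rwcommunity private 10.0.0.0/8
rocommunity6 s7Xp-constructed ::1
syslocation "public library"   # not a community string
"""

COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")

def community_of(tokens):
    """Return (community, source) if the directive sets a community, else None."""
    directive, args = tokens[0].lower(), tokens[1:]
    if directive in COMMUNITY_DIRECTIVES and args:
        return args[0], (args[1] if len(args) > 1 else "default")
    if directive in ("com2sec", "com2sec6"):
        if args[:1] == ["-Cn"]:          # optional context name precedes SECNAME
            args = args[2:]
        if len(args) >= 3:               # SECNAME SOURCE COMMUNITY
            return args[2], args[1]
    return None

def audit(conf_text):
    """List (line, directive, community, source, writable) for default strings."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        try:
            tokens = shlex.split(raw, comments=True)   # honours quotes and '#'
        except ValueError:                             # unbalanced quote
            tokens = raw.split()
        hit = community_of(tokens) if tokens else None
        if hit and hit[0] in DEFAULT_COMMUNITIES:
            writable = tokens[0].lower().startswith("rw")
            findings.append((lineno, tokens[0], hit[0], hit[1], writable))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("line %d: %s uses default community %r (source %s, writable=%s)" % finding)
```

A finding with `writable=True` or a source of `default` (any host) deserves attention first, since it combines a guessable string with the widest access.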
While the costs and benefits of United Linux appear to be fairly well balanced, I believe that the unified binaries and system libraries across such a large number of systems will allow automated attacks against Linux systems to increase in prominence and effectiveness. Linux distributors might find, as Microsoft has, that ubiquity and consistency have their price.
