• DessalinesA
    link
    fedilink
    arrow-up
    14
    arrow-down
    2
    ·
    3 years ago

    Other kernels, such as the Windows and macOS kernels, are somewhat similar too, in that they are also large and bloated monolithic kernels with huge attack surface, but they at least realise that these issues exist and take further steps to mitigate them. As an example of this, Windows has historically been plagued by vulnerabilities within its font parsing code so in response, Microsoft moved all font parsing out of the kernel and into a separate, heavily sandboxed user space process, restricted via AppContainer. Windows also implemented a mitigation to block untrusted fonts from specific processes to reduce attack surface. Similarly, macOS moved a substantial portion of its networking stack — the transport layer — from the kernel into user space, thereby significantly reducing remote kernel attack surface and the impact of vulnerabilities in the networking stack. Linux, however, does not focus on such systemic approaches to security.

    This one is particularly funny, combined with the idea that they think windows or macOS is more sandboxed than linux. For years, internet explorer was so tightly integrated into windows, that clicking a browser link could install malware that would affect your entire filesystem, steal all your regex and system data, and even cause your OS not to boot. In the mid 1990s, identity theft was exacerbated by the fact that microsoft, rather than fix bugs, would sue the people publishing the bugs.

    • snek_boi
      link
      fedilink
      arrow-up
      8
      ·
      3 years ago

      Ouch. Microsoft used to sue people instead of fixing bugs? What a way of guaranteeing insecurity in the long run!

      I wonder if the whole “Microsoft moved all font parsing out of the kernel” as well as the “macOS moved a substantial portion of its networking stack - the transport layer- from the kernel into user space” happened after the “years [in which] internet explorer was so tightly integrated into windows”. You could both be right. The quote of his actually supports your point: “Windows and Mac kernels are somewhat similar too, in that they are also large and bloated kernels. […] Windows has historically been plagued by vulnerabilities within its font parsing code.”

      So what I understand is that you’re right that it’s funny to think that macOS and Windows were more sandboxed than Linux. Based on his quote, it appears as if this has recently changed, at least in the examples given and the general “systemic approach” to security.