Microsoft Aims For Greater Script Execution Control On Linux

  • #21
    Originally posted by Volta View Post

    If they've chosen Windows then security wasn't one of their priorities. Good to see M$ helping with security on Linux, though. They can't do anything about it on Windows, because it's broken by design.

    Oh, you can say goodbye to your 'security' layers on Windows:
    Remind me for what reasons Linux was banned?
    Some malware doing something that isn't even working properly on Linux doesn't matter in this context.

    What is important is that Linux now lacks many security features that Windows actually has. I remembered watching a stream of Adam Zabrocki, creator of LKRG, and one of the main reasons he did so is because the Linux kernel nowadays lacks a ton of anti-exploit features that simply exist in Windows.

    Comment


    • #22
      Originally posted by dylanmtaylor View Post

      This couldn't be further from the truth - Windows is making security improvements in strides, and we shouldn't ignore that. It has many, many planned secure-by-default features coming for Windows 11. If you haven't seen this excellent talk, I'd recommend checking it out as it details their plans to make their OS far more secure. https://www.youtube.com/watch?v=8T6ClX-y2AE

      Microsoft is rewriting parts of their OS in Rust already, including in the kernel, and rolling those changes out to customers. They're not sitting idly by while Linux eats their lunch.
      Let me know when they fix UAC being trivially bypassable (a.k.a. admin privilege escalation, would be considered a severe vulnerability in any other OS). Until they fix the obvious gaping holes, the other security features are little more than a placebo.

      Comment


      • #23
        Originally posted by QwertyChouskie View Post

        Let me know when they fix UAC being trivially bypassable (a.k.a. admin privilege escalation, would be considered a severe vulnerability in any other OS). Until they fix the obvious gaping holes, the other security features are little more than a placebo.

        https://tryhackme.com/room/bypassinguac
        I'm not sure if you actually watched what I linked, but between their adminless default behavior (8 minutes in) and mandatory app signing (around 29 minutes in), I think it'd be extraordinarily hard to continue to abuse UAC bypass methods.

        Comment


        • #24
          Originally posted by dylanmtaylor View Post

          I'm not sure if you actually watched what I linked, but between their adminless default behavior (8 minutes in) and mandatory app signing (around 29 minutes in), I think it'd be extraordinarily hard to continue to abuse UAC bypass methods.
          If they actually fix UAC bypassing, then that's good, but it's frankly embarrassing that it's taken, what, 17+ years after the introduction of UAC? An admin/root privilege escalation exploit, especially ones as easy to perform as the UAC exploits, would be considered a high-priority CVE in any other OS and fixed within months at most.

          Comment


          • #25
            Hey great idea Microsoft!

            When you get done, can likely call it systemd!

            Comment


            • #26
              Originally posted by QwertyChouskie View Post

              the other security features are little more than a placebo.
              In serious companies and institutions, employees work with user accounts, not local administrator so the UAC problem does not exist.

              Instead, there is a problem with malware invisible to the system - invisible to Linux. And with HVCL you can be sure that all running components are signed. Linux does not provide that.

              Comment


              • #27
                Originally posted by HEL88 View Post
                Instead, there is a problem with malware invisible to the system - invisible to Linux. And with HVCL you can be sure that all running components are signed. Linux does not provide that.
                The Linux IMA (Integrity Measurement Architecture) subsystem introduces hooks within the Linux kernel to support creating and collecting hashes of files when opened, before their contents are accessed for read or execute. The IMA measurement subsystem was added in linux-2.6.30 and is supported by Red Hat Enterprise Linux 8. IMA is a very powerful tool which can be used to enforce integrity of a system and detect any attempts to tamper with it.

                The Integrity Measurement Architecture (IMA) is responsible for collecting file hashes, placing them in kernel memory (where userland applications cannot access/modify it) and allows local and remote parties to verify the measured values. The Extended Verification Module (EVM) detects offline tampering (this could help mitigate evil-maid attacks) of the security extended attributes.
                There is a difference here. Linux high security systems don't in fact depend on signing. Integrity Measurement Architecture has your company running a server with an approved list of files; this covers kernel modules. Greater Script Execution control would close up a weakness.

                Yes, a whitelist model for approved software is at play here.

                https://github.com/heki-linux Yes, heki on Linux, which will be the Linux equal to HVCL, will be different because use of the IMA system will be an option with heki instead of signing.

                HEL88, a lot of the attacks against Windows and EFI have malware using exploitable parts that are signed. IMA system parts can be blacklisted without the need to revoke signatures. Please note coreboot can use the IMA system, supporting connecting to a company approved server for a list of approved UEFI parts.

                IMA is another way to do the "is this file approved" logic.

                Comment
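What the IMA measurement log quoted above actually gives a local or remote verifier, as an added example that is not code from the thread or from any project mentioned in it: a small Python replay of the ima-ng ASCII measurement list that recomputes each entry's template hash, replays PCR 10, and applies the "is this file approved" allowlist logic. It assumes the ima-ng template as exported at /sys/kernel/security/ima/ascii_runtime_measurements and the field encoding described in the docstring; every digest, path and the allowlist itself are constructed for the example.

```python
"""
Added example (not from the forum thread): replay a Linux IMA measurement log,
recompute each entry's template hash, replay PCR 10, and check the measured
file digests against an approved-hash allowlist.

Assumed log format: the ima-ng template as the kernel exports it at
/sys/kernel/security/ima/ascii_runtime_measurements:

    <PCR> <template-hash, sha1 hex> ima-ng <algo>:<file-digest hex> <path>

Assumed template-hash encoding: SHA-1 over the template fields, each prefixed
by its u32 little-endian length; the d-ng field is b"<algo>:\\0" + raw digest,
the n-ng field is the NUL-terminated path. Sample digests are constructed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

PCR_BYTES = 20  # the SHA-1 PCR bank that IMA extends


@dataclass(frozen=True)
class Measurement:
    pcr: int
    template_hash: bytes   # template hash as recorded in the log
    digest_algo: str       # e.g. "sha256"
    file_digest: str       # hex
    path: str


def ima_ng_template_hash(algo: str, file_digest_hex: str, path: str) -> bytes:
    """SHA-1 over the ima-ng template data: d-ng field, then n-ng field."""
    d_ng = algo.encode() + b":\x00" + bytes.fromhex(file_digest_hex)
    n_ng = path.encode() + b"\x00"
    h = hashlib.sha1()
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))  # u32 little-endian length
        h.update(field)
    return h.digest()


def parse_line(line: str) -> Measurement:
    """Parse one ima-ng log line; anything else is rejected."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5 or parts[2] != "ima-ng":
        raise ValueError(f"not an ima-ng entry: {line!r}")
    pcr, thash, _, digest_field, path = parts
    algo, sep, digest = digest_field.partition(":")
    if not sep or not digest:
        raise ValueError(f"bad digest field: {digest_field!r}")
    return Measurement(int(pcr), bytes.fromhex(thash), algo, digest, path)


def parse_log(text: str) -> List[Measurement]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def replay_pcr(measurements: List[Measurement], pcr: int = 10) -> bytes:
    """TPM extend semantics: new = SHA-1(old || template_hash), from all zeros."""
    value = bytes(PCR_BYTES)
    for m in measurements:
        if m.pcr == pcr:
            value = hashlib.sha1(value + m.template_hash).digest()
    return value


def verify_log(text: str, allowlist: Set[str],
               expected_pcr: Optional[bytes] = None) -> dict:
    """Three independent checks a verifier runs over the log:
    1. each ASCII entry still matches its recorded template hash,
    2. each measured file digest is on the approved list,
    3. replaying the template hashes reproduces the PCR the TPM quotes."""
    ms = parse_log(text)
    template_mismatch = [
        m.path for m in ms
        if ima_ng_template_hash(m.digest_algo, m.file_digest, m.path) != m.template_hash
    ]
    unapproved = [m.path for m in ms
                  if m.path != "boot_aggregate" and m.file_digest not in allowlist]
    pcr = replay_pcr(ms)
    return {
        "entries": len(ms),
        "template_mismatch": template_mismatch,
        "unapproved": unapproved,
        "pcr_ok": expected_pcr is None or pcr == expected_pcr,
        "pcr": pcr.hex(),
    }


# Constructed sample entries (algo, digest, path); the digests are placeholders.
_SAMPLE_ENTRIES = [
    ("sha256", "11" * 32, "boot_aggregate"),
    ("sha256", "22" * 32, "/usr/bin/bash"),
    ("sha256", "33" * 32, "/usr/lib/modules/extra/approved.ko"),
    ("sha256", "44" * 32, "/tmp/unapproved.sh"),
]
# What a company approval server would publish (constructed).
ALLOWLIST = {"22" * 32, "33" * 32}


def make_log(entries) -> str:
    """Render entries the way the kernel's ASCII measurement list would."""
    return "\n".join(
        f"10 {ima_ng_template_hash(a, d, p).hex()} ima-ng {a}:{d} {p}"
        for a, d, p in entries) + "\n"


SAMPLE_LOG = make_log(_SAMPLE_ENTRIES)
# Same log with one path rewritten after measurement: the template hash no
# longer matches the fields, even though PCR replay (template hashes only) still does.
TAMPERED_LOG = SAMPLE_LOG.replace("/tmp/unapproved.sh", "/usr/bin/true")

if __name__ == "__main__":
    quoted = replay_pcr(parse_log(SAMPLE_LOG))  # stands in for a TPM quote of PCR 10
    print(verify_log(SAMPLE_LOG, ALLOWLIST, quoted))
    print(verify_log(TAMPERED_LOG, ALLOWLIST, quoted))
```

The split between the three checks is the point: PCR replay proves the log matches what the TPM extended, template-hash recomputation binds the human-readable path and digest to that log, and the allowlist is the policy decision layered on top. Any one check alone leaves a gap the other two cover.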


                • #28
                  Originally posted by oiaohm View Post


                  There is a difference here. Linux high security systems don't in fact depend on signing. Integrity Measurement Architecture has your company running a server with an approved list of files; this covers kernel modules. Greater Script Execution control would close up a weakness.

                  Yes, a whitelist model for approved software is at play here.

                  https://github.com/heki-linux Yes, heki on Linux, which will be the Linux equal to HVCL, will be different because use of the IMA system will be an option with heki instead of signing.

                  HEL88, a lot of the attacks against Windows and EFI have malware using exploitable parts that are signed. IMA system parts can be blacklisted without the need to revoke signatures. Please note coreboot can use the IMA system, supporting connecting to a company approved server for a list of approved UEFI parts.

                  IMA is another way to do the "is this file approved" logic.

                  EVM is a kernel module. If the kernel is compromised the EVM can no longer be trusted.


                  HVCL runs on higher privileges than the kernel therefore it is able to 100% check kernel integrations. If the kernel is compromised HVCL is able to detect this.


                  You are comparing two completely different things (file integrity vs kernel runtime integrity).

                  Linux, even with EVM, has no way to check its own integrity. And confirm whether it is clean or infected.

                  Besides, are you using EVM with IMA? Do you know companies that do this??? Because already millions of users and companies are using HVCL without problems and in Windows 11 it is enabled by default. Do you see the difference?

                  Last edited by HEL88; 14 May 2023, 08:51 AM.

                  Comment


                  • #29
                    Originally posted by HEL88 View Post
                    HVCL runs on higher privileges than the kernel therefore it is able to 100% check kernel integrations. If the kernel is compromised HVCL is able to detect this.

                    A hypervisor still needs a kernel of some form, like it or not.

                    Originally posted by HEL88 View Post
                    You are comparing two completely different things (files integrity vs kernel runtime integrity).
                    Signed is really file integrity.

                    Originally posted by HEL88 View Post
                    Linux, even with EVM, has no way to check its own integrity. And confirm whether it is clean or infected.


                    In IMA setups the core kernel does not need to validate its own integrity, as that should have been checked either by the firmware or by the boot loader. Yes of course boot loader

                    Remember with HVCL you still have the problem that the HVCL cannot check its own integrity either.

                    Linux as Firmware Tired of reinventing the wheel by implementing drivers for firmware again and again? Not with LinuxBoot! What? LinuxBoot is a firmware for modern servers that replaces specific firmware functionality like the UEFI DXE phase with a Linux kernel and runtime. It started as NERF in January 2017 at Google. LinuxBoot is a Linux Foundation project and as such has a technical charter. Why? Improves boot reliability by replacing lightly-tested firmware drivers with hardened Linux drivers.

                    It's also easy to forget that the Linux kernel happens to be firmware in many servers. HEL88, you find IMA/EVM from firmware all the way up in different companies' server setups. Of course those companies are using LinuxBoot as the motherboard firmware, validated by a motherboard key unique to the company.

                    HEL88, what is safer at the bottom: some vendor-made UEFI solution or a Linux kernel? Do note the early Linux kernel in firmware does not stay running; it kexecs itself out of running after it has validated what it is loading.

                    Basically there is a different solution for Linux systems out there.

                    Heki is the Linux kernel having the hypervisor do the HVCL things. LinuxBoot is the Linux kernel as the firmware validating all the boot loaders and loaded kernels...

                    HEL88, yes, Linux all the way down.
                    1) Linux firmware that is protected by the motherboard chipset.
                    2) Linux hypervisor validated by Linux firmware.
                    3) Guest OS validated by Linux hypervisor.
                    In this stack there does not need to be a bootloader in the mix.

                    Comment


                    • #30
                      Originally posted by ClosedSource View Post
                      A substantial portion of Windows security bugs can be fixed by rewriting it in Rust.
                      Anything can be improved by rewriting it in Rust. The broken moped of my son runs again since I've rewritten it in Rust. Even the stale fatty Xmas cookies from Aunt Margaret taste better now.

                      Comment
