← Back to context

Comment by Gigachad

6 days ago

If your computer has any kind of secure boot / boot chain attestation stuff going on, like all phones do now, rebooting clears out pretty much all malware. Software bugs can put the system in to a bad state which can be abused by malware, but none of it can persist through a reboot since everything is checked and measured from scratch during the boot.

> any kind of secure boot / boot chain attestation [...] rebooting clears out pretty much all malware

IMHO "pretty much" understates the risk.

Malware can easily install itself as a system service, timer unit, XDG autostart or your shell profile among other places. I'll be the first to admit I never check all these places regularly.

The only thing that should be putting minds at ease is regular OS installs from fresh images.

Resist the temptation to do an "in place" upgrade and go with a clean ISO each time your distro comes out with a new major version.

It's a pain but thanks to configuration management or even shell scripts it's manageable for me now.

Admittedly six months is probably too long as well but at least it stops something lurking on a server or my desktop for years.

  • If you go with an immutable OS like Fedora Silverblue or Bazzite, every single update is a clean ISO install. And then in your user only install things through Flatpak while checking there aren't dangerous permissions enabled you will be much better off than a normal linux setup were mutations can be placed all over the place in a way that is impossible to audit or secure.

This feels rather overstated. Your firmware check isn't going to tell you if a repo package installed/updated by your package manager got compromised, which is apparently increasingly common.

  • It's more relevant on ios/Android where you can't through normal means install malware at the system level. Linux is moving in this direction with immutable OSs and better secure boot support but there isn't an easy way to have a secure linux desktop setup currently.

Most methods of persisting state have absolutely nothing whatosoever with kernel or modules which are a powerful way to hide malicious activity but far from the only way to persist state including malicious state. The only sane response to being infected with malicious software is to reinstall everything starting with the OS and scan user files AFTER reinstalling.

It is possible even plausible that you can disinfect many sorts of malware from inside a compromised machine but it is inherently less trustworthy and installing from scratch barely takes any more time.

  • If you know for sure you have been infected with malware then it’s better to reinstall. But on iOS/Android and any other OS with strong boot chain security you can proactively reboot your device periodically and wipe out malware you weren’t aware of.

    It’s borderline impossible to persist malware across reboots on iOS these days.

    • The topic is computers which is normally casually this means PCs, laptops desktops and other form factors none of which share this character.

> Software bugs can put the system in to a bad state which can be abused by malware, but none of it can persist through a reboot since everything is checked and measured from scratch during the boot.

This does not account for supply chain attacks nor trojan attacks which seek consensual installation. A reboot will not eradicate these threat vectors.

  • It relies on your software to be properly sandboxed and permissioned.

    What we have seen is state funded hacking groups can often exploit bugs which break out of sandboxes and embed themselves in the system. But the malicious code only exists in memory, it can’t persist between reboots because the next boot would fail the checksum and signature checks.

    Which is why security focused OSs will periodically reboot themselves to flush out possible malware and why jailbreaks and hacks for phones and game consoles usually have to be reinitiated after every boot.

    MacOS has a few measures including SIP and boot chain security to implement this, though it’s currently hard to set up a properly secure Linux desktop.

    • > It relies on your software to be properly sandboxed and permissioned.

      And organizations rely on their employees not falling for phishing email. How well has that worked?

      > What we have seen is state funded hacking groups can often exploit bugs which break out of sandboxes and embed themselves in the system. But the malicious code only exists in memory, it can’t persist between reboots because the next boot would fail the checksum and signature checks.

      "Malicious code existing only in memory" is patently false by not addressing supply chain attacks previously mentioned. To wit, the npm left-pad attack[0]. See also the thousands of PHP CVEs.

      0 - https://en.wikipedia.org/wiki/Npm_left-pad_incident

      1 reply →