
1) Kernel Patch Protection

a) Windows provides a robust kernel security mechanism that is subject to changes. This is called kernel patch protection (KPP) and is informally known as PatchGuard. KPP protects structures such as kernel stacks, the system service dispatch table, the global descriptor table, and the interrupt descriptor table from modification, as well as many other types of structures. KPP also protects certain system routines from modification.
b) KPP contexts and buffers are encrypted, and the mechanism performs self-checks on itself; KPP also has a series of timed checks which can occur at any time.
c) This deters and prevents malware such as rootkits from completely compromising your system through the kernel.
d) There is no Linux equivalent.
2) ASLR
a) ASLR does not have an impact on the runtime performance of Windows systems.
b) ASLR does have an impact on the runtime performance of Linux systems: "Analysis shows that the overhead for PIE on 32bit x86 is up to 26% for some benchmarks with an (arithmetic) average of 10% and a geometric mean of 9.4%."
c) Because of this, many GNU/Linux developers do not use ASLR, whereas on Windows developers enable it with ease.
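Whether a Linux binary is on the PIE side of this trade-off is visible in its ELF header, because ASLR can only relocate a main executable that was linked as ET_DYN. The following Python is an added example (not code from the page) that classifies an ELF header and reports whether the main image is eligible for ASLR, and reads the kernel's randomize_va_space setting when that file is readable. The sample headers are constructed inline; /bin/ls is only a default path for trying it out.

```python
"""Check whether an ELF binary is position-independent (PIE).

ASLR can only randomise the load address of a main executable that was
linked as PIE (ELF type ET_DYN); a classic ET_EXEC image keeps its fixed
address regardless of the kernel's randomize_va_space setting. The sample
headers below are constructed for this example; the field offsets follow
the ELF specification, where e_type sits at byte 16 in both ELF32 and ELF64.
"""
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"
EI_DATA = 5             # identification byte: 1 = little-endian, 2 = big-endian
E_TYPE_OFFSET = 16      # 16-bit e_type field, same offset for ELF32 and ELF64
ET_EXEC, ET_DYN = 2, 3  # fixed-address executable vs. shared object / PIE


def elf_type(header: bytes) -> str:
    """Classify an ELF header as 'EXEC', 'DYN' or 'OTHER'; raise ValueError if not ELF."""
    if len(header) < E_TYPE_OFFSET + 2 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    endian = "<" if header[EI_DATA] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", header, E_TYPE_OFFSET)
    return {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, "OTHER")


def is_pie(header: bytes) -> bool:
    """True when the main image itself can be relocated by ASLR (ET_DYN)."""
    return elf_type(header) == "DYN"


def system_aslr_level(path: str = "/proc/sys/kernel/randomize_va_space") -> Optional[int]:
    """Kernel-wide ASLR setting: 0 off, 1 stack/mmap/vdso, 2 also brk; None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def constructed_header(e_type: int, bits: int = 64, little_endian: bool = True) -> bytes:
    """Build just enough of an ELF header (e_ident + e_type + e_machine) for the check."""
    e_ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1 if little_endian else 2, 1]) + b"\x00" * 9
    fmt = ("<" if little_endian else ">") + "HH"
    return e_ident + struct.pack(fmt, e_type, 0x3E if bits == 64 else 0x03)  # EM_X86_64 / EM_386


# Constructed samples: a PIE image, a fixed-address image, and a big-endian ELF32 PIE.
PIE_SAMPLE = constructed_header(ET_DYN)
EXEC_SAMPLE = constructed_header(ET_EXEC)
BE32_PIE_SAMPLE = constructed_header(ET_DYN, bits=32, little_endian=False)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or ["/bin/ls"]:
        try:
            with open(path, "rb") as f:
                head = f.read(E_TYPE_OFFSET + 2)
            print(f"{path}: {elf_type(head)} -> main image randomised by ASLR: {is_pie(head)}")
        except (OSError, ValueError) as exc:
            print(f"{path}: {exc}")
    print("kernel randomize_va_space:", system_aslr_level())
```

Run it with one or more paths to report each binary's type; a fixed-address (EXEC) result means the executable itself is excluded from ASLR even when randomize_va_space is 2, since only the stack, heap and shared libraries move in that case.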
3) Driver Signature Enforcement
a) Windows has Driver Signature Enforcement (DSE), which requires all drivers to be digitally signed before they can be run. This prevents malicious drivers from being signed, and exploitable signed drivers are compensated for by anti-malware software such as Windows Defender. Certs can also be revoked.
b) On Linux systems, kernel modules don’t have to be signed; they can be executed and have privileges over your entire system as long as you run them with root privileges. This makes users vulnerable to social engineering, and it also widens the attack vector for processor privilege escalation exploits.

4) System Calls
a) Windows used to use interrupts for system calls, but now it universally uses MSRs (model/machine-specific registers) through the use of sysenter, which is optimized for calls that transition from user mode to kernel mode.
b) Some GNU/Linux implementations will use sysenter, but many still use int 0x80, i.e. an interrupt for a system call, even though it is legacy. Developers also still do this.
c) Linux system calls that run long can cause priority inversion in threads.
5) Control Flow Guard / Kernel Control Flow Guard
a) Windows has a feature that is enabled in the kernel by default called Control Flow Guard (CFG). It’s optimized and works to prevent memory corruption vulnerabilities while also tightly restricting code execution.
b) There is no equivalent for the Linux kernel; however, some compilers can implement a feature called control flow integrity.
6) Mandatory Security Controls
a) Windows uniformly implements mandatory integrity control (MIC), which controls and mandates access to securable objects in Windows such as files.
b) Linux does not inherently have this feature, but SELinux, which implements mandatory access control, is included in distributions such as Fedora; it functions similarly to MIC.
7) Security Access Control Lists
a) On Windows, security descriptors have DACLs (discretionary access control lists) and SACLs (system access control lists).
b) DACLs describe the permissions that certain users and groups have to securable objects.
c) SACLs are used for auditing users that try different types of access requests to securable objects.
d) ACLs and security descriptors are versatile on Windows. Files, processes, threads, and even pipes are securable! There are, of course, many other securable objects on Windows.
e) Linux does have DACLs, but they are not as extensive across objects as on Windows.
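The rules from sections 6 and 7 can be followed in a small model. The Python below is an added example, not code from the page and not Windows' own implementation: it evaluates an access request against a security descriptor in the order Windows applies them, the mandatory integrity label (no-write-up) first, then the DACL as an ordered list of ACEs, and finally the SACL entries that produce audit records. The SIDs, the three-bit access mask and the integrity values are constructed sample values.

```python
"""Model of a Windows-style access check on a securable object.

Evaluation order: mandatory integrity label (MIC no-write-up), then the
DACL as an ordered list of ACEs, then SACL audit entries that record the
outcome. Everything here is constructed for illustration: the SIDs, access
bits and integrity values are sample values, not read from a real system.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4    # constructed subset of an access mask
LOW, MEDIUM = 0x1000, 0x2000            # integrity levels, ordered low to high

@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee: user or group SID
    mask: int   # access bits the ACE applies to

@dataclass
class AuditAce:
    sid: str
    mask: int
    on_success: bool = True
    on_failure: bool = True

@dataclass
class SecurityDescriptor:
    owner: str
    integrity: int = MEDIUM                 # mandatory label
    dacl: Optional[List[Ace]] = None        # None = NULL DACL: everyone gets full access
    sacl: List[AuditAce] = field(default_factory=list)

@dataclass
class Token:
    sids: List[str]                         # user SID first, then group SIDs
    integrity: int = MEDIUM

def dacl_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """Mandatory label, then ordered DACL walk; True only if every desired bit is granted."""
    # 1. MIC no-write-up: a lower-integrity subject cannot write a higher-integrity
    #    object, whatever the DACL would allow.
    if desired & WRITE and token.integrity < sd.integrity:
        return False
    # 2. A NULL DACL grants everything; an empty DACL ([]) grants nothing.
    if sd.dacl is None:
        return True
    # 3. Walk ACEs in order: the first deny overlapping still-ungranted bits ends the
    #    check, allows accumulate until nothing remains. This is why canonical order
    #    (explicit denies before explicit allows) matters.
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in token.sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> Tuple[bool, List[str]]:
    """Return (granted, audit_records); records come from matching SACL entries."""
    granted = dacl_check(token, sd, desired)
    records = []
    for a in sd.sacl:
        if a.sid in token.sids and a.mask & desired and (a.on_success if granted else a.on_failure):
            outcome = "SUCCESS" if granted else "FAILURE"
            records.append(f"AUDIT {outcome}: {token.sids[0]} requested 0x{desired:x} on object owned by {sd.owner}")
    return granted, records

# Constructed sample principals and object.
ALICE = Token(["S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-513"])   # owner, member of Users
BOB = Token(["S-1-5-21-0-0-0-1002", "S-1-5-21-0-0-0-513"])     # member of Users
LOW_ALICE = Token(ALICE.sids, integrity=LOW)                    # e.g. a sandboxed process

FILE_SD = SecurityDescriptor(
    owner=ALICE.sids[0],
    integrity=MEDIUM,
    dacl=[
        Ace("deny", BOB.sids[0], WRITE),                    # explicit deny first (canonical order)
        Ace("allow", "S-1-5-21-0-0-0-513", READ | EXECUTE),
        Ace("allow", ALICE.sids[0], READ | WRITE | EXECUTE),
    ],
    sacl=[AuditAce("S-1-5-21-0-0-0-513", WRITE, on_success=False, on_failure=True)],
)

# Same intent in non-canonical order: the group allow now precedes Bob's deny.
NONCANONICAL_SD = SecurityDescriptor(
    owner=ALICE.sids[0],
    dacl=[Ace("allow", "S-1-5-21-0-0-0-513", READ | WRITE), Ace("deny", BOB.sids[0], WRITE)],
)

if __name__ == "__main__":
    for name, tok, want in [("bob", BOB, READ), ("bob", BOB, WRITE), ("alice@low", LOW_ALICE, WRITE)]:
        ok, audit = access_check(tok, FILE_SD, want)
        print(f"{name} wants 0x{want:x}: {'granted' if ok else 'denied'} {audit}")
```

Two cases are worth noting when reading the output. LOW_ALICE owns the file and the DACL grants her WRITE, yet the write is refused because the integrity check runs before the DACL is consulted; and in NONCANONICAL_SD Bob's explicit deny is never reached because the group allow ahead of it already satisfies the request, which is why Windows tools keep DACLs in canonical order.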
8) Graphical User Interface
a) Windows has a native GUI framework that is integrated with the operating system. It handles all graphics operations in the kernel and has a dedicated subsystem for processing graphics. For performance reasons, this avoids constant kernel transitions.
b) Linux systems do have GUI frameworks such as the X Window System, but they are not as performant as Windows due to the lack of total integration.

9) Kernel stacks
a) Windows has a more complex implementation and will swap kernel memory such as kernel stacks to optimize system performance and experience.
b) Variations of Linux will prioritize kernel memory over anything else; when memory is lacking, the system will begin terminating tasks, and it may end up crashing the system.
10) AppLocker
a) Windows has AppLocker, which can restrict access to and execution of certain programs. AppLocker is used with rules which can be configured to the specifications of the file, such as its hash.
b) AppLocker can prevent users and groups from executing specific programs.
c) AppLocker also allows policies which let the administrator audit access to certain files.
d) There is no equivalent for Linux systems, but certain aspects of the feature exist in Linux.
11) AppContainer Environment
a) Windows provides a highly powerful feature called AppContainer, which acts as a sandbox. AppContainer can isolate applications from the rest of your working environment.
b) Microsoft documented that AppContainer can isolate software from other processes, files, networks, devices, credentials, and windows.
c) There is no Linux equivalent.
12) Processor Scheduling
a) The NT thread scheduler is quantum-based and is a preemptive priority scheduling algorithm.
b) The scheduler optimizes thread quantums for the processor that it belongs to. Running threads are not exactly given intervals per se, but must meet a quantum target which is determined by the amount of CPU cycles a thread has executed.
c) The NT thread scheduler is a queue that always takes a constant amount of time to schedule a thread, making it an O(1) best case algorithm. A thread will always be ready for scheduling.
d) GUI threads and foreground processes are given priority and quantum boosts to increase the performance for user interaction.
e) Linux uses the Completely Fair Scheduler (CFS) which is an O(n) algorithm that uses red-black trees. Since the Linux scheduler has to search through a list of running tasks, it spends more time in the scheduler lock.
f) Real-time threads in Linux can starve lower-priority threads (which are favored).

13) Virtual Memory Model
a) Windows uses an AVL tree in virtual memory management for handling pages. Each process has a virtual address descriptor (VAD) tree.
b) The average case complexity for AVL tree insertions, deletions, and searches is O(log n). Lookups can take less than half the time they take with linked lists.
c) Windows makes intensive use of the TLB cache to increase the performance of virtual address translation, for example by using large pages to cache an entire buffer.
d) Windows compresses RAM, which is prioritized over paging it out. Paging still happens, but compression is favored. The memory compression algorithm is lightweight and reduces time-consuming disk I/O so that memory can readily be swapped back with high performance.
e) Linux uses linked lists for memory management, which have an average case of O(n); although traversal may be slower than on Windows, insertions can be faster.
f) Linux overcommits memory and can thrash badly, leading to system instability. This does not happen on Windows. Linux does have the OOM killer to try to prevent bad memory usage, which is good though.
14) Windows Subsystem for Linux
a) Windows provides a Linux subsystem, which is a Linux-kernel interface that can have a userland distribution such as Ubuntu installed on it. It’s capable of running ELF binaries as well. It can contain the bash shell and other CLI features.
b) Linux has WINE, but this emulation layer is developed through clean-room reverse engineering of Windows. The performance and features will not be the same as what you’d get through WSL. There is a natural advantage for Windows in this case.
15) WoW64
a) Windows has WoW64, which is a compatibility layer that can execute a 32-bit process on a 64-bit operating system.
b) 64-bit Windows users that transition to Linux may not be aware of the abstract ease WoW64 provides and will be troubled as to why they can’t execute 32-bit programs in a 64-bit environment. Luckily, most GNU/Linux distributions are starting to provide MultiArch, which is similar to WoW64.
