
I have been getting a bit paranoid regarding some of my old TrueCrypt containers. The paranoia has got nothing to do with suspicions regarding TrueCrypt itself (after the shut-down last year), rather it is regarding keyloggers sniffing my containers' passwords.

And then I came across Joanna's post regarding how X server is very unsafe and different applications can snoop into each other: http://theinvisiblethings.blogspot.in/2011/04/linux-security-circus-on-gui-isolation.html. It is an old post (2011), but there have been a lot of discussions regarding this all over the net. Just see this HackerNews post: https://news.ycombinator.com/item?id=7607082

Anyways, I found that xterm offers GUI isolation. Also, gksudo allegedly doesn't allow snooping into the password being entered.

Now, my question is this: can I somehow implement GUI isolation for TrueCrypt when it is asking for a password?

PS:

I do have keyfiles. So, please don't suggest that.

S.L. Barth
shivams

2 Answers


Xterm does not allow isolation unless you set it to run as another user, in another tty. Gksu and Gksudo do not provide any sort of isolation at all. The same applies to all other password entry utilities, like kdesu/kdesudo, pinentry, etc. They are regular windows, like any others.

Wayland supports isolating windows, but only for applications which support the protocol, which Truecrypt does not. All programs which do not support Wayland fall back to the legacy X11 protocol, which Wayland supports as a fallback, but which it cannot provide any window isolation for. As a result, using it with a bunch of legacy applications does not provide you with extra security, and your Truecrypt password can still be snooped.

There are two viable solutions I can think of:

  • Open a new Xorg session in a new tty as a new user, and open Truecrypt there.
  • Go into a tty without Xorg running, log in as root, and mount Truecrypt using command line.

Note that unless you are very careful, a determined attacker can almost always gain such a password if they have access to your regular user. For example, if you ever use sudo or su to get root, they can keylog that. If you do not do it in an X session, they can still hijack it using functions, aliases, LD_PRELOAD on your shell, etc. If you are ever root and you use su to lower yourself to your regular user, then root can be hijacked with a tty pushback attack. If you try to switch to a different tty to log in as root so your possibly compromised regular user can't sniff your Truecrypt password as you enter it as root or a safe user, you might actually be presented with a fake login console where you give it your root password, instead of agetty (or logind). The only way to mitigate that is by remembering to use the SAK combo every single time you switch to a new tty to log in as root. So you see, there are a lot of things you will have to remember, and you only have to slip up once for a determined attacker who has access to your regular user to grab your Truecrypt password.

My personal security procedures are very robust but can be a bit tiring if you are very GUI-oriented. I do almost everything in the terminal, without using Xorg. I use grsecurity with RBAC to isolate individual programs so they cannot mess with my $HOME or any configuration files if they get hijacked, I always use SAK when switching to a different tty to log in, and when I do need to use Xorg, I only keep one or two programs open at a time. I only ever need to use a browser, a few video games I run under Wine, and Gimp for photo editing. Xorg runs under a different user. This may seem excessive, but it's pretty much the minimum that assures that, if my regular user is compromised, then nothing short of me slipping up and forgetting to use SAK or using su to get root instead of logging in as root in a new tty, or a kernel 0day will be able to initiate keylogging to get something like my encryption key.

forest
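As an added illustration of the answer's second option (mount from a bare virtual console, outside X), the following guard script is not part of the original answer. It refuses to prompt for the passphrase unless the shell looks like a plain /dev/ttyN session with no DISPLAY, and it checks for the hijack vectors the answer names (LD_PRELOAD, aliases or shell functions wrapping the tools). It assumes cryptsetup's tcrypt mode is used to open the container; the container path, mapper name and mount point are placeholders, and pressing SAK before logging in is something the script cannot verify for you.

```shell
#!/bin/sh
# Added example for mounting a TrueCrypt container from a bare tty; not from the
# original answer. Run as root on a virtual console reached after pressing SAK.

# Returns 0 when $1 (the DISPLAY value) is empty and $2 (the tty path) is a
# virtual console such as /dev/tty2, i.e. no X server is involved in this session.
is_bare_console() {
    [ -z "$1" ] || return 1
    case "$2" in
        /dev/tty[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when $1 (the LD_PRELOAD value) is empty, so no shared object has
# been injected into the processes this shell starts.
no_preload() {
    [ -z "$1" ]
}

# Returns 0 when the command name in $1 resolves to an executable file on disk,
# not to an alias, shell function or builtin that could be wrapping the real tool.
is_real_binary() {
    p=$(command -v "$1" 2>/dev/null) || return 1
    case "$p" in
        /*) [ -f "$p" ] && [ -x "$p" ] ;;
        *) return 1 ;;
    esac
}

# Opens and mounts the container only when every check passes.
# $1 container file, $2 device-mapper name, $3 mount point (all placeholders).
mount_tc_from_console() {
    container=$1; name=$2; mountpoint=$3
    is_bare_console "${DISPLAY-}" "$(tty 2>/dev/null)" \
        || { echo "refusing: not on a bare virtual console" >&2; return 1; }
    no_preload "${LD_PRELOAD-}" \
        || { echo "refusing: LD_PRELOAD is set" >&2; return 1; }
    for tool in cryptsetup mount; do
        is_real_binary "$tool" \
            || { echo "refusing: $tool is not a plain binary" >&2; return 1; }
    done
    # cryptsetup's tcrypt type reads TrueCrypt containers and prompts for the
    # passphrase itself on this tty, so no GUI dialog is ever involved.
    cryptsetup open --type tcrypt "$container" "$name" \
        && mount "/dev/mapper/$name" "$mountpoint"
}
```

Typical use from the console is `mount_tc_from_console /path/to/container.tc tcvol /mnt/tc` after sourcing the file; each refusal message names the check that failed.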

Ok, here are some ideas.

Replace X with Wayland. It has gone a long way and should patch some problems. Utilize mandatory access control to suppress other actions (specifically attacks that exploit software to keylog). Browse in a VM and run all unnecessary software there. You could try using a virtual keyboard as well (quite effective when paired with Wayland). Of note, Wayland blocks the standard screen grab.

These will isolate your GUI application. Though only accessing the data from a live usb is a considerable precaution.

Of course, if your machine is compromised it isn't yours anymore.

keepass_fan
  • Thank you for your suggestion. I will look into Wayland :) – shivams Dec 13 '15 at 06:06
  • Running Firefox/Chromium, PDF viewers, or LibreOffice should be in isolation (VirtualBox? Firejail?). It could shield against exploits keylogging. I found Wayland to be much more stable, so I hope it can assist you. – keepass_fan Dec 13 '15 at 06:16
  • Actually, this is not entirely true. Wayland only protects you if all applications running on it support Wayland, otherwise they fall back to XWayland, which allows apps to read keystrokes inputted into each other. – forest Apr 03 '16 at 06:47