39

In The Linux Security Circus: On GUI isolation - The Invisible Things Lab's blog, Joanna Rutkowska describes attacks from one X11 app on another and the general problem of the lack of GUI-level isolation, and how it essentially nullifies all the desktop security.

One application can sniff or inject keystrokes to another one, can take snapshots of the screen occupied by windows belonging to another one, etc.

The bit about how the X11 security model has changed over time and doesn't fit well with Linux was interesting. She pitches Qubes OS (Beta 1) as a secure alternative.

My questions:

  • Can passive (snooping) attacks be avoided? The passive attack she describes certainly works on my system, though I note that one of the comments says gksudo input can't be snooped.
  • Can active attacks (injecting keystrokes) be avoided? I seem to recall that active attacks was turned of by default a long time ago. But a quick google suggests that the XTest extension nullifies that (How to map a key-combination to a keyboard-button?).

  • Most Linux distros are moving to Wayland as a replacement for X11. Does it provide for good isolation between apps?

Is there hope for security on the desktop? :)

nealmcb
  • 20,693
  • 6
  • 71
  • 117

1 Answers1

25

Basically any process which can successfully connect to a X11 server has full access to what occurs on that server. The X11 security model assumes that attackers are rejected at connection time. The usual security system is that clients must send a specific "magic cookie" as part of their first message, the cookie being a random blob which is created when the server launches or as part of the login procedure; the cookie is also copied to a location which is accessible only to the "allowed" applications. On Unix-like systems, the cookie is traditionally in the $HOME/.Xauthority file, but may be elsewhere (on my recent Linux system, it seems to be somewhere in a sub-directory of /var/run/gdm/), the point being that the file is readable only to a single Unix user. When forwarding X11 connections, SSH uses the xauth command to transparently transport the current cookie from the client to the server (so that applications launched on the remote host can send the cookie when they connect back).

So there is isolation with X11 -- but it is between users (as controlled by the OS), not between applications executed on behalf of the same user.

In older times, the magic cookies were not very common, hence some applications (notably xterm) included countermeasures such as refusing synthetic events (i.e. events resulting from a XSendEvent() called, as opposed to events coming from the hardware). Such measures were before many of the extensions which have grown on the X11 protocol over years, such as XTest, which make them mostly obsolete and useless.

Qubes is an operating system which builds on Xen to isolate some applications from each other -- each VM having its own exclusive display, with no possible interactions with the X11 servers from other VM. I have trouble reading "Beta 1" and "secure" in the same sentence, though...

For the X11 part, the same kind of isolation has existed for many years as Xnest (with an updated successor called Xephyr): you run the potentially evil application under a specific, isolated user ID, and let it connect only to a Xephyr instance which itself connects to the main X11 server as if it was a simple application. To evade that isolation, the application should hijack Xephyr (e.g. through a buffer overflow). The Qubes solution is only more thorough in that it replaces the Unix basic isolation ("distinct user ID") with a much more massive VM layer.

Wayland does not seem to advertise anything about isolation so it is a safe bet that it does nothing in that respect. Also, Wayland tries to give almost-direct hardware access to applications when possible, so any security model in that situation would be relative to how the undocumented 3D hardware and closed-source driver collaborate to avoid a misplaced DMA transfer to gain extra rights -- this does not look like the best way to build security.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • 1
    In fact Wayland is better, it doesn't allow snooping on input to other applications, including mouse position isolation. For example, xeyes don't work in wayland without heavily patching the whole thing (though one dev did exactly that just for fun). I'm sure keylogging is disallowed too. – Shnatsel Nov 21 '12 at 00:41
  • @Shnatsel It would be great to have some reference to this "good news" regarding Wayland? Can you provide some? – humanityANDpeace Dec 30 '12 at 09:30
  • http://blogs.gnome.org/wjjt/2012/03/14/looking-around-wayland/ is the xeyes story. I couldn't find anything about it in official documentation right now. – Shnatsel Dec 31 '12 at 11:28
  • Excerpt from the link above: _"To the opposite Wayland’s decision to use ‘client side decoration’ allow a malicious client to create a fully transparent window covering the full screen to get all the input events..."_ How depressing... – Yatharth Agarwal Apr 22 '14 at 15:40
  • @YatharthROCK: But that window can't pass on the input events to other windows, so all your applications would become unresponsive, and you would know that something was up, right? – Zaz Aug 13 '14 at 13:01
  • @Josh Oh. Is there no way for an app to peek at but not 'consume' input events (i.e., have them passed along)? – Yatharth Agarwal Aug 14 '14 at 05:52
  • @YatharthROCK: From what I understand: No, apps can't create or pass on input events. They also can't capture input unless they're focused, or take screenshots. – Zaz Aug 15 '14 at 14:50
  • @Josh Well, the answerer mentions `XSendEvent()`; and I think that if the focusing requirement is true, the article is pointless. – Yatharth Agarwal Aug 16 '14 at 05:08
  • 4
    this answer comes up second when searching 'wayland' but is now five years old. might be time to write a newer answer, whilst retaining this one. – infinite-etcetera Dec 23 '16 at 12:12
  • As of 2019, there are many security features implemented in Wayland. For example, restricted "screenshot"-ing acces, mouse access, inability to send "key strokes" to other apps etc. I think this answer should be updated, as it is now incorrect. – VasyaNovikov Jun 08 '19 at 13:14
  • @VasyaNovikov: to what extent is Wayland implemented, say in the latest KDE Plasma (5.21)? Joanna's `xinput test` demo works just the same on KDE neon 5.21. – Dan Dascalescu Feb 23 '21 at 11:30
  • @DanDascalescu I don't know this, but I also think it's not relevant to the original question... – VasyaNovikov Feb 23 '21 at 17:07
  • @VasyaNovikov: the question asks specifically about Wayland. Anyway, I've filed an issue re. [GUI isolation for pkexec](https://bugs.kde.org/show_bug.cgi?id=433485). – Dan Dascalescu Feb 24 '21 at 01:04