[Nottingham] Security Circus

VM vadim+NLUG at mankevich.co.uk
Thu May 25 21:18:23 UTC 2017


On 05/25/2017 04:06 PM, Martin via Nottingham wrote:
> On 18/05/17 18:36, VM wrote:
>> oh, I thought security meant removing capabilities rather than adding. :) i find the topic quite interesting so I'm already impatiently waiting at the Angel.
> 
> In summary:
> 
> Overly convoluted into impractical complexity.
> 

Dear Linux users,

You may have heard about the new Android vulnerability branded "Cloak
and Dagger" (https://cloak-and-dagger.org go and laugh about their
domain certificate :). It's a good example of how security was
compromised for the sake of Facebook user experience, and Google refused
to fix it...

This has reminded me that most Linux desktops suffer from an even worse
security hole named X server. If I could brand that vulnerability I'd
call it "Security Circus" (well, I nicked the phrase from Joanna
Rutkowska [1]). Just because if you run one X server then restricting
capabilities, SELinux, unprivileged containers, namespaces, running web
browser as a different user, seccomp, apparmor, capsicum etc. won't save
you. Period.

Just to prove the point, open a graphical terminal right now and run
$ xinput list
There will be a list of all input devices connected to the X server.
Install it if it's not already installed. Find your keyboard there and
note its id number. Then run

$ xinput test <id>

with the id number of the keyboard. Now start another terminal window
and run something like

$ sudo date

sudo will ask for your password (if it doesn't then you may stop reading
:)). Note how every keypress is registered in the first terminal when
you enter the password.

EVERY client of the X server can receive all input events even when they
are not the active window, inject keystrokes into other applications,
grab contents of other windows and record every mouse click while
grabbing screen contents around the pointer... Now go on and launch a
browser, log into some website - credentials get recorded by xinput,
lock the session, unlock it with your password. Great! You've just given
your password to every running graphical application. :(

Wayland is supposed to solve the security problem but there's still way
to go until all software is rewritten to support it [2]. Firejail with
X11 sandboxing [3] should help in the meantime. Qubes OS [5] and
Subgraph OS [4] offer complex solutions addressing this and other
security and anonymity issues, each in its own way. Choose your
protection and use it! Or switch to the console. :)

===========
References:

[1] https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html
[2] https://lwn.net/Articles/517375/
[3] https://firejail.wordpress.com/documentation-2/x11-guide/
[4] https://subgraph.com/
[5] https://www.qubes-os.org/intro/

Questions? Comments? Other solutions?

Vadim
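As an added example that is not part of the original post: a shell check for the Firejail X11 sandboxing mentioned above. It reads the `xinput list` output from inside the sandbox and reports any host input device that is still visible to the sandboxed client. The two device listings are constructed samples, and the assumption is that a Xephyr-backed sandbox exposes only "Virtual core", XTEST and "Xephyr virtual" devices.

```shell
#!/bin/bash
# Added example (not from the original post): check whether an X11 sandbox
# really hides the host's input devices from the sandboxed client. Firejail's
# --x11=xephyr gives the app its own nested X server; if `xinput list` run
# inside the sandbox still shows a physical keyboard, the client is talking
# to the host X server and the `xinput test <id>` demo would work from there.
#
# Assumption: the nested server reports only "Virtual core ..." masters, their
# XTEST slaves and Xephyr's "Xephyr virtual ..." devices. Extend the pattern
# if your nested server (Xvfb, xpra) names its devices differently.
VIRTUAL_PATTERNS='^Virtual core|XTEST|^Xephyr virtual'

# Read `xinput list` output on stdin; print names of non-virtual devices,
# i.e. host hardware visible to the client, one per line.
leaked_devices() {
  # drop the tree glyphs before the name and everything from "id=" onward
  sed -e 's/^[^A-Za-z]*//' -e 's/[[:space:]]*id=.*$//' |
    grep -Ev "$VIRTUAL_PATTERNS" || true
}

# Print how many host devices leak through (0 means input is isolated).
leaked_device_count() {
  leaked_devices | grep -c '' || true
}

# Live check (needs firejail, Xephyr and xinput): run xinput in the sandbox.
check_firejail_xephyr() {
  firejail --quiet --x11=xephyr xinput list | leaked_device_count
}

# Constructed sample: `xinput list` on the host display (names made up).
HOST_XINPUT='⎡ Virtual core pointer                 id=2   [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer           id=4   [slave  pointer  (2)]
⎜   ↳ Logitech USB Optical Mouse           id=10  [slave  pointer  (2)]
⎣ Virtual core keyboard                id=3   [master keyboard (2)]
    ↳ Virtual core XTEST keyboard          id=5   [slave  keyboard (3)]
    ↳ AT Translated Set 2 keyboard         id=12  [slave  keyboard (3)]'

# Constructed sample: the same command inside a Xephyr-backed sandbox.
SANDBOX_XINPUT='⎡ Virtual core pointer                 id=2   [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer           id=4   [slave  pointer  (2)]
⎜   ↳ Xephyr virtual mouse                 id=6   [slave  pointer  (2)]
⎣ Virtual core keyboard                id=3   [master keyboard (2)]
    ↳ Virtual core XTEST keyboard          id=5   [slave  keyboard (3)]
    ↳ Xephyr virtual keyboard              id=7   [slave  keyboard (3)]'

printf 'host display:   %s leaked device(s)\n' "$(printf '%s\n' "$HOST_XINPUT" | leaked_device_count)"
printf 'xephyr sandbox: %s leaked device(s)\n' "$(printf '%s\n' "$SANDBOX_XINPUT" | leaked_device_count)"
```

For a live check, call `check_firejail_xephyr` on a machine with Firejail and Xephyr installed; a count above zero means the sandboxed client still sees host hardware.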
