Comments on The Invisible Things Lab's blog: The Linux Security Circus: On GUI isolation

Joanna Rutkowska, 2011-04-25 11:23 +02:00:
Correction: I was wrong about Xace being dead -- it has apparently been merged into the mainstream Xorg. It's just that... apparently nobody uses it, because it's just not suited to solve the problems we talk about here. See e.g. this presentation from Dan Walsh (SELinux maintainer), slide #12:

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/sandbox.pdf

...which shows how he decided to use a nested X server instead of Xace to implement SELinux sandbox (see comments above), because... "Xace doesn't work" ;)

Joanna Rutkowska, 2011-04-24 21:58 +02:00:
:)

Anonymous, 2011-04-24 21:52 +02:00:
Nice post and you're probably right, but your attitude needs some work, kid.

Maybe it's a researcher thing.

Joanna Rutkowska, 2011-04-24 20:59 +02:00:
@KimTjik: your assumption about the easiness of exploiting any system that is connected to the network, regardless of what apps are running there, is simply flawed.

KimTjik, 2011-04-24 20:56 +02:00:
I don't ask you to waste time on an explanation; you could as well just direct me to a source of information. What I wonder is: what's the real danger of the current sloppy model?

My question is based on the fact that all network-connected systems can be remotely compromised, with or without a window system. What priority does this in-theory sane improvement get in relation to established precautions?

I understand it's difficult to objectively answer that, while you at the same time invest time in a project addressing the described issue.

Joanna Rutkowska, 2011-04-24 20:36 +02:00:
About gksudo: perhaps it somehow owns the input only to itself for the period of displaying its prompt window? I bet you cannot use other apps until the window is present?

But that's probably irrelevant, because I bet that once you switch to a different user and start some apps as this new user, then xinput will be able to sniff all those keystrokes without any problem (and you could also easily write a program that could be injecting keystrokes into those apps).

Anonymous, 2011-04-24 20:07 +02:00:
I ran gksudo and its input was *not* collected by xinput test. What kind of magic is it doing?

Joanna Rutkowska, 2011-04-24 12:50 +02:00:
@Tom: The XACE project seems to be dead for at least 3 years now...

http://www.selinuxproject.org/page/XACE

Tom, 2011-04-24 12:45 +02:00:
There is an extension called XACE that, when integrated with SELinux, fixes these problems. I think it was developed by Eamon Walsh for the NSA.

I don't know how well that works, but it is clear that this is a problem for other people, too.

Wladimir (http://www.visucore.com/), 2011-04-24 11:54 +02:00:
*they at least attempt to prevent this at the architecture level.*

I'm not sure that trying and failing is better than not trying, in the case of security :)

That said, I agree application-level isolation on a desktop OS is a problem that deserves solving. It is very, very hard, though.

As X is going the way of the dodo, have you examined the case with Unity?

Joanna Rutkowska, 2011-04-24 11:23 +02:00:
@phocean: Don't kid me, kid! What I did here was not "research" (you might want to check some real research we did at ITL on our website). That was just a Saturday morning blog post with an aim to save some lost souls, like yours... And I really don't have time to go and test all the software in development that is out there. I do have a real job, which among other things includes doing *real* research...

phocean (http://www.phocean.net), 2011-04-24 11:16 +02:00:
So I will when I have some free time.
But as it is your research topic, I expected you had already done that or even contacted the developers to inform them.
As it is still under heavy development, I guess it is good timing to implement good stuff and for an expert like you to advise them.

Joanna Rutkowska, 2011-04-24 11:05 +02:00:
@phocean: good question about Wayland, why don't you check for yourself? ;)

phocean (http://www.phocean.net), 2011-04-24 11:00 +02:00:
Instructive article.
But what about Wayland?
Wayland is claimed to replace X soon. Major distros are already working on its integration.
Are the authors aware of it, or does it have the same design flaws?

Joanna Rutkowska, 2011-04-24 10:30 +02:00:
@fliebel: In Qubes all the keystrokes are first processed by the *trusted* window manager running in Dom0 (the trusted partition). Then, they might be consumed by Qubes (e.g. if this is a global clipboard management sequence, or perhaps the "Expose" sequence), or passed down to the *active* domain's local X server.

VNC is just a regular app running in one of the domains. No special VNC for Qubes is needed.

Joanna Rutkowska, 2011-04-24 10:27 +02:00:
@Ashish: the security mechanisms you mention have been designed for a totally different security model than the "desktop GUI security" that is prevalent today.

The point is, as correctly made by some other commenter, that X has been designed a long, long time ago, in different realities, for solving different problems, but the Linux community has blindly adopted it to current conditions, failing to see that it really doesn't fit today. Why do you think the title of this post is "*Linux* Security Circus" instead of "X Security Circus"? (Yes, I know, the problem also affects other OSes, such as e.g. *BSD, etc.)

Unknown, 2011-04-24 09:26 +02:00:
So, how does Qubes implement global keyboard shortcuts or applications like VNC?

josericardo, 2011-04-24 06:36 +02:00:
Very interesting indeed. I didn't know about this threat, and it doesn't seem to be fixable. Nevertheless I wanted to know if this is the case for Wayland. It would be interesting to run your experiment in it and post the findings on the wayland-devel mailing list.

Ashish, 2011-04-24 06:32 +02:00:
Yes, the same hippies who built X11 before you were born....

Please read the man page on Xsecurity
http://www.manpagez.com/man/7/Xsecurity/

While you are at it, also read up on xhost, xauth.
Linux is not representative of how X11 really is supposed to work.

Anonymous, 2011-04-24 04:44 +02:00:
How old/young does somebody have to be to write "....designed long time ago by some happy hippies who just thought all the people apps are good and non-malicious..."?

The problem is the other way around. These guys created some awesome software tailored to their problems and means. Using it 20 years later in a different environment/world is the fault, not their initial design.

Blame the actual generation, respect and praise the founder.

Anonymous, 2011-04-24 01:36 +02:00:
Why can't we just fix/modify the X server to make GUI-level isolation easier?

Anonymous, 2011-04-24 01:17 +02:00:
That is something I didn't know about... but very interesting. Good post.

Anonymous, 2011-04-24 00:36 +02:00:
Welcome to 1987.

Joanna Rutkowska, 2011-04-23 22:32 +02:00:
@rinaku: Capsicum currently doesn't support GUI-level isolation, but I think they're planning to add it at some point in time. When this happens we would seriously consider using it inside our domains, to bring some isolation into each domain as well (currently there is no isolation between apps running in the same domain, specifically for the reasons given in the blog article above).

Capability-based systems, as you pointed out, require application modifications. This also means they cannot protect against intentionally malicious apps. Thus I see them as complementing Qubes, but never replacing it. Also, note that Capsicum works only at the app level, but cannot protect against e.g. network subsystem compromises (cannot isolate the networking subsystem or other drivers). In Qubes we can easily do that e.g. via NetVM. Another reason to think about it as something to complement Qubes (and to run it inside a domain).

rinaku, 2011-04-23 21:38 +02:00:
I would be interested to know what you think about capability-based security (as in the Capsicum project), and how it compares to what you do in Qubes.

From what I understand (but I know very little about security), capabilities allow the same level of security as Qubes, or even better, but they need the applications to be modified, which seems unrealistic. Is that correct?

Anyway, I'm not good enough to beta test, but I can't wait for a stable release, to see what it is like to use a system like Qubes.