The Pitiful State of Linux Desktop Security
Martin Gräßlin
QtCon
3 September 2016

Let's start with fun stuff: X11

Keylogger on X11
- Use XInput 2.1 or later
- Select for RawKeyPress and RawKeyRelease events
- Filter those through xkbcommon
- Delivers all events! Even if another X client grabbed input (e.g. locked the screen)
But keyloggers don't matter (to me)!

Some evil things keyloggers can do
- Get your password when the screen is locked
- Get your password when using su/sudo/kdesu/kdesudo
- Get your bank account number and PIN
- Get your Facebook password
- Get your GPG passphrase
- Get your SSH key passphrase
More fun stuff: inject key events

Hijack Dolphin running as root
- Demonstrated to Dolphin and Kate developers in January
- Opens embedded Konsole and starts typing in it
- See https://marc.info/?l=kfm-devel&m=145192452218315&w=2
- Code at: git://anongit.kde.org/scratch/graesslin/exploit-dophin-root-x11.git

How does it work?
- Notifications about windows of other applications
- Read information about windows of other applications (e.g. PID)
- Inject input events
What can applications do against that?

Never run as root!
- Graphical applications shall not run as root
- Add checks for root and terminate
- Don't wait till Q(Gui)Application is constructed, you might already be owned
- Don't show a graphical warning that it's not allowed to run as root, that's too late
- Delegate to KAuth if a task needs to be performed as root

But FREEDOM! Users have to be able to shoot themselves in the foot and edit /etc/fstab in Kate running as root!
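The root check described above, as an added example (not code from the talk or from any KDE application): the decision is made in plain `main()` before any toolkit object is created, and the refusal goes to stderr rather than a dialog. The function names are this example's own.

```cpp
#include <cstdio>
#include <cstdlib>
#include <unistd.h>

// Decide whether a process with these credentials holds root privileges.
// Real and effective IDs are both checked so a setuid/setgid-root binary,
// or an app started via "sudo app", is refused like a plain root login.
bool isPrivileged(uid_t uid, uid_t euid, gid_t gid, gid_t egid) {
    return uid == 0 || euid == 0 || gid == 0 || egid == 0;
}

// Query the live credentials of the current process.
bool runningAsRoot() {
    return isPrivileged(getuid(), geteuid(), getgid(), getegid());
}

int main(int argc, char **argv) {
    // Refuse *before* any toolkit object exists: constructing
    // Q(Gui)Application already loads platform plugins, styles and
    // environment-controlled libraries, so by then the process may be owned.
    // Plain stderr instead of a message box: no GUI as root, not even for
    // the warning.
    if (runningAsRoot()) {
        std::fprintf(stderr,
                     "%s: refusing to run with root privileges.\n"
                     "Run it as a normal user; privileged operations belong in "
                     "a KAuth helper.\n",
                     argc > 0 ? argv[0] : "app");
        return EXIT_FAILURE;
    }

    // Safe to continue: QApplication app(argc, argv); would be constructed here.
    return EXIT_SUCCESS;
}
```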
There are more problems on X, aren't there?

Xcomposite and Damage extensions
- Screenshot the simple way
- Get a notification whenever a window changes content
- Get the XPixmap for free
- Take over rendering and replace X rendering

You just explained the basics of X11 compositing...
- Allows recording everything you do in every application
- Can render the desktop in different ways, e.g. remove a window
Let's combine to make real fun stuff

Phishing
- Get screenshot of browser
- Put a window exactly above the address bar
- Use XTest extension to send browser to http://evilbank.com
- Render to fake address bar window that user is on https://bank.com
Wayland will fix it

Nope, sorry it won't

Wayland does fix some aspects

Sane protocol
- No information about other applications
- No window properties at all
- No way to inject input events
- No way to screenshot
- No way to position windows manually
- No way to eavesdrop on input events
- Clipboard not broadcasted
So it's also fixed with KWin/Wayland?

KWin adds additional protocols which break it
- Injecting input events possible for kdeconnect
- Information about windows exposed to Plasma
- Protocol to allow windows to position themselves

We can fix those protocols

Introduce a security layer
- Ideas have been floating around for quite some time
- There is the Wayland Security Model
- Authentication protocol suggestion
- Authorize based on pid, uid, gid, etc.

But it only moves the trust issue around
- How to trust the Plasmoid which accesses window information?

But it won't fix the root problem
The Linux security mantra

If it runs, it is trusted!

How did we get here?

X11 is too broken
- Once a client is connected to the X server it has to be trusted

Examples
- No point in securing the lock screen if another client can just disable the lock screen
- No point in protecting against keyloggers if X allows key logging
We concentrated on the wrong areas
- Prevent malicious applications from getting into the system in the first place
- Prevent malicious applications from becoming root

Being root is not what matters today
And what about getting malware into the system?

We as a community don't take security seriously
- "Beware of hacked ISOs if you downloaded Linux Mint on February 20th!"
- "Manjaro forgot to upgrade their SSL certificate, suggest users get around it by changing their system clocks"
- "We regularly receive bug reports from users with very old versions of WebKit, who trust their distributors to handle security for them and might not even realize they are running ancient, unsafe versions of WebKit."
- "Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in Jessie, but not covered by security support. These browsers should not be used against untrusted websites."

Let's look at us!

QtWebEngine 5.7
- Based on Chromium 49 with security backports up to 51
- No update since then
- What about the 48 security issues fixed in Chromium 52.0.2743.82?
- And where can I see which issues are valid for QtWebEngine?

Other engines
- QtWebKit still used
- KHTML still used
Can we trust our software?

Our distributed software?
- Not all git tags are signed
- Not all tarballs are signed
- Info page on download.kde.org is not using HTTPS

Software at runtime?
- KPackages are not signed
- KPackages are loaded without integrity check
- Local overwriting of desktop files possible
- Local overwriting of KPackages possible
How to exploit?

Write access to home directory is sufficient
- Drive-by download vulnerability in browser
- Or any other application exposed to the internet

Best targets
- $HOME/.profile
- $HOME/.bashrc
- $HOME/.config/autostart
- $HOME/.pam_environment
LD_PRELOAD and friends

Startup process
- Shell scripts are sourced
- Env variables are set for all processes
- Allows loading custom binary code into all or dedicated processes
- Processes have no idea that they are tampered with
- Session might be owned before the first Plasma script/binary is executed

What can one do if one is running in the session?

Some examples
- Install a keylogger into KWin/Wayland (example code on git.kde.org)
- Replace polkit-kde-authentication-agent and wait for the user to enter the password
- ptrace applications to get their secrets
- Eavesdrop on D-Bus
How to fix this mess?

Linux Kernel can help us to fix that!

Linux security modules and syscall filtering
- AppArmor
- SELinux
- libseccomp

Tame your application
- Disallow write access, if it doesn't need it
- Disallow network access, if it doesn't need it
- Use AppArmor to restrict the D-Bus calls your app is allowed to do
Disallow ptrace

Where we added it
- KWin (Wayland)
- polkit-kde-authentication-agent
- Lock screen
- kcheckpass
- kdesu(do)

Many distributions do that by default
- We should not wait for distros to fix that!
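The per-process opt-out the slide refers to, as an added example (not the KWin or kcheckpass source): on Linux, clearing the dumpable flag with prctl(PR_SET_DUMPABLE, 0) makes ptrace attach from another process of the same user fail unless the tracer has CAP_SYS_PTRACE, independent of the distro's Yama ptrace_scope setting. Function names are this example's own.

```cpp
#include <cstdio>
#include <sys/prctl.h>

// Mark the process non-dumpable. Besides suppressing core dumps this makes
// ptrace(PTRACE_ATTACH) from another process of the same user fail with
// EPERM unless the tracer has CAP_SYS_PTRACE, and /proc/<pid>/mem and
// friends become root-owned. Returns true on success.
bool disablePtraceAttach() {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
        std::perror("prctl(PR_SET_DUMPABLE)");
        return false;
    }
    return true;
}

// Report whether same-user ptrace attach is currently permitted for this
// process, i.e. whether the dumpable flag is still set.
bool ptraceAttachAllowed() {
    int dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (dumpable < 0) {
        std::perror("prctl(PR_GET_DUMPABLE)");
        return true; // unknown state: assume the unsafe default
    }
    return dumpable != 0;
}

int main() {
    // Call this as early as possible in a password prompt, lock screen or
    // compositor, before any secret is read into memory. Yama's
    // ptrace_scope=1 (the distro default the slide mentions) only blocks
    // non-ancestor tracers; this flag also protects when ptrace_scope is 0.
    if (!disablePtraceAttach()) {
        return 1;
    }
    std::printf("ptrace attach allowed: %s\n",
                ptraceAttachAllowed() ? "yes" : "no");
    return 0;
}
```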
Change startup

Prevent env variable hacks!
- Distros need to stop sourcing $HOME/.pam_environment
- Login managers need to stop sourcing bashrc and friends
- No sourcing of env variables before the session starts
- At least get the session started in a secure way

Yes, I know that this will break our dev workflows.
Containers to the rescue!

Flatpaks and Snaps a solution?
- Don't allow writing to home
- E.g. filesystem portal
- Limit access to D-Bus
- Libertine: one X server per X application
Bringing back the trust!

If it runs, it's trusted for real
- New session startup without sourcing env scripts
- Signing of KPackage (plasmoids, kwin scripts, etc.)
- Security relevant interfaces (e.g. taskmanager) only available for signed packages
- All user applications running in sandboxes
- Remember: sandbox is no excuse to not add security to other areas!
Authenticate our apps to the user

The lock screen problem
- Is it the lock screen?
- Or a random fullscreen application looking like the lock screen?

Authenticate password prompts to the user
- A shared secret between user and password prompt
- Dedicated key combo for password prompts (cf. Ctrl+Alt+Del)
- User Account Control

Better password asking experience

Problems with password dialogs
- Application does not set ptrace protection
- Windowing system does not know it's asking for a password
- Focus stealing is possible
- Window stacking order attacks possible

Password asking service
- Plasma provides the password dialog
- Application requests a password
- Service provides the password back
A Mission!

Wayland gives us the possibility to have a secure desktop, let's do it!