The Pityfull State of Linux Desktop Security

Martin Gräßlin

QtCon

3 September 2016

Let’s start with fun stuff: X11

Keylogger on X11
- Use XInput 2.1 or later
- Select for RawKeyPress and RawKeyRelease events
- Filter those through xkbcommon

Delivers all events! Even if another X client grabbed input (e.g. locked the screen)

But keyloggers don’t matter (to me)!

Some evil things keyloggers can do
- Get your password when the screen is locked
- Get your password when using su/sudo/kdesu/kdesudo
- Get your bank account number and PIN
- Get your Facebook password
- Get your GPG passphrase
- Get your ssh-key passphrase

More fun stuff: inject key events

Hijack Dolphin running as root
- Demonstrated to Dolphin and developers in January
- Opens embedded and starts typing in it
- See https://marc.info/?l=kfm-devel&m=145192452218315&w=2
- Code at: git://anongit..org/scratch/graesslin/exploit-dophin-root-x11.git

How does it work?
- Notifications about windows of other applications
- Read information about windows of other applications (e.g. PID)
- Inject input events

What can applications do against that?

Never run as root!
- Graphical applications shall not run as root
- Add checks for root and terminate
- Don’t wait till Q(Gui)Application is constructed, you might already be owned
- Don’t show a graphical warning that it’s not allowed to run as root, that’s too late
- Delegate to KAuth if a task needs to be performed as root

But FREEDOM! Users have to be able to shoot themselves in the foot and edit /etc/fstab in Kate running as root!

There are more problems on X, aren’t there?

Xcomposite and Damage extensions
- Screenshot in the simple way
- Get a notification whenever a window changes content
- Get the XPixmap for free
- Take over rendering and replace X rendering

You just explained the basics of X11 compositing...
- Allows recording everything you do in every application
- Can render the desktop in different ways, e.g. remove a window

Let’s combine to make real fun stuff

Phishing
- Get a screenshot of the browser
- Put a window exactly above the address bar
- Use the XTest extension to send the browser to http://evilbank.com
- Render into the fake address bar window that the user is on https://bank.com

Wayland will fix it

Nope, sorry it won’t

Wayland does fix some aspects

Sane protocol
- No information about other applications
- No window properties at all
- No way to inject input events
- No way to screenshot
- No way to position windows manually
- No way to eavesdrop on input events
- Clipboard not broadcasted

So it’s also fixed with KWin/Wayland?

KWin adds additional protocols which break it
- Injecting input events possible for kdeconnect
- Information about windows exposed to Plasma
- Protocol to allow windows to position themselves

We can fix those protocols

Introduce a security layer
- Ideas are floating around for quite some time
- There is the Wayland Security Model
- Authentication protocol suggestion
- Authorize based on pid, uid, gid, etc.

But it only moves the trust issue around
- How to trust the Plasmoid which accesses window information?

But it won’t fix the root problem

The Linux security mantra

If it runs, it is trusted!

How did we get here?

X11 is too broken
- Once a client is connected to the Xserver it has to be trusted

Examples
- No point in securing the lock screen if another client can just disable the lock screen
- No point in protecting against keyloggers if X allows key logging

We concentrated on the wrong areas

- Prevent malicious applications from getting into the system in the first place
- Prevent malicious applications from becoming root

Being root is not what matters today

And what about getting malware into the system?

We as a community don’t take security seriously
- “Beware of hacked ISOs if you downloaded Linux Mint on February 20th!”
- “Manjaro forgot to upgrade their SSL certificate, suggest users get around it by changing their system clocks”
- “We regularly receive bug reports from users with very old versions of WebKit, who trust their distributors to handle security for them and might not even realize they are running ancient, unsafe versions of WebKit.”
- “Therefore, browsers built upon the webkit, qtwebkit and engines are included in Jessie, but not covered by security support. These browsers should not be used against untrusted websites.”

Let’s look at us!

QtWebEngine
- 5.7 based on Chromium 49 with security backports up to 51
- No update since then
- What about the 48 security issues fixed in Chromium 52.0.2743.82?
- And where can I see which issues are valid for QtWebEngine?

Other engines
- QtWebKit still used
- KHTML still used

Can we trust our software?

Our distributed software?
- Not all git tags are signed
- Not all tarballs are signed
- Info page on download.kde.org is not using https

Software at runtime?
- KPackages are not signed
- KPackages are loaded without integrity check
- Local overwriting of desktop files possible
- Local overwriting of KPackages possible

How to exploit?

Write access to the home directory is sufficient
- Drive-by download vulnerability in the browser
- Or any other application exposed to the internet

Best targets
- $HOME/.profile
- $HOME/.bashrc
- $HOME/.config/autostart
- $HOME/.pam_environment

LD_PRELOAD and friends

Startup process
- Shell scripts are sourced
- Env variables are set for all processes
- Allows loading custom binary data into all or dedicated processes
- Processes have no idea that they are tampered with
- Session might be owned before the first Plasma script/binary is executed

What can one do if one is running in the session?

Some examples
- Install a key logger into KWin/Wayland (example code on git.kde.org)
- Replace polkit-kde-authentication-agent and wait for the user to enter the password
- ptrace applications to get their secrets
- Eavesdrop on DBus

How to fix this mess?

Linux Kernel can help us to fix that!

Linux security modules and syscall filtering
- AppArmor
- SELinux
- libseccomp

Tame your application
- Disallow write access, if it doesn’t need it
- Disallow network access, if it doesn’t need it
- Use AppArmor to restrict the DBus calls your app is allowed to do

Disallow ptrace

Where we added it
- KWin (Wayland)
- Polkit-kde-authentication-agent
- Lock screen
- kcheckpass
- kdesu(do)

Many distributions do that by default
- We should not wait for distros to fix that!
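Added example, not KDE's own code, covering both the "never run as root" checks from the earlier slide and the ptrace protection from this one, in the order a main() would run them before QApplication exists; the function and enum names are assumptions of this example.

```cpp
// Added example (not KDE code): startup checks done before any Qt object exists.
#include <cstdio>
#include <sys/prctl.h>
#include <unistd.h>

// A graphical application refuses to run as root. Both real and effective uid
// are checked: a setuid binary started by a normal user is just as exposed.
bool runningAsRoot() { return getuid() == 0 || geteuid() == 0; }

// A non-dumpable process cannot be ptrace-attached by other processes of the
// same unprivileged user and writes no core dumps, so password buffers stay
// private. execve() of a normal binary resets the flag, so each sensitive
// binary (kcheckpass, the polkit agent, ...) has to set it for itself.
bool disallowPtrace() { return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == 0; }
bool ptraceDisallowed() { return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0; }

enum class StartupCheck { Ok, RefusedRoot, PtraceProtectionFailed };

// Run both checks in order; the caller reports on stderr only, never via a
// dialog, because a dialog would mean Qt is already constructed.
StartupCheck hardenProcessAtStartup() {
    if (runningAsRoot()) return StartupCheck::RefusedRoot;
    if (!disallowPtrace()) return StartupCheck::PtraceProtectionFailed;
    return StartupCheck::Ok;
}

int main(int argc, char **argv) {
    // First statement of main(), ahead of QApplication(argc, argv): by the time
    // Qt has loaded platform plugins and themes, foreign code may already run.
    switch (hardenProcessAtStartup()) {
    case StartupCheck::RefusedRoot:
        std::fputs("refusing to run as root; use KAuth for privileged tasks\n", stderr);
        return 1;
    case StartupCheck::PtraceProtectionFailed:
        std::fputs("could not disable ptrace/core dumps, aborting\n", stderr);
        return 1;
    case StartupCheck::Ok:
        break;
    }
    (void)argc; (void)argv;   // QApplication app(argc, argv); would follow here
    return 0;
}
```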

Change startup

Prevent env variable hacks!
- Distros need to stop sourcing $HOME/.pam_environment
- Login managers need to stop sourcing bashrc and friends
- No sourcing of env variables before the session starts
- At least get the session started in a secure way

Yes, I know that this will break our dev workflows.

Containers to the rescue!

and Snaps a solution?
- Don’t allow writing to home
  - E.g. filesystem portal
- Limit access to DBus
- Libertine: One X server per X application

Bringing back the trust!

If it runs, it’s trusted for real
- New session startup without sourcing env scripts
- Signing of KPackages (plasmoids, scripts, etc.)
- Security relevant interfaces (e.g. taskmanager) only available for signed packages
- All user applications running in sandboxes
- Remember: a sandbox is no excuse not to add security to other areas!

Authenticate our apps to the user

The lock screen problem
- Is it the lock screen?
- Or a random fullscreen application looking like the lock screen?

Authenticate password prompts to the user
- A shared secret between user and password prompt
- Dedicated key combo for password prompts (cf. Ctrl+Alt+Del)
- User Account Control

Better password asking experience

Problems with password dialogs
- Application does not set ptrace protection
- Windowing system does not know it’s asking for a password
- Focus stealing is possible
- Window stacking order attacks possible

Password asking service
- Plasma provides the password dialog
- Application requests a password
- Service provides the password back

A Mission!

Wayland gives us the possibility to have a secure desktop, let’s do it!