Story 3J4 Lack of GUI Isolation as Linux security flaw

Lack of GUI Isolation as Linux security flaw

by
in security on (#3J4)
Here's a little something to sour your morning coffee with the acid taste of anxiety: an interesting piece by Joanna Rutkowska pointing out what she claims is an inherent security flaw in the X Window GUI model :
... Start another terminal window, and switch to root (e.g. using su, or sudo). Notice how the xinput running as user is able to sniff all your keystrokes, including root password (for su), and then all the keystrokes you enter in your root session. Start some GUI app as root, or as different user, again notice how your xinput can sniff all the keystrokes you enter to this other app!

I never knew this and am not aware of much discussion going on about the issue. Is this a fundamental flaw that Windows Vista addresses more successfully, as the author claims, or has the time truly come to do away with the X Window model and develop something else? Did the UNIX-Haters Handbook get this one right?
Reply 12 comments

X is from a different time (Score: 5, Interesting)

by mth@pipedot.org on 2014-04-18 13:47 (#146)

X is from a time when flexibility was considered more important than security. So I'm not surprised it is weak in this respect.

If you create a second login session at the display manager, I think that would be shielded from the first: they would be talking to the same X server, but to different displays. If I understand X correctly, snooping is possible between applications connected to the same display (X display, not a physical monitor).

Re: X is from a different time (Score: 3, Informative)

by Anonymous Coward on 2014-04-18 14:03 (#147)

That's kind of the issue: the author points out you can use the xtest application to essentially record keystrokes as they happen, even from someone typing into a root terminal. Her preference is for apps to be unable to communicate with each other, as I understand it, and she claims Windows Vista and up do a better job of addressing this weakness.

Re: X is from a different time (Score: 4, Informative)

by Anonymous Coward on 2014-04-21 07:35 (#14V)

It's true, and fixing this problem is one of the main motivations of wayland. Actually, wayland also fixes screengrabbing spyware, as graphics buffers are private to the applications and must be explicitly shared by them if desired.

In X there is no security, whatever has access to the server is fully trusted.

Re: X is from a different time (Score: 1, Insightful)

by Anonymous Coward on 2014-04-22 06:31 (#14Y)

No screenshots then.

Not new (Score: 4, Interesting)

by tristram@pipedot.org on 2014-04-18 17:01 (#14B)

This sort of thing has been known for a very long time -- for instance, the reason why most modern login managers restart the X server when you log out is to prevent somebody from leaving a program running that can access the next user's screen or keystrokes. Since the X Window protocol allows applications to find out about keypress events, it's not surprising that if you can run an arbitrary application then you can run a keylogger.

There are lots of keyloggers available for Windows, too; I'm not sure why the author thinks that this is somehow Linux-specific. She obviously is pushing her pet "Qubes OS" project.

Working as intended (Score: 3, Informative)

by bryan@pipedot.org on 2014-04-18 21:56 (#14E)

She's describing expected behavior. I don't see anything resembling "an inherent security flaw" in either X or Windows. If you don't trust the programs running in your user environment, you surely shouldn't expect additional security in an elevated privilege window inside that environment.

Also, the part about Windows doing anything different is complete BS. The article "Running Vista Every Day!" shows her clear lack of understanding on what UAC is doing.

Re: Working as intended (Score: 5, Interesting)

by genkernel@pipedot.org on 2014-04-19 16:40 (#14N)

Eh, I disagree. It is expected behavior, and it is indeed well known. Nonetheless, it is wrong. An application with user privilege should never have such complete control of an application running with root privileges in a sane, secure environment. Allowing that is asking for privilege escalation. The fact that input information is made so readily available to otherwise unrelated programs just makes it worse.

Back in ~2009 there was a bit of a stir involving the sheer ease of getting the window managers KDE and GNOME to run unintended programs using .desktop files . As far as I can tell, it still works. This is a real problem, with potentially nasty consequences.

Re: Working as intended (Score: 2, Insightful)

by genkernel@pipedot.org on 2014-04-19 16:47 (#14P)

Hrm. While what I wrote makes sense, I should have added that ultimately it is highly difficult and truly unreasonable to retain control of every single piece of code that runs on your machine. All that needs to happen in this case is for some code somewhere to write a single line into an easily writable file in someone's home directory to start logging. That is a flaw, we can do better than that.

Re: Working as intended (Score: 3, Funny)

by bryan@pipedot.org on 2014-04-20 02:54 (#14Q)

Interestingly, the Thunar file manager under xfce (Xubuntu 8.10) is doing something that Gnome's and KDE's file managers are not doing: It will flag the desktop launcher file as potential malware and thus prevent execution via a simple click.
XFCE ftw! And that was back in 2008!

X and Windows use different models (Score: 2, Informative)

by tomp@pipedot.org on 2014-04-19 02:22 (#14F)

X and Windows are different. Under X the display belongs to the user not the system. That's not a security flaw, it's a design decision. It's also why it's so easy for X to display programs that are running on other systems and so hard to view desktops running on other systems.

Sure things like VNC blur the distinction, but it's still there.

Uhm someting newer than x windows? (Score: 1)

by billshooterofbul@pipedot.org on 2014-04-21 02:55 (#14T)

Like, uhm, brainstorming fro the top of my head... Wayland ... or ... Mir?

article from 2011 (Score: 0)

by Anonymous Coward on 2014-04-27 22:58 (#16Z)

Subject says it all...