<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} .ms-cui-menu {background-color:#ffffff;border:1px rgb(171, 171, 171) solid;font-family:'Segoe UI WPC', 'Segoe UI', Tahoma, 'Microsoft Sans Serif', Verdana, sans-serif;font-size:11pt;color:rgb(51, 51, 51);} .ms-cui-menusection-title {display:none;} .ms-cui-ctl {vertical-align:text-top;text-decoration:none;color:rgb(51, 51, 51);} .ms-cui-ctl-on {background-color:rgb(229, 235, 236);opacity: 0.8;} .ms-cui-img-cont-float {display:inline-block;margin-top:2px} .ms-cui-smenu-inner {padding-top:0px;} .ms-owa-paste-option-icon {margin: 2px 4px 0px 4px;vertical-align:sub;padding-bottom: 2px;display:inline-block;} .ms-rtePasteFlyout-option:hover {background-color:rgb(229, 235, 236) !important;opacity:1 !important;} .ms-rtePasteFlyout-option {padding:8px 4px 8px 4px;outline:none;} .ms-cui-menusection {float:left; width:85px;height:24px;overflow:hidden}
--></style>
</head>
<body>
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>The previous email contained a stupid copy/paste error. Here is the version for which we're looking to have comments. Apologies to whoever had read the first email already.<br>
</p>
<p><br>
</p>
<div>Kind regards,<br>
</div>
<div><br>
</div>
<div>--<br>
</div>
<div>Light-locker Threat Model Draft</div>
<div>Forward replies to:</div>
<div> Steve Dodier-Lazaro &lt;s.dodier-lazaro@cs.ucl.ac.uk&gt;</div>
<div> Simon Steinbeiss &lt;simon@xfce.org&gt;</div>
<div> Peter de Ridder &lt;peter@xfce.org&gt;</div>
<div> </div>
<div>Version information:</div>
<div> Draft 1.1</div>
<div> 2014-10-14</div>
<div><br>
</div>
<div>### Policy of sessions ###</div>
<div>Principals: current user, other logged in and logged out users</div>
<div>Assets: each user's data and sessions, and their authentication data, access to [capture] hardware</div>
<div>Properties: session integrity, availability and confidentiality; data integrity and confidentiality (DAC: only the owner can read/write the session, and only the relevant *NIX DAC+LSM MAC users can read/write the data)</div>
<div><br>
</div>
<div>Purpose of light-locker: implementing authentication for access to the session, preventing an unguarded session from being used to interact with any other asset</div>
<div><br>
</div>
<div><br>
</div>
<div>### Input space for user and adversary, relevant to light-locker ###</div>
<div>Greeter UI</div>
<div>Greeter-locker IPC channel</div>
<div>Other greeter IPC channels</div>
<div>Hardware plugs of any kind, causing plug-n-play reactions</div>
<div>Input devices</div>
<div><br>
</div>
<div><br>
</div>
<div>### Threat model ###</div>
<div>Adversary 1: physical attacker with restricted time (less than needed to copy your HDD or execute an Evil Maid attack if FDE) and no willingness to carry out attacks involving theft</div>
<div>Caps: - log in normally through brute force or password guessing</div>
<div> - log in by causing memory corruptions and code injection in the auth form</div>
<div> - insert hardware to exploit a kernel bug</div>
<div> - insert hardware to exploit a bug in whatever desktop environment code reacts to it</div>
<div> - interact with IPC protocols between greeter and music player, a11y apps, locker and login greeter</div>
<div><br>
</div>
<div>Threats: - successful login from adversary</div>
<div> - RCE with root privilege (kernel bugs)</div>
<div> - RCE with user privilege in one of the user's X11 sessions (kernel+DE bugs)</div>
<div> - crashing the greeter/locker through malformed input on any available interface</div>
<div><br>
</div>
<div>Adversary 2: attacker who controls an app run by the current user (previously compromised, or malware installed by user)</div>
<div>Caps: - read and write virtually any data on the user's session</div>
<div> - modify environment variables or config keys relevant to locker</div>
<div> - replace user's apps with own malware by prioritising own malware in the PATH</div>
<div> - any IPC with any other user-run app</div>
<div> - potentially, knowledge of zero-day in lightdm/light-locker/the kernel/PAM modules</div>
<div> - interact with greeter as a fake locker on the main VT</div>
<div> - use the capture hardware (webcam, microphone)</div>
<div><br>
</div>
<div>Threats: - privilege escalation to root account or lightdm account<br>
</div>
<div> - spying on the user when ACPI reports the user is away</div>
<div> - replacing the locker with a fake and stealing the password when it's typed</div>
<div> - intrusion into locker/greeter through any code vulnerability</div>
<div> - through IPC channels with greeter/locker, crashing them to prevent them from enforcing whatever restrictions they may enforce on the session</div>
<div> </div>
<div><br>
</div>
<div><br>
</div>
<div>### Useful reads ###</div>
<div>https://plus.google.com/106086509626546157534/posts/VbcxrUaxQ35</div>
<div>http://www.webupd8.org/2013/07/light-locker-new-session-locker-for.html</div>
<div>http://theinvisiblethings.blogspot.co.uk/2011/04/linux-security-circus-on-gui-isolation.html</div>
<div>http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.html</div>
<div>http://seclists.org/oss-sec/2014/q1/327</div>
<div>https://bugs.launchpad.net/ubuntu/+source/lxsession/+bug/1205384</div>
<div><br>
<br>
</div>
<p><br>
</p>
<div>
<div class="BodyFragment"><font size="2"><span style="font-size: 10pt;">
<div class="PlainText">--<br>
Steve Dodier-Lazaro<br>
PhD student in Information Security<br>
University College London<br>
Dept. of Computer Science<br>
Malet Place Engineering, 6.07<br>
Gower Street, London WC1E 6BT<br>
OpenPGP : 1B6B1670</div>
</span></font></div>
</div>
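<p>Added example (not part of the draft and not light-locker code): a small audit script for two of the Adversary 2 capabilities listed above, namely shadowing the locker by prioritising a malicious copy on PATH, and setting loader environment variables that inject code into every program the session starts. The binary name light-locker is the project's; the trusted directory list, the LD_* variable list, the finding severities and the constructed shadowed scenario in the demo function are assumptions.</p>

```python
"""Audit the session environment a screen locker runs in (added example).

Checks for two Adversary 2 capabilities from the light-locker threat model
draft: a user-level process shadowing the locker binary via PATH, and
loader environment variables (LD_PRELOAD and friends) that would run
injected code inside any process the session starts. The trusted
directory list and variable list below are assumptions, not light-locker's.
"""
import os
import stat
import tempfile

# Assumed trusted, root-owned locations for a distribution-installed locker.
TRUSTED_DIRS = ("/usr/bin", "/bin", "/usr/sbin", "/sbin")
# Binary names to audit; light-locker is the project's own binary name.
LOCKER_BINARIES = ("light-locker",)
# Dynamic-loader variables a compromised app in the session could set.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")


def resolve_on_path(name, path_dirs):
    """Return (directory, full path) of the first executable `name` on PATH, else None."""
    for d in path_dirs:
        if not d:
            continue
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return d, candidate
    return None


def audit_locker_environment(env, names=LOCKER_BINARIES, trusted_dirs=TRUSTED_DIRS):
    """Return a list of (severity, message) findings for the given environment mapping."""
    findings = []
    path_dirs = env.get("PATH", "").split(":")
    trusted_real = [os.path.realpath(t) for t in trusted_dirs]

    # Loader variables affect every process the session spawns, locker included.
    for var in LOADER_VARS:
        if env.get(var):
            findings.append(("high", f"{var} is set to {env[var]!r}; code can be injected into every process of the session"))

    for name in names:
        hit = resolve_on_path(name, path_dirs)
        if hit is None:
            findings.append(("info", f"{name} not found on PATH"))
            continue
        directory, full = hit
        if os.path.realpath(directory) not in trusted_real:
            # A copy outside the distribution directories wins the PATH lookup:
            # this is the "prioritising own malware in the PATH" capability.
            findings.append(("high", f"{name} resolves to {full}, outside trusted directories"))
        else:
            # The trusted copy currently wins, but a user-writable directory that
            # precedes it on PATH lets a compromised app shadow it later.
            for d in path_dirs[:path_dirs.index(directory)]:
                if d and os.path.isdir(d) and os.access(d, os.W_OK):
                    findings.append(("medium", f"{d} precedes {directory} on PATH and is writable by the current user"))
    return findings


def demo_shadowed_locker():
    """Constructed scenario: a user-writable directory first on PATH holding a fake locker."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "light-locker")  # constructed fake binary
        with open(fake, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(fake, stat.S_IRWXU)
        env = {"PATH": f"{tmp}:/usr/bin:/bin", "LD_PRELOAD": "/tmp/injected.so"}  # constructed
        return audit_locker_environment(env)


if __name__ == "__main__":
    print("Current session:")
    for severity, message in audit_locker_environment(os.environ):
        print(f"  [{severity}] {message}")
    print("Constructed shadowed scenario:")
    for severity, message in demo_shadowed_locker():
        print(f"  [{severity}] {message}")
```

<p>Run as the logged-in user from a terminal inside the session; the first block of output reflects the real environment, the second the constructed scenario. The check compares resolved real paths so that merged-/usr layouts (where /bin is a symlink to /usr/bin) are not reported as untrusted.</p>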
<div style="color: #282828;">
<hr tabindex="-1" style="display: inline-block; width: 98%;">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size: 11pt;"><b>From:</b> Dodier-Lazaro, Steve &lt;s.dodier-lazaro.12@ucl.ac.uk&gt;<br>
<b>Sent:</b> 14 February 2014 00:58<br>
<b>To:</b> simon@xfce.org; peter@xfce.org; lightdm@lists.freedesktop.org; oss-security@lists.openwall.com<br>
<b>Cc:</b> s.dodier-lazaro@cs.ucl.ac.uk<br>
<b>Subject:</b> light-locker security</font>
<div> </div>
</div>
<div>
<div style="color: #000000; background-color: #ffffff; font-family: calibri, arial, helvetica, sans-serif;">
<div style="font-size: 16px; font-family: calibri, arial, helvetica, sans-serif;">
</div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">Dear all,</span></div>
<div style="font-size: 12pt;"><br style="font-size: 11pt;">
</div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">This is in reply to a request for audit that was notified to me by Simon. Apologies for the separate post but I couldn't reply to original ones as I was not on any relevant ML (see <a href="http://seclists.org/oss-sec/2013/q2/613">http://seclists.org/oss-sec/2013/q2/613</a>). Any
review/amend is greatly appreciated.</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;"><br>
</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">When replying, please make sure to cc. the LightDM ML and myself.</span></div>
<div style="font-size: 12pt;"><br style="font-size: 11pt;">
</div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">Kind regards,</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;"><br>
</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">--</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">Light-locker Threat Model Draft</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">Forward replies to:</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;"> Steve Dodier-Lazaro &lt;s.dodier-lazaro@cs.ucl.ac.uk&gt;</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;"> Simon Steinbeiss &lt;simon@xfce.org&gt;</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;"> Peter de Ridder &lt;peter@xfce.org&gt;</span></div>
<div style="font-size: 12pt;"> </div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">Version information:</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;"> Draft 1.0</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;"> 2014-10-14</span></div>
<div style="font-size: 12pt;"><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 15px;">[...]</span></div>
<div style="font-size: 12pt;"><br>
</div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">--</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">Steve Dodier-Lazaro</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">PhD student in Information Security</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">University College London</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">Dept. of Computer Science</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">Malet Place Engineering, 6.07</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">Gower Street, London WC1E 6BT</span></div>
<div style="font-size: 12pt;"><span style="font-size: 11pt;">OpenPGP : 1B6B1670</span></div>
<br>
</div>
</div>
</div>
</div>
</body>
</html>