<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} .ms-cui-menu {background-color:#ffffff;border:1px rgb(171, 171, 171) solid;font-family:'Segoe UI WPC', 'Segoe UI', Tahoma, 'Microsoft Sans Serif', Verdana, sans-serif;font-size:11pt;color:rgb(51, 51, 51);} .ms-cui-menusection-title {display:none;} .ms-cui-ctl {vertical-align:text-top;text-decoration:none;color:rgb(51, 51, 51);} .ms-cui-ctl-on {background-color:rgb(229, 235, 236);opacity: 0.8;} .ms-cui-img-cont-float {display:inline-block;margin-top:2px} .ms-cui-smenu-inner {padding-top:0px;} .ms-owa-paste-option-icon {margin: 2px 4px 0px 4px;vertical-align:sub;padding-bottom: 2px;display:inline-block;} .ms-rtePasteFlyout-option:hover {background-color:rgb(229, 235, 236) !important;opacity:1 !important;} .ms-rtePasteFlyout-option {padding:8px 4px 8px 4px;outline:none;} .ms-cui-menusection {float:left; width:85px;height:24px;overflow:hidden}--></style>
</head>
<body>
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div style="font-family: calibri, arial, helvetica, sans-serif; font-size: 16px;">
<div><span style="font-family: 'lucida console', monaco, monospace; font-size: 10pt;"></span></div>
</div>
<div><span style="font-size: 11pt;">Dear all,</span></div>
<div><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 11pt;">This is in reply to a request for audit that was notified to me by Simon. Apologies for the separate post but I couldn't reply to original ones as I was not on any relevant ML (see <a href="http://seclists.org/oss-sec/2013/q2/613)"></a><a href="http://seclists.org/oss-sec/2013/q2/613).">http://seclists.org/oss-sec/2013/q2/613).</a> <span style="font-family: calibri, arial, helvetica, sans-serif; font-size: 15px; background-color: #ffffff;">Any
review/amend is greatly appreciated.</span></span></div>
<div><span style="font-size: 11pt;"><br>
</span></div>
<div><span style="font-size: 11pt;">When replying, please make sure to cc. the LightDM ML and myself.</span></div>
<div><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 11pt;">Kind regards,</span></div>
<div><span style="font-size: 11pt;"><br>
</span></div>
<div><span style="font-size: 11pt;">--</span></div>
<div><span style="font-size: 11pt;">Light-locker Threat Model Draft</span></div>
<div><span style="font-size: 11pt;">Forward replies to:</span></div>
<div><span style="font-size: 11pt;"> Steve Dodier-Lazaro <s.dodier-lazaro@cs.ucl.ac.uk></span></div>
<div><span style="font-size: 11pt;"> Simon Steinbeiss <simon@xfce.org></span></div>
<div><span style="font-size: 11pt;"> Peter de Ridder <peter@xfce.org></span></div>
<div> </div>
<div><span style="font-size: 11pt;">Version information:</span></div>
<div><span style="font-size: 11pt;"> Draft 1.0</span></div>
<div><span style="font-size: 11pt;"> 2014-10-14</span></div>
<div><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 11pt;">### Policy of sessions ###</span></div>
<div><span style="font-size: 11pt;">Principals: current user, other logged in and logged out users</span></div>
<div><span style="font-size: 11pt;">Assets: each user's data and sessions, and their authentication data, access to [capture] hardware</span></div>
<div><span style="font-size: 11pt;">Properties: Session integrity, availability, confidentiality, Data integrity and confidentiality (DAC, only owner can read/write session and only relevant *NIX DAC+LSM MAC users can read/write data)</span></div>
<div><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 11pt;">Purpose of light-locker: implementating authentication for access to the session, preventing an unguarded session from being used to interact with any other asset</span></div>
<div><br style="font-size: 11pt;">
</div>
<div><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 11pt;">### Input space for user and adversary, relevant to light-locker ###</span></div>
<div><span style="font-size: 11pt;">Greeter UI</span></div>
<div><span style="font-size: 11pt;">Greeter-locker IPC channel</span></div>
<div><span style="font-size: 11pt;">Other greeter IPC channels</span></div>
<div><span style="font-size: 11pt;">Hardware plugs of any kind, causing plug-n-play reactions</span></div>
<div><span style="font-size: 11pt;">Input devices</span></div>
<div><br style="font-size: 11pt;">
</div>
<div><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 11pt;">### Threat model ###</span></div>
<div><span style="font-size: 11pt;">Adversary 1: physical attacker with restricted time (less than to copy your HDD or execute a Evil Maid attack if FDE) and no willingness to carry out attacks involving theft</span></div>
<div><span style="font-size: 11pt;">Caps: - log in normally through brute force or password guessing</span></div>
<div><span style="font-size: 11pt;"> - log in by causing memory corruptions and code injection in the auth form</span></div>
<div><span style="font-size: 11pt;"> - insert hardware to exploit a kernel bug</span></div>
<div><span style="font-size: 11pt;"> - insert hardware to exploit a bug in whatever desktop environment code reacts to it</span></div>
<div><span style="font-size: 11pt;"> - interact with IPC protocols with music player, a11y apps, main DM</span></div>
<div><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 11pt;">Threats: - successful login from adversary</span></div>
<div><span style="font-size: 11pt;"> - RCE with root access (kernel bugs)</span></div>
<div><span style="font-size: 11pt;"> - RCE with user access in one of the user's X11 sessions (kernel+DE bugs)</span></div>
<div><span style="font-size: 11pt;"> - crashing the session through misformed input on any interface</span></div>
<div><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 11pt;">Adversary 2: attacker who controls an app run by the current user</span></div>
<div><span style="font-size: 11pt;">Caps: - read and write virtually any data on the user's session</span></div>
<div><span style="font-size: 11pt;"> - replace user's apps with own malware by prioritising own malware in the PATH</span></div>
<div><span style="font-size: 11pt;"> - any IPC with any other app</span></div>
<div><span style="font-size: 11pt;"> - attempt privilege escalation</span></div>
<div><span style="font-size: 11pt;"> - interact with IPC protocols with music player, a11y apps, main DM</span></div>
<div><span style="font-size: 11pt;"> - interact with greeter as a fake locker on the main VT</span></div>
<div><span style="font-size: 11pt;"> - use the capture hardware</span></div>
<div><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 11pt;">Threats: - successful login from adversary</span></div>
<div><span style="font-size: 11pt;"> - RCE with root access (kernel bugs)</span></div>
<div><span style="font-size: 11pt;"> - RCE with user access in one of the user's X11 sessions (kernel+DE bugs)</span></div>
<div><span style="font-size: 11pt;"> - crashing the session through misformed input on any interface</span></div>
<div><span style="font-size: 11pt;"> - spy on the user when ACPI reports the user is away</span></div>
<div><br style="font-size: 11pt;">
</div>
<div><br style="font-size: 11pt;">
</div>
<div><span style="font-size: 11pt;">### Useful reads ###</span></div>
<div><span style="font-size: 11pt;">https://plus.google.com/106086509626546157534/posts/VbcxrUaxQ35</span></div>
<div><span style="font-size: 11pt;">http://www.webupd8.org/2013/07/light-locker-new-session-locker-for.html</span></div>
<div><span style="font-size: 11pt;">http://theinvisiblethings.blogspot.co.uk/2011/04/linux-security-circus-on-gui-isolation.html</span></div>
<div><span style="font-size: 11pt;">http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.html</span></div>
<div><span style="font-size: 11pt;">http://seclists.org/oss-sec/2014/q1/327</span></div>
<div><span style="font-size: 11pt;">https://bugs.launchpad.net/ubuntu/+source/lxsession/+bug/1205384</span></div>
<div><br>
</div>
<div><span style="font-size: 11pt;">--</span></div>
<div><span style="font-size: 11pt;">Steve Dodier-Lazaro</span></div>
<div><span style="font-size: 11pt;">PhD student in Information Security</span></div>
<div><span style="font-size: 11pt;">University College London</span></div>
<div><span style="font-size: 11pt;">Dept. of Computer Science</span></div>
<div><span style="font-size: 11pt;">Malet Place Engineering, 6.07</span></div>
<div><span style="font-size: 11pt;">Gower Street, London WC1E 6BT</span></div>
<div><span style="font-size: 11pt;">OpenPGP : 1B6B1670</span></div>
<br>
</div>
</body>
</html>