Global shortkeys and keyboard focus

Dodier-Lazaro, Steve s.dodier-lazaro.12 at ucl.ac.uk
Fri Jul 4 07:04:03 PDT 2014 

Hi Michael,

> Is there any reason global shortcuts should lie with an application?
>Wouldn't it make more sense to provide an interface on the compositor
> side, where clients can register a global shortcut and the compositor
> sends an event back in case of the shortcut being pressed.
>
> In that case the compositor could follow predefined rules switching
> focus etc.

The problem is: what are the allowed global shortcuts leaking about users?

If it's any key that can be listened to, then we've just gotten ourselves an API
for implementing keyloggers.

If it's any key + some modifier (Ctrl, Alt, etc) then we need to see DE by DE
what listening to all available key combinations lets me learn about the user:

- Can I listen to Alt+Tab or to the shortcut used to maximise windows? If so can
  I learn the window layout of the user (or at least whether a window is being
  displayed or not)? For instance Martin proposed to use an "Expose" like view
  of the desktop as a background for modal authentication dialogs, so that the
  user knows it's a compositor (that is capable of moving windows around) that is
  asking for your password. If I know that no windows are being displayed because
  the user hasn't Alt+Tab'd for a while and just Alt+F4'd then I can spoof that
  UI directly and steal your password.

- Can I learn if you're playing music? If you're browsing the Web? If you're
  typing some document? Is that information alone useful to profile your activities?

- Can listening to Ctrl+C allow me to know when you're using the clipboard
  despite it being a privileged interface? If I'm sniffing your network traffic
  I may know that you've just landed on a site's authentication page, and you're
  using the clipboard. You're probably one of those users who have a password
  file that they use to copy credentials from. I may now serve you an exploit on
  the clipboard API or an exploit allowing me to scan your FS as I know there's
  something that can be monetized.

Generally speaking, there'll always be someone smarter and more motivated than us
to figure out how to build composite attacks from seemingly innocuous APIs. So
I'd rather lock down what is not strictly necessary. How many apps need global
shortcuts other than the ones that have a semantic attached to them? How are the
GUIs for handling custom global shortcuts and Preferred handlers for those
semantic keys not enough?

If we can cater for all common needs without exposing all your keyboard shortcuts
to potential malware, then we've done a great job.

Regards,
--
Steve Dodier-Lazaro
PhD student in Information Security
University College London
Dept. of Computer Science
Malet Place Engineering, 6.07
Gower Street, London WC1E 6BT
OpenPGP : 1B6B1670

More information about the wayland-devel mailing list