[LightDM] light-locker security

Dodier-Lazaro, Steve s.dodier-lazaro.12 at ucl.ac.uk
Fri Feb 14 01:58:15 CET 2014


Dear all,

This is in reply to a request for audit that was notified to me by Simon. Apologies for the separate post but I couldn't reply to the original ones as I was not on any relevant ML (see http://seclists.org/oss-sec/2013/q2/613). Any review/amendment is greatly appreciated.

When replying, please make sure to cc. the LightDM ML and myself.

Kind regards,

--
Light-locker Threat Model Draft
Forward replies to:
  Steve Dodier-Lazaro <s.dodier-lazaro at cs.ucl.ac.uk>
  Simon Steinbeiss <simon at xfce.org>
  Peter de Ridder <peter at xfce.org>

Version information:
  Draft 1.0
  2014-10-14

### Policy of sessions ###
Principals: current user, other logged in and logged out users
Assets: each user's data and sessions, and their authentication data, access to [capture] hardware
Properties: Session integrity, availability, confidentiality, Data integrity and confidentiality (DAC, only owner can read/write session and only relevant *NIX DAC+LSM MAC users can read/write data)

Purpose of light-locker: implementing authentication for access to the session, preventing an unguarded session from being used to interact with any other asset


### Input space for user and adversary, relevant to light-locker ###
Greeter UI
Greeter-locker IPC channel
Other greeter IPC channels
Hardware plugs of any kind, causing plug-n-play reactions
Input devices


### Threat model ###
Adversary 1: physical attacker with restricted time (less than to copy your HDD or execute an Evil Maid attack if FDE) and no willingness to carry out attacks involving theft
Caps:    - log in normally through brute force or password guessing
         - log in by causing memory corruptions and code injection in the auth form
         - insert hardware to exploit a kernel bug
         - insert hardware to exploit a bug in whatever desktop environment code reacts to it
         - interact with IPC protocols with music player, a11y apps, main DM

Threats: - successful login from adversary
         - RCE with root access (kernel bugs)
         - RCE with user access in one of the user's X11 sessions (kernel+DE bugs)
         - crashing the session through malformed input on any interface

Adversary 2: attacker who controls an app run by the current user
Caps:    - read and write virtually any data on the user's session
         - replace user's apps with own malware by prioritising own malware in the PATH
         - any IPC with any other app
         - attempt privilege escalation
         - interact with IPC protocols with music player, a11y apps, main DM
         - interact with greeter as a fake locker on the main VT
         - use the capture hardware

Threats: - successful login from adversary
         - RCE with root access (kernel bugs)
         - RCE with user access in one of the user's X11 sessions (kernel+DE bugs)
         - crashing the session through malformed input on any interface
         - spy on the user when ACPI reports the user is away


### Useful reads ###
https://plus.google.com/106086509626546157534/posts/VbcxrUaxQ35
http://www.webupd8.org/2013/07/light-locker-new-session-locker-for.html
http://theinvisiblethings.blogspot.co.uk/2011/04/linux-security-circus-on-gui-isolation.html
http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.html
http://seclists.org/oss-sec/2014/q1/327
https://bugs.launchpad.net/ubuntu/+source/lxsession/+bug/1205384
--
Steve Dodier-Lazaro
PhD student in Information Security
University College London
Dept. of Computer Science
Malet Place Engineering, 6.07
Gower Street, London WC1E 6BT
OpenPGP : 1B6B1670
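
The draft's Adversary 2 capability "replace user's apps with own malware by prioritising own malware in the PATH" can be audited from the defender's side. The following is an added example, not part of the original message or of light-locker: `find_shadowed`, the trust predicate and the `home_bin`/`sys_bin` layout are constructed for illustration.

```python
import os
import stat
import tempfile

def user_writable(directory):
    """Default trust test: the current user can create files here."""
    return os.access(directory, os.W_OK)

def executables(directory):
    """Names of regular files in `directory` with any execute bit set."""
    names = []
    for name in sorted(os.listdir(directory)):
        try:
            mode = os.stat(os.path.join(directory, name)).st_mode
        except OSError:
            continue  # broken symlink or unreadable entry
        if stat.S_ISREG(mode) and mode & 0o111:
            names.append(name)
    return names

def find_shadowed(path_dirs, untrusted=user_writable):
    """Return (name, winner, shadowed) where an untrusted dir wins PATH lookup."""
    winners = {}  # command name -> (resolved path, came from untrusted dir?)
    findings = []
    for directory in path_dirs:
        if not os.path.isdir(directory) or not os.access(directory, os.R_OK):
            continue  # skip stale or unreadable PATH entries
        flagged = untrusted(directory)
        for name in executables(directory):
            full = os.path.join(directory, name)
            if name not in winners:
                winners[name] = (full, flagged)  # first hit is what the shell runs
            elif winners[name][1] and not flagged:
                findings.append((name, winners[name][0], full))
    return findings

def demo():
    """Constructed layout: a user-owned bin directory placed ahead of a system one."""
    root = tempfile.mkdtemp()
    home_bin, sys_bin = os.path.join(root, "home_bin"), os.path.join(root, "sys_bin")
    for directory, names in ((home_bin, ["light-locker"]), (sys_bin, ["light-locker", "ls"])):
        os.mkdir(directory)
        for name in names:
            path = os.path.join(directory, name)
            with open(path, "w") as handle:
                handle.write("#!/bin/sh\n")  # constructed placeholder, not a real binary
            os.chmod(path, 0o755)
    return find_shadowed([home_bin, sys_bin], untrusted=lambda d: d == home_bin), root
```

To audit a live session, call `find_shadowed(os.environ["PATH"].split(os.pathsep))`; run as root, the default predicate treats every directory as untrusted, so pass an explicit one there.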
