[pulseaudio-discuss] More on the native protocol complexity

Rafal Wojtczuk rafal at invisiblethingslab.com
Fri Apr 23 08:10:19 PDT 2010


On Fri, Apr 23, 2010 at 05:35:14PM +0300, Tanu Kaskinen wrote:
> On Fri, 2010-04-23 at 13:36 +0200, Rafal Wojtczuk wrote:
> > Hello,
> > On Apr 5, Lennart wrote (about native protocol):
> > > Note that the protocol is kinda complex, both because it grew
> > > historically and because some parts have to be complex. i.e. the
> > > timing/flow control logic is non-trivial. Reimplementing that won't be
> > > fun.
> > >
> > > tbh I don't think the native protocol while it works quite well these
> > > days is something that deserves to be reimplemented by other projects.
> > 
> > The problem is that for some tasks the complexity of the native protocol is
> > prohibitive. Consider the following scenario (that I am trying to solve
> > now):
> > There are two [virtual btw] machines, VM_USER and VM_HOST. We want to allow
> > users in VM_USER to play sound on the soundcard attached to VM_HOST. So, the
> > obvious method is to run pulseaudio daemon in VM_HOST, and prepare client.conf 
> > in VM_USER so that it connects pa clients to VM_HOST over the network. However,
> > VM_HOST does not want to trust VM_USER more than necessary. VM_HOST does not
> > want to give VM_USER full access to the native protocol capabilities (like
> > PA_COMMAND_LOAD_MODULE), nor to give it a chance to exploit a potential bug 
> > (logic one, or buffer overflow) in this 150K C-code protocol.
> 
> How about getting a cheap or free used computer running pulseaudio that
> you hook the speakers to? Then use that via TCP from VM_USER. 
Yes, almost good (although in the case of Xen/Qubes environment, you would say 
"dedicated driver domain" instead of "a cheap or free used computer").

Readers interested in pulseaudio discussion only are kindly advised to jump
to the 7th line from the bottom of this post.

> That way you don't need to run pulseaudio on a top security machine.
So, you have a third VM_PULSE [virtual] machine, that hosts the sound hardware 
and the pulseaudio daemon. This is definitely better. The problem arises 
when there are VM_USER1 and VM_USER2 machines, that both want to use sound. 
Now, if you accept that 
[*] "talking over native protocol" equals "unacceptable risk of getting 
compromised" 

then it means that you have to consider a scenario when
a) because of [*], rogue VM_USER1 can execute arbitrary code in context of 
pulseaudio daemon on VM_PULSE,
b) rogue pulseaudio daemon can wait for VM_USER2 to connect to it, and again
because of [*] (although now considering an attack against client side of
native protocol conversation) compromise VM_USER2

This is not good, VM_USERx machines should not be able to compromise each
other. 

> That way you don't need to run pulseaudio on a top security machine.
Yes, but the machine running pulseaudio may interact with other machines of
high security status, thus it is important to not make its security too weak.

Again, can I have a simple sound sharing over network protocol, pretty
pretty please ? Raw audio frames + simple synchronization, anyone ?

Regards,
Rafal Wojtczuk
The Qubes OS Project
http://qubes-os.org



More information about the pulseaudio-discuss mailing list