Passive and active attacks via X11. Is Wayland any better?
Tiago Vignatti
tiago.vignatti at linux.intel.com
Fri Feb 17 00:43:26 PST 2012
Hi,
On 02/16/2012 08:36 PM, frqb4td wrote:
> In "The Linux Security Circus: On GUI isolation" (link:
> http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html
> ) - The Invisible Things Lab's blog, Joanna Rutkowska describes attacks
> from one X11 app on another and the general problem of the lack of
> GUI-level isolation, and how it essentially nullifies all the desktop
> security.
well, she's initially totally missed the motivations of XACE initially
and designed her own "security" mechanism then. It doesn't sound quite
right in terms of research, just to begin with... anyways: "New comments
have been disabled for this post by a blog administrator." :(
> Can passive (snooping) attacks be avoided? The passive attack she
> describes certainly works on my system, though I note that one of the
> comments says gksudo input can't be snooped.
Input delivery for Wayland clients works in a different way from the X:
while in X the events are broadcasted to all clients interested, on
Wayland this happens by the compositor choosing the correct client
surface (weston_compositor_pick_surface, on Weston). So I don't see any
way to a client sniff another with Wayland's current model. One could
eavesdrop UNIX sockets though, but that's a different story.
> Can active attacks (injecting keystrokes) be avoided? I seem to recall
> that active attacks was turned of by default a long time ago. But a
> quick google suggests that the XTest extension nullifies that (How to
> map a key-combination to a keyboard-button?).
Wayland doesn't provide any way to inject artificial events at the
moment. But definitely it will be designed with security on mind. So
yeah, we're safe on this side now as well :)
Tiago
More information about the wayland-devel
mailing list