Passive and active attacks via X11. Is Wayland any better?

Joanna Rutkowska joanna at
Fri Feb 17 10:39:28 PST 2012

On 02/17/12 09:43, Tiago Vignatti wrote:
> Hi,
> On 02/16/2012 08:36 PM, frqb4td wrote:
>> In "The Linux Security Circus: On GUI isolation" (link:
>> ) - The Invisible Things Lab's blog, Joanna Rutkowska describes attacks
>> from one X11 app on another and the general problem of the lack of
>> GUI-level isolation, and how it essentially nullifies all the desktop
>> security.
> well, she's initially totally missed the motivations of XACE initially
> and designed her own "security" mechanism then. It doesn't sound quite
> right in terms of research, just to begin with... anyways: "New comments
> have been disabled for this post by a blog administrator." :(


>> Can passive (snooping) attacks be avoided? The passive attack she
>> describes certainly works on my system, though I note that one of the
>> comments says gksudo input can't be snooped.
> Input delivery for Wayland clients works in a different way from the X:
> while in X the events are broadcasted to all clients interested, on
> Wayland this happens by the compositor choosing the correct client
> surface (weston_compositor_pick_surface, on Weston). So I don't see any
> way to a client sniff another with Wayland's current model. One could
> eavesdrop UNIX sockets though, but that's a different story.
>> Can active attacks (injecting keystrokes) be avoided? I seem to recall
>> that active attacks was turned of by default a long time ago. But a
>> quick google suggests that the XTest extension nullifies that (How to
>> map a key-combination to a keyboard-button?).
> Wayland doesn't provide any way to inject artificial events at the
> moment. But definitely it will be designed with security on mind. So
> yeah, we're safe on this side now  as well :)

That's a very comforting statement! However, being a nasty person as I
am, let me ask a few more questions:

1) Are you planning to support on-screen keyboard apps? If so, how this
is going to be implemented, so that a malicious/compromised app couldn't
act as such "on-screen keyboard" and inject keystrokes to other apps?

2) Are you planning to support screenshot-taking apps, or
jigsaw-puzzle-like screensavers? If so, how are you planning to prevent
malicous/compromised apps from sniffing the content of other apps? E.g.
I might not be happy seeing Tetris being able to take screenshots of my
Thunderbird's windows and send them back to China...

3) How is Wayland going to protect the clipboard from being
sniffed/modified by 3rd party apps? E.g. I want to copy my bank password
from KeepassX to Firefox, and don't want Tetris to be able to eavesdrop
on that...


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the wayland-devel mailing list