Comment on global shortcuts security
piotr.rak at gmail.com
Tue Sep 25 09:07:51 PDT 2012
2012/9/25 Pekka Paalanen <ppaalanen at gmail.com>:
> On Tue, 25 Sep 2012 01:46:37 +0200
> Piotr Rak <piotr.rak at gmail.com> wrote:
>> Although I am not security expert, I'd like to share my input into
>> this topic, so putting on my black hat...
>> It is probably not great discovery, but I believe that minimal
>> requirement for given combination of keys, to be allowed as global
>> shortcut is that is not printable and not whitespace given currently
>> selected keyboard layout. Such combination should never be delivered
>> to application, that doesn't have active keyboard focus.
>> Two major reasons of that:
>> - security: reason is rather trivial, those may contain data, that
>> can be considered sensitive, like credit card number password, or
>> whatever. I can't imagine other sequences be consider sensitive
>> (beside SAK which is special in its way).
>> - usability: I really wouldn't be happy, if some app *steals*
>> character that I type in does something fancy, changing my online
>> presence to available any time I type in AltGr+A - ("a with ogonek" in
>> polish programmer's layout) for example...
>> It seems impossible ban key sequences for all possible keyboard layout
>> configs, considering that it's not that hard write own, so it seems
>> wise do this check at runtime.
>> I don't think that user will be very surprised by fact that shortcut
>> being dropped silently with changed layout. They may be, but for sure
>> not while typing url, texting, or editing text...
>> It also doesn't sound that terribly complicated to put words in code
>> (given XKB shares enough info, and decent enough isprint for unicode
>> is somewhere out there, which I haven't checked).
>> I don't see possible attack vector in allowing applications to check
>> if given sequence is available for them now or notification about
>> layout change, but possibly I am not creative enough.
>> @Semantic approach idea suggested during XDC "Security":
>> It sounds interesting, but it seems to be still leaving at least minor
>> attack vector, unless above requirement is met too.
>> Let's imagine that compositor Y becomes most popular compositor, or
>> even better, most of compositors use some library for their semantic
>> binding handling. It (compositor or library) is shipped usable enough
>> configuration for keys and their actions - (that's ofc one of reasons
>> that it is so popular :->). Now, most users or distros developers
>> won't be tempted to change this config - people are lazy, and that's
>> why civilization can progress at all :).
>> If I want sniff their input - I have knowledge what this semantic word
>> use for sniffing given sequence, using knowledge of default
>> That's just tiny bit harder, won't work in 100%, but hey, I am not
>> that greedy - just few passwords will do just fine; I don't have to
>> get them all, right? Bah, even parts of passwords can be helpful, and
>> cut loads of work I imagine.
>> What would make that potential attack even sweeter - *flaw* is shipped
>> by default. :-)
> Hi Piotr,
> it sounds like you make a fundamental assumption on something, that
> makes global shortcuts insecure, and so you set out to solve these
> What is it that you assume?
> What is the root of the problems?
> What are the problems you are trying to solve?
I should have state this more clearly, but the problem is - how to do
global shortcuts in application in secure way. The issue was raised
during XDC. Video of talk can be watched online
http://www.youtube.com/watch?v=hJpiJii44oo&feature=relmfu - discussion
about wayland input handling starts around 23:30s.
Those are my thoughts/comments after watching it, on one questions
that was left open there.
> Sorry, but I just couldn't understand anything you wrote.
Hope that explaination is sufficient.
More information about the wayland-devel