The status of Wayland security
Unlike its predecessor, X, Wayland was created with an eye toward security. In part, that is due to the threat landscape present at the time each was created—the twenty-first century is a much more dangerous time. While Wayland is designed to provide confidentiality and integrity, there are times when applications will need or want to circumvent those protections. How to safely allow that is the topic of some recent postings to the wayland-devel mailing list.
The discussion started back at the end of December in a thread on authorizing clients to use restricted interfaces for accessibility and other tools, though it had been touched on in the context of screen-grabbing applications even earlier. In mid-February, Martin Peres summarized the discussion thus far both on the mailing list and on his blog. He also referred back to a talk that he and Timothée Ravier gave at the 2012 X.Org Developer Conference. The current state of Wayland input security is good, Peres said, and there is work in progress for its output security, but it is the mechanisms to allow applications to violate those security constraints (under user control) that are still being worked out.
Unlike X, the Wayland input stack doesn't allow applications to snoop on the input of other programs (preserving confidentiality), to generate input events that appear to come from the user (preserving input integrity), or to capture all the input events to the exclusion of the user's application (preserving availability). Wayland clients are still susceptible to LD_PRELOAD-style attacks, but that is not something the Wayland protocol itself can preclude. It is no different than the situation with X clients today, though, so existing solutions can presumably be reused.
On the output side, Wayland does a lot better than X, in general, but there is still some work to do. The use of "graphics execution manager" (GEM) buffers between the client and server is known to be problematic because buffers are identified by 32-bit handles; any program that can guess a buffer's handle can access the buffer itself. Work has been done in Wayland to use DMA-buf sharing, which does not suffer from the same confidentiality and integrity problems because it relies on file descriptor passing, rather than a globally visible handle. In Mesa 10.0, released in November 2013, the Wayland client EGL code does have support for secure DMA-buf sharing.
But there is still the question of what to do about programs that need to
circumvent some of those protections. For example, virtual keyboards need
to be able to generate input events, screen readers and screen shot
programs need to get access to the output buffers, screen lockers need to
capture all input, and so on. As Peres put it, if users don't have the
ability to allow these actions "people may refuse to use Wayland because it 'takes freedom away from them'
".
There are two different ways to achieve the goal of letting users (broadly defined to include distributions as well) break the security barriers: either static capability-like assignment to binaries, or determining the user's intent at runtime. Peres thinks that both should be implemented for Wayland. In addition, he sees a need for users to be able to determine whether any programs are currently running with elevated Wayland permissions (via static assignment) and to revoke those permissions if so.
Clients requiring extra privileges can be launched by the compositor so that it can provide a known, secure environment for those programs. A file descriptor of a socket that will allow the client to connect back to the compositor can be passed to the client using the WAYLAND_SOCKET environment variable. The actual descriptor is inherited by the client across the fork() and exec() calls, but its integer value is passed via the environment. Since the compositor has opened the socket to itself, and controls which client is executed, it can apply any privileges that have been assigned to the client to any operations made over that socket.
Handling the security policy for programs is a difficult problem. Different types of users and distributions will want to be able to implement their own policies. As we have seen with the Linux kernel, finding consensus on security policies is somewhere between really difficult and impossible. Peres expects to see the equivalent of the modular approach taken by Linux Security Modules (LSMs) for Wayland (perhaps Wayland Security Modules or WSMs). That way, different kinds of Wayland consumers will be able to choose a policy framework, much like distributions today choose SELinux, Smack, AppArmor, or to create their own.
Peres has plans to start working on WSMs (or whatever the name ends up being) soon. He has outlined some of the considerations that would need to go into a cross-compositor security framework as part of the discussion. It is a wide-open topic, in many ways, and one that is in its earliest planning stages; those interested in those kinds of problems (and their solutions) should probably get involved.
As can be seen, Wayland starts from a much stronger security position than X, but that doesn't mean that all of the work is done. Beyond the inevitable bugs, there are still some fundamental issues to consider—and work on.
| Index entries for this article | |
|---|---|
| Security | Wayland |
Posted Mar 13, 2014 10:31 UTC (Thu)
by SLi (subscriber, #53131)
[Link] (4 responses)
Treating a screen locker as "just another client" that just happens to capture all input is a hack that works to an extent as long as you don't want to do anything too unusual. It also opens surprising attack routes.
In my opinion screen locking is perhaps the one thing that Windows does right. In a multi-user environment, the user needs to be able to be sure he's typing his password into a genuine login prompt, not something that merely resembles it. Windows solves this by using a keyboard shortcut that cannot be captured by (non-privileged) programs, namely ctrl-alt-del. After pressing ctrl-alt-del you can be absolutely sure you are talking to an admin-sanctioned part of the OS installation.
Posted Mar 13, 2014 15:58 UTC (Thu)
by tialaramex (subscriber, #21167)
[Link] (1 responses)
Ctrl-Alt-Del is a SAK (Secure Attention Key)
Linux implements a SAK but it is rarely used for anything relevant here
However, the first thing that happens when you press the SAK in Windows is that it summons a separate desktop, and that means it captures all input. So I don't think Windows is behaving so differently as you think in this regard.
Posted Mar 13, 2014 16:29 UTC (Thu)
by raven667 (subscriber, #5198)
[Link]
I think this approach to work around key loggers has merit but only so far as the OS commits to it, and the user can identify when they are being phished, any password dialogs which happen in-band of the users desktop reduce the effectiveness of this design, even in Windows the local users password is accepted in dialogs, when changing privileged settings for example, that doesn't require a SAK to initiate the dialog.
Posted Mar 13, 2014 17:14 UTC (Thu)
by dgm (subscriber, #49227)
[Link] (1 responses)
Posted Mar 13, 2014 17:58 UTC (Thu)
by nybble41 (subscriber, #55106)
[Link]
I suppose that would depend on what you mean by "screen locker". I would define the screen locker as the program responsible for authenticating the user and unlocking the screen. Regardless of whether that task is built into the same binary as the compositor or outsourced to a privileged helper program, the "screen saver" portion could be left to an unprivileged process with no access to user input. There may well be good reason--privilege separate, flexibility, customization--to separate the authentication part from the compositor. That doesn't mean the purely decorative portion of the lock screen stack needs to be similarly privileged.
Posted Mar 14, 2014 4:39 UTC (Fri)
by idupree (guest, #71169)
[Link] (1 responses)
`pulseaudio --system`: http://www.freedesktop.org/wiki/Software/PulseAudio/Docum...
JACK_PROMISCUOUS_SERVER: see e.g. https://wiki.archlinux.org/index.php/JACK_Audio_Connectio...
Posted Mar 15, 2014 7:46 UTC (Sat)
by eean (subscriber, #50420)
[Link]
--system for sure isn't a prereq for properly handling a normal multiseat setup where there's one sound card per seat (though I'm not sure if Linux is multiseat aware enough to do it in practice.) But ideally you would just have one pulseaudio process per sound card and it would just work.
So what is your use case?
> On a tangent: Is there a plan for being able to securely mix *audio* from mutually mistrusting applications?
Isn't this a separate question from having only one sound server/system? Or are you assuming processes of the same user trust each other? The equivalent to the Wayland issue described would be PulseAudio granting special permission to access the mic or be pavucontrol.
The status of Wayland security
The status of Wayland security
The status of Wayland security
The status of Wayland security
The status of Wayland security
Audio security?
Audio security?