[Dev] Cynara

Carsten Haitzler c.haitzler at samsung.com
Thu Apr 10 10:21:26 GMT 2014



On 04/10/2014 07:08 PM, Jussi Laako wrote:
> On 10.4.2014 12:21, Carsten Haitzler wrote:
>> weston (or the display server) can just remote control your pim app,
>> monitor all keyboard input for passwords and more and just control the
>> app to export the data one way or another. it has to be assumed that
>> something like a displayserver etc. is already privileged as everything
>> you see and all you input goes through it.
> 
> At least from gSSO perspective, display server only has a narrow time
> window when it can capture the input. After that point it cannot access

all input goes through the display server. thus it has all the time in the
world to capture anything it likes. if it's malicious you're up the
creek without a paddle. the input goes THROUGH it via the display server
protocol (socket): it actively reads input devices and
munges/passes/routes data on to gui clients.

> the data unless it can impersonate its kernel process as being some
> other process. And it may not be sufficient anyway like entering PIN
> code for smart card, since display server process wouldn't be allowed
> to have access to the smart card.

if a user can input it, the display server can fake it. if the smart
card is already plugged in (incredibly likely) it'll work fine.

> This because in typical cases applications cannot retrieve the stored
> data, only ask operations to be performed using the stored data and this
> is still subject to per-process access control enforced on the IPC.
> 
> Think this as similar to popping up pinentry (used by gpg) and then
> performing write to a write-only database. Or similar to fusing
> properties to hardware. Only attack surface is at the point of
> performing the write.
> 
> But email application shouldn't be able to read your PayPal password,
> should it?

it wouldn't need the password. if the paypal app can transfer money (let's
say any useful app can do things like this as that's the job - to do such
things for a user), then the display server, if it so chooses, can just
trigger the launch of the paypal app (while you're not looking and the
screen is off). it can go punch in a pin number or password, click on
the buttons needed to start a transfer, enter numbers for destination
account, amount etc, then close off the app without you being any the
wiser. the display server can get access to display pixel data and ocr
the data if it really wants, so it can read like you can. the smarter
and more dedicated the programmer behind a malicious display server, the
more he can do.

the display server is, by its sheer nature and the data that goes through
it, a trusted process that you'd better hope you trust, and if you
don't, then tell me - how do you trust the kernel not to snoop in on
all of this too? if you can trust the kernel, you can grant trust to
other elements of the system necessary for making it work.

-- 
The above message is intended solely for the named addressee and may
contain trade secret, industrial technology or privileged and
confidential information otherwise protected under applicable law
including the Unfair Competition Prevention and Trade Secret Protection
Act. Any unauthorized dissemination, distribution, copying or use of the
information contained in this communication is strictly prohibited. If
you have received this communication in error, please notify the sender
by email and delete this communication immediately.
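The scenario Carsten describes (per-process access control on the credential store holds, yet a compositor that owns the input path and the pixels still drives the payment app end to end) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not code from Tizen, Weston, Cynara or gSSO, and every name in it (CredentialStore, PaymentApp, Compositor, the PIN and account strings) is invented for the example.

```python
"""Toy model of the trust argument: the compositor sits between the input
devices and the GUI clients, so ACLs on the secret store's IPC do not
stop it. All names and data here are constructed for the example."""
from dataclasses import dataclass


@dataclass
class KeyEvent:
    key: str  # one character or "ENTER"


class CredentialStore:
    """Secret store with per-process access control on its IPC: a process
    may only ask for operations on secrets it owns, never read them back."""

    def __init__(self):
        self._secrets = {}  # name -> (owner_pid, secret)
        self.audit = []

    def store(self, pid, name, secret):
        self._secrets[name] = (pid, secret)

    def verify(self, pid, name, candidate):
        owner, secret = self._secrets[name]
        if pid != owner:
            self.audit.append(f"DENIED pid={pid} op=verify name={name}")
            raise PermissionError("caller does not own this secret")
        return candidate == secret


class PaymentApp:
    """GUI client driven entirely by key events the compositor delivers."""

    def __init__(self, pid, store):
        self.pid, self.store = pid, store
        self.unlocked, self.buffer = False, ""
        self.transfers, self.screen = [], "enter PIN"

    def lock(self):
        self.unlocked, self.buffer, self.screen = False, "", "enter PIN"

    def handle(self, ev):
        if ev.key != "ENTER":
            self.buffer += ev.key
            return
        if not self.unlocked:
            if self.store.verify(self.pid, "pin", self.buffer):
                self.unlocked, self.screen = True, "enter destination account"
            else:
                self.screen = "wrong PIN"
        else:
            self.transfers.append(self.buffer)
            self.screen = f"transfer to {self.buffer} done"
        self.buffer = ""


class Compositor:
    """Owns the input devices and every client's pixels. Honest: forwards
    events to the focused client. Malicious: also records and injects."""

    def __init__(self, pid, malicious=False):
        self.pid, self.malicious = pid, malicious
        self.clients, self.focus = {}, None
        self.keylog = []  # (client, key), seen before the client sees it

    def register(self, name, client):
        self.clients[name] = client

    def focus_client(self, name):
        self.focus = name

    def device_input(self, ev):
        if self.malicious:
            self.keylog.append((self.focus, ev.key))
        self.clients[self.focus].handle(ev)

    def read_screen(self, name):  # stand-in for reading/OCR-ing the framebuffer
        return self.clients[name].screen

    def inject(self, name, keys):  # synthetic events; client cannot tell them apart
        self.focus = name
        for k in keys:
            self.clients[name].handle(KeyEvent(k))

    def captured_pin(self, name):
        keys = [k for client, k in self.keylog if client == name]
        return "".join(keys[: keys.index("ENTER")])


def run_scenario(malicious):
    store = CredentialStore()
    app = PaymentApp(pid=42, store=store)
    store.store(42, "pin", "2580")          # constructed sample secret
    comp = Compositor(pid=7, malicious=malicious)
    comp.register("payment", app)

    # legitimate session: the user unlocks the app, makes one transfer, leaves
    comp.focus_client("payment")
    for k in "2580" + "\n" + "ACC-0001" + "\n":
        comp.device_input(KeyEvent("ENTER" if k == "\n" else k))
    app.lock()

    # the ACL does its job against a direct request from the compositor...
    try:
        store.verify(comp.pid, "pin", "2580")
        direct_denied = False
    except PermissionError:
        direct_denied = True

    # ...but a malicious compositor never needs the store: it replays what it
    # saw and drives the app through the same event path the user's fingers use
    if malicious:
        pin = comp.captured_pin("payment")
        comp.inject("payment", list(pin) + ["ENTER"] + list("ACC-EVIL") + ["ENTER"])

    return {"direct_denied": direct_denied, "transfers": list(app.transfers),
            "screen": comp.read_screen("payment"), "audit": list(store.audit)}


if __name__ == "__main__":
    for flag in (False, True):
        print("malicious" if flag else "honest", run_scenario(flag))
```

The audit log shows exactly one denied request in both runs: the access-control layer worked as designed, and the second transfer still happened, because the attack never crossed the boundary the ACL protects. That is the point of the message: whatever is on the input and output path is inside the trust boundary whether the design admits it or not.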
