On 04/10/2014 07:08 PM, Jussi Laako wrote: > On 10.4.2014 12:21, Carsten Haitzler wrote: >> weston (or the display server) can just remote control your pim app, >> monitor all keyboard input for passwords and more and just control the >> app to export the data one way or another. it has to be assumed that >> something like a displayserver etc. is already priveleged as everything >> you see and all you input goes through it. > > At least from gSSO perspective, display server only has narrow time > window when it can capture the input. After that point it cannot access
all input goes thru the display server. thus it has all the time in the world to capture anything it likes. if it's malicious you're up the creek without a paddle. the input goes THROUGH it via the display server protocol (socket) it actively reads input devices and munges/passes/routes data onto gui clients. > the data unless it can impersonate it's kernel process as being some > other process. And it may not be sufficient anyway like entering PIN > code for smart card, since display server process wouldn't be allowed > have access to the smart card. if a user can input it. the display server can fake it. if ths smart card is already plugged in (incredibly likely) it'll work fine. > This because in typical cases applications cannot retrieve the stored > data, only ask operations to be performed using the stored data and this > is still subject to per-process access control enforced on the IPC. > > Think this as similar to popping up pinentry (used by gpg) and then > performing write to a write-only database. Or similar to fusing > properties to hardware. Only attack surface it at the point of > performing the write. > > But email application shouldn't be able to read your PayPal password, > should it? it wouldnt need the password. if the paypal app can transfer money (lets say any useful app can do things like this as thats the job - to do such things for a user), then the display server, if it so chooses, can just trigger the launch of the paypall app (while you're not looking and screen is off). it can go punch in a pin number or password. click on the buttons needed to start a transfer, enter numbers for destination account, amunt etc, then close off the app without you being any the wiser. the display server can get access to display pixel data and ocr the data if it really wants, so it can read like you can. the smarter and more dedicated the programmer behind a malicious display server, the more he can do. the display server is by its sheer nature and the data that goes through it, a trusted process that you'd better hope you trust, and if yuou don't, then tell me - how do you trust the kernel not to sanoop in on all of this too? if you can trust the kernel, you can grant trust to other elements of the system necessary for making it work. -- The above message is intended solely for the named addressee and may contain trade secret, industrial technology or privileged and confidential information otherwise protected under applicable law including the Unfair Competition Prevention and Trade Secret Protection Act. Any unauthorized dissemination, distribution, copying or use of the information contained in this communication is strictly prohibited. If you have received this communication in error, please notify the sender by email and delete this communication immediately.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Dev mailing list Dev@lists.tizen.org https://lists.tizen.org/listinfo/dev
