* Do you trust X server?
@ 2005-03-17 22:28 Jun OKAJIMA
From: Jun OKAJIMA @ 2005-03-17 22:28 UTC (permalink / raw)
To: SELinux
Hello.
I am not sure that this is the proper place to discuss this issue,
but do you trust the X server (or video driver) when you use your PC
with X Window?
Most (and probably all) X servers run as root on Linux.
Then, if it has (and it must have) a buffer overflow or any vulnerability,
it would execute some cruel code if a certain set of drawing commands comes.
A cracker makes web sites containing HTML or SVG or ... to make such a command
set be displayed. Then you can be cracked just by browsing the pages,
without being required to click untrusted contents explicitly.
Have you considered this risk? Is there any site about this issue?
And is there any measure to solve this issue with SELinux?
--- Okajima, Jun. Tokyo, Japan.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Do you trust X server?
From: Valdis.Kletnieks @ 2005-03-18 5:26 UTC (permalink / raw)
To: Jun OKAJIMA; +Cc: SELinux
On Fri, 18 Mar 2005 07:28:58 +0900, Jun OKAJIMA said:
> Then, if it has ( and it must have ) a buffer overflow or any vulnerability,
> and it would execute some cruel code if a certain drawing commands set comes.
> A cracker makes web sites contain htmls or SVG or ... to make a such commands
> set to be displayed. Then, you can be cracked with just browsing the pages,
> not being required to click untrusted contents explicitly.
Much more likely, a malicious website will cause the *browser* to become
exploited due to a bug in the browser (which *is* a real threat, and the
reason there's a mozilla_t policy).
For a remote exploit of the X server itself, you'd have to find a way to
exploit the X protocol, which is *very* low-level - even something like a
scrollbar is just 10 or 20 "draw this set of pixels" requests, a button is
a request to draw the pixels in the face, then maybe write a string at a
given location on the screen (for the label), then several more requests for
drawing pixels for any highlights/shadows for a 3-d effect. Then the X server
sends back things like "mouse button 1 clicked at X,Y coordinates", and the
program has to figure out if it's on the scrollbar or button, and if it is, ask
the X server to draw *new* pixels for the "pushed in" button's border, and so on.
There's probably plenty of bugs left in the X protocol - but you'd have to find
a way to make a browser make the buggy request without also crashing the browser,
and the exploit would likely crash the X server as well.
* Re: Do you trust X server?
From: Tom @ 2005-03-18 8:35 UTC (permalink / raw)
To: SELinux
On Fri, Mar 18, 2005 at 12:26:04AM -0500, Valdis.Kletnieks@vt.edu wrote:
> For a remote exploit of the X server itself, you'd have to find a way to
> exploit the X protocol,
Not true.
This was 2002, and it was a DoS, but it shows that the X server can be
attacked through remote applications:
http://web.lemuria.org/security/mozilla-dos.html
The short: A font-rendering bug in X can cause a system freeze if mozilla
is instructed to render a huge (like 1666666 pixels) font.
Don't trust X. Microsoft made the mistake of trusting the GUI system,
and we all know what shatter attacks are, don't we?
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: Do you trust X server?
From: Stephen Smalley @ 2005-03-18 12:38 UTC (permalink / raw)
To: Jun OKAJIMA; +Cc: SELinux
On Fri, 2005-03-18 at 07:28 +0900, Jun OKAJIMA wrote:
>
> Hello.
>
> I am not sure that here is the proper place to discuss this issue,
> but do you trust X server (or video driver), when you use your PC
> with X window?.
>
> Most ( and probably all) X server runs as root on Linux.
> Then, if it has ( and it must have ) a buffer overflow or any vulnerability,
> and it would execute some cruel code if a certain drawing commands set comes.
> A cracker makes web sites contain htmls or SVG or ... to make a such commands
> set to be displayed. Then, you can be cracked with just browsing the pages,
> not being required to click untrusted contents explicitly.
>
> Have you considered this risk? Is there any site about this issue?
> And any measure to solve this issue with SE linux?
There are ways to run X with less privilege (unrelated to SELinux), and
SELinux can then be used to limit the capabilities granted to the X
server. X is also a concern for SELinux because without modification,
it allows uncontrolled information flow among X clients, potentially
violating the security policy. The latter concern (but not the former
one) is being addressed by the security enhanced X work, originally by
Eamon Walsh and now picked up by Trusted Computer Solutions. See:
http://www.nsa.gov/selinux/papers/x11-abs.cfm
http://www.nsa.gov/selinux/list-archive/0405/7030.cfm
http://lists.freedesktop.org/pipermail/xorg/2005-February/006452.html
http://lists.freedesktop.org/archives/xorg/2005-March/006906.html
--
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency
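Smalley's point that SELinux can only limit the capabilities the X server is granted invites a concrete check of how much privilege the server process actually holds. The script below is an added example, not code from this thread or from any project it mentions; it decodes the CapEff mask from /proc/<pid>/status and reports uid and SELinux domain, using constructed sample records (the status text, the xserver_t context and the capability masks are all constructed for the example).

```python
"""Check how much privilege an X server process holds: uid, SELinux domain
and effective capabilities, parsed from /proc/<pid>/status style text.
Constructed sample data stands in for a live system so this runs offline."""
import re

# Linux capability names in bit order (bit 0 = CAP_CHOWN ... bit 40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

def decode_caps(mask_hex):
    """Turn a CapEff hex mask into the set of capability names it grants."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def parse_status(text):
    """Extract Name, real uid and CapEff from /proc/<pid>/status text."""
    fields = dict(re.findall(r"^(\w+):\s*(.*)$", text, re.M))
    return {
        "name": fields["Name"],
        "uid": int(fields["Uid"].split()[0]),
        "caps": decode_caps(fields["CapEff"]),
    }

def assess(status_text, context):
    """Summarise one process: root or not, SELinux domain, and the capabilities
    that give a compromised X server direct hardware or kernel reach."""
    info = parse_status(status_text)
    risky = info["caps"] & {"sys_rawio", "sys_admin", "sys_module", "dac_override"}
    return {
        "name": info["name"],
        "runs_as_root": info["uid"] == 0,
        "domain": context.split(":")[2] if context.count(":") >= 2 else context,
        "n_caps": len(info["caps"]),
        "risky_caps": sorted(risky),
    }

# Constructed samples: a classic root X server with the full capability set of
# its era (bits 0-37), and a non-root server left with no capabilities at all.
ROOT_XORG = "Name:\tXorg\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
USER_XORG = "Name:\tXorg\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
SAMPLE_CTX = "system_u:system_r:xserver_t:s0"  # constructed SELinux context

if __name__ == "__main__":
    for sample in (ROOT_XORG, USER_XORG):
        print(assess(sample, SAMPLE_CTX))
```

On a live system the same functions can be fed the contents of /proc/<pid>/status and /proc/<pid>/attr/current for the X server's pid.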
* Re: Do you trust X server?
From: Daniel J Walsh @ 2005-03-18 16:07 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Jun OKAJIMA, SELinux
Stephen Smalley wrote:
>On Fri, 2005-03-18 at 07:28 +0900, Jun OKAJIMA wrote:
>
>>Hello.
>>
>>I am not sure that here is the proper place to discuss this issue,
>>but do you trust X server (or video driver), when you use your PC
>>with X window?.
>>
>>Most ( and probably all) X server runs as root on Linux.
>>Then, if it has ( and it must have ) a buffer overflow or any vulnerability,
>>and it would execute some cruel code if a certain drawing commands set comes.
>>A cracker makes web sites contain htmls or SVG or ... to make a such commands
>>set to be displayed. Then, you can be cracked with just browsing the pages,
>>not being required to click untrusted contents explicitly.
>>
>>Have you considered this risk? Is there any site about this issue?
>>And any measure to solve this issue with SE linux?
>
>There are ways to run X with less privilege (unrelated to SELinux), and
>SELinux can then be used to limit the capabilities granted to the X
>server. X is also a concern for SELinux because without modification,
>it allows uncontrolled information flow among X clients, potentially
>violating the security policy. The latter concern (but not the former
>one) is being addressed by the security enhanced X work, originally by
>Eamon Walsh and now picked up by Trusted Computer Solutions. See:
>http://www.nsa.gov/selinux/papers/x11-abs.cfm
>http://www.nsa.gov/selinux/list-archive/0405/7030.cfm
>http://lists.freedesktop.org/pipermail/xorg/2005-February/006452.html
>http://lists.freedesktop.org/archives/xorg/2005-March/006906.html
>
Jim Gettys also mentioned at the SELinux Symposium some effort to get X
to not need to run as root (or at least most of X).
* Re: Do you trust X server?
@ 2005-03-18 16:21 Casey Schaufler
From: Casey Schaufler @ 2005-03-18 16:21 UTC (permalink / raw)
To: Tom, SELinux
--- Tom <tom@lemuria.org> wrote:
> On Fri, Mar 18, 2005 at 12:26:04AM -0500, Valdis.Kletnieks@vt.edu wrote:
> > For a remote exploit of the X server itself, you'd have to find a way to
> > exploit the X protocol,
>
> Not true.
Let us be clear. The X consortium has always
made it plain that the X server provides mechanism,
not policy. You can trust the X server to the same
degree you can trust any part of the system that
does not implement or enforce policy. If you
choose to use the X server as a component of
your policy enforcement that is your affair,
but the appropriate use of that code is your
responsibility, not that of the X server.
> This was 2002, and it was a DoS, but it shows that the X server can be
> attacked through remote applications:
>
> http://web.lemuria.org/security/mozilla-dos.html
>
> The short: A font-rendering bug in X can cause a system freeze if mozilla
> is instructed to render a huge (like 1666666 pixels) font.
There are bugs in code that provides mechanism.
The security consequences of these problems are
one reason why systems are evaluated as a whole,
not by their individual components.
> Don't trust X.
The case mentioned above requires breakdowns
in the browser, font manager, and system admin.
None of these are X server problems. Further,
the "system" is not damaged at all. The DoS
"attack" is a programming flaw, or "bug" in
the jargon.
Casey Schaufler
casey@schaufler-ca.com
* Re: Do you trust X server?
From: Valdis.Kletnieks @ 2005-03-18 16:58 UTC (permalink / raw)
To: Tom; +Cc: SELinux
On Fri, 18 Mar 2005 09:35:12 +0100, Tom said:
> On Fri, Mar 18, 2005 at 12:26:04AM -0500, Valdis.Kletnieks@vt.edu wrote:
> > For a remote exploit of the X server itself, you'd have to find a way to
> > exploit the X protocol,
>
> Not true.
>
> This was 2002, and it was a DoS, but it shows that the X server can be
> attacked through remote applications:
>
> http://web.lemuria.org/security/mozilla-dos.html
>
> The short: A font-rendering bug in X can cause a system freeze if mozilla
> is instructed to render a huge (like 1666666 pixels) font.
Which is what I said - you'd have to find a bug that you can exploit through
the client. And as I *also* said, even if you *found* such a bug, it would
*probably* result in a crash of either the browser or X.
And how many issues have there been with Mozilla and Firefox since 2002?
I'd worry more about those...
* Re: Do you trust X server?
From: Tom @ 2005-03-24 20:26 UTC (permalink / raw)
To: Casey Schaufler; +Cc: SELinux
On Fri, Mar 18, 2005 at 08:21:44AM -0800, Casey Schaufler wrote:
> Let us be clear. The X consortium has always
> made it plain the the X server provides mechanism,
> not policy.
That it does. Nevertheless, its impact on the policy needs to be
evaluated if you want to use X on an SELinux system. There's no point
in saying "sure, it breaks all my security, but hey, it wasn't designed
to keep the policy intact".
Of course X is policy-ignorant. Most of the programs that SELinux has
policies for are.
> You can trust the X server to the same
> degree you can trust any part of the system that
> does not implement or enforce policy.
i.e. ca. 90% of the applications we've written .te files for so far.
> If you
> chose to use the X server as a component of
> your policy enforcement that is your affair,
> but the appropriate use of that code is your
> responsibility, not that of the X server.
That depends. As far as we can provide policy enforcement externally,
the X server doesn't have to care. However, it has been noted in past
discussions that the X server is, like login or ssh, one of the
programs that cannot fulfill their role within an SELinux environment
without either endangering said environment or becoming policy-aware.
> the "system" is not damaged at all. The DoS
> "attack" is a programming flaw, or "bug" in
> the jargon.
Most security issues are the consequence of programming flaws. ;)
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
* Re: Do you trust X server?
@ 2005-03-24 20:41 Casey Schaufler
From: Casey Schaufler @ 2005-03-24 20:41 UTC (permalink / raw)
To: Tom, Casey Schaufler; +Cc: SELinux
--- Tom <tom@lemuria.org> wrote:
> > If you chose to use the X server as a component of
> > your policy enforcement that is your affair,
> > but the appropriate use of that code is your
> > responsibility, not that of the X server.
>
> That depends. As far as we can provide policy enforcement externally,
> the X server doesn't have to care.
Yes, that is correct.
> However, it has been noted in past
> discussions that the X server is, like login or ssh,
Excuse me, but the X server is not like login or ssh.
Login and ssh are policy enforcing programs. As I
noted above, the X server is not.
> one of the programs that cannot fulfill their role within an SELinux environment
> without either endangering said environment or becoming policy-aware.
If this is true it is a problem with the SELinux
environment, not the X server. The SGI Irix B1
evaluation of 1995 used an unmodified X server
that did no policy enforcement. The environment
was not endangered by the presence of the X server.
Casey Schaufler
casey@schaufler-ca.com
* Re: Do you trust X server?
From: Tom @ 2005-03-24 21:02 UTC (permalink / raw)
To: Casey Schaufler; +Cc: SELinux
On Thu, Mar 24, 2005 at 12:41:00PM -0800, Casey Schaufler wrote:
> Login and ssh are policy enforcing programs. As I
> noted above, the X server is not.
No, but it may nevertheless be "like login or ssh" in the respect that
it needs to be modified.
Please refer to the archives for the in-depth discussion of the
necessity and its reasons.
> If this is true it is a problem with the SELinux
> environment, not the X server. The SGI Irix B1
> evaluation of 1995 used an unmodified X server
> that did no policy enforcement. The environment
> was not endangered by the presence of the X server.
I am not familiar with the details of the evaluation, so I can not
argue about it.
--
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5