The previous email contained a stupid copy/paste error. Here is the version for
which we're looking to have comments. Apologies to whoever had read the
first email already.
Kind regards,
--
Light-locker Threat Model Draft
Forward replies to:
Steve Dodier-Lazaro <s.dodier-lazaro at cs.ucl.ac.uk>
Simon Steinbeiss <simon at xfce.org>
Peter de Ridder <peter at xfce.org>
Version information:
Draft 1.1
2014-10-14
### Policy of sessions ###
Principals: current user, other logged in and logged out users
Assets: each user's data and sessions, and their authentication data, access
to [capture] hardware
Properties: Session integrity, availability, confidentiality, Data integrity and
confidentiality (DAC, only owner can read/write session and only relevant *NIX
DAC+LSM MAC users can read/write data)
Purpose of light-locker: implementing authentication for access to the
session, preventing an unguarded session from being used to interact with any
other asset
### Input space for user and adversary, relevant to light-locker ###
Greeter UI
Greeter-locker IPC channel
Other greeter IPC channels
Hardware plugs of any kind, causing plug-n-play reactions
Input devices
### Threat model ###
Adversary 1: physical attacker with restricted time (less than to copy your HDD
or execute an Evil Maid attack if FDE) and no willingness to carry out attacks
involving theft
Caps:    - log in normally through brute force or password guessing
         - log in by causing memory corruptions and code injection in the auth
           form
         - insert hardware to exploit a kernel bug
         - insert hardware to exploit a bug in whatever desktop environment code
           reacts to it
         - interact with IPC protocols between greeter and music player, a11y
           apps, locker and login greeter
Threats: - successful login from adversary
         - RCE with root privilege (kernel bugs)
         - RCE with user privilege in one of the user's X11 sessions
           (kernel+DE bugs)
         - crashing the greeter/locker through malformed input on any available
           interface
Adversary 2: attacker who controls an app run by the current user (previously
compromised, or malware installed by user)
Caps:    - read and write virtually any data on the user's session
         - modify environment variables or config keys relevant to locker
         - replace user's apps with own malware by prioritising own malware
           in the PATH
         - any IPC with any other user-run app
         - potentially, knowledge of zero-day in lightdm/light-locker/the
           kernel/PAM modules
         - interact with greeter as a fake locker on the main VT
         - using the capture hardware (webcam, microphone)
Threats: - privilege escalation to root account or lightdm account
         - spying on the user when ACPI reports the user is away
         - replacing the locker with a fake and stealing the password when
           it's typed
         - intrusion into locker/greeter through any code vulnerability
         - through IPC channels with greeter/locker, crashing them to prevent
           them from enforcing whatever restrictions they may enforce on the
           session
### Useful reads ###
https://plus.google.com/106086509626546157534/posts/VbcxrUaxQ35
http://www.webupd8.org/2013/07/light-locker-new-session-locker-for.html
http://theinvisiblethings.blogspot.co.uk/2011/04/linux-security-circus-on-gui-isolation.html
http://www.x.org/releases/X11R7.5/doc/security/XACE-Spec.html
http://seclists.org/oss-sec/2014/q1/327
https://bugs.launchpad.net/ubuntu/+source/lxsession/+bug/1205384
--
Steve Dodier-Lazaro
PhD student in Information Security
University College London
Dept. of Computer Science
Malet Place Engineering, 6.07
Gower Street, London WC1E 6BT
OpenPGP : 1B6B1670
________________________________
From: Dodier-Lazaro, Steve <s.dodier-lazaro.12 at ucl.ac.uk>
Sent: 14 February 2014 00:58
To: simon at xfce.org; peter at xfce.org; lightdm at lists.freedesktop.org;
oss-security at lists.openwall.com
Cc: s.dodier-lazaro at cs.ucl.ac.uk
Subject: light-locker security
Dear all,
This is in reply to a request for audit that was notified to me by Simon.
Apologies for the separate post but I couldn't reply to original ones as I
was not on any relevant ML (see http://seclists.org/oss-sec/2013/q2/613).
Any review/amend is greatly appreciated.
When replying, please make sure to cc. the LightDM ML and myself.
Kind regards,
--
Light-locker Threat Model Draft
Forward replies to:
Steve Dodier-Lazaro <s.dodier-lazaro at cs.ucl.ac.uk>
Simon Steinbeiss <simon at xfce.org>
Peter de Ridder <peter at xfce.org>
Version information:
Draft 1.0
2014-10-14
[...]
--
Steve Dodier-Lazaro
PhD student in Information Security
University College London
Dept. of Computer Science
Malet Place Engineering, 6.07
Gower Street, London WC1E 6BT
OpenPGP : 1B6B1670
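The Adversary 2 capability "replace user's apps with own malware by prioritising own malware in the PATH" in the draft above can be checked for on a given session. The following is an added example, not part of the original email or of light-locker's code: it walks PATH in lookup order and reports every entry a non-root process can write to that is searched before a trusted copy of the locker binaries. The function names `untrusted_reason` and `audit_path` and the choice of uid 0 as the only trusted owner are assumptions of this example.

```python
import os
import stat

# Binaries shipped by light-locker; extend for greeter or helper commands.
LOCKER_BINARIES = ("light-locker", "light-locker-command")


def untrusted_reason(entry, trusted_uids=(0,)):
    """Say why a non-root process could plant files in a PATH entry, else None."""
    if not os.path.isabs(entry):
        return "relative or empty entry, resolved against the current directory"
    probe = entry
    while not os.path.exists(probe):      # a missing entry can be created by
        probe = os.path.dirname(probe)    # whoever controls its nearest ancestor
    st = os.stat(probe)
    if st.st_uid not in trusted_uids:
        return f"{probe} is owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{probe} is group- or world-writable"
    return None


def audit_path(path_value, names=LOCKER_BINARIES, trusted_uids=(0,)):
    """Return PATH entries searched before a trusted copy of each binary."""
    findings = []
    for name in names:
        for index, entry in enumerate(path_value.split(os.pathsep)):
            candidate = os.path.join(entry or ".", name)
            present = os.path.isfile(candidate) and os.access(candidate, os.X_OK)
            reason = untrusted_reason(entry, trusted_uids)
            if reason:
                findings.append({"name": name, "index": index, "entry": entry,
                                 "reason": reason, "shadowed_now": present})
            elif present:
                break  # lookup stops at this trusted copy; later entries are moot
    return findings


if __name__ == "__main__":
    # Audit the PATH this process inherited from the session.
    for f in audit_path(os.environ.get("PATH", "")):
        state = "SHADOWED" if f["shadowed_now"] else "plantable"
        print(f"{f['name']}: {state} via PATH[{f['index']}]={f['entry']!r} ({f['reason']})")
```

The check looks only at each directory's own owner and mode bits; ACLs and writable parent directories of an existing entry are outside its scope.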