[Plash] Re: X11 proxy related questions

[Liraz]

Hi Mark,

> I have since found a tool which should be able to provide most of the
> X security requirements very quickly: Xpra.  It takes quite a
> different approach to my X proxy.  It runs applications under a
> separate X server (Xvfb).  It forwards window contents to the real X
> server, and forwards keyboard and mouse input and window positions in
> the other direction to the Xvfb server.  It was not originally
> intended a security tool, but as an X equivalent of "screen".
> See <http://partiwm.org> and
> <http://lists.partiwm.org/pipermail/parti-discuss/2008-April/000014.html>.
>
> I am not actively working on the X proxy, so I can't say when it will
> be usable.  I will probably try improving Xpra first.

Xpra looks very interesting. I didn't realize it could be used for this purpose 
when I first came across it. Thanks for the reference!

> What security properties are you interested in?  Preventing input
> injection, for example, is much easier than preventing keyboard
> snooping.  Preventing denial of service is hard.  You might want to
> stop applications from stealing the input focus, for example, which
> really requires window mangaer support; it can't easily be done by
> Xpra or an X proxy on its own.

I don't really care about preventing denial of service, but I do care about 
keyboard snooping which could reveal confidential data and also about allowing 
an untrusted application (e.g., firefox) to inject events into arbitrary windows 
on my desktop.

Stealing input focus is a borderline concern as I believe it would be harder to 
exploit in practice.

> > 3) Will secure selections between trusted and untrusted applications be
> >     possible?
>
> I believe it will be possible to forward the X selection between
> trusted and sandboxed applications with the X proxy or Xpra.  x2x and
> Synergy already do this.

Yes, I've used x2x to forward X selections between a trusted X server and an 
untrusted nested X server. I'll have to experiment to see how well this works 
with Xpra/Xvfb.

> The harder part is what it might mean to do that securely.  There are
> some notes on the wiki about that:
> <http://plash.beasts.org/wiki/TrustedPathButtons>
> and a thread here:
> <http://lists.laptop.org/pipermail/security/2008-April/000391.html>.
> In brief, doing copy and paste via the keyboard shortcuts Ctrl-C and
> Ctrl-V can be made secure without changing X applications, but making
> Copy and Paste menu items secure will require modifying applications.

Good idea. I've read the links and I understand the principles, but does an 
implementation already exist that I could try out?