Password field security and information leaking
Ivan Čukić
ivan.cukic at kde.org
Sun Oct 14 17:59:39 BST 2018
> Is this a problem at all?
> I mean, by default applications can't read other applications memory so the
> only one that can try this kind of attacks is the root user.
Yes it is a problem.
It would be like saying no need to encrypt the hard drive - the privilege
system is enough.
Some of the recent side-channel attacks (like Spectre) allow partial memory
dumps. Mostly in-process memory dumps, but this is just the beginning of side-
channel exploits. You can expect that these will evolve over the years in a
similar fashion to buffer overflow attacks of yesteryear.
Also the potential of writing said data to the swap is another problem. Also
cold-boot attacks.
And, if we want to be the software collection that needs to be a privacy
heaven (see Privacy Goal https://phabricator.kde.org/T7050), we need to
provide utilities as safe as possible even for people like Snowden.
> If your system is compromised to the fact that root is evil you have lost
> already, surely root can install a key logger or something that will make
> it easy for her to snoop your passwords than having to grep the memory for
> them, no? (Well on X11 any application can install a keylogger but let's
> assume you're under Wayland :D)
Having easier attack vectors (which are not always available - for example, in
the cold-boot scenario etc.) does not give us the excuse to provide more
attack vectors.
> AFAIR there's private dbus through apparmor, that'd be a simpler fix,
> unfortunately apparmor is not default on all distros so doesn't really
> solve much for us.
> Not sure if any other dbus or kernel security enhancements implement or plan
> to implement this.
As mentioned in the previous mail, a similar approach is used by Secret
Service.
> but who cares about that? At this point I can just go to kwalletd and write
> a program that will say "Hey, I'm the network manager, give me this
> password" and there's no way for kwalletd to figure out if this is true or
> not, so it'll just give that program access to all my passwords without any
> need to snoop at the transport layer.
That is a completely separate issue. KWallet design is broken.
> I've been thinking about that for a while and the only solution I've found
> is signing the binaries.
I agree. It would be nice if someone wanted to work on that as well.
Cheers,
Ivan
dr Ivan Čukić
KDE, ivan.cukic at kde.org, https://cukic.co/
gpg key fingerprint: 8FE4 D32F 7061 EA9C 8232 07AE 01C6 CE2B FF04 1C12
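Locking the password buffer against swap and wiping it before the memory is released is the usual mitigation for the swap and cold-boot concerns raised in this mail. The following is an added example, not code from KDE, KWallet or anyone in this thread: it uses POSIX mlock(), Linux madvise(MADV_DONTDUMP) and a volatile-pointer wipe. The secret_buf type, its functions and the sample secret are hypothetical names constructed here for illustration.

```c
/* secret_buf.c: keep a password in memory that is locked against swap,
 * excluded from core dumps, and wiped before release.
 * Added illustration (POSIX/Linux), not code from KDE or this thread. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {
    unsigned char *data;   /* page-aligned, mlock()ed region */
    size_t len;            /* bytes currently in use */
    size_t cap;            /* allocated bytes (a multiple of the page size) */
    int locked;            /* 1 if mlock() succeeded, else 0 */
} secret_buf;

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * stores as "dead" just because the buffer is freed right afterwards. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

static size_t page_size(void) {
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Allocate at least `want` bytes, lock them into RAM and keep them out of
 * core dumps. Returns -1 on allocation failure. If mlock() fails (typically
 * a low RLIMIT_MEMLOCK) the buffer is still usable but b->locked is 0; a
 * hardened caller should treat that as fatal rather than continue silently. */
static int secret_buf_init(secret_buf *b, size_t want) {
    size_t ps = page_size();
    size_t cap = (want + ps - 1) / ps * ps;
    if (cap == 0) cap = ps;
    void *p = NULL;
    if (posix_memalign(&p, ps, cap) != 0) return -1;
    memset(p, 0, cap);
    b->data = p; b->len = 0; b->cap = cap;
    b->locked = (mlock(p, cap) == 0);
#ifdef MADV_DONTDUMP
    (void)madvise(p, cap, MADV_DONTDUMP);   /* Linux: omit from core dumps */
#endif
    return 0;
}

/* Copy `n` bytes into the buffer; reject anything that would overflow it. */
static int secret_buf_set(secret_buf *b, const void *src, size_t n) {
    if (n > b->cap) return -1;
    secure_wipe(b->data, b->cap);          /* drop any previous secret first */
    memcpy(b->data, src, n);
    b->len = n;
    return 0;
}

/* Zero the whole region (not just `len`) and forget the length. */
static void secret_buf_wipe(secret_buf *b) {
    secure_wipe(b->data, b->cap);
    b->len = 0;
}

/* 1 if every byte of the region is zero, else 0. */
static int secret_buf_is_wiped(const secret_buf *b) {
    for (size_t i = 0; i < b->cap; i++)
        if (b->data[i] != 0) return 0;
    return 1;
}

/* Wipe, unlock and release. */
static void secret_buf_free(secret_buf *b) {
    if (!b->data) return;
    secret_buf_wipe(b);
    if (b->locked) (void)munlock(b->data, b->cap);
    free(b->data);
    b->data = NULL; b->cap = 0; b->locked = 0;
}

int main(void) {
    /* Constructed sample secret; a real password field would fill this from
     * the key events instead of from a string literal. */
    const char sample[] = "correct horse battery staple";
    secret_buf b;
    if (secret_buf_init(&b, 256) != 0) return 1;
    printf("mlock: %s\n", b.locked ? "ok" : "failed (raise RLIMIT_MEMLOCK)");
    if (secret_buf_set(&b, sample, sizeof sample - 1) != 0) return 1;
    printf("stored %zu bytes in a locked buffer\n", b.len);
    secret_buf_free(&b);       /* zeroed before the pages go back to malloc */
    return 0;
}
```

Two caveats a practitioner should keep in mind. Locking and wiping shorten the window in which the secret exists in RAM and keep it off disk; they do nothing for a cold-boot attacker who images RAM while the secret is live, so the buffer should be wiped the moment the password has been handed to its consumer. And the whole scheme is undone by any copy of the secret into an ordinary heap string (a toolkit string class, a logging call, a signal argument), so the password has to stay in the locked buffer from key event to consumer.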