1<?xml version="1.0" encoding="UTF-8" ?> 2<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" 4[ 5<!ENTITY % defs SYSTEM "defs.ent"> %defs; 6]> 7 8 9<!-- by TeX4ht (http://www.cse.ohio-state.edu/~gurari/TeX4ht/) 10xhtml,docbook,html,refcaption 11--> 12 13<book id="analysis"> 14 15<bookinfo> 16 <title>Analysis of the X Protocol for Security Concerns</title> 17 <pubdate>May 10, 1996</pubdate> 18 <authorgroup> 19 <author> 20 <firstname>David</firstname><othername>P.</othername><surname>Wiggins</surname> 21 <affiliation><orgname>X Consortium</orgname></affiliation> 22 </author> 23 </authorgroup> 24 <releaseinfo>X Version 11, Release &fullrelvers;</releaseinfo> 25 <releaseinfo>Draft Version 2</releaseinfo> 26 <copyright><year>1996</year><holder>X Consortium</holder></copyright> 27 28<legalnotice> 29<para> 30Permission is hereby granted, free of charge, to any person obtaining 31a copy of this software and associated documentation files (the 32"Software"), to deal in the Software without restriction, including 33without limitation the rights to use, copy, modify, merge, publish, 34distribute, sublicense, and/or sell copies of the Software, and to 35permit persons to whom the Software is furnished to do so, subject to 36the following conditions: 37</para> 38<para> 39The above copyright notice and this permission notice shall be included 40in all copies or substantial portions of the Software. 41</para> 42<para> 43THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS 44OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 45MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 46IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR 47OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 48ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 49OTHER DEALINGS IN THE SOFTWARE. 50</para> 51<para> 52Except as contained in this notice, the name of the X Consortium shall 53not be used in advertising or otherwise to promote the sale, use or 54other dealings in this Software without prior written authorization 55from the X Consortium. 56</para> 57<para>X Window System is a trademark of The Open Group.</para> 58</legalnotice> 59 60<abstract> 61<para> 62This paper attempts to list all instances of certain types of security 63problems in the X Protocol. Issues with authorization are not addressed. 64We assume that a malicious client has already succeeded in connecting, 65and try to assess what harm it can then do. We propose modifications to 66the semantics of the X Protocol to reduce these risks. 67</para> 68</abstract> 69</bookinfo> 70 71<chapter id='Definition_of_Threats'> 72<title>Definition of Threats</title> 73 74<para> 75We analyze the X protocol for the following threats. 76</para> 77 78<variablelist> 79 <varlistentry> 80 <term>Theft</term> 81 <listitem> 82 <para> 83occurs when a client gains access to information owned by another client 84without explicit permission from that other client. For this analysis, 85we take a broad view of ownership: any information that exists in the 86server due to the actions of a client is considered owned by that client. 87Furthermore, the client that has input focus owns keyboard events, and the 88client that owns the window that the pointer is in owns mouse events. This 89view may reveal certain instances of "theft" that we don't care to stop, 90but we think it is better to identify all potential candidates up front and 91cull the list later than to do a partial analysis now and plan on reanalyzing 92for remaining holes later. 93 </para> 94 </listitem> 95 </varlistentry> 96 <varlistentry> 97 <term>Denial of service</term> 98 <listitem> 99 <para> 100occurs when a client causes another client or the user to lose the ability 101to perform some operation. 102 </para> 103 </listitem> 104 </varlistentry> 105 <varlistentry> 106 <term>Spoofing</term> 107 <listitem> 108 <para> 109occurs when a client attempts to mimic another client with the hope that 110the user will interact with it as if it really were the mimicked client. A 111wide variety of requests may be used in a spoofing attack; we will only 112point out a few likely candidates. 113 </para> 114 </listitem> 115 </varlistentry> 116 <varlistentry> 117 <term>Destruction</term> 118 <listitem> 119 <para> 120occurs when a client causes another client to lose information in a way 121that the client or user is likely to notice. (This does not count expected 122forms of destruction, e.g., exposures.) 123 </para> 124 </listitem> 125 </varlistentry> 126 <varlistentry> 127 <term>Alteration</term> 128 <listitem> 129 <para> 130occurs when a client causes another client to lose information in a way 131that the client or user is unlikely to notice. e.g., changing one pixel in a 132drawable. 133 </para> 134 </listitem> 135 </varlistentry> 136</variablelist> 137 138<para> 139The line between alteration and destruction is subjective. Security 140literature does often distinguish between them, though not always 141explicitly. Alteration is often considered more insidious because 142its effects may not be realized until long after it has occurred. In 143the intervening time, each time the altered data is used, it can cause 144more damage. 145</para> 146</chapter> 147 148<chapter id='General_security_concerns_and_remedies'> 149<title>General security concerns and remedies</title> 150 151<para> 152The following sections discuss security problems intrinsic to the X 153Protocol. A statement of each problem is usually followed by potential 154remedies. A few words here about possible remedies will help frame the 155specific ones described below. 156</para> 157 158<para> 159If a client attempts a threatening operation, the server may take one of 160the following actions, listed roughly in order of severity: 161</para> 162 163<orderedlist> 164 <listitem> 165 <para> 166Execute the request normally. This is the right choice when we decide that a 167particular threat is not serious enough to worry about. 168 </para> 169 </listitem> 170 <listitem> 171 <para> 172Execute the request in some modified form, e.g., substitute different 173values for some of the request fields, or edit the reply. 174 </para> 175 </listitem> 176 <listitem> 177 <para> 178Arrange to ask the user what to do, given some subset of the other choices 179in this list. This must be used sparingly because of the performance impact. 180 </para> 181 </listitem> 182 <listitem> 183 <para> 184Treat the request as a no-op. If the client will probably not notice, or 185if it seems likely that the intent was benign, this is a good choice. 186 </para> 187 </listitem> 188 <listitem> 189 <para> 190Send a protocol error to the client. If the client will be confused enough 191by the other options that it will probably crash or become useless anyway, 192or if it seems likely that the intent was malicious, this is a good choice. 193 </para> 194 <para> 195Kill the client. This might be the right action if there is no doubt 196that the client is hostile. 197 </para> 198 </listitem> 199</orderedlist> 200 201<para> 202In most cases we present the one option that seems most appropriate to 203counter the threat, taking into account the seriousness of the threat, the 204implementation difficulty, and the impact on applications. Our initial bias 205is to err on the side of stronger security, with the accompanying tighter 206restrictions. As we uncover important operations and applications that the new 207restrictions interfere with, we can apply selective loosening to allow 208the desired functionality. 209</para> 210 211<para> 212In some cases we will suggest returning an Access error where the X protocol 213does not explicitly allow one. These new Access errors arise when a client 214can only perform a (non-empty) subset of the defined operations on a 215resource. The disallowed operations cause Access errors. The resource at 216issue is usually a root window. 217</para> 218 219<sect1 id='Access_to_Server_Resources'> 220<title>Access to Server Resources</title> 221<para> 222The X protocol allows clients to manipulate resources (objects) belonging to 223other clients or to the server. Any request that specifies a resource ID is 224vulnerable to some of the above threats. Such requests also provide a way for a 225client to guess resource IDs of other clients. A client can make educated 226guesses for possible resource IDs, and if the request succeeds, it knows it has 227determined a valid resource ID. We call this "resource ID guessing" in the list 228below. 229</para> 230 231<para> 232One likely defense against these problems is to have the server send an 233appropriate protocol error to deny the existence of any resource specified 234by a client that doesn't belong to that client. A variation on this policy 235lets cooperating groups of clients access each other's resources, but not 236those of other groups. The Broadway project will initially use a less general 237form of this idea by having two groups, trusted and untrusted. Trusted 238clients can do everything that X clients can do today. They will be protected 239from untrusted clients in ways described below. Untrusted clients will 240not be protected from each other. Though this will be the initial design, 241we need to make sure there is a growth path to multiple (more than two) 242groups. 243</para> 244 245<para> 246Most of the time, applications never access server resources that aren't 247their own, so the impact of disallowing such accesses should be minimal. 248There are a few notable exceptions, most of which will be discussed under 249the relevant protocol requests. They are: ICCCM selection transfer, Motif 250drag and drop, and server-global resources like the root window and default 251colormap. Another major exception is the window manager, which routinely 252manipulates windows of other applications. The solution for window managers 253is to always run them as trusted applications. 254</para> 255 256<para> 257The implementation difficulty of limiting access to resources should not 258be large. All resource accesses eventually funnel down to one of two 259functions in <dix/resource.c>: 260<function>LookupIDByType</function> and 261<function>LookupIDByClass</function>. A few lines of checking at 262the top of these functions will form the heart of this defense. There is a 263small problem because these functions are not told which client is doing the 264lookup, but that can be solved either by adding a client parameter (probably 265as a new function to preserve compatibility), or by using the server global 266requestingClient. 267</para> 268 269<note> 270<para> 271ISSUE: are we really going to be able to get away with hiding trusted 272resources, or will things like Motif drag and drop force us to expose 273them? (Either way, the operations that untrusted clients can do to 274trusted resources will have to be limited.) Is there something in Xt 275or the ICCCM that breaks if you hide resources? 276</para> 277</note> 278 279</sect1> 280 281<sect1 id='Denial_of_Service'> 282<title>Denial of Service</title> 283 284<sect2 id='Memory_Exhaustion'> 285<title>Memory Exhaustion</title> 286 287<para> 288Any request that causes the server to consume resources (particularly 289memory) can be used in a denial of service attack. A client can use such 290requests repeatedly until the server runs out of memory. When that 291happens, the server will either crash or be forced to send Alloc errors. 292The most obvious candidates are resource creation requests, 293e.g., CreatePixmap, but in reality a large percentage of requests cause 294memory allocation, if only temporarily, depending on the server 295implementation. For this reason, the list of requests subject to this 296form of denial of service will be necessarily incomplete. 297</para> 298 299<para> 300To address this form of denial of service, the server could set 301per-client quotas on memory consumption. When the limit is surpassed, 302the server could return Alloc errors. The application impact is minimal 303as long as the application stays within quota. The implementation difficulty 304is another story. 305</para> 306 307<para> 308Conceptually, it seems easy: simply have a way to set the limit, and on 309every memory (de)allocation operation, update the client's current usage, 310and return an error if the client is over the limit. The first problem 311is something we've already touched on: the allocator functions aren't told 312which client the allocation belongs to. Unlike resource lookups, allocations 313are done in too many places to consider a new interface that passes the 314client, so using the global requestingClient is practically mandatory. 315</para> 316 317<para> 318The problems run deeper. The logical thing for the allocator to do if the 319client is over its limit is to return NULL, indicating allocation failure. 320Unfortunately, there are many places in the server that will react badly 321if this happens. Most of these places, but not all, are "protected" by 322setting the global variable Must_have_memory to True around the delicate 323code. We could help the problem by skipping the limit check if 324Must_have_memory is True. The best solution would be to bullet-proof the 325server against allocation failures, but that is beyond the scope of Broadway. 326Another consideration is that the additional checking may have a measurable 327performance impact, since the server does frequent allocations. 328</para> 329 330<para> 331A third problem is that there is no portable way to determine the size of 332a chunk of allocated memory given just a pointer to the chunk, and that's 333all you have inside <function>Xrealloc</function> and 334<function>Xfree</function>. The server could compensate by recording the 335sizes itself somewhere, but that would be wasteful of memory, since the 336malloc implementation also must be recording block sizes. On top of that, the 337redundant bookkeeping would hurt performance. One solution is to use a custom 338malloc that has the needed support, but that too seems beyond the scope of 339Broadway. 340</para> 341 342<para> 343Considering all of this, we think it is advisable to defer solving the memory 344exhaustion problem to a future release. Keep this in mind when you see quotas 345mentioned as a defense in the list below. 346</para> 347 348</sect2> 349 350 351<sect2 id='CPU_Monopolization'> 352<title>CPU Monopolization</title> 353 354<para> 355Another general way that a client can cause denial of service is to flood 356the server with requests. The server will spend a large percentage of its 357time servicing those requests, possibly starving other clients and certainly 358hurting performance. Every request can be used for flooding, so we will 359not bother to list flooding on every request. A variation on this attack is 360to flood the server with new connection attempts. 361</para> 362 363<para> 364To reduce the effectiveness of flooding, the server could use a different 365scheduling algorithm that throttles clients that are monopolizing the 366server, or it could simply favor trusted clients over untrusted ones. 367Applications cannot depend on a particular scheduling algorithm anyway, 368so changing it should not affect them. The Synchronization extension 369specifies a way to set client priorities, and a simple priority scheduler 370already exists in the server to support it, so this should be simple to add. 371</para> 372 373</sect2> 374</sect1> 375</chapter> 376 377 378<chapter id='Security_concerns_with_specific_window_attributes'> 379<title>Security concerns with specific window attributes</title> 380 381<sect1 id='Background_pixmap'> 382<title>Background-pixmap</title> 383<para> 384Clients can use windows with the background-pixmap attribute set to None 385(hereafter "background none windows") to obtain images of other windows. A 386background none window never paints its own background, so whatever happened 387to be on the screen when the window was mapped can be read from the 388background none window with GetImage. This may well contain data from other 389windows. The CreateWindow and ChangeWindowAttributes requests can set the 390background-pixmap attribute set to None, and many window operations can cause 391data from other windows to be left in a background none window, including 392<function>ReparentWindow</function>, 393<function>MapWindow</function>, 394<function>MapSubwindows</function>, 395<function>ConfigureWindow</function>, and 396<function>CirculateWindow</function>. 397</para> 398 399<para> 400Background none windows can also be used to cause apparent alteration. 401A client can create a window with background none and draw to it. The drawing 402will appear to the user to be in the windows below the background none window. 403</para> 404 405<para> 406To remedy these problems, the server could substitute a well-defined 407background when a client specifies None. Ideally the substituted background 408would look different enough from other windows that the user wouldn't be 409confused. A tile depicting some appropriate international symbol might be 410reasonable. We believe that there are few applications that actually rely on 411background none semantics, and those that do will be easy for the user to 412identify because of the distinctive tile. Implementation should not be a 413problem either. Luckily, the window background cannot be retrieved through 414the X protocol, so we won't have to maintain any illusions about its value. 415</para> 416 417<note> 418<para> 419ISSUE: Some vendors have extensions to let you query the window background. Do 420we need to accommodate that? 421</para> 422</note> 423 424<note> 425<para> 426ISSUE: Will this lead to unacceptable application breakage? Could the server be 427smarter, only painting with the well-defined background when the window actually 428contains bits from trusted windows? 429</para> 430</note> 431 432</sect1> 433 434<sect1 id='ParentRelative_and_CopyFromParent'> 435<title>ParentRelative and CopyFromParent</title> 436 437<para> 438Several window attributes can take on special values that cause them to 439reference (ParentRelative) or copy (CopyFromParent) the same attribute from 440the window's parent. This fits our definition of theft. The window 441attributes are class, background-pixmap, border-pixmap, and colormap. All 442of these can be set with <function>CreateWindow</function>; all but class 443can be set with <function>ChangeWindowAttributes</function>. 444</para> 445 446<para> 447These forms of theft aren't particularly serious, so sending an error 448doesn't seem appropriate. Substitution of different attribute values seems 449to be the only reasonable option, and even that is likely to cause trouble 450for clients. Untrusted clients are already going to be prevented from 451creating windows that are children of trusted clients (see CreateWindow 452below). We recommend that nothing more be done to counter this threat. 453</para> 454 455</sect1> 456 457<sect1 id='Override_redirect'> 458<title>Override-redirect</title> 459<para> 460Windows with the override-redirect bit set to True are generally ignored by 461the window manager. A client can map an override-redirect window that covers 462most or all of the screen, causing denial of service since other applications 463won't be visible. 464</para> 465 466<para> 467To prevent this, the server could prevent more than a certain percentage 468(configurable) the of screen area from being covered by override-redirect 469windows of untrusted clients. 470</para> 471 472<para> 473Override-redirect windows also make some spoofing attacks easier since the 474client can more carefully control the presentation of the window to mimic 475another client. Defenses against spoofing will be given under 476<xref linkend='MapWindow' xrefstyle='select: title'/> 477. 478</para> 479 480</sect1> 481</chapter> 482 483<chapter id='Security_concerns_with_specific_requests'> 484<title>Security concerns with specific requests</title> 485 486<para> 487To reduce the space needed to discuss 120 requests, most of the following 488sections use a stylized format. A threat is given, followed by an 489imperative statement. The implied subject is an untrusted client, and the 490object is usually a trusted client. Following that, another statement 491starting with "Defense:" recommends a countermeasure for the preceding 492threat(s). 493</para> 494 495<para> 496Resources owned by the server, such as the root window and the default 497colormap, are considered to be owned by a trusted client. 498</para> 499 500<sect1 id='CreateWindow'> 501<title>CreateWindow</title> 502 503<para> 504Alteration: create a window as a child of another client's window, altering 505its list of children. 506</para> 507 508<para> 509Defense: send Window error. Specifying the root window as the parent will 510have to be allowed, though. 511</para> 512 513<para> 514Theft: create an InputOnly window or a window with background none on top 515of other clients' windows, select for keyboard/mouse input on that window, 516and steal the input. The input can be resent using SendEvent or an input 517synthesis extension so that the snooped application continues to function, 518though this won't work convincingly with the background none case because the 519drawing will be clipped. 520</para> 521 522<para> 523Defense: send an error if a top-level InputOnly window is created 524(or reparented to the root). Countermeasures for background none and 525SendEvent are discussed elsewhere. 526</para> 527 528<note> 529<para> 530ISSUE: The Motif drag and drop protocol creates and maps such a window (at 531-100, -100, size 10x10) to "cache frequently needed data on window properties 532to reduce roundtrip server requests." Proposed solution: we could only send an 533error if the window is visible, which would require checking in, MapWindow, 534ConfigureWindow, and ReparentWindow. 535</para> 536</note> 537 538<para> 539Theft: resource ID guessing (parent, background-pixmap, border-pixmap, colormap, 540and cursor). 541</para> 542<para> 543Defense: send Window, Pixmap, Colormap, or Cursor error. 544</para> 545<para> 546Denial of service: create windows until the server runs out of memory. 547</para> 548<para> 549Defense: quotas. 550</para> 551<para> 552Also 553<xref linkend='Security_concerns_with_specific_window_attributes' xrefstyle='select: title'/> 554</para> 555</sect1> 556 557 558<sect1 id='ChangeWindowAttributes'> 559<title>ChangeWindowAttributes</title> 560 561<para> 562Alteration: change the attributes of another client's window. 563</para> 564<para> 565Theft: select for events on another client's window. 566</para> 567<para> 568Defense for both of the above: send Window error. 569</para> 570 571<note> 572<para> 573ISSUE: The Motif drop protocol states that "the initiator should select for 574DestroyNotify on the destination window such that it is aware of a potential 575receiver crash." This will be a problem if the initiator is an untrusted 576window and the destination is trusted. Can the server, perhaps with the help 577of the security manager, recognize that a drop is in progress and allow the 578DestroyNotify event selection in this limited case? 579</para> 580</note> 581 582<note> 583<para> 584ISSUE: The Motif pre-register drag protocol probably requires the initiator 585to select for Enter/LeaveNotify on all top-level windows. Same problem as 586the previous issue. 587</para> 588</note> 589 590<para> 591Theft: resource ID guessing (background-pixmap, border-pixmap, colormap, and 592cursor). 593</para> 594 595<para> 596Defense: send Pixmap, Colormap, or Cursor error. 597</para> 598<para> 599Also 600<xref linkend='Security_concerns_with_specific_window_attributes' xrefstyle='select: title'/> 601</para> 602 603</sect1> 604 605<sect1 id='GetWindowAttributes'> 606<title>GetWindowAttributes</title> 607 608<para> 609Theft: get the attributes of another client's window. 610</para> 611<para> 612Theft: resource ID guessing (window). 613</para> 614<para> 615Defense for both of the above: send Window error. 616</para> 617 618</sect1> 619 620<sect1 id='DestroyWindow_DestroySubwindows'> 621<title>DestroyWindow, DestroySubwindows</title> 622 623<para> 624Destruction: destroy another client's window. 625</para> 626<para> 627Theft: resource ID guessing (window). 628</para> 629<para> 630Defense for both of the above: send Window error. 631</para> 632</sect1> 633 634<sect1 id='ChangeSaveSet'> 635<title>ChangeSaveSet</title> 636 637<para> 638Alteration: cause another client's windows to be reparented to the root when 639this client disconnects (only if the other client's windows are subwindows of 640this client's windows). 641</para> 642 643<para> 644Defense: process the request normally. The trusted client gives away some of 645its protection by creating a subwindow of an untrusted window. 646</para> 647 648<para> 649Theft: resource ID guessing (window). 650</para> 651 652<para> 653Defense: send Window error. 654</para> 655</sect1> 656 657 658<sect1 id='MapWindow'> 659<title>MapWindow</title> 660 661<para> 662Spoofing: map a window that is designed to resemble a window of another client. 663Additional requests will probably be needed to complete the illusion. 664</para> 665 666<para> 667Defense: 668</para> 669 670<para> 671We consider spoofing to be a significant danger only if the user is convinced 672to interact with the spoof window. The defense centers on providing enough 673information to enable the user to know where keyboard, mouse, and extension 674device input is going. To accomplish this, the server will cooperate with the 675security manager, an external process. The server will provide the following 676facilities to the security manager: 677</para> 678 679<para> 6801. A way to create a single window that is unobscurable by any window of any 681other client, trusted or untrusted. It needs to be unobscurable so that it is 682spoof-proof. 683</para> 684 685<note> 686<para> 687ISSUE: is a weaker form of unobscurability better? Should the window be 688obscurable by trusted windows, for example? 689</para> 690</note> 691 692<note> 693<para> 694ISSUE: does unobscurable mean that it is a child of the root that is always 695on top in the stacking order? 696</para> 697</note> 698 699<para> 7002. A way to determine if a given window ID belongs to an untrusted client. 701</para> 702 703<para> 704The security manager will need to select for the existing events 705FocusIn, FocusOut, EnterNotify, LeaveNotify, DeviceFocusIn, and 706DeviceFocusOut on all windows to track what window(s) the user's input is 707going to. Using the above server facilities, it can reliably display the 708trusted/untrusted status of all clients currently receiving input. 709</para> 710 711<note> 712<para> 713ISSUE: is it too much to ask the security manager to select for all these 714events on every window? Do we need to provide new events that you select 715for *on the device* that tell where the device is focused? 716</para> 717</note> 718 719<para> 720None of this should have any application impact. 721</para> 722 723<para> 724The unobscurable window may be tricky to implement. There is already some 725machinery in the server to make an unobscurable window for the screen saver, 726which may help but may also get in the way now that we have to deal with two 727unobscurable windows. 728</para> 729 730</sect1> 731 732 733<sect1 id='Window_Operations'> 734<title>Window Operations</title> 735 736<para> 737Specifically, ReparentWindow, MapWindow, MapSubwindows, UnmapWindow, 738UnmapSubwindows, ConfigureWindow, and CirculateWindow. 739</para> 740 741<para> 742Alteration: manipulate another client's window. 743</para> 744 745<para> 746Theft: resource ID guessing (window, sibling). 747</para> 748 749<para> 750Defense for both of the above: send a Window error unless it is a root 751window, in which case we should send an Access error. 752</para> 753 754</sect1> 755 756<sect1 id='GetGeometry'> 757<title>GetGeometry</title> 758 759<para> 760Theft: get the geometry of another client's drawable. 761</para> 762 763<para> 764Theft: resource ID guessing (drawable). 765</para> 766<para> 767Defense for both of the above: send Drawable error. However, root windows 768will be allowed. 769</para> 770 771</sect1> 772 773<sect1 id='QueryTree'> 774<title>QueryTree</title> 775 776<para> 777Theft: resource ID guessing (window). 778</para> 779 780<para> 781Defense: send Window error. 782</para> 783 784<para> 785Theft: discover window IDs that belong to other clients. 786</para> 787 788<para> 789Defense: For the child windows, censor the reply by removing window IDs that 790belong to trusted clients. Allow the root window to be returned. For the parent 791window, if it belongs to a trusted client, return the closest ancestor window 792that belongs to an untrusted client, or if such a window does not exist, 793return the root window for the parent window. 794</para> 795 796<note> 797<para> 798ISSUE: will some applications be confused if we filter out the window manager 799frame window(s), or other windows between the queried window and the root 800window? 801</para> 802</note> 803 804<note> 805<para> 806ISSUE: the Motif drag protocol (both preregister and dynamic) needs to be able 807to locate other top-level windows for potential drop sites. See also 808<xref linkend='Access_to_Server_Resources' xrefstyle='select: title'/> 809. 810</para> 811</note> 812 813</sect1> 814 815<sect1 id='InternAtom'> 816<title>InternAtom</title> 817 818<para> 819Theft: discover atom values of atoms interned by other clients. This lets you 820determine if a specific set of atoms has been interned, which may lead to other 821inferences. 822</para> 823<para> 824Defense: This is a minor form of theft. Blocking it will interfere with many 825types of inter-client communication. We propose to do nothing about this 826threat. 827</para> 828 829<para> 830Denial of service: intern atoms until the server runs out of memory. 831</para> 832 833<para> 834Defense: quotas. 835</para> 836 837 838</sect1> 839 840<sect1 id='GetAtomName'> 841<title>GetAtomName</title> 842 843<para> 844Theft: discover atom names of atoms interned by other clients. This lets you 845determine if a specific set of atoms has been interned, which may lead to other 846inferences. 847</para> 848 849<para> 850Defense: This is a minor form of theft. We propose to do nothing about this 851threat. 852</para> 853 854</sect1> 855 856<sect1 id='ChangeProperty'> 857<title>ChangeProperty</title> 858 859<para> 860Alteration: change a property on another client's window or one that was 861stored by another client. 862</para> 863 864<para> 865Theft: resource ID guessing (window). 866</para> 867 868<para> 869Defense for both of the above: send Window error. 870</para> 871 872<note> 873<para> 874ISSUE: Selection transfer requires the selection owner to change a property 875on the requestor's window. Does the security manager get us out of this? 876Does the server notice the property name and window passed in 877ConvertSelection and temporarily allow that window property to be written? 878</para> 879</note> 880 881<note> 882<para> 883ISSUE: should certain root window properties be writable? 884</para> 885</note> 886 887<para> 888Denial of service: store additional property data until the server 889runs out of memory. 890</para> 891 892<para> 893Defense: quotas. 894</para> 895</sect1> 896 897<sect1 id='DeleteProperty'> 898<title>DeleteProperty</title> 899 900<para> 901Destruction: delete a property stored by another client. 902</para> 903 904<para> 905Theft: resource ID guessing (window). 906</para> 907 908<para> 909Defense for both of the above: send Window error. 910</para> 911 912</sect1> 913 914<sect1 id='GetProperty'> 915<title>GetProperty</title> 916 917<para> 918Theft: get a property stored by another client. 919</para> 920 921<para> 922Theft: resource ID guessing (window). 923</para> 924 925<para> 926Defense for both of the above: send Window error. 927</para> 928 929<note> 930<para> 931ISSUE: should certain root window properties be readable? Proposed answer: yes, 932some configurable list. Do those properties need to be polyinstantiated? 933</para> 934</note> 935 936<note> 937<para> 938ISSUE: Motif drag and drop needs to be able to read the following properties: 939WM_STATE to identify top-level windows, _MOTIF_DRAG_WINDOW on 940the root window, _MOTIF_DRAG_TARGETS on the window given in the 941_MOTIF_DRAG_WINDOW property, and _MOTIF_DRAG_RECEIVER_INFO on 942windows with drop sites. Additionally, some properties are needed that do not 943have fixed names. 944</para> 945</note> 946 947</sect1> 948 949<sect1 id='RotateProperties'> 950<title>RotateProperties</title> 951 952<para> 953Alteration: rotate properties stored by another client. 954</para> 955 956<para> 957Theft: resource ID guessing (window). 958</para> 959 960<para> 961Defense for both of the above: send Window error. 962</para> 963</sect1> 964 965<sect1 id='ListProperties'> 966<title>ListProperties</title> 967 968<para> 969Theft: list properties stored by another client. 970</para> 971 972<para> 973Theft: resource ID guessing (window). 974</para> 975 976<para> 977Defense for both of the above: send Window error. 978</para> 979 980<note> 981<para> 982ISSUE: should certain root window properties be listable? 983</para> 984</note> 985</sect1> 986 987<sect1 id='SetSelectionOwner'> 988<title>SetSelectionOwner</title> 989 990<para> 991Theft: Steal ownership of a selection. 992</para> 993 994<para> 995Denial of service: do this repeatedly so that no other client can own the 996selection. 997</para> 998 999<para> 1000Defense for both of the above: have a configurable list of selections that 1001untrusted clients can own. For other selections, treat this request as a no-op. 1002</para> 1003 1004<note> 1005<para> 1006ISSUE: how does the security manager get involved here? Is it the one that 1007has the configurable list of selections instead of the server? 1008</para> 1009</note> 1010 1011<para> 1012Theft: resource ID guessing (window). 1013</para> 1014 1015<para> 1016Defense: send Window error. 1017</para> 1018</sect1> 1019 1020<sect1 id='GetSelectionOwner'> 1021<title>GetSelectionOwner</title> 1022 1023<para> 1024Theft: discover the ID of another client's window via the owner field of the 1025reply. 1026</para> 1027 1028<para> 1029Defense: if the selection is on the configurable list mentioned above, 1030return the root window ID, else return None. 1031</para> 1032 1033<note> 1034<para> 1035ISSUE: how does the security manager get involved here? 1036</para> 1037</note> 1038</sect1> 1039 1040<sect1 id='ConvertSelection'> 1041<title>ConvertSelection</title> 1042 1043<para> 1044Theft: this initiates a selection transfer (see the ICCCM) which sends 1045the selection contents from the selection owner, which may be another 1046client, to the requesting client. 1047</para> 1048 1049<para> 1050Defense: since in many cases ConvertSelection is done in direct response 1051to user interaction, it is probably best not to force it to fail, either 1052silently or with an error. The server should rely on the security manager 1053to assist in handling the selection transfer. 1054</para> 1055 1056<para> 1057Theft: resource ID guessing (requestor). 1058</para> 1059 1060<para> 1061Defense: send Window error. 1062</para> 1063</sect1> 1064 1065 1066<sect1 id='SendEvent'> 1067<title>SendEvent</title> 1068 1069<para> 1070A client can use SendEvent to cause events of any type to be sent to windows 1071of other clients. Similarly, a client could SendEvent to one of its own 1072windows with propagate set to True and arrange for the event to be propagated 1073up to a window it does not own. Clients can detect events generated by 1074SendEvent, but we cannot assume that they will. 1075</para> 1076 1077<para> 1078Defense: ignore this request unless the event being sent is a ClientMessage 1079event, which should be sent normally so that selection transfer, Motif drag 1080and drop, and certain input methods have a chance at working. 1081</para> 1082 1083<note> 1084<para> 1085ISSUE: does allowing all ClientMessages open up too big a hole? 1086</para> 1087</note> 1088 1089<para> 1090Theft: resource ID guessing (window). 1091</para> 1092 1093<para> 1094Defense: send Window error. 1095</para> 1096 1097</sect1> 1098 1099 1100<sect1 id='Keyboard_and_Pointer_Grabs'> 1101<title>Keyboard and Pointer Grabs</title> 1102 1103<para> 1104Specifically, GrabKeyboard, GrabPointer, GrabKey, and GrabButton. 1105</para> 1106 1107<para> 1108Denial of service/Theft: take over the keyboard and pointer. This could 1109be viewed as denial of service since it prevents other clients from getting 1110keyboard or mouse input, or it could be viewed as theft since the user 1111input may not have been intended for the grabbing client. 1112</para> 1113 1114<para> 1115Defense: provide a way to break grabs via some keystroke combination, and 1116have a status area that shows which client is getting input. (See 1117<xref linkend='MapWindow' xrefstyle='select: title'/> 1118). 1119</para> 1120 1121<para> 1122Theft: resource ID guessing (grab-window, confine-to, cursor). 1123</para> 1124 1125<para> 1126Defense: send Window or Cursor error. 1127</para> 1128 1129</sect1> 1130 1131 1132 1133<sect1 id='ChangeActivePointerGrab'> 1134<title>ChangeActivePointerGrab</title> 1135 1136<para> 1137Theft: resource ID guessing (cursor). 1138</para> 1139 1140<para> 1141Defense: send Cursor error. 1142</para> 1143</sect1> 1144 1145 1146<sect1 id='GrabServer'> 1147<title>GrabServer</title> 1148 1149<para> 1150Denial of service: a client can grab the server and not let go, locking 1151out all other clients. 1152</para> 1153 1154<para> 1155Defense: provide a way to break grabs via some keystroke combination. 1156</para> 1157</sect1> 1158 1159 1160<sect1 id='QueryPointer'> 1161<title>QueryPointer</title> 1162 1163<para> 1164Theft: A client can steal pointer motion and position, button input, 1165modifier key state, and possibly a window of another client with this request. 1166</para> 1167 1168<para> 1169Defense: if the querying client doesn't have the pointer grabbed, and 1170the pointer is not in one of its windows, the information can be zeroed. 1171</para> 1172 1173<para> 1174Theft: resource ID guessing (window). 1175</para> 1176 1177<para> 1178Defense: send Window error. 1179</para> 1180</sect1> 1181 1182<sect1 id='GetMotionEvents'> 1183<title>GetMotionEvents</title> 1184 1185<para> 1186Theft: steal pointer motion input that went to other clients. 1187</para> 1188 1189<para> 1190Defense: ideally, the server would return only pointer input that was not 1191delivered to any trusted client. The implementation effort to do that 1192probably outweighs the marginal benefits. Instead, we will always return 1193an empty list of motion events to untrusted clients. 1194</para> 1195 1196<para> 1197Theft: resource ID guessing (window). 1198</para> 1199 1200<para> 1201Defense: send Window error. 1202</para> 1203</sect1> 1204 1205<sect1 id='TranslateCoordinates'> 1206<title>TranslateCoordinates</title> 1207 1208<para> 1209Theft: discover information about other clients' windows: position, 1210screen, and possibly the ID of one of their subwindows. 1211</para> 1212 1213<para> 1214Defense: send an error if src-window or dst-window do not belong to 1215the requesting client. 1216</para> 1217 1218<para> 1219Theft: resource ID guessing (src-window, dst-window). 1220</para> 1221 1222<para> 1223Defense: send Window error. 1224</para> 1225</sect1> 1226 1227<sect1 id='WarpPointer'> 1228<title>WarpPointer</title> 1229 1230<para> 1231A client can cause pointer motion to occur in another client's window. 1232</para> 1233 1234<para> 1235Denial of service: repeated pointer warping prevents the user from using 1236the mouse normally. 1237</para> 1238 1239<para> 1240Defense for both of the above: if the querying client doesn't have the pointer 1241grabbed, and the pointer is not in one of its windows, treat the request as a 1242no-op. 1243</para> 1244 1245<para> 1246Theft: resource ID guessing (src-window, dst-window). 1247</para> 1248 1249<para> 1250Defense: send Window error. 1251</para> 1252</sect1> 1253 1254<sect1 id='SetInputFocus'> 1255<title>SetInputFocus</title> 1256 1257<para> 1258Theft: a client can use this request to make one of its own windows have 1259the input focus (keyboard focus). The user may be unaware that keystrokes 1260are now going to a different window. 1261</para> 1262 1263<para> 1264Denial of service: repeatedly setting input focus prevents normal use of the 1265keyboard. 1266</para> 1267 1268<para> 1269Defense for both of the above: only allow untrusted clients to 1270SetInputFocus if input focus is currently held by another untrusted client. 1271</para> 1272 1273<note> 1274<para> 1275ISSUE: this will break clients using the Globally Active Input model 1276described in section 4.1.7 of the ICCCM. 1277</para> 1278</note> 1279 1280<para> 1281Theft: resource ID guessing (focus). 1282</para> 1283 1284<para> 1285Defense: send Window error. 1286</para> 1287</sect1> 1288 1289 1290<sect1 id='GetInputFocus'> 1291<title>GetInputFocus</title> 1292 1293<para> 1294Theft: the reply may contain the ID of another client's window. 1295</para> 1296<para> 1297Defense: return a focus window of None if a trusted client currently has 1298the input focus. 1299</para> 1300</sect1> 1301 1302 1303<sect1 id='QueryKeymap'> 1304<title>QueryKeymap</title> 1305 1306<para> 1307Theft: poll the keyboard with this to see which keys are being pressed. 1308</para> 1309 1310<para> 1311Defense: zero the returned bit vector if a trusted client currently has 1312the input focus. 1313</para> 1314</sect1> 1315 1316<sect1 id='Font_Requests'> 1317<title>Font Requests</title> 1318 1319<para> 1320Specifically, OpenFont, QueryFont, ListFonts, ListFontsWithInfo, and 1321QueryTextExtents. 1322</para> 1323 1324<para> 1325Theft: discover font name, glyph, and metric information about fonts that were 1326provided by another client (by setting the font path). Whether it is theft 1327to retrieve information about fonts from the server's initial font path 1328depends on whether or not you believe those fonts, by their existence in the 1329initial font path, are intended to be globally accessible by all clients. 1330</para> 1331 1332<para> 1333Defense: 1334</para> 1335 1336<para> 1337Maintain two separate font paths, one for trusted clients and one for untrusted 1338clients. They are both initialized to the default font path at server reset. 1339Subsequently, changes to one do not affect the other. Since untrusted clients 1340will not see font path elements added by trusted clients, they will not be 1341able to access any fonts provided by those font path elements. 1342</para> 1343 1344<para> 1345Theft: resource ID guessing (font) (QueryFont and QueryTextExtents only). 1346</para> 1347 1348<para> 1349Defense: send Font error. 1350</para> 1351 1352<para> 1353Denial of service: open fonts until the server runs out of memory (OpenFont 1354only). 1355</para> 1356 1357<para> 1358Defense: quotas. 1359</para> 1360 1361</sect1> 1362 1363 1364<sect1 id='CloseFont'> 1365<title>CloseFont</title> 1366 1367<para> 1368Destruction: close another client's font. 1369</para> 1370<para> 1371Defense: send Font error. 1372</para> 1373</sect1> 1374 1375<sect1 id='SetFontPath'> 1376<title>SetFontPath</title> 1377 1378<para> 1379Denial of service: change the font path so that other clients cannot 1380find their fonts. 1381</para> 1382 1383<para> 1384Alteration: change the font path so that other clients get different 1385fonts than they expected. 1386</para> 1387<para> 1388Defense for both of the above: separate font paths for trusted and 1389untrusted clients, as described in the Font Requests section. 1390</para> 1391<note> 1392<para> 1393ISSUE: the printing project considered per-client font paths and concluded 1394that it was very difficult to do. We should look at this aspect of the print 1395server design to see if we can reuse the same scheme. We should also try to 1396reconstruct what was so difficult about this; it doesn't seem that hard on the 1397surface. 1398</para> 1399</note> 1400</sect1> 1401 1402<sect1 id='GetFontPath'> 1403<title>GetFontPath</title> 1404 1405<para> 1406Theft: retrieve font path elements that were set by other clients. 1407</para> 1408<para> 1409Use knowledge from font path elements to mount other attacks, e.g., 1410attack a font server found in the font path. 1411</para> 1412<para> 1413Defense for both of the above: separate font paths for trusted and 1414untrusted clients, as described in the Font Requests section. 1415</para> 1416</sect1> 1417 1418 1419<sect1 id='CreatePixmap'> 1420<title>CreatePixmap</title> 1421 1422<para> 1423Theft: resource ID guessing (drawable). 1424</para> 1425<para> 1426Defense: send Drawable error. 1427</para> 1428<para> 1429Denial of service: create pixmaps until the server runs out of memory. 1430</para> 1431<para> 1432Defense: quotas. 1433</para> 1434</sect1> 1435 1436<sect1 id='FreePixmap'> 1437<title>FreePixmap</title> 1438 1439<para> 1440Destruction: destroy another client's pixmap. 1441</para> 1442<para> 1443Defense: send Pixmap error. 1444</para> 1445</sect1> 1446 1447<sect1 id='CreateGC'> 1448<title>CreateGC</title> 1449 1450<para> 1451Theft: resource ID guessing (drawable, tile, stipple, font, clip-mask). 1452</para> 1453<para> 1454Defense: send Drawable, Pixmap, or Font error. 1455</para> 1456<para> 1457Denial of service: create GCs until the server runs out of memory. 1458</para> 1459<para> 1460Defense: quotas. 1461</para> 1462</sect1> 1463 1464 1465<sect1 id='CopyGC'> 1466<title>CopyGC</title> 1467 1468<para> 1469Theft: copy GC values of another client's GC. 1470</para> 1471<para> 1472Alteration: copy GC values to another client's GC. 1473</para> 1474<para> 1475Defense for both of the above: send GC error. 1476</para> 1477</sect1> 1478 1479 1480<sect1 id='ChangeGC_SetDashes_SetClipRectangles'> 1481<title>ChangeGC, SetDashes, SetClipRectangles</title> 1482 1483<para> 1484Alteration: change values of another client's GC. 1485</para> 1486<para> 1487Theft: resource ID guessing (gc, tile, stipple, font, clip-mask) 1488(last four for ChangeGC only). 1489</para> 1490<para> 1491Defense for both of the above: send GC error. 1492</para> 1493</sect1> 1494 1495<sect1 id='FreeGC'> 1496<title>FreeGC</title> 1497 1498<para> 1499Destruction: destroy another client's GC. 1500</para> 1501<para> 1502Defense: send GC error. 1503 1504</para> 1505</sect1> 1506 1507 1508<sect1 id='Drawing_Requests'> 1509<title>Drawing Requests</title> 1510 1511<para> 1512Specifically, ClearArea, CopyArea, CopyPlane, PolyPoint, PolyLine, PolySegment, 1513PolyRectangle, PolyArc, FillPoly, PolyFillRectangle, PolyFillArc, PutImage, 1514PolyText8, PolyText16, ImageText8, and ImageText16. 1515</para> 1516<para> 1517Alteration: draw to another client's drawable. 1518</para> 1519<para> 1520Theft: resource ID guessing: ClearArea - window; CopyArea, CopyPlane - 1521src-drawable, dst-drawable, gc; all others - drawable, gc. 1522</para> 1523<para> 1524Defense for both of the above: send appropriate error. 1525</para> 1526<note> 1527<para> 1528ISSUE: The Motif preregister drag protocol requires clients to draw 1529into windows of other clients for drag-over/under effects. 1530</para> 1531</note> 1532<para> 1533Spoofing: draw to a window to make it resemble a window of another client. 1534</para> 1535<para> 1536Defense: see 1537<xref linkend='MapWindow' xrefstyle='select: title'/> 1538. 1539</para> 1540</sect1> 1541 1542 1543<sect1 id='GetImage'> 1544<title>GetImage</title> 1545 1546<para> 1547Theft: get the image of another client's drawable. 1548</para> 1549<para> 1550Theft: resource ID guessing (drawable). 1551</para> 1552<para> 1553Defense: send Drawable error. 1554</para> 1555<para> 1556Theft: get the image of your own window, which may contain pieces of other 1557overlapping windows. 1558</para> 1559<para> 1560Defense: censor returned images by blotting out areas that contain data 1561from trusted windows. 1562</para> 1563</sect1> 1564 1565<sect1 id='CreateColormap'> 1566<title>CreateColormap</title> 1567 1568<para> 1569Theft: resource ID guessing (window). 1570</para> 1571<para> 1572Defense: send Colormap error. 1573 1574</para> 1575<para> 1576Denial of service: create colormaps with this request until the server 1577runs out of memory. 1578</para> 1579<para> 1580Defense: quotas. 1581</para> 1582</sect1> 1583 1584<sect1 id='FreeColormap'> 1585<title>FreeColormap</title> 1586 1587<para> 1588Destruction: destroy another client's colormap. 1589</para> 1590<para> 1591Defense: send Colormap error. 1592</para> 1593</sect1> 1594 1595 1596<sect1 id='CopyColormapAndFree'> 1597<title>CopyColormapAndFree</title> 1598 1599<para> 1600Theft: resource ID guessing (src-map). 1601</para> 1602<para> 1603Defense: send Colormap error. However, default colormaps will be allowed. 1604</para> 1605<note> 1606<para> 1607ISSUE: must untrusted applications be allowed to use standard colormaps? 1608(Same issue for ListInstalledColormaps, Color Allocation Requests, 1609FreeColors, StoreColors, StoreNamedColor, QueryColors, and LookupColor.) 1610</para> 1611</note> 1612<para> 1613Denial of service: create colormaps with this request until the server 1614runs out of memory. 1615</para> 1616<para> 1617Defense: quotas. 1618</para> 1619</sect1> 1620 1621<sect1 id='InstallColormap_UninstallColormap'> 1622<title>InstallColormap, UninstallColormap</title> 1623 1624<para> 1625Theft: resource ID guessing. 1626</para> 1627<para> 1628Defense: send Colormap error. 1629</para> 1630<para> 1631Denial of service: (un)install any colormap, potentially preventing 1632windows from displaying correct colors. 1633</para> 1634<para> 1635Defense: treat this request as a no-op. Section 4.1.8 of the ICCCM states 1636that (un)installing colormaps is the responsibility of the window manager 1637alone. 1638</para> 1639 1640<note> 1641<para> 1642ISSUE: the ICCCM also allows clients to do colormap installs if the client 1643has the pointer grabbed. Do we need to allow that too? 1644</para> 1645</note> 1646</sect1> 1647 1648<sect1 id='ListInstalledColormaps'> 1649<title>ListInstalledColormaps</title> 1650 1651<para> 1652Theft: resource ID guessing (window). 1653</para> 1654 1655<para> 1656Defense: send Colormap error. 1657</para> 1658<para> 1659Theft: discover the resource ID of another client's colormap from the reply. 1660</para> 1661<para> 1662Defense: remove the returned colormap IDs; only let through default 1663colormaps and colormaps of untrusted clients. 1664</para> 1665</sect1> 1666 1667<sect1 id='Color_Allocation_Requests'> 1668<title>Color Allocation Requests</title> 1669 1670<para> 1671Specifically, AllocColor, AllocNamedColor, AllocColorCells, and 1672AllocColorPlanes. 1673</para> 1674<para> 1675Alteration/Denial of service: allocate colors in another client's 1676colormap. It is denial of service if the owning client's color allocations 1677fail because there are no cells available. Otherwise it is just alteration. 1678</para> 1679<para> 1680Theft: resource ID guessing (cmap). 1681</para> 1682<para> 1683Defense for both of the above: send Colormap error. However, default 1684colormaps will be allowed. 1685</para> 1686</sect1> 1687 1688<sect1 id='FreeColors'> 1689<title>FreeColors</title> 1690 1691<para> 1692Theft: resource ID guessing (cmap). 1693</para> 1694<para> 1695Defense: send Colormap error. However, default colormaps will be allowed. 1696</para> 1697</sect1> 1698 1699<sect1 id='StoreColors_StoreNamedColor'> 1700<title>StoreColors, StoreNamedColor</title> 1701 1702<para> 1703Alteration: change the colors in another client's colormap. 1704</para> 1705<para> 1706Theft: resource ID guessing (cmap). 1707</para> 1708<para> 1709Defense for both of the above: send Colormap error. However, default 1710colormaps will be allowed. 1711</para> 1712</sect1> 1713 1714 1715<sect1 id='QueryColors_LookupColor'> 1716<title>QueryColors, LookupColor</title> 1717 1718<para> 1719Theft: retrieve information about the colors in another client's colormap. 1720</para> 1721<para> 1722Theft: resource ID guessing (cmap). 1723</para> 1724<para> 1725Defense for both of the above: send Colormap error. However, default 1726colormaps will be allowed. 1727</para> 1728</sect1> 1729 1730<sect1 id='CreateCursor_CreateGlyphCursor'> 1731<title>CreateCursor, CreateGlyphCursor</title> 1732 1733<para> 1734Theft: resource ID guessing (source, mask or source-font, mask-font). 1735</para> 1736<para> 1737Defense: send Pixmap or Font error. However, the default font will be allowed. 1738</para> 1739<para> 1740Denial of service: create cursors until the server runs out of memory. 1741</para> 1742<para> 1743Defense: quotas. 1744</para> 1745</sect1> 1746 1747<sect1 id='FreeCursor'> 1748<title>FreeCursor</title> 1749 1750<para> 1751Destruction: free another client's cursor. 1752</para> 1753<para> 1754Defense: send Cursor error. 1755</para> 1756</sect1> 1757 1758<sect1 id='RecolorCursor'> 1759<title>RecolorCursor</title> 1760 1761<para> 1762Alteration: recolor another client's cursor. 1763</para> 1764<para> 1765Theft: resource ID guessing (cursor). 1766</para> 1767<para> 1768Defense for both of the above: send Cursor error. 1769</para> 1770</sect1> 1771 1772<sect1 id='QueryBestSize'> 1773<title>QueryBestSize</title> 1774 1775<para> 1776Theft: resource ID guessing (drawable). 1777</para> 1778<para> 1779Defense: send Drawable error. 1780</para> 1781</sect1> 1782 1783<sect1 id='ListExtensions_QueryExtension'> 1784<title>ListExtensions, QueryExtension</title> 1785 1786<para> 1787Determine the extensions supported by the server, and use the list to choose 1788extension-specific attacks to attempt. 1789</para> 1790<para> 1791Defense: extensions will have a way to tell the server whether it is safe 1792for untrusted clients to use them. These requests will only return information 1793about extensions that claim to be safe. 1794</para> 1795</sect1> 1796 1797<sect1 id='Keyboard_configuration_requests'> 1798<title>Keyboard configuration requests</title> 1799 1800<para> 1801Specifically, ChangeKeyboardControl, ChangeKeyboardMapping, and 1802SetModifierMapping. 1803</para> 1804<para> 1805Alteration: change the keyboard parameters that were established by another 1806client. 1807</para> 1808<para> 1809Denial of service: with ChangeKeyboardControl, disable auto-repeat, key 1810click, or the bell. With ChangeKeyboardMapping or SetModifierMapping, 1811change the key mappings so that the keyboard is difficult or impossible to 1812use. 1813</para> 1814<para> 1815Defense for both of the above: treat these requests as a no-op. 1816</para> 1817</sect1> 1818 1819 1820<sect1 id='Keyboard_query_requests'> 1821<title>Keyboard query requests</title> 1822 1823<para> 1824Specifically, GetKeyboardControl, GetKeyboardMapping, and GetModifierMapping. 1825</para> 1826<para> 1827Theft: get keyboard information that was established by another client. 1828</para> 1829<para> 1830Defense: This is a minor form of theft. We propose to do nothing about this 1831threat. 1832</para> 1833</sect1> 1834 1835 1836<sect1 id='ChangePointerControl_SetPointerMapping'> 1837<title>ChangePointerControl, SetPointerMapping</title> 1838 1839<para> 1840Alteration: change the pointer parameters that were established by another 1841client. 1842</para> 1843<para> 1844Denial of service: set the pointer parameters so that the pointer is 1845difficult or impossible to use. 1846</para> 1847<para> 1848Defense for both of the above: treat these requests as a no-op. 1849</para> 1850</sect1> 1851 1852<sect1 id='GetPointerControl_GetPointerMapping'> 1853<title>GetPointerControl, GetPointerMapping</title> 1854 1855<para> 1856Theft: get pointer parameters that were established by another client. 1857</para> 1858<para> 1859Defense: This is a minor form of theft. We propose to do nothing about this 1860threat. 1861</para> 1862</sect1> 1863 1864<sect1 id='SetScreenSaver'> 1865<title>SetScreenSaver</title> 1866 1867<para> 1868Alteration: change the screen saver parameters that were established by 1869another client. 1870</para> 1871<para> 1872Denial of service: set the screen saver parameters so that the screen saver 1873is always on or always off. 1874</para> 1875<para> 1876Defense for both of the above: treat these requests as a no-op. 1877</para> 1878</sect1> 1879 1880 1881<sect1 id='GetScreenSaver'> 1882<title>GetScreenSaver</title> 1883 1884<para> 1885Theft: get screen saver parameters that were established by another client. 1886</para> 1887<para> 1888Defense: This is a minor form of theft. We propose to do nothing about this 1889threat. 1890</para> 1891</sect1> 1892 1893<sect1 id='ForceScreenSaver'> 1894<title>ForceScreenSaver</title> 1895 1896<para> 1897Denial of service: repeatedly activate the screen saver so that the user 1898cannot see the screen as it would look when the screen saver is off. 1899</para> 1900<para> 1901Denial of service: repeatedly reset the screen saver, preventing it from 1902activating. 1903</para> 1904<para> 1905Defense for both of the above: treat these requests as a no-op. 1906</para> 1907</sect1> 1908 1909<sect1 id='ChangeHost'> 1910<title>ChangeHost</title> 1911 1912<para> 1913Most servers already have some restrictions on which clients can use this 1914request, so whether the following list applies is implementation dependent. 1915</para> 1916<para> 1917Denial of service: remove a host from the list, preventing clients from 1918connecting from that host. 1919</para> 1920<para> 1921Add a host to the list. Clients from that host may then launch other 1922attacks of any type. 1923</para> 1924<para> 1925Defense for both of the above: return Access error. 1926</para> 1927</sect1> 1928 1929 1930<sect1 id='ListHosts'> 1931<title>ListHosts</title> 1932 1933<para> 1934Theft: steal host identities and possibly even user identities that are 1935allowed to connect. 1936</para> 1937<para> 1938Launch attacks of any type against the stolen host/user identities. 1939</para> 1940<para> 1941Defense for both of the above: return only untrusted hosts. 1942</para> 1943</sect1> 1944 1945 1946<sect1 id='SetAccessControl'> 1947<title>SetAccessControl</title> 1948 1949<para> 1950Most servers already have some restrictions on which clients can use this 1951request, so whether the following list applies is implementation dependent. 1952</para> 1953<para> 1954Alteration: change the access control value established by some other client. 1955</para> 1956<para> 1957Disable access control, allowing clients to connect who would normally not be 1958able to connect. Those clients may then launch other attacks of any type. 1959</para> 1960<para> 1961Defense for both of the above: return Access error. 1962</para> 1963</sect1> 1964 1965<sect1 id='SetCloseDownMode'> 1966<title>SetCloseDownMode</title> 1967 1968<para> 1969Denial of service: set the close-down mode to RetainPermanent or 1970RetainTemporary, then disconnect. The server cannot reuse the 1971resource-id-base of the disconnected client, or the memory used by the 1972retained resources, unless another client issues an appropriate KillClient 1973to cancel the retainment. The server has a limited number of 1974resource-id-bases, and when they are exhausted, it will be unable to accept 1975new client connections. 1976</para> 1977<para> 1978Defense: treat this request as a no-op. 1979</para> 1980</sect1> 1981 1982<sect1 id='KillClient'> 1983<title>KillClient</title> 1984 1985<para> 1986Destruction/Denial of service: kill another currently connected client. 1987</para> 1988<para> 1989Destruction: kill a client that has terminated with close-down mode of 1990RetainTemporary or RetainPermanent, destroying all its retained resources. 1991</para> 1992<para> 1993Destruction: specify AllTemporary as the resource, destroying all resources 1994of clients that have terminated with close-down mode RetainTemporary. 1995</para> 1996<para> 1997Defense for all of the above: return Value error. 1998</para> 1999</sect1> 2000 2001<sect1 id='Clean_Requests'> 2002<title>Clean Requests</title> 2003 2004<para> 2005Other than denial of service caused by flooding, these requests have no known 2006security concerns: AllowEvents, UngrabPointer, UngrabButton, UngrabKeyboard, 2007UngrabKey, UngrabServer, NoOperation, and Bell. 2008</para> 2009</sect1> 2010</chapter> 2011 2012<chapter id='Events'> 2013<title>Events</title> 2014 2015<para> 2016The only threat posed by events is theft. Selecting for events on another 2017client's resources is always theft. We restrict further analysis by 2018assuming that the client only selects for events on its own resources, 2019then asking whether the events provide information about other clients. 2020</para> 2021 2022<sect1 id='KeymapNotify'> 2023<title>KeymapNotify</title> 2024 2025<para> 2026Theft: the state of the keyboard can be seen when the client does not have 2027the input focus. This is possible because a KeymapNotify is sent to a 2028window after every EnterNotify even if the window does not have input focus. 2029</para> 2030<para> 2031Defense: zero the returned bit vector if a trusted client currently has the 2032input focus. 2033</para> 2034</sect1> 2035 2036<sect1 id='Expose'> 2037<title>Expose</title> 2038 2039<para> 2040Theft: discover where other clients' windows overlap your own. For 2041instance, map a full-screen window, lower it, then raise it. The resulting 2042exposes tell you where other windows are. 2043</para> 2044 2045<para> 2046Defense: about the only thing you could do here is force backing store to be 2047used on untrusted windows, but that would probably use too much server 2048memory. We propose to do nothing about this threat. 2049</para> 2050</sect1> 2051 2052<sect1 id='GraphicsExposure'> 2053<title>GraphicsExposure</title> 2054 2055<para> 2056Theft: discover where other clients' windows overlap your own. For instance, 2057use CopyArea to copy the entire window's area exactly on top of itself. The 2058resulting GraphicsExposures tell you where the window was obscured. 2059</para> 2060<para> 2061Defense: see Expose above. We propose to do nothing about this threat. 2062</para> 2063</sect1> 2064 2065<sect1 id='VisibilityNotify'> 2066<title>VisibilityNotify</title> 2067 2068<para> 2069Theft: this event provides crude positional information about other 2070clients, though the receiver cannot tell which other clients. 2071</para> 2072<para> 2073Defense: The information content of this event is very low. We propose to 2074do nothing about this threat. 2075</para> 2076</sect1> 2077 2078<sect1 id='ReparentNotify'> 2079<title>ReparentNotify</title> 2080 2081<para> 2082Theft: the parent window may belong to some other client (probably the 2083window manager). 2084</para> 2085<para> 2086Defense: If the parent window belongs to a trusted client, return the 2087closest ancestor window that belongs to an untrusted client, or if such a 2088window does not exist, return the root window for the parent window. 2089</para> 2090<note> 2091<para> 2092ISSUE: what is the application impact? 2093</para> 2094</note> 2095 2096</sect1> 2097 2098 2099<sect1 id='ConfigureNotify'> 2100<title>ConfigureNotify</title> 2101 2102 2103<para> 2104Theft: the above-sibling window may belong to some other client. 2105</para> 2106<para> 2107Defense: return None for the above-sibling window if it belongs to a trusted 2108client. 2109</para> 2110<note> 2111<para> 2112ISSUE: what is the application impact? 2113</para> 2114</note> 2115 2116</sect1> 2117 2118 2119<sect1 id='ConfigureRequest'> 2120<title>ConfigureRequest</title> 2121 2122<para> 2123Theft: the sibling window may belong to some other client. 2124</para> 2125<para> 2126Defense: return None for the sibling window if it belongs to a trusted client. 2127</para> 2128<para> 2129ISSUE: what is the application impact? 2130</para> 2131</sect1> 2132 2133 2134<sect1 id='SelectionClear'> 2135<title>SelectionClear</title> 2136 2137<para> 2138Theft: the owner window may belong to some other client. 2139</para> 2140<para> 2141Defense: return None for the owner window if it belongs to a trusted client. 2142</para> 2143</sect1> 2144 2145<sect1 id='SelectionRequest'> 2146<title>SelectionRequest</title> 2147 2148<para> 2149Theft: the requestor window may belong to some other client. 2150</para> 2151<para> 2152Defense: Blocking this event or censoring the window would prevent selection 2153transfers from untrusted clients to trusted clients from working. We propose 2154to do nothing in the server about this threat. The security manager may 2155reduce the exposure of trusted window IDs by becoming the owner of all 2156selections. 2157</para> 2158</sect1> 2159 2160 2161<sect1 id='MappingNotify'> 2162<title>MappingNotify</title> 2163 2164<para> 2165Theft: discover keyboard, pointer, or modifier mapping information set 2166by another client. 2167</para> 2168<para> 2169Defense: Any tampering with this event will cause clients to have an 2170inconsistent view of the keyboard or pointer button configuration, which is 2171likely to confuse the user. We propose to do nothing about this threat. 2172</para> 2173</sect1> 2174</chapter> 2175 2176<chapter id='Errors'> 2177<title>Errors</title> 2178 2179<para> 2180There appear to be no threats related to protocol errors. 2181</para> 2182 2183</chapter> 2184 2185 2186 2187 2188<chapter id='Future_Work'> 2189<title>Future Work</title> 2190 2191<para> 2192The next steps are resolve the items marked ISSUE and to decide if the 2193defenses proposed are reasonable. Discussion on the security@x.org mailing list, 2194prototyping, and/or starting the implementation should help answer these 2195questions. 2196</para> 2197</chapter> 2198 2199 2200<chapter id='References'> 2201<title>References</title> 2202 2203<para> 2204Bellcore, "Framework Generic Requirements for X Window System Security," 2205Technical Advisory FA-STS-001324, Issue 1, August 1992. 2206</para> 2207<para> 2208Dardailler, Daniel, "Motif Drag And Drop Protocol," unpublished design 2209notes. 2210</para> 2211<para> 2212Kahn, Brian L., "Safe Use of X WINDOW SYSTEM protocol Across a Firewall", 2213unpublished draft, The MITRE Corporation, 1995. 2214</para> 2215<para> 2216Rosenthal, David S. H., "LINX - a Less INsecure X server," Sun Microsystems, 221729th April 1989. 2218</para> 2219<para> 2220Rosenthal, David and Marks, Stuart W., "Inter-Client Communication Conventions 2221Manual Version 2.0," ftp://ftp.x.org/pub/R6.1/xc/doc/hardcopy/ICCCM/icccm.PS.Z 2222 2223</para> 2224<para> 2225Scheifler, Robert W., "X Window System Protocol," 2226ftp://ftp.x.org/pub/R6.1/xc/doc/hardcopy/XProtocol/proto.PS.Z 2227</para> 2228<para> 2229Treese, G. Winfield and Wolman, Alec, "X Through the Firewall, and Other 2230Application Relays," Digital Equipment Corporation Cambridge Research Lab, 2231Technical Report Series, CRL 93/10, May 3, 1993. 2232</para> 2233</chapter> 2234</book> 2235