Hello and welcome to the security dev room. Hope you had a nice lunch and are ready for the talk by Hanno Böck, who's going to talk about desktop security. Please welcome Hanno.

Hello. Yeah, so I hope you have your pitchforks ready and are really angry, because I chose this very provocative talk title. But I want to talk about a few issues that I think they are... Hello? Like, do you hear me? Hello, hello? Okay.

Okay, yeah, I want to talk about a few issues with Linux desktop security. And I mainly want to get you angry, but not angry at me, but angry at the situation, and you should do something about it.

So the idea for this talk I got when there was... this is a quote from Chris Evans, who found a couple of security issues with common Linux desktop systems, where he said: "Yeah, this was too easy. It should not be possible to find a serious memory corruption vulnerability in the default Linux desktop." And there he said that, like, "Yeah, this is not the kind of situation that occurs with the latest Windows 10 default install. Is it possible that Linux desktop security has rotten?"
So he published a couple of blog posts, and the first one was an exploit against the parser of Nintendo sound files. So Nintendo sound files, that is like this... Sorry, it's not so loud, but yeah. So it was an exploit against GStreamer, which has a parser for Nintendo sound files, which are files extracted from NES games. Which is of course important, because we like to be able to listen to this Super Mario music.

Interesting there was that it was in the thumbnail parser. So even if you're just opening a folder in the file manager with such a file that had this exploit, it could exploit your system and an attacker could gain control over your system. It was in Ubuntu 12.04, which is kind of old, but it's still supported.

Also interesting here is that for these Nintendo sound files, the player here is basically a mini emulator that's emulating the functionality of the Nintendo sound chip. And that means an attacker who sends you such a sound file, he can basically execute some kind of code, and that makes it much easier to bypass certain exploit mitigation techniques. And also interesting: to fix this you could just delete the plugin, like the file, and you could still play these Nintendo sound files, because there were two decoders for them in GStreamer. So yeah.

Then the next exploit was against FLIC files. Does anyone know what FLIC files are? Have you generated them? Very few hands. So they come from a software called Autodesk Animator. It's actually free software, so the code is available under a BSD license. It's a tool that was popular in the 90s in DOS to create animations. I have such an animation for you. So this was mplayer, and now... but the exploit was in GStreamer, but if I try to play this with Totem, which is using GStreamer, it doesn't work. So it had a decoder for it which had an exploitable bug, but it seems it doesn't work. So yeah. But mplayer can play it. Yeah.

Now there are a few interesting things that came together.
So first of all, there are a couple of browsers that automatically download files without asking any questions. So if you click on a download, they will just place them in the downloads folder. This is for example Chrome and Epiphany and Konqueror. Konqueror I tested earlier today; it doesn't even show you any kind of dialogue, so it just downloads the file and you don't see anything. And you don't even have to click on the download, because that a JavaScript can do for you. So what that basically means is that if you're using one of these browsers, then any web page can create a file on your file system. Which is just interesting, and I think also something where you could think more about it, like whether that could be exploited in interesting ways. Also, but important here is also, this is not Linux specific; Chrome does the same thing in any operating system.

But then there's a tool called Tracker, which is part of the desktop search functionality in GNOME, and it automatically indexes new files created in your home directory, which includes your downloads directory. So the exploit was basically, yeah, a web page could give you this FLIC file, it gets automatically downloaded, it gets automatically indexed by Tracker, and then the exploit can run.

And there was a comment from the Tracker developer below this blog post where he said: "Yeah, the GStreamer guys were extremely fast in fixing it. Okay, great. You could claim that other libraries used for metadata extraction are just as insecure, but these are really bugs in these libraries to fix." Now, from a security perspective I have a problem with this way of seeing these things, because if you look at the libraries Tracker is using, it's like GStreamer, FFmpeg, FLAC. Okay, these are more popular. But also things like, I don't know, I didn't know what libiptcdata does; I looked it up.
It actually seems to be some kind of tagging functionality for JPEGs that's non-standard, or... Yeah, so there are a lot of libraries, and maybe half of them have decent security and the other half, like, nobody ever looked for security. So I think if you're writing a tool that's using all these libraries and exposing them to untrusted data, you kind of have a responsibility to care about that, and you cannot just say, "Yeah, this is a bug and we'll fix it," because there will always be another bug in one of these libraries that can be exploited. Yeah, so if you can exploit any of these, you basically can exploit the system of a Linux user right away from a website.

It's not just Tracker. KDE has a similar tool which is called Baloo, and it basically has the same issue. And also, as I already mentioned earlier, thumbnail creators have kind of a similar problem. They are not getting executed automatically, but they are getting executed as soon as you open a folder with your file manager. So also the file manager here creates a huge attack surface.

So I think we have two problems here. We have some automation here that's, I think, sometimes done a bit in a thoughtless way. Like, okay, if you click on a download, it's nice if it just gets downloaded, no more dialogue, that's confusing people. And you have this desktop search and you automatically index stuff, which may be an interesting feature, but it creates a huge attack surface. And then the other issue here we have is that there's a tendency, I think, in the free software community that people tend to use all kinds of libraries to support as many different file formats as possible, and many of these libraries are just of very varying quality.

So what could we do about this?
So one idea is to use some kind of sandboxing, so that you're kind of isolating the process, so even if there's some exploit, it is kind of limited in the impact it can create. And something like such a desktop search, where you have a very isolated process that's just getting some input file and extracting some data, is a very good target for sandboxing. And actually, after these events, Tracker implemented sandboxing, which I think is great. It happened really fast, based on libseccomp. And yeah, that's one way of reducing the impact, and as long as the sandbox doesn't have vulnerabilities, which unfortunately also happens very often, this creates better security for these situations. But as I said, KDE has a very similar tool and they have no sandboxing yet. And also the same thing needs to happen for thumbnailers and similar stuff, which has a larger attack surface.

Then there are several exploit mitigation techniques. So based on the idea that there will always be security vulnerabilities, a lot of technologies have been developed to just make it harder to write exploits. And typical things are stack canaries, non-executable memory pages, address space layout randomization, and kind of a newer idea is called control flow integrity.

So the first two, we usually have them today. So stack canaries, that's with GCC, you have a flag, -fstack-protector, and I think all major distributions use this by default these days. And non-executable memory, that these days is a feature of Intel CPUs, so that's usually available.

With ASLR, it's a bit more complicated. So ASLR, the idea there is that you're just loading code and data at random addresses into memory, and the reason for that is that many exploits rely on the idea that you can overwrite some address for some code and then jump to some area in the code. And if the addresses are random, then the attacker doesn't know where there's any valid code
in memory. So that's a pretty strong protection, and the Linux kernel has had ASLR support since 2.6.12, so quite a while ago. But if you want ASLR to work, the code needs to be compiled in a certain way that it's possible to load this code into random places in memory. So the executable also needs some special properties. So you need so-called position independent code and position independent executables, which again are a compiler flag and -pie, the linker flag.

And here that's a bit of a sad story, because Linux distributions have been extremely slow in adopting this. So the current state: it's gotten much better in the last couple of years. Like, Ubuntu introduced it last year, Fedora in 2015, Debian is working on it and, as far as I heard, for the next version it should be enabled by default. openSUSE only enables it for a few packages. Gentoo only if you use Hardened Gentoo. So this is something that should just be enabled by default everywhere. On 32 bits there was a bit of a problem that it had a significant performance cost; on 64-bit it basically doesn't matter. The performance impact is very low, and it provides a very strong protection against many kinds of exploits. So for other distributions that haven't enabled it yet by default, please do that.

Yeah, Windows has had this since Windows Vista, so quite a while. And modern Windows, Microsoft is experimenting a lot with more modern exploit mitigation techniques. I'm not an expert in this, so I cannot tell a lot of details, but a lot is happening there. However, these are... similar to the Linux situation.
These are things that depend on things like compiler flags, so not all applications use this. So it depends on the application, it depends on configuration. Sometimes you also have things like antivirus applications disabling this, because whatever. Yeah, so a mixed situation as well there.

Yeah, then there's the idea of, with all the C code, maybe we should use other programming languages, and Rust gained a lot of traction lately. So some people say, yeah, let's just stop using C, because C is just full of these memory corruption issues, and we should just rewrite everything in Rust or maybe some other language. Maybe this is the right thing to do, right? But it will take some time and we'll probably have this C code lying around for a while longer. But actually GStreamer already supports writing plugins in Rust, so that's a good thing. So maybe someone wants to rewrite the Nintendo sound file parser or the FLIC parser in Rust. That would be good.

Yeah, or can we just, as the Tracker developer proposed, fix all these bugs? So I looked a bit at GStreamer, and GStreamer is a software that's extremely prone to memory corruption bugs. It's written in C, okay, and it has parsers for a lot of complicated file formats, like really a lot, I don't know, like a hundred or something. And we have a lot of similar software. Like, okay, FFmpeg is also a media parser, ImageMagick which supports all kinds of image formats. Also browsers, but browsers tend to have bug bounty programs and better security teams, so usually this stuff is... But also things like Wireshark or tcpdump. Maybe you've read that tcpdump recently had a release with, I think, like 50 CVEs. I think most of them were reported by me two years ago.

So we could do some fuzzing, because many of these bugs can be trivially found if you use a modern fuzzing tool. By definition, you can never find all the bugs with fuzzing, but I rarely see a memory corruption bug
where I run a fuzzer on it and I don't find it. So if you have many memory corruption bugs, then it basically means nobody ever used a fuzzer on this software. And yeah, the typical tools you use these days: American Fuzzy Lop is very popular, another one is libFuzzer, which is from the LLVM developers. And a tool that can very well be used in combination with fuzzing is Address Sanitizer, which finds memory safety issues that don't crash your application.

So I found 20 memory safety issues. So some of them were crashes, some of them were invalid memory reads. I should say here that they are not necessarily all exploitable; probably most of them are not. And I had a bit of a discussion with the GStreamer developers, who said, "Hey, why did we get 20 CVEs for GStreamer?" And I said, yeah, well, today the policy for CVEs is that they get assigned very easily, and basically every time a library does some invalid memory access, it gets assigned a CVE and is considered a security vulnerability, which does not mean that it's necessarily exploitable.

So this is quite a bit, but it's also a message I want to give here: this is doable. You can make a software like GStreamer much more secure. And I continued running the fuzzer, and I think now it ran for seven days without finding another bug. So you can get to a state where it gets much harder to find these memory corruption bugs.

But there are dependencies. GStreamer is not just the GStreamer software itself; it's using a lot of third-party media libraries, like libopus, FLAC, libvpx, or also things like WavPack, game-music-emu, libsidplay. So do you notice the difference between these two lines?
Like, the upper ones are libraries that are used by browsers, which usually means they are much safer, because browsers pay you a lot of money if you find security vulnerabilities in these libraries. The lower line are more the obscure stuff. Like, WavPack is the old, basically pre-FLAC, lossless file format. game-music-emu is for all these Nintendo sound files and other gaming consoles. Schroedinger, that was a format by the BBC; they've basically abandoned it, it has security vulnerabilities, but nobody's maintaining it. libsidplay is for C64 files. So these lower ones are much more problematic from a security perspective. So while I think we can probably fix most security bugs in GStreamer, doing the same thing for other dependencies is really hard, and I'm not sure. Like, I'm trying, but it's really a lot of stuff. I want you to help me.

So is Linux less secure than Windows? Someone made an interesting comment below an article I wrote about this, saying that, yeah, you don't have something like Tracker in Windows, except if you install an antivirus software, because an antivirus software also has a lot of parsers for complex file formats, and usually the code quality is also really bad. Usually. So maybe the conclusion could be, if you install an antivirus on Windows, you get the same insecurities you have for Linux.

And then this shocked me a bit. There was a bug found by a guy, I cannot say his name correctly, so I won't even try it.
He found a code injection vulnerability in Apport. It's a tool from Ubuntu which is used to handle crashes, and it produces a crash file, and if you double-click on such a crash file, it gives you some info. Okay, I'll do it quick. And then he asked some exploit dealing company, who is, like, selling exploits to governments or whoever, and they offered him $10,000 for this bug. And so this means basically there's someone who thinks it's worth $10,000 to attack Ubuntu users. So many people may think Linux desktop, that doesn't really matter, I mean nobody's using a Linux desktop. I mean I do, but not a lot of people. But this really means this matters. So, yeah, Linux desktop security matters and we have to fix this. Thank you.

Thank you, Hanno. We have time for questions. Raise your hand if you want to ask something or comment.

Hello. Do you have any thoughts concerning the Qubes desktop?

Okay, the question was if I have thoughts concerning Qubes. I haven't looked at it personally, but the idea of Qubes is to have a very strong concept of sandboxing. Maybe that's the right way to go. What I don't think is... sometimes people think sandboxing is the whole solution, and I don't think that's the case, because even if you have sandboxing, you will always have the potential to exploit things that run in the same context. So even if we have sandboxing, we should still make our software more secure.

More questions? Raise your hand. Maybe we can have a poll: how many people think the Linux desktop is more secure than Windows 10? Not even half, so interesting.

So about Tracker: does it run with permissions enough to do a lot of harm to the system? Does that count?

Yeah, so the old version of Tracker ran with just the user account's permissions, so it had full access to everything the user does. Like, as I said, the new version now is sandboxed using libseccomp. I hope that's done in a proper way and will restrict it to just this process. Thank you.
There's another question. Raise your hand if you want to ask something.

More a comment than a question. Thanks, Hanno, for a very interesting talk, and thanks for reassuring me that using my shell as my main file manager is a very good idea actually.

Yeah, but I want the Linux desktop to be an option for average users, and they won't use a shell as their file manager. Anyone else? Okay, let's thank Hanno for the talk.
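The PIE and non-executable-stack properties the talk asks distributions to enable can be verified per binary straight from the ELF headers. The checker below is an added example, not code from the talk or from any project mentioned in it; it assumes little-endian ELF64 input and builds two constructed, header-only images (a legacy ET_EXEC binary with an executable stack beside a hardened PIE) so it runs offline.

```python
import struct

# ELF constants (System V ABI): e_type values, program header types and flags
ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_STACK = 3, 0x6474E551
PF_X = 0x1

def check_elf64(data: bytes) -> dict:
    """Inspect a little-endian ELF64 image and report two mitigation properties:
    pie      - ET_DYN with a PT_INTERP entry, i.e. an executable the loader can
               place at a random base so ASLR covers its own code (ET_EXEC cannot)
    nx_stack - PT_GNU_STACK present and lacking PF_X; a missing PT_GNU_STACK is
               reported as executable, the historical x86 Linux default
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp, nx_stack = False, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN and has_interp, "nx_stack": nx_stack}

def build_elf64(e_type: int, phdrs) -> bytes:
    """Constructed test image: a valid ELF64 header followed by program headers
    with zeroed offsets. It exists only for header inspection and cannot run."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x401000,
                              64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body

# Constructed samples: the non-PIE, executable-stack state the talk complains
# about, and the hardened state distributions are asked to ship by default.
LEGACY_EXE = build_elf64(ET_EXEC, [(PT_INTERP, 4), (PT_GNU_STACK, 6 | PF_X)])
HARDENED_EXE = build_elf64(ET_DYN, [(PT_INTERP, 4), (PT_GNU_STACK, 6)])

if __name__ == "__main__":
    import sys
    # Pass real binaries on the command line (e.g. /usr/bin/ls) to audit them.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_elf64(fh.read()))
    else:
        print("legacy  ", check_elf64(LEGACY_EXE))
        print("hardened", check_elf64(HARDENED_EXE))
```

Run it against a distribution's binaries to see how far the PIE adoption the talk describes has actually reached on a given system.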