-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thu, May 21, 2015 at 12:56:48AM -0700, Vít Šesták wrote:
> Well, there is one more security consideration. Some notification daemons
> parse HTML in some cases. The KNotify does this. This is very nasty, as
> this is not properly documented. I am not sure if this is fail of
> notify-send notification (which does not mention HTML) or if it is just
> some nasty extension of some notification daemons.
Actually we use this feature/bug in some places - for example gpg
backend has name of calling VM bold. Also I'm not sure if this is a
feature or a bug.
Maybe there could be two services: Notify and NotifyHTML and you can
setup policy to allow the later one only for more trusted VMs?
>
> Regards,
> Vít Šesták 'v6ak'
>
> On Thursday, May 21, 2015 at 9:37:51 AM UTC+2, Vít Šesták wrote:
> >
> > I've made a proof-of-concept. I've significantly modified statnot (just
> > few of the original Python code remained) to forward all notifications to a
> > RPC endpoint in dom0. Just title, appname and message body are supported.
> > The fields are separated by newline, which allows injection. Maybe this is
> > not critical, but I'd like to fix it. There is, of course, also a RPC,
> > which is currently written in Bash and which sanitizes (or probably
> > rejects) the input if there is invalid UTF-8 sequence, parses the input and
> > passes it to notify-send.
> >
> >
https://gist.github.com/v6ak/6ef6768103587bc273fb
Nice prototype.
As you've guessed, I vote for Python :)
> > ## 2. Make a better protocol and fix the injection
> >
> > The current protocol does not handle newlines in notification title and so
> > on. We need a better serialization.
Maybe just as now - 3 lines. But each encoded with base64? Of course
later it needs some sanitization:
- validate UTF-8
- filter/drop HTML tags and maybe some control characters
- some length limit
> In Scala, I could just use
> > DataInputStream, which should be safe and valid UTF-8 strings would be
> > guaranteed. In Python, I am not sure what to use. Maybe a JSON? But that
> > might be too large attack surface. Maybe struct.pack/unpack? I am not sure
> > about security and safety, I just found it was vulnerable in the past (see
> >
https://www.exploit-db.com/exploits/31762/ ), but not sure about the
> > present.
> >
> > ## 3. Write some more friendly installation manual and/or create a pull
> > request to Qubes
> >
> > At this stage, it would be likely mature enough for either being merged
> > with Qubes or published with some installation manual.
> >
> > I just published two scripts, but the installation is slightly more
> > complicated. The *q6-notification-proxy*
> > <
https://gist.github.com/v6ak/6ef6768103587bc273fb#file-q6-notification-proxy>
> > is intended to replace the notification daemon (e.g. notify-osd,
> > mate-notification-daemon or whatever) in the AppVM. The *rpc* script is
> > intended to be an endpoint in Dom0, but installing an endpoint requires
> > adding a policy and a one-line service file. This is not complicated and if
> > you would like to develop this, I can provide you some hints.
> >
> > ## 4. Support more fields and libnotify options, including actions
> >
> > Actions would complicate the protocol, but I think it is reasonable to
> > want a support for them.n't think
I'm not sure if this is good idea to have actions in this protocol.
Maybe if the application requests some actions, just handle such notify
locally?
> > ## 5. Support images (tricky to make it secure)
> >
> > Nice to have and relatively complicated. We need to convert the image to
> > RGB (in order to minimize attack surface) and somehow mix with the AppVM
> > lock or AppVM color.
There is already such image converter, take a look at
linux-utils/core/imgconverter.py (or
/usr/lib64/python2.7/site-packages/qubes/imgconverted.py in VM).
But as above - I think it isn't high priority.
> > # Some general security considerations
> >
> > * Notifications are transferred to Dom0 at this moment. I don't think to
> > be bad. First, the LibnotifyVM gets inherently *some* trust, as
> > notifications might contain something sensitive and it would likely allowed
> > (in future) to perform some actions on AppVMs. But more importantly, I
> > don't see a simple protocol handled by a memory-safe language with some
> > utf-8 sanitization to be a significant attack surface. I don't think that
> > the security benefits of a separate LibnotifyVM outweight all the overhead,
> > but it is technically possible.
Even if we decide that we need LibnotifyVM, it's trivial change because
RPC policy supports redirection (so every notify RPC could be redirected
to notify VM, without any configuration in the calling VM.
> > * Proper string encoding should be enforced in the RPC endpoint. It is in
> > the current bash version and it should be enforced in the future version.
> > * Active/idle detection. If we implement some handlers of cancelled
> > notification, any AppVM with permission to use notifications could make a
> > notification with some short expiration. Some notification daemons (e.g.
> > mate-notification-daemon) seem to start counting after some activity is
> > detected, which would allow any AppVM with permission to use notifications
> > to detect activity. Such malicious activity is however likely to be seen by
> > user and assigned to the malicious AppVM. We can help the user by setting a
> > minimal timeout.
Maybe we can just don't give any feedback to the calling VM? Just like
do not support actions. But I'm not sure if this is a big problem.
> > * Notification flood. In KDE, a notification flood causes older
> > notifications to be forgotten. But such attack is usually not high-risk and
> > there is very high chance to find the malicious AppVM.
We can implement some per-VM rate-limit (like 20/min). But IMO we can
ignore the problem in first version.
> > * Extremely large payloads. They could cause either a DoS (e.g. swapping
> > and running Dom0 out of memory) or buffer overflow. None of these is
> > desirable, but it should cause at most DoS with a correct notification
> > daemon. Do we care? Note that there are some other opportunities for such
> > attacks, like X11 windows.
Size surely needs to be limited. Does dbus notification API specify any
size limit? Maybe we can use the same?
> >
> > Regards,
> > Vít Šesták 'v6ak'
> >
> > On Saturday, August 18, 2012 at 3:12:37 PM UTC+2, Radosław Szkodziński
> > wrote:
> >>
> >>
> >>
> >> Jan Beerden <
j...@janbeerden.be> napisał:
> >>
> >> >Hello
> >> >
> >> >I'm wondering if it would be possible to have libnotify-like
> >> >notifications
> >> >from the different appvm's?
> >> >Maybe even passing notifications to dom0's notification daemon?
> >> >
> >> >
> >> >Kind regards
> >> >
> >> >Jan Beerden
> >>
> >> Normal notifications work well, but they might overlap if more than one
> >> is present at the same time.
> >>
> >> If a really central mechanism is desired, the protocol will have to be
> >> pretty restrictive, more so than clipboard one.
> >>
> >> R.Sz.
> >>
> >
>
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJVXa/gAAoJENuP0xzK19csvUEH/0169aCTtLJyZCSYAKtGmqAv
u6hO5vWf1i5Z/tU/KyuAuhW2Gv9CgzQvmhb1EtTKVcYv9xyT/axCK64eILgmjaau
RvLwNa8YnZaV/IUkyPW7V/1vgdyPF0QUscQBFDNnc/mJVegB6e8kpzq1HOXTULVW
V6qxVJHnE/uJwcgB23FyvLUgluIDRJATP0vIXmSOWpDIlQts49PyV60iKLIeTmoq
6gydzTFxQfXDNGkq/qrnbdzaOYuxIdoVeAnUNLhYy3F69O7m1O8PTRIC6LGftNwV
+jA1tzU7hpUCBtFX1IBoTQtOys4dw3sYQ0ftis+yqVT8Lbfe6Xgd1ykqOKxamgw=
=uR4q
-----END PGP SIGNATURE-----