Skip to content

Latest commit

 

History

History
199 lines (154 loc) · 17.2 KB

Security.md

File metadata and controls

199 lines (154 loc) · 17.2 KB

Security considerations

A significant proportion of Xpra's development was sponsored by the security industry to provide a shield for users securely running applications that require network access - the xpra clients are only exposed to a tightly controlled and secure network flux, completely removed from the underlying protocols that those applications normally use to interact with the user.

As a result, the architecture, features and options are often directly related to the mechanisms that this fine-grained control requires. These defenses can be applied to a client protecting itself from a potentially hostile application or server and also in the opposite direction to confine users to the environment assigned to them. A default xpra installation should be quite secure by default, but there are trade-offs to be made.

Be aware that these defenses all count for nothing when using downstream out of date packages.

Architecture

The way xpra is structured into independent python submodules allows it to partition off each subsystem.
When features are disabled, they are not just unused, they are not even loaded into memory in the first place. Those subsystem interfaces cannot be abused since they don't even exist in that process space - very much like when features are not installed on the system at all.
When combined with fine-grained sub-packages, you can also do exactly that: install only what is strictly needed.
For technical details, see dynamic client connection class and completely skip server base classes
The same principle applies to codecs and all swappable components.
Moreover, the use of pure Python code for the vast majority of the data handling completely prevents whole classes of vulnerabilities. The parts of the code that do require high performance (data mangling, (de)compression, etc) use heavily optimized libraries (see audio and encodings below) - which are all optional.

Subsystems

Most of the features below have explicit command line switches which can be used to completely disable the subsystem, to start with the feature turned off or to restrict the feature in its scope or impact.
If a client or server turns off a subsystem then the remote end cannot enable the feature. Some switches only affect the on / off state of the feature instead, which does allow for the feature to be enabled through a user action once the connection is established.
These toggles may also be accessible through the server's control channel and dbus interface. \

Specific Subsystems

Obviously, from a security perspective, the safest clipboard is one that is disabled (--clipboard=no) but that is not always an acceptable compromise for end users, in which case limiting the --clipboard-direction may be enough. Beyond this, there are many other tunables in the clipboard subsystem and its various OS specific implementations. This can be used to restrict the rate and size of the data transferred, filter out certain types of contents, select which clipboards can be accessed (for platforms that support more than one clipboard type), the type of data exchanged, etc.. Pictures transferred using the clipboard from server to client are sanitized (re-encoded) and watermarked.

Very much like the clipboard, the safest way to handle audio is to not forward it at all. If audio forwarding has to be enabled, not all codecs are equal from a security point of view. Using a codec without a container reduces the complexity somewhat, but using a raw audio format like wav is the safest option since there is no parsing involved. The downside is that this is an uncompressed format, though xpra does offer the option to compress wav using lz4. That said, mp3 is now over 30 years old and the libraries parsing it are very mature. Other codecs have had a few issues in more recent times (ie: faac and faad2 security issues) xpra runs the audio processing in a separate process which does not have access to the display.

Xpra supports a large number of picture and video codecs as well as raw uncompressed pixel data. Each encoding option has different strengths and weaknesses. The raw options rgb and mmap are obviously the safest since they do not require any parsing, but they can require humongous amounts of bandwidth (ie: tens of Gbps for a 4K window). Older picture encodings like png and jpeg are probably the safests due to their maturity. Video encodings as well as newer picture encodings (often derived from the new generation of video compression techniques, like webp and avif) are probably less safe due to their level of complexity - see also hardware access below.

Printer forwarding presents security challenges for both the server and the client:

  • the server parses printer data from the client and then uses privileged commands to create a matching virtual printer. The client can also update the list of printers at any time, causing the whole setup process to be repeated.
  • the client receives Postscript or PDF files which are sent to the real printer, this is compartively safer - though parsing bugs for these formats have been found

This feature has potential for abuse in both directions which is why there are many options to restrict what can be done with it. File transfers can be disabled completely which is obviously the safest option. The default settings allow file transfers but a user confirmation is requested before accepting a file or opening it. The file size and number of concurrent file transfers can also be configured.

System Tray and Notifications forwarding

These features provide tighter desktop integration which can be seen as a security risk and can be turned off completely. However, the improved usability usually makes this an acceptable trade-off and these features are enabled by default.

Although this feature is never turned on by default, it is available. There are obvious privacy concerns here, and it may be desirable to turn off the feature completely.

DBus

"D-Bus is a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle." This makes dbus both a very useful desktop environment component and a wide attack target. The --dbus-control channel should be turned off if unused.

Hardware Access

Any subsystem that accesses hardware directly is an inherent security risk. This includes: the NVENC encoder (see also proxy server system integration), hardware OpenGL server and client acceleration, printer access and some authentication modules.


Operation

Running mode, network connections and diagnostics, malicious peers, specific options

Modes

Some features are harder to implement correctly in seamless mode because of the inherent complexity of handling windows client side and synchronizing their state. (ie: window resizing vs readonly mode) By definition, shadow mode gives access to the full desktop, without any kind of restriction - for better or worse. For these reasons, it may be worth considering desktop mode instead.

Xpra supports natively many different types of network connections (tcp, ssl, ws, wss, vnc, ssh, vsock, quic, etc) and most of these can be encrypted and multiplexed through a single port. The safest option will depend on the type of xpra client connecting - but generally speaking, ssl, quic and ssh are considered the safest as they provide host verification and encryption in one protocol. Each connection can also combine any number of authentication modules.

Logging and diagnostics

Debugging tools and diagnostics can sometimes be at odds with good security practices. When that happens, we usually err on the side of caution but not always when it affects usability: http scripts information disclosure The extensive debug logging capabilities normally obfuscate sensitive information like passwords and keys, but it may still be possible to glean enough data to be present a real risk. A good preventative measure is to disable remote logging and turn off the server's control channel (#3573). The xpra shell is a very powerful debugging feature which allows full access to all the data structures held in the client and server. It is disabled by default.

Malicious clients and servers

Servers should be using authentication, so typically this means that malicious clients have had their authentication credentials compromised or perhaps the whole clients is compromised. Clients should be using SSL certificates or SSH host keys to verify the identity of a server. A malicious server would be one that has been compromised or which is running a compromised application (ie: a browser).

As per the list above, if the specific subsystem is not disabled, a malicious actor may be able to:

  • collect information about the remote peer: xpra and library versions, network connection, etc
  • send malicious files to be downloaded or opened by the client, documents to be printed
  • send notifications trying to impersonate local applications or to mislead the client
  • monitor all application or client clipboard transfers and copy the data
  • play a misleading audio stream, etc Moreover, a malicious server would be able to easily take screen captures of all applications, record all pointer events and keystrokes - making it relatively easy to capture any credentials typed into the session.

Options

Some specific options have a direct impact on the security of the system:

  • start-new-commands this is precisely a remote command execution and should be disabled if the client is not trusted
  • terminate-children should be used to prevent child commands from lingering - most commands are killed when their connection to the display is terminated, but some may survive
  • exit-with-children to terminate servers when applications are closed
  • exit-with-client to terminate when clients exit
  • idle-timeout to prevent unused client sessions from consuming server resources
  • server-idle-timeout to prevent unused servers from consuming resources
  • start-via-proxy causes the sessions to be registered with the system's login service, which usually has the effect of moving them to their own session control group
  • systemd-run runs the server in a transient systemd scope unit
  • proxy-start-sessions=yes|no should be disabled if only existing sessions should be accessed via the proxy server
  • daemon, chdir, pidfile, log-dir and log-file: the server's filesystem context
  • remote-xpra the command executed from client SSH connections
  • source=SOURCE and env=ENV: anything that modifies the server's environment variables can potentially be used to subvert the server process
  • source-start=SOURCE_START, start-env=START_ENV: as above, but for commands started by the server
  • mdns will advertise sessions on local networks
  • readonly sessions are unable to receive any keyboard or pointer input
  • sharing and lock control if and when sessions are transferred between clients
  • border, min-size, max-size, modal-windows: to distinguish and constrain remote windows
  • challenge-handlers to restrict the type of authentication mechanisms the client will use (ie: prevent password prompts)
  • uinput virtual devices should be avoided as they can be used to inject input events into a system at a lower level

Platforms

binaries, anti-viruses, system-integration, etc

By default, xpra is built using strict compilation options and any warning will cause the build to fail (-Werror). Whenever needed or required (libraries missing in a specific distribution or variant thereof), the xpra project provides up-to-date versions of key libraries on many platforms: https://github.com/Xpra-org/xpra/tree/master/packaging/ and not just xpra. That said, binaries..

Binaries - MS Windows and MacOS

The distribution of binary bundles applies to MS Windows, MacOS builds and also on Linux when using formats like appimage, flatpak, snap (these formats are not currently supported, in part because of this particular problem) or - to a lesser extent - with container builds. The issue here is that by bundling all these libraries into one container format (ie: EXE or DMG), it becomes impossible to propagate library updates in a timely manner. This means that it may take weeks or months before the patch for a zero-day exploit is deployed. Sadly, this is not a theoretical issue: pdfium 0-day, putty vulnerability, tortoisesvn unpatched security fix and many many more. The MS Windows libraries are maintained by MSYS2, the MacOS libraries are maintained using our fork of gtk-osx-build

Anti-viruses

Because of the way xpra intercepts and injects pointer and keyboard events - and the API it uses to perform these tasks, it is regularly misidentified as malware: f-secure and bitdefender false-positive, Microsoft AI

The builtin web server ships with fairly restrictive http headers and content security policy, even blocking some valid use cases by default - though we could go even further. For security issues related to the html5 client, please refer to xpra-html5 project issues

SELinux

On Linux systems that support it, xpra includes an SELinux policy to properly confine its server process whilst still giving it access to the paths and sockets it needs to function: https://github.com/Xpra-org/xpra/tree/master/fs/share/selinux

System Integration

The xpra server and client(s) can both be embedded with or integrated into other sotware components, this completely changes the security profile of the solution. For example:

  • By using an external websocket proxy (ie: Apache HTTP Proxy) one can shield the xpra server from potentially hostile external traffic and add a separately configured authentication layer with only minimal latency costs (when configured properly)
  • Xpra's own proxy server can be used to provide hardware acceleration within a different context than the one that is executing user applications.
  • Running the system-wide proxy server provides tighter integration into the system's session service, which has both pros and cons: potentially better session accounting and control, at the cost of running a privileged service
  • OpenGL hardware acceleration via WSL - Windows Subsystem for Linux

Containers - VM

Using containers or virtual machines is a very popular way of deploying xpra, both offer a strong extra security layer which can also be used to restrict access to system resources - though this limited access to the underlying hardware also restricts hardware acceleration options.


Vulnerabilities

It is difficult to keep track of all the security related issues that have affected the project over the years.
Some have been assigned CVEs, most have not.
Likewise, it is quite hard to keep track of all the bugs affecting the libraries xpra is built on. But here are some examples:

(see also the "binaries" paragraph above which has more platform specific examples)

By and large, the biggest concern is the complete lack of security updates from downstream distributions - even when faced with serious system crashes.