Is the Linux Desktop less secure than Windows 10?

Or how Super Mario music can own your system.

Hanno Böck
https://hboeck.de

This was too easy. It should not be possible to find a serious memory corruption vulnerability in the default Linux desktop attack surface with just a few minutes of looking. Although it's hard to say it, this is not the kind of situation that occurs with a latest Windows 10 default install. Is it possible that Linux desktop security has rotted? (Chris Evans)

Nintendo Sound Files (1)

Exploit against Gstreamer in Ubuntu 12.04 (LTS).

Thumbnail parser.

Nintendo Sound Files (2)

NSF players are mini-emulators - the attacker can execute code in an emulator.

Easier to bypass modern exploit mitigation techniques.

Fix

The fix is to delete the affected NSF gstreamer plugin.

No problem: Ubuntu shipped two different NSF player plugins.

FLIC exploit

Autodesk Animator

Automatic downloads

Some browsers automatically download files to ~/Downloads.

Any webpage can create files on your filesystem.

(Chrome/Chromium, Epiphany, ... - not Linux specific)

Tracker

GNOME Desktop search tool automatically indexes all new files in a user's home - including ~/Downloads.

Tracker parsers (1)

Gstreamer, ffmpeg, flac, totem-pl-parser, tiff, libvorbis, taglib, libpng, libexif, giflib, libjpeg-turbo, libosinfo, poppler, libxml2, exempi, libgxps, ghostscript, libiptcdata

Tracker parsers (2)

If you can exploit any of them you can exploit many Linux desktop users from the web without user interaction.

Not just Tracker

KDE has Baloo.

Thumbnail tools from file managers have similar issues.

Problems

Automation: Non-interactive downloads and automatic indexing create a huge attack surface.

Support for a vast variety of file formats, provided by many libraries of varying quality.

What can be done?

Sandboxing

Isolated parser processes are good targets for sandboxing.

After these events, Tracker implemented sandboxing based on libseccomp (KDE/Baloo hasn't yet).

Exploit mitigation

Stack Canaries, nonexecutable memory, Address Space Layout Randomization, Code-Flow Integrity.

Linux and ASLR (1)

ASLR is one of the strongest exploit mitigation techniques available.

Linux has ASLR support since kernel 2.6.12.

Linux and ASLR (2)

Proper ASLR needs position-independent code and executables (-fpic -pie).

Linux distributions have been extremely slow in adopting ASLR.

Status ASLR / PIE

Ubuntu: Introduced it in 16.10 (2016)

Fedora: Introduced it in 23 (2015).

Debian: Work in progress (Stretch / 2017).

openSUSE: No (only for few packages).

Gentoo: Only hardened Gentoo.
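Added example, not from the talk: a POSIX shell script that reads the ELF header's e_type field directly and reports whether a binary was linked as a position-independent executable (ET_DYN) or at a fixed address (ET_EXEC), the check an administrator can run over a distribution's /usr/bin to see where it stands on the status list above. The sample headers it writes are constructed for the demonstration, and the script name pie-check.sh is a placeholder.

```shell
#!/bin/sh
# pie-check.sh (added example, not from the talk): read the ELF e_type field
# of each file with POSIX od and report whether an executable is PIE
# (ET_DYN = 3, main image gets randomized by ASLR) or fixed-address ET_EXEC (2).
# Assumption: only the first 18 bytes of the ELF header are needed; no readelf.

# Print the numeric e_type of an ELF file; return 1 if the file is not ELF.
elf_type() {
  f=$1
  magic=$(od -A n -t x1 -N 4 "$f" 2>/dev/null | tr -d ' \n')
  [ "$magic" = "7f454c46" ] || return 1
  ei_data=$(od -A n -t x1 -j 5 -N 1 "$f" | tr -d ' \n')   # 01 = LE, 02 = BE
  set -- $(od -A n -t x1 -j 16 -N 2 "$f")                 # two e_type bytes
  [ $# -eq 2 ] || return 1                                 # truncated header
  if [ "$ei_data" = "02" ]; then
    echo $((0x$1$2))
  else
    echo $((0x$2$1))
  fi
}

# Classify one file: pie / no-pie / other (shared libraries are also ET_DYN,
# so for an executable ET_DYN means it was linked with -pie).
pie_status() {
  t=$(elf_type "$1") || { echo not-elf; return 0; }
  case $t in
    3) echo pie ;;
    2) echo no-pie ;;
    *) echo other ;;
  esac
}

# Report every ELF file in a directory, e.g. scan_dir /usr/bin.
scan_dir() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    s=$(pie_status "$f")
    [ "$s" = not-elf ] || printf '%-7s %s\n' "$s" "$f"
  done
}

# Constructed 18-byte headers used as sample input (not runnable programs):
# magic, class=64-bit, data=endianness, version, OS ABI, pad, e_type.
sample_le_pie()  { printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\003\000' > "$1"; }
sample_le_exec() { printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\002\000' > "$1"; }
sample_be_exec() { printf '\177ELF\002\002\001\000\000\000\000\000\000\000\000\000\000\002' > "$1"; }

# With directories as arguments, scan them: sh pie-check.sh /usr/bin /usr/local/bin
for d in "$@"; do scan_dir "$d"; done
```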

And Windows?

Microsoft introduced ASLR in Vista.

Modern Windows already has next-level mitigations like Code-Flow Integrity.

However: Exploit mitigations depend on applications and configuration.

Burn all C?

So let's rewrite everything in Rust or other memory safe languages?

Gstreamer already supports plugins written in Rust.

Or can we just fix all the bugs?

Gstreamer is extremely prone to memory safety bugs - C code, parsers for many different file formats.

Similar cases: ffmpeg, ImageMagick, browsers, wireshark, tcpdump, ...

Let's do some fuzzing

Most of these bugs can be trivially found with modern coverage-based fuzzing and sanitizing tools.

If they're still there it means nobody is trying to find and report them.

American Fuzzy Lop, LibFuzzer, Address Sanitizer.

Fuzzing Gstreamer

Result: 20 memory safety issues (crashes, invalid memory reads, not necessarily exploitable).

This is quite a bit, but it's doable.

But there are the dependencies...

  • libopus, flac, libvpx, libtheora, ffmpeg
  • wavpack, game-music-emu, schroedinger, libsidplay, faad, a52dec, libcdio.

Fuzzing Gstreamer conclusion

I think we can fix most of the security bugs in Gstreamer.

Not sure if the same is true for its dependencies.

Is Linux less secure than Windows?

Automatic indexing of files with a lot of parser code of questionable quality.

Does something similar exist in Windows? Not by default, but there's Antivirus software.

Bug in apport (1)

Donncha O'Cearbhaill found a code injection vulnerability in apport, an Ubuntu tool to handle crashes.

No automation: requires the user to click on a .crash file.

Bug in apport (2)

An exploit dealer company offered the bug finder $10,000 for this bug.

There's someone out there who thinks it's worth $10,000 to exploit some Ubuntu users.

Linux Desktop security matters. We have to fix this!