Pondering the X client vulnerabilities

I think perhaps this went unfixed for so long because many people just don't see the value in it (compared to other work at least). But with open source I guess all it takes is one person to do it!

Any distro daft enough to package a setuid binary that links a GUI needs to buck their ideas up too.

I'm using Linux and Unix since many decades, and I'm not aware of them, but willing to learn more. (I've got daemons that bind to ports, but they are not suid, they are started by root. Even an X server is most often not suid nowadays, with xdm and friends.)

The problem reported against Qt was simply someone using something incorrectly, and being told they've done so, then complaining it doesn't work. A couple of the issues spotted were genuine bugs, and should be addressed (I'm not aware that they actually filed them btw) but they aren't security holes in Qt.

While we’d like to hope so, we know it’s not true amongst the application developer population in general. Besides the KDE issues mentioned in the CanSecWest preso, and GTK’s prohibition of setuid use (though that’s not about not trusting Xlib, but not wanting to have to block or sandbox user-specified loadable modules), we know there’s other examples out there.

There’s even a few claims to the contrary:

> The amount of code in Xlib is very small, and has been extensively security audited.
> It is very unlikely that there are crashing bugs lurking in Xlib itself.
— http://www.jwz.org/xscreensaver/toolkits.html

which sounds like someone who never looked at the XKB & XIM portions of Xlib. I never thought it would make me so unhappy to prove jwz wrong.

It also goes to show that extensive security audits in the past are no match for either evolving code bases or evolving attack profiles, and anything that hasn't been audited recently, by someone with the latest code and knowledge of the latest advances in security vulnerabilities and exploits, is likely to have some issues.

Yes, the code is open, but it really was under the very tight control of one organization for a very long time. By the time it 'escaped', it was huge, requiring nonstandard tools to deal with it.

In recent years, it's also suffered from the fact that many of the core developers are publicly calling it obsolete, that Wayland should replace it and therefor that's where all the effort should be spent.

All of this has discouraged people from digging into the code (although the x.org project has made progress in getting the codebase to be easier for people to deal with, it's still a monster)

People need to realize that even if Wayland does take over the desktop, the X libraries and protocol are still going to be used.

Not only that. X11 code and history is full of lessons on what does and doesn't work in a graphics subsystem. What leads to simple and elegant solutions, and what to ugly piles of hack-over-hack.

I bet Wayland would not be possible without the experience gained maintaining X.org. The main developers are, after all, X.org maintainers.

... What we probably need much more crucially is a way of preventing false security claims; or more specifically in this case a way to remember (for a long time) that this code has *not* been reviewed or taken care of from the security point of view.
Many people, especially *very serious people* (to paraphrase a famous blogger), falsely claim that security is a given on specific device, when they try to advance on their own project (or career). We need to change the way we look at these claims (and these people knowledge probably) in order to prevent them from simply waiting that a software gets wide usage in order to claim any security (or risk management as they call it).
These false claims are a pain to counter. We all know in this technical field that: either pieces of evidence are available (usually a lot) to demonstrate that some security effort has been done, either the device is not secure.

Let's change our default motto! Unless we can provide hundred of logs of activity, let's say frankly: "of course it's not secure".
(Furthermore, sometimes, this is preferable... but that would another topic.)

So doing these checks at runtime would make the code run half as fast? So what? The X client library is hardly a bottleneck for most applications and it wasn't one twenty years ago either. If there are performance-critical sections of code they can be audited carefully and checks can be disabled there.

The saddest part is that today it is still just as easy to put these bugs into your code.

Because the project started in 1984. What else would they have used -- Ada?

That social inertia is what keeps certain languages in place even after you would think they should have been put away 20-30 years ago.

The low-level stuff can't be ignored, but I'm a lot more comfortable having the base libraries be written in C, since they're written by someone who presumably knows what they're doing, and having the programs running on that code written in Java.

As for the browser, you're talking about a tool that deals with a sustained barrage of untrusted material, and it's not hard to feed a web browser compromised material. Looking at Chrome's recent vulnerabilities, in May we had 8 use-after-frees and one out-of-bounds read (and four other), and in March we had 6 use-after-frees and 1 out-of-bounds read (and 15 other, including some "memory corruptions"). (Counts of CVEs listed in Debian's changelog.)

As hummassa says, there's other standard security errors that Python and Java as well as C and C++ get up to. But 45% of Chrome's recent CVEs wouldn't have existed in Java or similar systems. Pick the low-hanging fruit first.

By all means profile the code, find the hot sections, and after careful review turn off safety for those. That does not justify running without bounds checking or overflow checking for the rest of the code.

Please define 'thick pointers', the opposite of 'thin pointers'.
An address plus a size? The size of what?
OK, for a structure, a thick pointer to that structure is { pointer + size of structure}.
For an array of structures, a thick pointer to that array is { pointer + size of complete array}. To get a thick pointer to an element of that array, you now need the size of that element - possible.
Now you want to scan through an array, you do not want a thick pointer to an element of the array (because you will not be able to increment this thick pointer to point to the next element), you want a thick pointer to an array of element, each times you increment the thick pointer you decrement the size of this thick pointer by the size of the structure of the array.
Now someone wants to search something in the array from the end of the array, each times you decrement the thick pointer you increment this thick pointer size by the size of the structure of the array. But then what stops you to go below the start of the array? You need to include a minimum base address into the thick pointer?
Now imagine all this is about chars and array of chars - your thick pointer is bigger than the string you are manipulating, and you code initially only prints an hexadecimal value into an array of 256 bytes, you know it will not overflow.
You think the compiler will be able to optimise and remove a field of a structure (thick pointer size) when it is obvious there will not be any problem? It is not going to happen if the function is not static inside the C file.
The "thick pointer size" can also be a variable inside the compiler (range analysis) instead of inside the compiled function, but that has its limits.

In any case, C doesn't need to become a safe language. There are plenty of safe languages to code in, you need at least one unsafe language to code all the safe languages in. It may as well be C.

What I think would really make a difference is if someone actually implemented a working C-like language (you couldn't call it C) that had a few extra restrictions, like: 'a pointer assigned an address in array X cannot point outside that array by pointer arithmetic'. And then demonstrated that it (a) performed ok and (b) ran >99% of existing C code.

I think the easiest way to achieve this would be code a C interpreter in PyPy where you could implement the restrictions, and you get a JIT to make it perform. If you could make this work, my guess is you could convince a lot of people run most C programs under such an interpreter and you would have solved the problems for a significant portion of the codebase.

But whether its actually achievable....

The major obstacle would be that you'd need an ABI change to pass around the necessary object extent data to enforce this everywhere.

That is, when different team members expect something to be fixed in different ways because they have differing expectations. In a small group you talk it out and get a solution that everybody agrees with.

This I think makes it much more difficult for open source projects because you don't get the real time feedback and when disagreements arise you don't have the offline high-bandwidth, low-latency channel to discuss the problem and come up with better solutions. Nothing is more demotivating that having your patch stuck in review phase.

Fortunately many larger projects do successful patch review and it works reasonably well, but it's not always easy.