A fascinating but ominous software story dropped on Friday: a widely used file compression software package called “xz utils” has a cleverly embedded system for backdooring shell login connections, and it’s unclear how far this dangerous package got into countless internet-enabled devices. It appears the persona that injected this played a long game, gaining the […]
Maybe Linux and some other software projects just fundamentally don’t have enough isolation. That is, maybe the typical software package should be expected to run in a sandbox
Some of it is that a lot of desktop software paradigms weren’t built to operate in that kind of environment, and you can’t just break backwards compatibility without enormous costs.
Wayland’s been banging on that, but there’s a lot to change.
Like, the clipboard is designed so that software packages can query its contents, rather than having the contents pushed to it.
What’s on the screen and a lot of system state like keys that are down and where the mouse pointer is and so forth wasn’t treated as information that needed to be kept private from an application.
I don’t think that there’s a great way to run isolated game-level 3d graphics in a VM unless you’re gonna have separate hardware.
Something that I’ve wondered about is potential vulnerability via Steam. None of the software there is isolated in a “this might be malicious” sense – not from the rest of the system, not from other software sold via Steam. And Steam is used to distribute free software…I haven’t looked into it, but I don’t think that the bar to get something into Steam is likely super high. And then consider that there are free-to-play games that have to make money however they can, and some of that is going to be selling data, and some of how they do that may be to just offer to run whatever libraries with their game the highest bidder offers. How secure are those supply chains? And on Steam, most of the software is closed source, which makes inspecting what’s going on harder. And that’s before we even get to mods and stuff like that, which are from all over the place.
I mean, let’s say that random library from an ad company used by a free-to-play game is sending up the identity of the user on the computer. It has some functionality that slurps in a payload from the network telling it to grab credentials off the existing system, and does so for ten critical users. Would anyone notice? I have a really hard time believing that there’d be any way to pick up on that. Even if you wanted to, you can’t isolate many of these games from the network without breaking their functionality, and there’s no mechanism in place today isolating them from the user’s storage or other identity information.
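The kind of wrapper the comment above says is missing, as an added example that is not part of the original thread and is not anything Steam or a game vendor ships: a bubblewrap (bwrap) launcher that keeps network access (the free-to-play games need it) but hands the process a throwaway home directory so the real ~/.ssh, browser profiles and tokens are simply not there to steal. The install path /opt/game and the in-sandbox user name "player" are placeholders; the script assumes bwrap is installed and unprivileged user namespaces are enabled.

```bash
#!/bin/sh
# Added example: isolate a closed-source game from the user's home with bwrap.
# Not from the thread or from any vendor; /opt/game and "player" are placeholders.

# Weak baseline: how a launcher normally starts a game. The process inherits
# the real HOME and the entire filesystem, so an ad SDK inside it can read
# ~/.ssh, ~/.config/* and any credential file the user can read.
run_unsandboxed() {
    "$@"
}

# Print the bwrap options, one per line, so they can be inspected or tested.
# $1 = directory holding the game install (the only writable data it needs).
# Network is deliberately NOT unshared (no --unshare-net); the point is to
# keep the game working while removing access to the user's own files.
sandbox_opts() {
    game_dir=$1
    cat <<EOF
--ro-bind /usr /usr
--ro-bind /etc /etc
--symlink usr/lib /lib
--symlink usr/lib64 /lib64
--symlink usr/bin /bin
--proc /proc
--dev /dev
--dev-bind /dev/dri /dev/dri
--tmpfs /tmp
--tmpfs /home
--bind $game_dir /home/player/game
--setenv HOME /home/player
--chdir /home/player/game
--unshare-pid
--unshare-ipc
--unshare-uts
--die-with-parent
--new-session
EOF
}

# Hardened form: same command line, but run inside the sandbox.
# $1 = game directory, remaining args = the game command line.
# Word splitting of $(sandbox_opts ...) is intentional; paths must not contain spaces.
run_sandboxed() {
    game_dir=$1; shift
    # shellcheck disable=SC2046
    exec bwrap $(sandbox_opts "$game_dir") -- "$@"
}

# Usage (after sourcing this file):  run_sandboxed /opt/game ./game-binary
```

What the real system still has to grant is exactly what the thread complains about: a 3D game needs /dev/dri (bound above) plus the Wayland or X11 socket and the audio socket under $XDG_RUNTIME_DIR, each of which has to be bind-mounted into the sandbox by hand, and the X11 socket in particular hands back the whole clipboard and input state. /etc is exposed read-only because the dynamic loader and DNS need it; if the machine keeps secrets there, bind individual files instead.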
XKCD 1200
Qubes OS
LinuxCon + CloudOpen Europe 2014 - Qubes OS - Joanna Rutkowska
It’s been over 10 years already, and the desktop is only timidly adding containers, disposable VMs, per-program access permissions, and all that.
FreeBSD jails were way ahead of their time