Version 2.0

30min: The pity state of Linux desktop security


The Linux community is proud about their secure system. It laughs at the competitors, their security problems, the malware for those systems and praises itself for being awesome as there is no malware.

But the reality is different.

Our desktop is designed around the security of X11 which means it's non-existent. X11 has no security model and many severe security flaws from allowing keyloggers to just take over the complete windowing system. Given the non-existent security on X11, it's normal that applications trust applications running as the same user. This is known as "if it runs, it is trusted!" There is no point trying to protect against malware on the same system, it can just talk to X11.

With Wayland we have the chance to create a secure system from a windowing system perspective. The protocol doesn't allow key loggers, doesn't allow grabbing window content, etc. etc. So one would think that Wayland improves the situation.

Alas that's not the case. Installing a key logger on Wayland is still trivial, taking over the complete session is still trivial.

All the problems of X11 are still there, because the system is not secure. Everything is trusted, everything can modify every aspect of the running or the next running session. Fixing this is difficult, it's an uphill battle against the mentality of "if it runs, it is trusted".

In this talk we will look at how bad the security of X11 is and how one can take over a (KWin) Wayland session. We will look at the various efforts in Plasma to fix these problems and to make it more difficult for malware to get into the system.


Day: 2016-09-03
Start time: 16:30
Duration: 00:10
Track: Platforms and Integration




Click here to let us know how you liked this event.