2023-09-26
Have you ever needed to use administrator privileges? Unlock an encrypted volume? Put a digital signature on something? Or maybe connect to SSH or Wi-Fi? When you use your computer, sometimes you need to authenticate yourself to the system. Usually it's done by entering your super-secret password. A dialog appears telling you what's happening right now, with a password field that hides the typed characters. We immediately type the well-known key sequence and press 'return'. The operation is not going to take place without our approval.
But... what if I told you that you could just be the victim of a cyberattack? That somebody tricked you into typing a password into a fake dialog to gain privileges or learn your secrets? In fact, programs are capable of displaying absolutely anything on the screen. Therefore they can imitate system dialogs, and users cannot distinguish them from the real ones. The same applies to CLI programs: if you're not careful enough, a malicious program can alter your .bashrc to replace terminal commands.
This is not a security guide. Some things, like not running untrusted software, are obvious (well, they should be). I would like to introduce an idea that came to my mind about how operating systems could help us detect fakes.
At the low level they could set aside a small portion of the screen for the sake of displaying status. It would be controlled exclusively by the OS, which means nothing can overlap it. Let's say it's a horizontal gray bar at the top of the screen. When a system password prompt appears, it changes colour to green, which gives the user a green light, saying „you can safely enter your password”. A user should always notice the colour of the bar. And the bar is visible all the time, including over fullscreen windows and even in a virtual console.
„Why the bar?”, you may ask. Simply because it's the simplest possible solution. Apart from the bar there's a rectangular area, so if a display previously had size 1080x720px and the bar's height is 10 pixels, we're left with 1080x710px. If it's a different shape, e.g. a notch as in modern smartphones, then either desktop environments have to adapt by leaving room for it, or it overlaps the view, or everything moves down by the height of the shape, thus resulting in a bar anyway.
„And how does the system know that the window being displayed is legitimate?” Well, that's a good question. Pinentry, a common system tool for entering passwords, associated with GnuPG (yet it's used by SSH, among others), freezes the whole session: global keyboard shortcuts don't work, dragging windows and opening programs don't work. It seems like all keyboard and mouse events go straight to pinentry, and other programs (e.g. keyloggers) are not able to see what the user is typing. To me it seems secure, but I don't know the technical details of how that effect is achieved. On the other hand, I didn't observe such behaviour with polkit, the authentication software (like a graphical sudo). Polkit delegates gathering the user's password to an unprivileged process, the polkit agent. I believe it's trivial to replace it without root access, but, as I said, I don't know the technical details.
As you can see, I don't know the topic very well and all of this is speculation, but... let's keep going. If I were designing this, I would export a kernel interface controlling the security bar through a virtual file somewhere in /sys. Only processes with a cap_trusted_input capability could use it. The same mechanism could be used by lockscreens and the login program. This is in my opinion the simplest solution, yet maybe not so visually attractive. Who knows, perhaps when Wayland is finally stable and used by default everywhere, compositors will function as the security bar and display an icon in the taskbar or a screen notch, places controlled exclusively by the compositor. Time will reveal the future to us.
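To make the design above concrete, here is a small reference-monitor sketch of the security bar. It is an added example written for this post, not code from any operating system or from the author: the bar, its daemon and the cap_trusted_input capability are hypothetical (the capability bit number is a constructed placeholder, since Linux has no such capability). What is real is the format of the capability mask: the parser reads it exactly as the kernel prints it on the CapEff: line of /proc/<pid>/status, a 64-bit hex mask with one bit per capability. The point the code makes is the one in the post: a fake dialog, no matter what it draws, cannot turn the bar green, because the monitor checks the caller's capabilities rather than its appearance, and a trusted prompt that already owns the bar cannot be displaced while it is active.

```python
"""Sketch of the 'security bar' idea: only a caller holding a designated
capability may switch the bar to the trusted-prompt state."""

from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

# Real Linux capability numbers from <linux/capability.h>, for reference.
CAP_CHOWN = 0
CAP_SYS_ADMIN = 21
# The post's proposed capability does not exist in Linux; bit 62 is a
# constructed placeholder used only by this sketch.
CAP_TRUSTED_INPUT_HYPOTHETICAL = 62


class BarState(Enum):
    IDLE = "gray"      # nothing sensitive is going on
    TRUSTED = "green"  # a trusted prompt owns input; safe to type a password


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask from /proc/<pid>/status text.

    The kernel writes the line as 'CapEff:\\t<16 hex digits>'.
    """
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(cap_eff: int, cap: int) -> bool:
    """True if capability number `cap` is set in the mask."""
    return bool((cap_eff >> cap) & 1)


@dataclass
class SecurityBar:
    """Reference monitor for the bar: decides every state change itself."""
    state: BarState = BarState.IDLE
    owner_pid: Optional[int] = None
    audit: List[str] = field(default_factory=list)

    def request(self, pid: int, status_text: str, want_trusted: bool) -> bool:
        """Apply a request from `pid`; return whether it was honoured."""
        cap_eff = parse_cap_eff(status_text)
        # Rule 1: without the capability the request is ignored outright,
        # regardless of what the process draws on screen.
        if not has_cap(cap_eff, CAP_TRUSTED_INPUT_HYPOTHETICAL):
            self.audit.append(f"deny pid={pid} capeff={cap_eff:#018x}")
            return False
        if want_trusted:
            # Rule 2: an active trusted prompt cannot be displaced.
            if self.state is BarState.TRUSTED and self.owner_pid != pid:
                self.audit.append(f"deny pid={pid}: bar owned by {self.owner_pid}")
                return False
            self.state, self.owner_pid = BarState.TRUSTED, pid
            self.audit.append(f"green pid={pid}")
            return True
        # Rule 3: only the owner may release the bar.
        if self.owner_pid != pid:
            self.audit.append(f"deny pid={pid}: not owner")
            return False
        self.state, self.owner_pid = BarState.IDLE, None
        self.audit.append(f"gray pid={pid}")
        return True


# Constructed /proc/<pid>/status excerpts (only the CapEff line matters here).
STATUS_FAKE_DIALOG = "Name:\tlookalike\nPid:\t4242\nCapEff:\t0000000000000000\n"
STATUS_TRUSTED_AGENT = "Name:\tagent\nPid:\t1000\nCapEff:\t4000000000200000\n"


def demo() -> List[str]:
    """Run the scenario from the post and return the bar's audit trail."""
    bar = SecurityBar()
    bar.request(4242, STATUS_FAKE_DIALOG, want_trusted=True)    # fake: denied
    bar.request(1000, STATUS_TRUSTED_AGENT, want_trusted=True)  # real: green
    bar.request(1001, STATUS_TRUSTED_AGENT, want_trusted=True)  # busy: denied
    bar.request(1000, STATUS_TRUSTED_AGENT, want_trusted=False) # release: gray
    return bar.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

In a real implementation the monitor would live in the kernel (or in the compositor, as the last paragraph suggests) and read the caller's credentials directly rather than from status text; the sketch keeps that part in user space so the decision logic can be read and run on its own.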