X11 proxy spike
Implementation: scratch/x11-proxy
This will be an X11 proxy written in Python. See X11Security and X11SecurityImplementation for discussion. It consists of a client/server X library based on the XCB protocol definitions.
See X11ProxyNotes for implementation notes.
Features
- Encode and decode X messages (requests, replies, events and errors) for the core X11 protocol and most extensions
- Supports little endian and big endian byte orders
- Can read Xauthority files
- Can proxy a normal X connection, logging the data to a file. Can replay the log file and output the messages as text or display in a GUI.
- Generates parse trees showing how encoded messages are decoded
- Can pretty-print decoded messages
- Test suite:
  - Can generate examples of each X message and struct
  - Checks that encodings of example messages are reversible
  - Checks that all integers are properly aligned
  - Checks encodings against golden files (see scratch/x11-proxy/golden_test_data)
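An added example, not code from scratch/x11-proxy: a Python 3 reader for the Xauthority file format, in which each entry is a 2-byte big-endian family followed by four length-prefixed fields (address, display number, authentication name, authentication data). The matching rule in lookup_cookie is a simplified assumption, and the host name and cookie in SAMPLE are constructed.

```python
import struct

FAMILY_LOCAL = 256    # FamilyLocal in X11/Xauth.h
FAMILY_WILD = 65535   # FamilyWild: entry matches any host

def parse_xauthority(data):
    """Decode Xauthority bytes into (family, address, number, name, data) tuples."""
    entries, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated family at offset %d" % pos)
        (family,) = struct.unpack_from(">H", data, pos)
        pos += 2
        fields = []
        for _ in range(4):  # address, display number, auth name, auth data
            if len(data) - pos < 2:
                raise ValueError("truncated length at offset %d" % pos)
            (size,) = struct.unpack_from(">H", data, pos)
            pos += 2
            if len(data) - pos < size:
                raise ValueError("field overruns file at offset %d" % pos)
            fields.append(data[pos:pos + size])
            pos += size
        entries.append((family, *fields))
    return entries

def lookup_cookie(entries, hostname, display, auth_name=b"MIT-MAGIC-COOKIE-1"):
    """Return the first cookie for a local display, or None (simplified matching)."""
    for family, address, number, name, cookie in entries:
        host_ok = family == FAMILY_WILD or (family == FAMILY_LOCAL and address == hostname)
        number_ok = number == b"" or number == display  # empty number matches any display
        if host_ok and number_ok and name == auth_name:
            return cookie
    return None

def counted(field):
    """Encode one length-prefixed field (used to build the constructed sample)."""
    return struct.pack(">H", len(field)) + field

# Constructed sample entry: host "examplehost", display 0, a dummy 16-byte cookie.
SAMPLE = (struct.pack(">H", FAMILY_LOCAL) + counted(b"examplehost") + counted(b"0")
          + counted(b"MIT-MAGIC-COOKIE-1") + counted(bytes(range(16))))
```

The parser rejects a file whose length fields run past the end of the data instead of returning a short cookie.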
How to build
    svn co svn://svn.gna.org/svn/plash/scratch/x11-proxy
    cd x11-proxy
    sudo apt-get install libx11-dev xvfb
    ./make.sh
    python run_tests.py
Protocol monitor tool
The first half of this tool proxies an X connection, dumping the request and response streams into a single file. The dumped file can then be decoded.
Usage:
    python log_proxy.py <log_file> <prog> <args>...
    python decode_dump.py <log_file>
    python dump_viewer.py <log_file>
Example:
    python log_proxy.py log xclock
    python decode_dump.py log
    python dump_viewer.py log
Tasks
- Have test cases pass on:
  - Client: connect to real X server and decode connection setup reply
  - Server: handle connection from Xlib client that just does XOpenDisplay
- Be able to encode/decode all requests, replies and events for core X11 protocol
- Connect mock client and server together and transfer all requests/replies/events
- Be able to run X clients through proxy using command line wrapper program
- Support big endian connections (currently assumes little endian machine/connection)
- Handle Xauthority files without calling out to xauth
  - Format is documented in libXau's README file
  - Implement reading and looking up the cookie for the current DISPLAY
  - Implement writing and generating cookies
- Write example X clients that do dubious things (convert from x11-security-tests), runnable in unit tests
- Write security checks, test that example X clients are caught and blocked
- Update/merge with XCB's current protocol definitions
- Handle all X extensions supported by XCB
- Add XCB definition for XKEYBOARD, also known as XKB (XCB doesn't seem to cover it)
  - Thomas Hunger has written an XCB definition
  - This is mostly done. Tasks remaining:
    - GetNames reply
    - SetNames request
    - SelectEvents request
    - GetKbdByName reply
    - KB_DOODAD union
  - Find/write a program that independently uses non-XCB Xlib to generate the above, to use as a test case
- Add XCB definition for XInputExtension; XCB doesn't cover it yet. Versions that have been posted are:
Specifications can be found here (Postscript format, not searchable in Evince unfortunately)
- X protocol monitor tool:
  - Save the request/response streams into a single file, interleaved
    - Previously, the request and response streams were saved into separate files, which loses information about the ordering of requests and replies/events/errors and is also awkward to decode.
  - Write Gtk GUI for viewing the contents of a connection log
  - Extend the dump decoder to be able to filter output by extension. For speed, it should not decode messages that are not going to be displayed.
- Import the plash.comms module and use its event loop
- Change log_proxy to use plash.comms.stream. This allows it to handle multiple connections and handle corner cases properly.
- Create a proxy that can disable extensions
  - Make sure that it refuses to forward unknown opcodes
- Provide a working synchronous client library and an example client that opens a window
- Make the monitor programs work with active connections, not just dump files. Unify them into a single command.
- Provide a tool that extracts all the padding bytes from a connection dump, as a novelty
- Add coverage tracker. This would track what parts of the protocol definition have been exercised by messages that have been seen. Examples:
  - Which requests, replies, events and errors have been seen
  - Whether optional fields have been present or absent
  - Whether enumeration values have been seen
- Performance issues:
  - InputBuffer would take O(n^2) time when dealing with a pipelined series of requests or responses of length n. Now fixed.
  - Switch to using the newer struct.unpack_from/pack_into() functions instead of struct.unpack/pack(). The former require Python 2.5.
  - Change ResponseQueue and ResponseDispatcher so that they do not use linear space in the length of the pipeline when responses are being simply forwarded by the proxy
  - Look into the "hot buffer" object mentioned here: http://wiki.python.org/moin/NeedForSpeed/Successes
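One way the "refuses to forward unknown opcodes" task could look on the request side, as an added Python 3 example that is not code from scratch/x11-proxy. The class name RequestFilter, its allow-list parameter and the sample stream are assumptions made for illustration; the filter only covers requests sent after connection setup and does not handle BIG-REQUESTS.

```python
import struct

# Core requests use major opcodes 1-119 plus 127 (NoOperation). 120-126 are
# unassigned; 128-255 are assigned to extensions by the server at run time.
CORE_OPCODES = frozenset(range(1, 120)) | {127}

class RequestFilter:
    """Split a client's post-setup byte stream into requests, failing closed."""

    def __init__(self, byte_order, allowed_extension_opcodes=()):
        # byte_order: first byte of the client's connection setup (b"l" or b"B").
        self.header = {b"l": "<BxH", b"B": ">BxH"}[byte_order]
        self.allowed = CORE_OPCODES | frozenset(allowed_extension_opcodes)
        self.buf = bytearray()
        self.blocked = None  # set to a reason once the connection must be dropped

    def feed(self, data):
        """Buffer data and return the complete requests that may be forwarded."""
        if self.blocked:
            return []
        self.buf += data
        forward, pos = [], 0
        while len(self.buf) - pos >= 4:
            # unpack_from reads at an offset, so pipelined requests are scanned
            # in one pass instead of re-slicing the buffer per request.
            opcode, units = struct.unpack_from(self.header, self.buf, pos)
            if opcode not in self.allowed:
                self.blocked = "opcode %d is not on the allow-list" % opcode
                break
            if units == 0:
                # Zero is only valid with BIG-REQUESTS, which this filter does not handle.
                self.blocked = "zero length in request with opcode %d" % opcode
                break
            if len(self.buf) - pos < units * 4:
                break  # incomplete request: wait for more bytes
            forward.append(bytes(self.buf[pos:pos + units * 4]))
            pos += units * 4
        del self.buf[:pos]
        return forward

# Constructed little-endian sample: NoOperation, then a request whose major
# opcode (130) belongs to an extension that is not on the allow-list.
SAMPLE = bytes([127, 0, 1, 0]) + bytes([130, 0, 1, 0])
```

A proxy built on this would close the connection once blocked is set, and would answer QueryExtension with present=0 for any extension it hides so that well-behaved clients never learn its opcode.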
See also
- The XCB Wiki
- Xorg bug #11080: X attempts to use shared memory even for ssh-proxied connections. This could be fixed in ssh without changing X by using a proxy to disable the MIT-SHM extension.
- Xscreensaver will not kick in while an X client has a menu open: http://lists.opensuse.org/opensuse-factory/2006-10/msg00500.html
- xspy is a program which demonstrates security vulnerabilities in X11
