Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upClear automatically the clipboard of an AppVM after a delay when using Ctrl-Shift-V #3415
Comments
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marmarek
Dec 21, 2017
Member
Generally it is a good idea, but there is one technical limitation right now: target VM don't know from where the content was pasted. And clearing the clipboard unconditionally from dom0 may not be a good idea - you might copied something else there already.
|
Generally it is a good idea, but there is one technical limitation right now: target VM don't know from where the content was pasted. And clearing the clipboard unconditionally from dom0 may not be a good idea - you might copied something else there already. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
SkypLabs
Dec 22, 2017
I don't really see the problem of cleaning the clipboard unconditionally from dom0. It's actually what KeePassX does. In addition, it would be an optional policy so people having configured it are aware of this behaviour.
SkypLabs
commented
Dec 22, 2017
|
I don't really see the problem of cleaning the clipboard unconditionally from dom0. It's actually what KeePassX does. In addition, it would be an optional policy so people having configured it are aware of this behaviour. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
|
Does it clear the clipboard even if you copy something else already? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
SkypLabs
commented
Dec 22, 2017
|
I just tested and it seems that no. I didn't know that it was so "smart". |
andrewdavidwong
added
C: core
enhancement
security
UX
labels
Dec 22, 2017
andrewdavidwong
added this to the Far in the future milestone
Dec 22, 2017
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
80tf3262p8
Dec 23, 2017
I just accidentally pasted a password into the URL bar and pressed enter, LOL. Will have to be very careful.
It's too bad this is set as far in the future because it's the sort of problem I haven't had in less "reasonably secure" operating systems.
80tf3262p8
commented
Dec 23, 2017
•
edited
Edited 1 time
-
80tf3262p8
edited Dec 23, 2017 (most recent)
edited
-
Dec 23, 2017 (most recent)
|
I just accidentally pasted a password into the URL bar and pressed enter, LOL. Will have to be very careful. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
andrewdavidwong
Dec 23, 2017
Member
I just accidentally pasted a password into the URL bar and pressed enter, LOL. Will have to be very careful.
It's too bad this is set as far in the future because it's the sort of problem I haven't had in less "reasonably secure" operating systems.
That's because most of those other operating systems just have a single global clipboard, not an inter-VM clipboard system. Instead of this problem, though, you probably had a much bigger one: Every app could sniff the contents of your clipboard.
To put it another way: In most other OSes, the password in your clipboard was vulnerable all the time. In Qubes, it's only vulnerable when you accidentally paste it somewhere you didn't mean to.
So, sure, it's true that you didn't have this problem before, but that's because this problem is only made possible by a high level of underlying security that you probably didn't have before.
As for the milestone, this could be addressed sooner if we had a solution to the the technical limitation discussed above. Do you have a solution?
andrewdavidwong
commented
Dec 23, 2017
•
edited
Edited 1 time
-
andrewdavidwong
edited Dec 23, 2017 (most recent)
edited
-
Dec 23, 2017 (most recent)
That's because most of those other operating systems just have a single global clipboard, not an inter-VM clipboard system. Instead of this problem, though, you probably had a much bigger one: Every app could sniff the contents of your clipboard. To put it another way: In most other OSes, the password in your clipboard was vulnerable all the time. In Qubes, it's only vulnerable when you accidentally paste it somewhere you didn't mean to. So, sure, it's true that you didn't have this problem before, but that's because this problem is only made possible by a high level of underlying security that you probably didn't have before. As for the milestone, this could be addressed sooner if we had a solution to the the technical limitation discussed above. Do you have a solution? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
SkypLabs
Dec 24, 2017
In Qubes, it's only vulnerable when you accidentally paste it somewhere you didn't mean to.
Actually, it's not totally correct. The global copy feature is made in a way that only the target AppVM will receive what's contained in the global copy buffer. No other AppVM can access it and its content is cleared once copied into the target AppVM's clipboard. However, this clipboard will never be cleared automatically, allowing any software to read its content. As a result, the security issue described above is not eradicate in Qubes OS, just limited to the related security domain.
As for the milestone, this could be addressed sooner if we had a solution to the the technical limitation discussed above. Do you have a solution?
A short-term solution would be to clear automatically the target AppVM's clipboard from dom0 after a delay.
SkypLabs
commented
Dec 24, 2017
Actually, it's not totally correct. The global copy feature is made in a way that only the target AppVM will receive what's contained in the global copy buffer. No other AppVM can access it and its content is cleared once copied into the target AppVM's clipboard. However, this clipboard will never be cleared automatically, allowing any software to read its content. As a result, the security issue described above is not eradicate in Qubes OS, just limited to the related security domain.
A short-term solution would be to clear automatically the target AppVM's clipboard from dom0 after a delay. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
andrewdavidwong
Dec 24, 2017
Member
In Qubes, it's only vulnerable when you accidentally paste it somewhere you didn't mean to.
Actually, it's not totally correct. The global copy feature is made in a way that only the target AppVM will receive what's contained in the global copy buffer. No other AppVM can access it and its content is cleared once copied into the target AppVM's clipboard. However, this clipboard will never be cleared automatically, allowing any software to read its content. As a result, the security issue described above is not eradicate in Qubes OS, just limited to the related security domain.
I don't think we actually disagree, but I think you took that statement out of context. The context was a comparison between the single global clipboard in standard OSes and the Qubes inter-VM clipboard system, so "paste" refers to pasting from the inter-VM clipboard. I'm saying that the password is only vulnerable when you accidentally paste it from the inter-VM clipboard into a VM that you didn't mean to. In a standard OS, where there's only one global clipboard that any app can sniff, any password that gets copied to the clipboard is vulnerable. In Qubes, if you copy a password to the inter-VM clipboard, it's safe from all potential receiving VMs unless/until you paste it into one of them. If you paste it into a receiving VM intentionally, then you're trusting the VM to have that password. If you accidentally paste it into a receiving VM, then you may not trust that VM to have that password. Either way, though, the password is safe in your inter-VM clipboard until you perform the paste action, which is a big security gain over the standard model.
Of course, I agree that after the password is pasted from the inter-VM clipboard into the VM's normal clipboard, it's then vulnerable to everything in that VM, including accidentally pasting it again into some unintended place, which is why it would be nice to have the auto-clipboard-clearing feature in VMs.
I don't think we actually disagree, but I think you took that statement out of context. The context was a comparison between the single global clipboard in standard OSes and the Qubes inter-VM clipboard system, so "paste" refers to pasting from the inter-VM clipboard. I'm saying that the password is only vulnerable when you accidentally paste it from the inter-VM clipboard into a VM that you didn't mean to. In a standard OS, where there's only one global clipboard that any app can sniff, any password that gets copied to the clipboard is vulnerable. In Qubes, if you copy a password to the inter-VM clipboard, it's safe from all potential receiving VMs unless/until you paste it into one of them. If you paste it into a receiving VM intentionally, then you're trusting the VM to have that password. If you accidentally paste it into a receiving VM, then you may not trust that VM to have that password. Either way, though, the password is safe in your inter-VM clipboard until you perform the paste action, which is a big security gain over the standard model. Of course, I agree that after the password is pasted from the inter-VM clipboard into the VM's normal clipboard, it's then vulnerable to everything in that VM, including accidentally pasting it again into some unintended place, which is why it would be nice to have the auto-clipboard-clearing feature in VMs. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
SkypLabs
Dec 26, 2017
I don't think we actually disagree, but I think you took that statement out of context. The context was a comparison between the single global clipboard in standard OSes and the Qubes inter-VM clipboard system, so "paste" refers to pasting from the inter-VM clipboard. I'm saying that the password is only vulnerable when you accidentally paste it from the inter-VM clipboard into a VM that you didn't mean to. In a standard OS, where there's only one global clipboard that any app can sniff, any password that gets copied to the clipboard is vulnerable. In Qubes, if you copy a password to the inter-VM clipboard, it's safe from all potential receiving VMs unless/until you paste it into one of them. If you paste it into a receiving VM intentionally, then you're trusting the VM to have that password. If you accidentally paste it into a receiving VM, then you may not trust that VM to have that password. Either way, though, the password is safe in your inter-VM clipboard until you perform the paste action, which is a big security gain over the standard model.
Of course, I agree that after the password is pasted from the inter-VM clipboard into the VM's normal clipboard, it's then vulnerable to everything in that VM, including accidentally pasting it again into some unintended place, which is why it would be nice to have the auto-clipboard-clearing feature in VMs.
I actually misunderstood your first statement. Thank you for the clarification :)
SkypLabs
commented
Dec 26, 2017
I actually misunderstood your first statement. Thank you for the clarification :) |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
tasket
Jan 3, 2018
You could take a pragmatic approach: When Ctrl-V is pressed, inform the user that the guest clipboard will be cleared in X seconds, and then clear it at the designated time.
tasket
commented
Jan 3, 2018
|
You could take a pragmatic approach: When Ctrl-V is pressed, inform the user that the guest clipboard will be cleared in X seconds, and then clear it at the designated time. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
SkypLabs
Jan 3, 2018
You could take a pragmatic approach: When Ctrl-V is pressed, inform the user that the guest clipboard will be cleared in X seconds, and then clear it at the designated time.
Don't you mean Ctrl-Shift-V? I'm not sure that dom0 is able to detect if Ctrl-V has been pressed inside an AppVM. But yes it's a good idea.
SkypLabs
commented
Jan 3, 2018
Don't you mean Ctrl-Shift-V? I'm not sure that dom0 is able to detect if Ctrl-V has been pressed inside an AppVM. But yes it's a good idea. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
artemist
Jan 28, 2018
dom0 can determine if Ctrl-V has been pressed in the VM, but can't determine if Ctrl-V means paste. For example, most terminals use some other binding. By adding complexity, however, we could clear it a certain amount of time after the clipboard is read by messing with the X11 stub in the AppVM
artemist
commented
Jan 28, 2018
|
dom0 can determine if Ctrl-V has been pressed in the VM, but can't determine if Ctrl-V means paste. For example, most terminals use some other binding. By adding complexity, however, we could clear it a certain amount of time after the clipboard is read by messing with the X11 stub in the AppVM |
SkypLabs commentedDec 21, 2017
KeePassX clears automatically the sensitive data contained in the clipboard after a specified delay for evident security reasons.
With Qubes OS, KeePassX (or any equivalent software) is supposed to be used inside the vault AppVM. Passwords are copied from the vault AppVM's clipboard into the targeted AppVM's clipboard through the buffer of the global copy feature. As a result, the vault AppVM's clipboard is cleared by KeePassX but the one of the targeted AppVM is not.
It would be nice to introduce a policy to clear automatically, after a specified delay, the clipboard of an AppVM when using Ctrl-Shift-V and when its content comes from the one of a sensitive AppVM such as vault.