Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add authentication/encryption when using pipes for IPC #19109

Merged
merged 7 commits into from Apr 5, 2019

Conversation

Projects
None yet
1 participant
@rafeca
Copy link
Contributor

commented Apr 5, 2019

This fixes a potential Atom security issue caused by the fact that in Windows machines there are no ACL mechanisms for named pipes

Context

Atom has some logic to share the same main process when opening different instances (or windows) of the editor.

Currently, this is done in Windows by creating a named pipe the first time that Atom is launched, so subsequent launches can check if the pipe exists and if so they pass the needed information to launch the new Window through the pipe to the main process.

The created pipe name contains some additional information (the Atom version, local username who's launching Atom, cpu architecture), this way multiple users can have different instances of Atom opened without affecting each other.

Security issue

In Windows, named pipes are global and available system wide: any user can create a named pipe, list all the named pipes that exist on the system, connect to any named pipe or sniff messages that travel through any named pipe.

Solution

This solution provides 3 different takes:

  1. The named pipe created by the server is not constant between executions but varies randomly, so a malicious user cannot guess what's going to be the name of the pipe and impersonate the server.
  2. The payload sent from the client to the server is now encrypted, so a potential attacker cannot find out the env variables of another user by sniffing the named pipe information.
  3. Clients authenticate themselves to the server when sending the options, so the server can ignore messages from untrusted clients.

In order to implement this whole flow, the server and the clients share a single secret which gets stored in the ATOM_HOME folder on a file only accessible to the current user. This secret gets randomly regenerated every time the server is started.

The secret file name contains the username and the Atom version (e.g ~/.atom/.atom-socket-secret-rafeca-1.35.1, so if either multiple users share the same ATOM_HOME folder or a user launches multiple versions of Atom the different instances are kept isolated and secure.

Implementation details

  • The secret has a length of 32 bytes and is represented in hexadecimal on the secret file.
  • The pipe name is generated from the secret, by using the HMAC authentication with a sha256 hash function and a message fixed to socketName and stripped to 12 chars (to ensure that pipe names are not too long). This avoids leaking the secret through the pipe name.
  • The authentication and encryption of messages from clients to the server is done using GCM encryption with AES-256. The initialization vector is generated randomly for each message and passed in clear text as part of the message.

@rafeca rafeca force-pushed the use-random-socketname branch 2 times, most recently from 26c3520 to a7eb7de Apr 5, 2019

@rafeca rafeca changed the title WIP: Add authentication/encryption when using pipes for IPC Add authentication/encryption when using pipes for IPC Apr 5, 2019

@rafeca rafeca marked this pull request as ready for review Apr 5, 2019

@rafeca rafeca force-pushed the use-random-socketname branch from 011eb29 to 7ad8976 Apr 5, 2019

@rafeca rafeca merged commit 551fa08 into master Apr 5, 2019

2 checks passed

Atom Pull Requests #20190405.9 succeeded
Details
continuous-integration/appveyor/pr AppVeyor build succeeded
Details

@rafeca rafeca deleted the use-random-socketname branch Apr 5, 2019

smashwilson added a commit that referenced this pull request Apr 23, 2019

Merge pull request #19109 from atom/use-random-socketname
Add authentication/encryption when using pipes for IPC
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.