Linux GUI Isolation Vulnerability: Why X.Org Is Still a Security Risk

Linux GUI Vulnerability from the Past

We often write about Linux and its security settings, but there’s one thing most Linux users don’t consider. The fact is, Linux lacks isolation at the GUI level, which can undermine all your efforts to secure your system. Let’s explain why.

The Problem with X.Org Server

There’s a system called X.Org Server that handles displaying images on your screen, managing your keyboard, mouse, and more. It starts up early in the boot process (right after you log in, unless you’re resuming from sleep). “X” or “X11,” as it’s often called, is a very old system, and fewer people each year fully understand how it works. X was not originally created for Linux; combining these technologies came later. Security wasn’t a major concern back then. No one expected personal computers to become so widespread, or that digital life would become more important than real life, forcing regular users to worry about hackers.

If you have two GUI applications open in an X.Org session—say, LibreOffice and a browser—each has full access to your screen. There’s no isolation between these (or any) applications, even if they’re running under different user accounts. No tricks, bugs, or exploits are needed—this is all “by design.” One application can listen to or inject keystrokes into another without restriction, take screenshots of windows belonging to other apps, and more.

How to Test This Yourself

It’s easy to check. Open a terminal window as any user and install xinput, a standard X.Org diagnostic tool. In Arch Linux, for example, use:

sudo pacman -S xorg-xinput

After installing, run:

xinput list

You’ll see a list of devices and their IDs. Find the one labeled “AT keyboard” (on most systems it appears as “AT Translated Set 2 keyboard”) and put its numeric ID in place of <id> in the following command (as a regular user):

xinput test <id>

If you’re in an X.Org session and entered the correct ID, the command will start showing the key codes for every key you press. To test, open a new terminal and run a command as superuser (sudo). As you type your password in the second terminal, the first terminal will display the key codes in real time. The same happens if you launch any GUI app as superuser—the first terminal will show all keystrokes.

Virtual Machines and Isolation

This problem isn’t solved by using a virtual machine—keystrokes and display information from the VM can still be transmitted to the host system. The reverse isn’t true, since the guest VM runs its own X.Org server, isolated from the host and other guests. That’s why we use virtualization: to separate risks. If one VM is compromised, it’s hard (but not impossible) for an attacker to reach the host or other VMs. But if the host is compromised, all VMs are vulnerable. So, be very careful when installing applications on your host Linux system, especially those from unofficial repositories (like AUR) or GitHub.

Other Operating Systems

Other OSes also lack perfect GUI isolation. Microsoft has tried to implement GUI-level isolation since Windows Vista, but these protections can be bypassed, as shown by the endless reports of stealers and keyloggers affecting users. Mobile platforms are different: they’re more monolithic and less customizable, making it easier to enforce security policies. For example, on Android, each app runs with unique identifiers and is fully (or almost fully) isolated from the rest of the system.

Solutions

1. Wayland

The first solution is Wayland, a protocol replacing X.Org. It’s actively supported and gradually being adopted in modern systems. Wayland integrates with the window manager as a shared library, allowing the manager to control permissions for individual windows. Each window can request permissions, and the manager can grant or deny them. Wayland’s architecture is very different from X.Org’s, with many internal differences not directly related to security (for example, Wayland doesn’t render itself; the client window does the rendering). From a security perspective, Wayland is better: it provides confidentiality, integrity, and availability for the desktop, even with untrusted graphical apps, and works with a simpler protocol requiring fewer privileges.

At the login screen after rebooting or logging out, most distributions let you choose which protocol to use. Here’s an example of how to enable Wayland in Ubuntu. This would be the ideal solution, but Wayland hasn’t fully replaced X.Org yet. It doesn’t work well with 2K, 4K, or 8K displays and lacks support for some features. If an app (especially an older one) isn’t compatible with Wayland, it runs through “Xwayland” and remains vulnerable.

2. Virtualization: Qubes OS

The second solution is virtualization, specifically Qubes OS. In Qubes, each application has its own isolated X server. The main X server, which controls the real display, doesn’t send information to other X servers. If you repeat the xinput experiment in a Qubes application VM (AppVM), you’ll only see keystrokes and mouse movements for that specific AppVM. You can read more about how this complex system works in their technical overview.

3. Sandboxing and Partial Solutions

The third, partial solution is to disable the abstract socket so that not every app can listen to every other, and to use sandboxes to run at least your important programs in isolated environments. For example, you can use Firejail together with Xephyr. This is less convenient than virtualization and still doesn’t prevent keylogging. Firejail itself is a great tool, which we’ll discuss more in the future. Using SELinux sandboxes in distributions like Fedora also partially addresses the problem.
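As an added example (not code from the original article), here is a small read-only audit script that ties together the xinput check above and the abstract-socket and Xwayland caveats: it reports the session type, whether an X server still listens on an abstract socket, whether Xwayland is running, and which xinput IDs are keyboards. It assumes systemd’s loginctl, iproute2’s ss and procps’ pgrep where used, and skips any probe whose tool is missing; the parsers take command output on stdin, so they also run on constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: a read-only audit of the
# current desktop session for the X11 exposure described above. Parsers read
# command output from stdin so they can be exercised offline on samples.

# Session type: "x11", "wayland" or "unknown".
session_type() {
  t="${XDG_SESSION_TYPE:-}"
  if [ -z "$t" ] && [ -n "${XDG_SESSION_ID:-}" ] && command -v loginctl >/dev/null 2>&1; then
    t=$(loginctl show-session "$XDG_SESSION_ID" -p Type --value 2>/dev/null)
  fi
  printf '%s\n' "${t:-unknown}"
}

# stdin: `xinput list` output. Prints ids of devices whose *name* contains
# "keyboard", skipping the virtual core/XTEST devices, so "Power Button"
# (a slave keyboard by class, not by name) is not reported.
keyboard_ids() {
  awk -F'id=' 'NF == 2 {
      n = tolower($1)
      if (n ~ /keyboard/ && n !~ /virtual core/) { split($2, a, "[^0-9]"); print a[1] }
  }'
}

# stdin: `ss -xl` output. Prints abstract X11 sockets (names starting with
# "@"); these bypass filesystem permissions, which is why disabling them is
# part of the partial fix discussed above.
abstract_x11_sockets() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^@\/tmp\/\.X11-unix\/X[0-9]+$/) print $i }'
}

# Live report; every probe is optional so the script also runs headless.
audit_report() {
  echo "session type: $(session_type)"
  if command -v ss >/dev/null 2>&1; then
    abs=$(ss -xl 2>/dev/null | abstract_x11_sockets | tr '\n' ' ')
    echo "abstract X11 sockets: ${abs:-none}"
  fi
  if pgrep -x Xwayland >/dev/null 2>&1; then
    echo "Xwayland is running: X11 clients under it keep the exposure"
  fi
  if [ -n "${DISPLAY:-}" ] && command -v xinput >/dev/null 2>&1; then
    echo "keyboard xinput ids: $(xinput list 2>/dev/null | keyboard_ids | tr '\n' ' ')"
  fi
}

audit_report
```

A “wayland” session with no Xwayland process and no abstract X11 socket is the state the article’s first solution aims for; anything else means at least some clients still share one X server.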

General Recommendations

  • Be extremely cautious when installing programs on your host system.
  • Use virtualization—ideally Qubes OS—to separate activities.
  • Avoid installing browsers on your host, as advanced JavaScript attacks can bypass even complex security systems. Install the NoScript extension.
  • Try not to enter passwords in the terminal when you have many browser tabs open.

Someday—this is a common phrase among Linux users—Wayland will replace X.Org, and this attack vector will be less of a concern.
