mirror of
https://github.com/xpipe-io/xpipe.git
synced 2024-11-25 09:00:26 +00:00
175 lines
9.7 KiB
Markdown
175 lines
9.7 KiB
Markdown
# Security
|
|
|
|
Due to its nature, X-Pipe has to handle a lot of sensitive information.
|
|
This can range from passwords for all kinds of servers, to SSH keys, and more.
|
|
Therefore, the security model of X-Pipe plays a very important role.
|
|
|
|
This document summarizes the approach of X-Pipe when it comes to the security of your sensitive information.
|
|
If any of your questions are left unanswered by this document, feel free to file an
|
|
issue report so your question can be answered individually and can also potentially be included in this document.
|
|
|
|
## Reporting a security vulnerability
|
|
|
|
If you believe that you found a security vulnerability in X-Pipe,
|
|
you can make use of
|
|
the [private security report feature](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability)
|
|
of GitHub.
|
|
|
|
## Security assumptions
|
|
|
|
The general assumption is that the system on which X-Pipe runs on is not badly infected.
|
|
This refers to your local system on which you installed X-Pipe, not any remote systems that you then connect to.
|
|
If your local system is infected to an extent where malicious programs can modify the
|
|
file system and other installed programs like X-Pipe,
|
|
then there is no technical way of preventing malicious programs to also infect X-Pipe and the connected systems as well.
|
|
|
|
## Reliance on other programs
|
|
|
|
X-Pipe essentially outsources any form of connection and shell handling to your existing command-line tools.
|
|
It does not come with any remote handling capabilities of its own.
|
|
Therefore, any used command-line program should be secure.
|
|
If for example your `ssh` command-line program or its connections are susceptible to MITM attacks or
|
|
vulnerable in any other way, there is no way for X-Pipe to keep the sensitive information secure.
|
|
It is your responsibility to use the programs in a secure environment and keep them up to date with security patches and
|
|
more.
|
|
X-Pipe can only be as secure as your underlying command-line tools itself.
|
|
|
|
X-Pipe calls these programs almost exactly as you would do manually in your terminal
|
|
with some a few additional parameters to automatically pass login information
|
|
and adapt the environment to make it work properly.
|
|
The called program therefore automatically uses your
|
|
system configuration for it, e.g. your system SSH configs.
|
|
|
|
X-Pipe does not perform any validation or version checking for the programs it calls.
|
|
For example, when establishing an ssh connection through X-Pipe, it will straight up call `ssh user@host <options>`.
|
|
It is assumed that this `ssh` executable is secure and the one that you actually want to use.
|
|
|
|
## Data security and privacy
|
|
|
|
The general approach of X-Pipe can be summarized as follows:
|
|
|
|
- Any sensitive information should be kept as secure as possible exclusively on your local machine,
|
|
both while X-Pipe is running and also not running
|
|
- When sensitive information is required on another remote system that is connected through X-Pipe, that information
|
|
should be transferred and
|
|
remain there as briefly and securely as possible
|
|
- No sensitive information should be sent to any other server outside your network of trusted connections
|
|
|
|
### Storage of sensitive information
|
|
|
|
All X-Pipe data is exclusively stored on your local machine at `~/.xpipe/storage`.
|
|
You can choose to change this storage location in the settings menu.
|
|
|
|
All sensitive information is encrypted when it is saved to disk on your local machine using AES
|
|
with either:
|
|
|
|
- A custom master lock key that can be set by you in the settings menu
|
|
(This option is only as secure as the password you choose)
|
|
- A somewhat dynamically generated key (This option can be reverse
|
|
engineered though, there is no way of perfectly securing your data without any custom key)
|
|
|
|
It is also planned that you will be able to
|
|
source passwords and more directly from other external sources such as password managers in the future.
|
|
|
|
### Passing of sensitive information
|
|
|
|
When any kind of login information is required by a command-line program, it has to be passed to it somehow.
|
|
If the program runs on your local system, the data does not leave your local system.
|
|
If login information is required on a remote system, then that data must be transferred to that remote system.
|
|
|
|
In case a program accepts password input via stdin, this process is relatively straightforward.
|
|
Then the passed sensitive information is just written into the stdin of the program and does not show up in any history
|
|
or file system.
|
|
|
|
When a program only accepts password input via an environment variable or an askpass program,
|
|
a self deleting password supplier script file is generated by X-Pipe.
|
|
This script contains the encrypted password and will supply
|
|
the password to the target program exactly once when invoked and immediately deletes itself afterwards.
|
|
This behavior ensures that there is no leftover password script after an operation is performed.
|
|
As a secondary measure, for cases in which the calling program crashes
|
|
and is not able to execute the script and therefore doesn't delete the password script,
|
|
the generated script directory is also frequently cleaned.
|
|
As a result, no sensitive information of yours should show
|
|
up in any kind of shell history or on any file system.
|
|
|
|
### The purpose of shell scripts
|
|
|
|
Whenever you open a remote connection in a terminal from X-Pipe, you will notice that your terminal shows
|
|
the name of a script located in your temp directory in the title bar to indicate that you're currently executing it.
|
|
The naming scheme of these scripts is usually something like `xpipe/exec-<id>.(bat|sh|ps1)`
|
|
This is intended as these scripts contain all commands that are required
|
|
to realize the functionality of connecting and initializing the shell environment.
|
|
These scripts do not contain any sensitive information,
|
|
you are free to inspect them yourselves in the temp directory.
|
|
|
|
In case a script connects to a remote system and passes login information to a program via variables or askpass
|
|
programs,
|
|
it automatically becomes useless after being invoked once (See [above](#passing-of-sensitive-information)).
|
|
As the script is run immediately after it is created initially, e.g.
|
|
when using the `Open in terminal` functionality, it becomes useless pretty much
|
|
instantly so any attacker doesn't obtain any sensitive information from it.
|
|
|
|
### Logging
|
|
|
|
By default, X-Pipe creates log files located in `~/.xpipe/logs`.
|
|
Under normal conditions these log files do not contain any sensitive information.
|
|
If you choose to alter the log level in the settings menu or launch X-Pipe in debug mode,
|
|
these log files will contain a lot more and finer grained information, some of which might be sensitive.
|
|
|
|
### Issue reports
|
|
|
|
Whenever an error occurs within X-Pipe or you choose to open the error reporter dialog,
|
|
you have the option to automatically send an error report with optional feedback and attachments.
|
|
This error report does not contain any sensitive information unless
|
|
you explicitly choose to attach debug mode log files (See above).
|
|
|
|
## Isolation
|
|
|
|
Any infected remote system should be isolated enough such that any infection can't spread through X-Pipe.
|
|
|
|
### User isolation
|
|
|
|
All relevant files like configuration files and other required temporary files
|
|
are only accessible by the current user.
|
|
Any other user on a system can't read or write them unless they have root/Administrator privileges.
|
|
|
|
### Isolation of remote systems
|
|
|
|
When you add a remote system as a host within X-Pipe, it is implicitly assumed that you trust this system.
|
|
Any required login information is sent to and handled on that remote host when required,
|
|
so it would be possible for malicious program with sufficient privileges to obtain any information sent to that host.
|
|
This would require an attacker to be able to access files of the user that is used to log into the remote system.
|
|
It should however not be possible for any malicious program on the remote host to obtain
|
|
other information stored by X-Pipe that is not explicitly sent to that host.
|
|
|
|
## Antivirus programs
|
|
|
|
### Windows
|
|
|
|
It may occasionally happen that Windows Defender warns and
|
|
even sometimes deletes X-Pipe due to it identifying the application as malware.
|
|
The reason for this is simple: The application is not signed with an EV code signing
|
|
certificate as this would require a company for X-Pipe to be set up and would also cost around 600$+ per year.
|
|
If X-Pipe was signed with such a certificate, as are most Windows applications distributed by companies, all warnings
|
|
would go away automatically.
|
|
The Windows Defender / Windows SmartScreen system is essentially pay-to-win here.
|
|
Just paying the appropriate amount will automatically whitelist your application (even it is unsafe / essentially
|
|
malware)
|
|
while not paying will often blacklist it, bullying you into buying it.
|
|
You can read more about this system in [this StackExchange post](https://security.stackexchange.com/a/139520).
|
|
The manual whitelisting process without an EV certificate is purposely made difficult and essentially useless.
|
|
The Windows Defender detection rules are garbage and not deterministic, i.e.
|
|
an identical application can be flagged on one system but not the other, even though both are connected to the internet
|
|
and the Microsoft services.
|
|
In summary, don't rely on Windows Defender to be accurate when it comes to false-positives.
|
|
|
|
All artifacts of every release are automatically analyzed on VirusTotal
|
|
and you can find the results linked at the bottom of every release.
|
|
From there you should be able to get a better overview over the actual
|
|
threat level of X-Pipe instead of purely relying on Windows Defender.
|
|
|
|
### macOS
|
|
|
|
On macOS the application bundle is signed and notarized and will therefore not emit any warnings.
|
|
For macOS this process does not require a company to be
|
|
set up and also only costs 125$ per year and is therefore much easier to accomplish.
|