Ubuntu
onboard package

Bug #1826273
Comment #3

Comment 3 for bug 1826273

Revision history for this message

Daimeng Wang (dwang030) wrote on 2019-04-25: Re: [Bug 1826273] Re: Potential Side-channel during Graphics Rendering

Thank you for your reply. The paper is recently published at NDSS 2019.
Please feel free to make this bug public.

On Thu, Apr 25, 2019 at 6:20 AM Marc Deslauriers <
<email address hidden>> wrote:

> Hi! Thanks for reporting this issue.
>
> That's an interesting paper, I assume it has been published already?
> Is there any reason to keep this bug private?
>
> I'm a bit puzzled why the Cairo team would think we would be able to
> correct this, though there are a lot of different components to the
> issue. Perhaps making the bug public would allow someone capable of
> solving this issue to comment in it.
>
> Can I make this bug public?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1826273
>
> Title:
> Potential Side-channel during Graphics Rendering
>
> Status in onboard package in Ubuntu:
> New
>
> Bug description:
> Dear Ubuntu Development Team,
>
> We're a group of researchers from University of California Riverside.
> We recently discovered that the Onboard keyboard application takes a
> variable amount of time to render the highlight effect depending on
> the input character. As a result, an unprivileged attacker could
> potentially utilize flush+reload cache side-channel attack to measure
> the execution time of said functions to infer users' text input. We
> verified this using the Onboard 1.2.0-0ubuntu5 that comes with Ubuntu
> 16.04.03 LTS.
>
> The side-channel resides in Cairo graphics library. We contacted the
> Cairo development team and they instruct us to contact you instead.
>
> For detailed information please refer to our paper in the link below.
> We would be very happy to work with you to address this issue. Please
> let us know what you think.
>
> https://www.cs.ucr.edu/~zhiyunq/pub/ndss19_cache_keystrokes.pdf
>
> Sincerely,
> Daimeng Wang
>
> ProblemType: Bug
> DistroRelease: Ubuntu 16.04
> Package: onboard 1.2.0-0ubuntu5
> ProcVersionSignature: Ubuntu 4.4.0-101.124-generic 4.4.95
> Uname: Linux 4.4.0-101-generic x86_64
> NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
> ApportVersion: 2.20.1-0ubuntu2.13
> Architecture: amd64
> CurrentDesktop: Unity
> Date: Wed Apr 24 14:19:48 2019
> InstallationDate: Installed on 2016-01-07 (1203 days ago)
> InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64
> (20140417)
> SourcePackage: onboard
> UpgradeStatus: Upgraded to xenial on 2017-11-21 (519 days ago)
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/onboard/+bug/1826273/+subscriptions
>

--
Daimeng (Desmond) Wang
Department of Computer Science & Engineering
University of California, Riverside

Thank you for your reply. The paper is recently published at NDSS 2019.
Please feel free to make this bug public.

On Thu, Apr 25, 2019 at 6:20 AM Marc Deslauriers <
marc.deslauriers@canonical.com> wrote:

> Hi! Thanks for reporting this issue.
>
> That's an interesting paper, I assume it has been published already?
> Is there any reason to keep this bug private?
>
> I'm a bit puzzled why the Cairo team would think we would be able to
> correct this, though there are a lot of different components to the
> issue. Perhaps making the bug public would allow someone capable of
> solving this issue to comment in it.
>
> Can I make this bug public?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1826273
>
> Title:
>   Potential Side-channel during Graphics Rendering
>
> Status in onboard package in Ubuntu:
>   New
>
> Bug description:
>   Dear Ubuntu Development Team,
>
>   We're a group of researchers from University of California Riverside.
>   We recently discovered that the Onboard keyboard application takes a
>   variable amount of time to render the highlight effect depending on
>   the input character. As a result, an unprivileged attacker could
>   potentially utilize flush+reload cache side-channel attack to measure
>   the execution time of said functions to infer users' text input. We
>   verified this using the Onboard 1.2.0-0ubuntu5 that comes with Ubuntu
>   16.04.03 LTS.
>
>   The side-channel resides in Cairo graphics library. We contacted the
>   Cairo development team and they instruct us to contact you instead.
>
>   For detailed information please refer to our paper in the link below.
>   We would be very happy to work with you to address this issue. Please
>   let us know what you think.
>
>   https://www.cs.ucr.edu/~zhiyunq/pub/ndss19_cache_keystrokes.pdf
>
>   Sincerely,
>   Daimeng Wang
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 16.04
>   Package: onboard 1.2.0-0ubuntu5
>   ProcVersionSignature: Ubuntu 4.4.0-101.124-generic 4.4.95
>   Uname: Linux 4.4.0-101-generic x86_64
>   NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
>   ApportVersion: 2.20.1-0ubuntu2.13
>   Architecture: amd64
>   CurrentDesktop: Unity
>   Date: Wed Apr 24 14:19:48 2019
>   InstallationDate: Installed on 2016-01-07 (1203 days ago)
>   InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64
> (20140417)
>   SourcePackage: onboard
>   UpgradeStatus: Upgraded to xenial on 2017-11-21 (519 days ago)
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/onboard/+bug/1826273/+subscriptions
>

-- 
Daimeng (Desmond) Wang
Department of Computer Science & Engineering
University of California, Riverside

Ubuntuonboard package

Comment 3 for bug 1826273

Ubuntu
onboard package