diff --git a/COPYING b/COPYING new file mode 100644 index 0000000..8ce1b9e --- /dev/null +++ b/COPYING @@ -0,0 +1,32 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ + +Files: * +Copyright: Copyright (c) 2016, Vinnie Monaco +License: BSD-3-clause + Copyright (c) 2016, Vinnie Monaco + All rights reserved. + . + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + . + * Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + . + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + . + * Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/Makefile b/Makefile index b95b43b..f817b37 100644 --- a/Makefile +++ b/Makefile @@ -1,12 +1,46 @@ #!/usr/bin/make -f +TARGETARCH=$(shell gcc -dumpmachine) + +# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html +# +# Omitted the following flags: +# -D_GLIBCXX_ASSERTIONS # application is not written in C++ +# -fstrict-flex-arrays=3 # not supported in Debian Bookworm's GCC version (12) +# -fPIC -shared # not a shared library +# -fexceptions # not multithreaded +# -fhardened # not supported in Debian Bookworm's GCC version (12) +# +# Added the following flags: +# -fsanitize=address,undefined # enable ASan/UBSan +CFLAGS = -O2 -Wall -Wformat -Wformat=2 -Wconversion -Wimplicit-fallthrough \ + -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \ + -fstack-clash-protection \ + -fstack-protector-strong -Wl,-z,nodlopen -Wl,-z,noexecstack -Wl,-z,relro \ + -Wl,-z,now -Wl,--as-needed -Wl,--no-copy-dt-needed-entries -Wtrampolines \ + -Wbidi-chars=any -fPIE -pie -Werror=implicit \ + -Werror=incompatible-pointer-types -Werror=int-conversion \ + -fno-delete-null-pointer-checks -fno-strict-overflow -fno-strict-aliasing \ + -fsanitize=undefined + +ifeq ($(TARGETARCH), x86_64-linux-gnu) +CFLAGS += -fcf-protection=full # only supported on x86_64 +endif +ifeq ($(TARGETARCH), aarch64-linux-gnu) +CFLAGS += -mbranch-protection=standard # only supported on aarch64 +endif + +ifeq (, $(shell which pkg-config)) +$(error pkg-config not installed!) +endif + all : kloak eventcap kloak : src/main.c src/keycodes.c src/keycodes.h - gcc src/main.c src/keycodes.c -o kloak -lm $(shell pkg-config --cflags --libs libevdev) $(shell pkg-config --cflags --libs libsodium) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) + gcc -g src/main.c src/keycodes.c -o kloak -lm $(shell pkg-config --cflags --libs libevdev) $(shell pkg-config --cflags --libs libsodium) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) eventcap : src/eventcap.c - gcc src/eventcap.c -o eventcap $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) + gcc -g src/eventcap.c -o eventcap $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) clean : rm -f kloak eventcap diff --git a/README.md b/README.md index 4c7a48a..20f82b1 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# anti keystroke deanonymization tool # +# anti keystroke deanonymization tool kloak: *Keystroke-level online anonymization kernel* @@ -23,8 +23,7 @@ Fedora: Debian: - $ sudo apt install devscripts - $ sudo mk-build-deps --remove --install + $ sudo apt install make pkg-config libsodium-dev libevdev-dev First, compile `kloak` and the event capture tool `eventcap`: @@ -60,24 +59,24 @@ Notice that the lower bound on the random delay has to be raised when keys are p How to install `kloak` using apt-get -1\. Download [Whonix's Signing Key](). +1\. Download the APT Signing Key. ``` -wget https://www.whonix.org/patrick.asc +wget https://www.whonix.org/keys/derivative.asc ``` -Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security. +Users can [check the Signing Key](https://www.whonix.org/wiki/Signing_Key) for better security. -2\. Add Whonix's signing key. +2\. Add the APT Signing Key. ``` -sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc +sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc ``` -3\. Add Whonix's APT repository. +3\. Add the derivative repository. ``` -echo "deb https://deb.whonix.org bullseye main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list +echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.whonix.org bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list ``` 4\. Update your package lists. @@ -94,7 +93,7 @@ sudo apt-get install kloak ### How to build deb package -Replace `apparmor-profile-torbrowser` with the actual name of this package with `kloak` and see [instructions](https://www.whonix.org/wiki/Dev/Build_Documentation/apparmor-profile-torbrowser). +See the [Whonix package build documentation](https://www.whonix.org/wiki/Dev/Build_Documentation/security-misc). Replace the sample package name `security-misc` with `kloak` to download, build, and install kloak. ### Whonix contact and support @@ -105,30 +104,8 @@ Replace `apparmor-profile-torbrowser` with the actual name of this package with `kloak` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive! - ### Troubleshooting -#### Can't open input/output device - -`kloak` will attempt to find your keyboard device to read events from and the location of `uinput` to write events to. If `kloak` cannot find either the input device or output device, these must be specified with the `-r` and `-w` options, respectively. - -To find the keyboard device for reading events: determine which device file corresponds to the physical keyboard. Use `eventcap` (or some other event capture tool) and look for the device that generates events when keys are pressed. This will typically be one of `/dev/input/event[0-7]`. In this example, it's `/dev/input/event4`: - - $ sudo ./eventcap /dev/input/event4 - Reading From : /dev/input/event4 (AT Translated Set 2 keyboard) - Type: 4 Code: 4 Value: 15 - Type: 1 Code: 15 Value: 0 - Type: 0 Code: 0 Value: 0 - Type: 4 Code: 4 Value: 56 - Type: 1 Code: 56 Value: 0 - Type: 0 Code: 0 Value: 0 - -`uinput` is the [kernel module](http://thiemonge.org/getting-started-with-uinput) that allows user-land applications to create input devices. This is typically located at either `/dev/uinput` or `/dev/input/uinput`. - -Start `kloak` by specifying the input and output device files: - - $ sudo ./kloak -r /dev/input/event4 -w /dev/uinput - #### My keyboard seems very slow `kloak` works by introducing a random delay to each key press and release event. This requires temporarily buffering the event before it reaches the application (e.g., a text editor). @@ -150,38 +127,17 @@ The full usage and options are: -s startup_timeout: time to wait (milliseconds) before startup. Default 100. -k csv_string: csv list of rescue key names to exit kloak in case the keyboard becomes unresponsive. Default is 'KEY_LEFTSHIFT,KEY_RIGHTSHIFT,KEY_ESC'. + -p: persistent mode (disable rescue key sequence) -v: verbose mode ## Try it out -Consider these three different scenarios: -* Train normal, test normal -* Train normal, test kloak -* Train `kloak`, test `kloak` - -*Train normal* means to train with normal typing behavior, i.e., without `kloak` running. At the enrollment page on the KeyTrac demo (demo no longer available), enter a username and password without `kloak` running, and then on the authenticate page, try authenticating. For example, the train normal/test normal result is: - -
-

-
- -Start `kloak` and then try authenticating again. These results were obtained using a maximum delay of 200 ms (`-d 200`). The train normal/test `kloak` result is: - -
-

-
- -Enroll With `kloak` running and then try authenticating with `kloak` still running. Again, this is with a 200 ms maximum delay. The train `kloak`/test `kloak` result is: - -
-

-
- -Your results may differ, especially in the train `kloak`/test `kloak` scenario. The train `kloak`/test `kloak` scenario is more difficult to anonymize than the train normal/test `kloak` scenario. This is because *kloak obfuscates your typing behavior, but does not make your typing behavior similar to other users*. This dilemma relates to the problem of user cooperation. It's easy to make your typing behavior look like something that it's not, but what should that be? If it's too unique, then the change does more harm then good, allowing you to be easily identified. Without the cooperation of other users, it's difficult to choose a behavior that's hard to distinguish. +See the [kloak defense testing](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak) instructions. ## Background `kloak` has two goals in mind: + * Make it difficult for an adversary to identify a user * Make it difficult for an adversary to replicate a user's typing behavior diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..3ca421b --- /dev/null +++ b/build.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +## For CodeQL autobuild + +set -x +set -e + +sudo --non-interactive apt-get update --error-on=any +sudo --non-interactive apt-get install --yes libevdev2 libevdev-dev libsodium23 libsodium-dev pkg-config + +make diff --git a/changelog.upstream b/changelog.upstream index a637278..a4ed2f3 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,425 @@ +commit 222994ec63c36898b8a89fca2f0210384da2a0c3 +Merge: f5ee77e 29477f9 +Author: Patrick Schleizer +Date: Thu Sep 26 20:47:43 2024 -0400 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit 29477f98d1192ced4fb0e630c07dbd8b97942d22 +Author: Aaron Rainbolt +Date: Thu Sep 26 14:08:48 2024 -0500 + + Generate debugging info + +commit f5ee77ee73f90c02fede10cdc510a1a6417dd74f +Author: Patrick Schleizer +Date: Thu Sep 26 11:07:01 2024 +0000 + + bumped changelog version + +commit 9b96a2330e5dd9d2829bb662f0f01ff9c1e5b505 +Merge: 3cbe8b2 4bbdf38 +Author: Patrick Schleizer +Date: Thu Sep 26 06:53:11 2024 -0400 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit 4bbdf38cc6c6f9162348d9b23deef3169f8465b8 +Author: Aaron Rainbolt +Date: Wed Sep 25 15:17:27 2024 -0500 + + Update README.md + +commit c3500fc38cea3d69c96765f6691688e4079ecd67 +Author: Aaron Rainbolt +Date: Wed Sep 25 13:43:06 2024 -0500 + + Don't use AddressSanitizer, incompatible with Whonix's vm.mmap_rnd_bits setting + +commit 38604467ed76f6d236e5c207913d9533bdab05ab +Author: Aaron Rainbolt +Date: Wed Sep 25 12:41:58 2024 -0500 + + Don't set the output device name under Qubes OS, it causes a scary notification to appear + +commit 3cbe8b2ba4d50f6d23823736a90109e89a5c07c4 +Author: Patrick Schleizer +Date: Wed Sep 25 04:23:39 2024 +0000 + + bumped changelog version + +commit db54b34d50df8ffd0b9c6c55338aecea07de6928 +Author: Patrick Schleizer +Date: Wed Sep 25 00:23:29 2024 -0400 + + apparmor + +commit cec549dbfa81a927775a0f7b1d7c9a8116a45694 +Author: Patrick Schleizer +Date: Wed Sep 25 00:19:52 2024 -0400 + + add open syscall (required in VirtualBox) + +commit b7831111dfc305ed7fbaa60f69163df38746af51 +Author: Patrick Schleizer +Date: Wed Sep 25 04:16:46 2024 +0000 + + bumped changelog version + +commit aad35c7038ae645e27af125f5c0b1adf59d0f063 +Author: Patrick Schleizer +Date: Wed Sep 25 00:16:22 2024 -0400 + + add readlink syscall (required in VirtualBox) + +commit fb6cff17fe950846a1af6c3e4edc323c0bfb56fe +Author: Patrick Schleizer +Date: Wed Sep 25 01:04:05 2024 +0000 + + bumped changelog version + +commit 47e67bad20c321a8556e4256ad473e0a97ef3971 +Merge: b085979 a290f5f +Author: Patrick Schleizer +Date: Tue Sep 24 20:59:42 2024 -0400 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit a290f5f0fd864ea459e1c3e75a424fe7dd33cca8 +Author: Aaron Rainbolt +Date: Tue Sep 24 15:25:56 2024 -0500 + + Fix minor bug in makefile, add check for pkg-config + +commit ac9d1fc2712966a5ae834a690a885db9f10b2b0b +Author: Aaron Rainbolt +Date: Tue Sep 24 13:41:35 2024 -0500 + + Add -p option for disabling rescue key sequence + +commit b08597935959a9a37d96ec49f372d08084e6a82a +Author: Patrick Schleizer +Date: Tue Sep 24 05:03:38 2024 +0000 + + bumped changelog version + +commit 0f3ae73fc107e4103f2e9933960bdedce63df7cf +Author: Patrick Schleizer +Date: Tue Sep 24 01:02:28 2024 -0400 + + fork of kloak from upstream + + from now, doing normal version bump with reach rebuild + + since version numbers are now managed by Whonix + +commit 98febd4ffde18ff2d37f6882cf0e1f6d03bfc53a +Author: Patrick Schleizer +Date: Tue Sep 24 05:00:47 2024 +0000 + + bumped changelog version + +commit 81a5ef129afff70ca3683ac393031ed51170378c +Merge: e937174 e1e03d7 +Author: Patrick Schleizer +Date: Tue Sep 24 00:55:31 2024 -0400 + + Merge remote-tracking branch 'github-whonix/master' + +commit e1e03d786078dd8b0e2bddb4a982afd76b864797 +Merge: e937174 bb4a714 +Author: Patrick Schleizer +Date: Tue Sep 24 00:52:03 2024 -0400 + + Merge pull request #1 from ArrayBolt3/arraybolt3 + + Harden and enhance Kloak + +commit bb4a7143877eb12904e797224c2b0afc05463713 +Author: Aaron Rainbolt +Date: Mon Sep 23 18:41:47 2024 -0500 + + Add a useful change from https://github.com/vmonaco/kloak/pull/65 that got missed + +commit ba5df2543f247ed5592690d97019e0444e79b749 +Author: Aaron Rainbolt +Date: Mon Sep 23 18:33:55 2024 -0500 + + Do resource cleanup on panic + +commit 7fa9500c32f6560bf6ee7fe55438e27869601a0e +Author: Aaron Rainbolt +Date: Mon Sep 23 18:15:42 2024 -0500 + + Add some missing syscalls for x86_64 + +commit d7f386dcdd25263eb9e7a7031b171fdec3d0d4d3 +Author: Aaron Rainbolt +Date: Mon Sep 23 17:59:36 2024 -0500 + + Enable use on non-Intel architectures, fix syscall whitelist + +commit 5beda6da49cf1ef9ef09767e35a5660015160ee8 +Author: Aaron Rainbolt +Date: Mon Sep 23 15:52:53 2024 -0500 + + Add address and undefined behavior sanitization + +commit e9284abf22adb36968011fb9ab47cc1357b58e9b +Author: Aaron Rainbolt +Date: Mon Sep 23 15:31:49 2024 -0500 + + Fix build failure, adjust number of supported devices to account for systems with many input devices + +commit 0d91a09a76ffa21b2782d673fcb91b16574b58d6 +Author: Aaron Rainbolt +Date: Mon Sep 23 14:27:59 2024 -0500 + + Add support for new devices attached after kloak starts (adapted from https://github.com/vmonaco/kloak/pull/67) + +commit 7f9bc1bcfd08e8b3554e135a4c4d59a0a09b26d8 +Author: Aaron Rainbolt +Date: Mon Sep 23 13:39:55 2024 -0500 + + Harden code based on advice from ChatGPT3 (adapted from https://github.com/vmonaco/kloak/pull/65) + +commit b0f0c926d84a6d60363c89c11b8f36cc55b57459 +Author: Aaron Rainbolt +Date: Mon Sep 23 13:24:20 2024 -0500 + + Add a header file to make future development easier (adapted from https://github.com/vmonaco/kloak/pull/61) + +commit dd255ad28bd404f3aad6012949d4fb4e04330db9 +Author: Aaron Rainbolt +Date: Mon Sep 23 13:08:09 2024 -0500 + + Use strtcpy rather than strncpy + +commit c9c5a9876bd7fba17ec638efd065cc0836329766 +Author: Aaron Rainbolt +Date: Mon Sep 23 12:36:13 2024 -0500 + + Add compiler hardening flags, fix all GCC warnings + +commit 36385d7b0050601e6f255b168c297dab8d8fb027 +Author: Aaron Rainbolt +Date: Mon Sep 23 11:16:50 2024 -0500 + + Use monotonic time for delay tracking + +commit e937174bb71313d943d8fb8965ae339343d0337f +Author: Patrick Schleizer +Date: Fri Feb 2 12:46:17 2024 +0000 + + bumped changelog version + +commit de06819bf221b994e00a0e8ccd93c64f66b20dec +Author: Patrick Schleizer +Date: Fri Feb 2 07:33:00 2024 -0500 + + usrmerge debhelper systemd Debian package maintainer scripts fix + +commit ade162aab807499dbf383afcb15effd1dbdb13bd +Author: Patrick Schleizer +Date: Mon Jan 22 13:25:12 2024 +0000 + + bumped changelog version + +commit 9b19632b302e534274b43c57c87cf8ead07f8b40 +Author: Patrick Schleizer +Date: Mon Jan 22 07:06:02 2024 -0500 + + usrmerge + +commit a8f0e5f8ef21befa74d00a6199ed7f30807e4f8e +Author: Patrick Schleizer +Date: Thu Jan 11 13:05:14 2024 +0000 + + bumped changelog version + +commit d48c864ace7ff9e4c98f04dea8cec4d4b0061a63 +Author: Patrick Schleizer +Date: Thu Jan 11 06:42:24 2024 -0500 + + update readme + +commit 49bb0ac90677a35c2abdc1096369bf24b9a1ba45 +Author: Patrick Schleizer +Date: Sat Nov 11 20:30:12 2023 +0000 + + bumped changelog version + +commit 1526784d9fdc79f7df0802c7519ce4f29fd0b37c +Author: Patrick Schleizer +Date: Sat Nov 11 14:43:10 2023 -0500 + + copyright + +commit cfd170899bea518f044359f01c4ce9d7f85ca11a +Author: Patrick Schleizer +Date: Fri Nov 10 12:35:12 2023 -0500 + + CodeQL + +commit daafc674bb10a03b7adcbae35015e9297cce6dd5 +Author: Patrick Schleizer +Date: Fri Nov 10 12:31:00 2023 -0500 + + CodeQL + +commit f10707f108872ba37673aec8303917d71deec8cd +Author: Patrick Schleizer +Date: Mon Sep 25 11:58:40 2023 -0400 + + bumped changelog version + +commit 196343c1c614c9d35264c43e502c83477d7107e0 +Merge: 61c0b09 9cbdf44 +Author: Patrick Schleizer +Date: Mon Sep 25 11:56:55 2023 -0400 + + Merge remote-tracking branch 'vmonaco/master' + +commit 9cbdf4484da19eb09653356e59ce42c37cecb523 +Merge: 130d81b 2ed1b1f +Author: Vinnie Monaco +Date: Sun Sep 24 21:49:52 2023 -0700 + + Merge pull request #62 from skyzzuu/check_rescue_key_str_not_null + + ensure _rescue_keys_str is not null before passing to strncpy to avoid potential null pointer dereference + +commit 130d81b6e5f2c892fbd7596eaf1ad1f10911426e +Merge: af79b08 efa47d1 +Author: Vinnie Monaco +Date: Sun Sep 24 21:47:27 2023 -0700 + + Merge pull request #63 from vmonaco/dev + + update readme + +commit 61c0b09452ded9bcbd8476ee3aa103f116bc5330 +Author: Patrick Schleizer +Date: Sun Sep 24 11:22:09 2023 -0400 + + bumped changelog version + +commit 2ed1b1f4e1613d5add68e051fcd1d58fd1ef97e4 +Author: Everett Gally +Date: Sat Sep 23 11:25:33 2023 -0400 + + ensure _rescue_keys_str is not null before passing to strncpy to avoid potential null pointer dereference + +commit c107815a062251cef694a84cf0710a73168e2bcf +Merge: ca5cf50 af79b08 +Author: Patrick Schleizer +Date: Tue Sep 19 08:23:59 2023 -0400 + + Merge remote-tracking branch 'vmonaco/master' + +commit efa47d1e0fa7b3cea17491a9520276e408d07569 +Merge: f171889 c928a7c +Author: Vinnie Monaco +Date: Mon Sep 18 08:43:59 2023 -0700 + + Merge pull request #55 from skyzzuu/readme_changes + + add dependency installation information into readme + +commit af79b08ea3dd83b70c5099391ef3e1233b102511 +Merge: 8fb85a0 68c3c70 +Author: Vinnie Monaco +Date: Mon Sep 18 08:43:25 2023 -0700 + + Merge pull request #53 from adrelanos/indentation-style + + improve indentation style + +commit 68c3c7063d51afee6bee63c15ab2465d83591442 +Author: Patrick Schleizer +Date: Mon Sep 18 08:04:34 2023 -0400 + + improve indentation style + + fixes https://github.com/vmonaco/kloak/issues/52 + +commit ca5cf502265f24bfd871547739d8b86449d00bc1 +Author: Patrick Schleizer +Date: Mon Sep 18 07:23:20 2023 -0400 + + bumped changelog version + +commit f49d6b8d4575f1694fe5038a6639e04dca9d4bfb +Merge: 537dec7 8fb85a0 +Author: Patrick Schleizer +Date: Mon Sep 18 07:22:36 2023 -0400 + + Merge remote-tracking branch 'vmonaco/master' + +commit c928a7c52e2fa0b4f2b7e7cf49c94197555fb288 +Author: Everett Gally +Date: Mon Sep 18 07:16:55 2023 -0400 + + update debian dependency installation information to install devscripts and then use sudo mk-build-deps --remove --install instead of hardcoding dependencies + +commit 8fb85a065a809be2b504075c500cbd1d12c4ecd9 +Merge: d343f5e f55cecc +Author: Vinnie Monaco +Date: Sun Sep 17 21:16:31 2023 -0700 + + Merge pull request #57 from skyzzuu/avoid_mem_leak_after_exit + + free pfds after exit to avoid memory leak + +commit f55ceccf164a7a2705fd6151bad77e6c421cf9e0 +Author: Everett Gally +Date: Sun Sep 17 19:42:08 2023 -0400 + + free pfds after while loop in main_loop exits to avoid memory leak after kloak ends + +commit b2f3a2aae1b85e22f40868266927773307131d0d +Author: Everett Gally +Date: Sun Sep 10 17:13:52 2023 -0400 + + add dependency installation information into readme + +commit 537dec7423af4635f3fa15a730844a57538a8947 +Author: Patrick Schleizer +Date: Wed Aug 16 06:51:59 2023 -0400 + + bumped changelog version + +commit cc2e0c39482eafe88c9607c609c790a0266b1837 +Merge: 0a1abe0 d343f5e +Author: Patrick Schleizer +Date: Wed Aug 16 06:32:04 2023 -0400 + + Merge remote-tracking branch 'vmonaco/master' + +commit d343f5e41124ff32ee78badeee540dfdea59b8ac +Merge: 2a3a45b f171889 +Author: Vinnie Monaco +Date: Tue Aug 15 21:57:43 2023 -0700 + + Merge pull request #38 from vmonaco/dev + + Multi-device support and multiple bug fixes + +commit f1718890b1620ac6ba42f2e2d1a1c2c84730c8d4 +Merge: cda8d74 0a1abe0 +Author: Vinnie Monaco +Date: Tue Aug 15 21:57:15 2023 -0700 + + Merge pull request #49 from adrelanos/chatgpt + + chatgpt + +commit 0a1abe03dd873058cb3f2e83ce97a4ba1ad89ea1 +Author: Patrick Schleizer +Date: Tue Aug 15 09:21:16 2023 -0400 + + bumped changelog version + commit 59056a25d1e14d6d81ee8a9666eda0bc62fe342a Author: Patrick Schleizer Date: Tue Aug 15 09:19:43 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 6543ad7..1a98136 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,93 @@ +kloak (0:0.3.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 27 Sep 2024 00:48:20 +0000 + +kloak (0:0.3.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 26 Sep 2024 11:07:01 +0000 + +kloak (0:0.3.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Sep 2024 04:23:39 +0000 + +kloak (0:0.3.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Sep 2024 04:16:46 +0000 + +kloak (0:0.3.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Sep 2024 01:04:05 +0000 + +kloak (0:0.3.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Sep 2024 05:03:38 +0000 + +kloak (0:0.2.53-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Sep 2024 05:00:47 +0000 + +kloak (0:0.2.52-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 02 Feb 2024 12:46:16 +0000 + +kloak (0:0.2.51-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 22 Jan 2024 13:25:12 +0000 + +kloak (0:0.2.50-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 11 Jan 2024 13:05:14 +0000 + +kloak (0:0.2.49-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 11 Nov 2023 20:30:12 +0000 + +kloak (0:0.2.48-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 25 Sep 2023 15:58:40 +0000 + +kloak (0:0.2.47-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 24 Sep 2023 15:22:09 +0000 + +kloak (0:0.2.46-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 18 Sep 2023 11:23:20 +0000 + +kloak (0:0.2.45-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 16 Aug 2023 10:51:58 +0000 + kloak (0:0.2.44-1) unstable; urgency=medium * New upstream version (local package). diff --git a/debian/control b/debian/control index 9e28eed..fe0fcdf 100644 --- a/debian/control +++ b/debian/control @@ -5,7 +5,7 @@ Source: kloak Section: misc Priority: optional Maintainer: Patrick Schleizer -Build-Depends: debhelper (>= 13), debhelper-compat (= 13), dh-apparmor, libevdev2, libevdev-dev, libsodium23, libsodium-dev, pkg-config +Build-Depends: debhelper (>= 13.11.4), debhelper-compat (= 13), dh-apparmor, libevdev2, libevdev-dev, libsodium23, libsodium-dev, pkg-config Homepage: https://github.com/vmonaco/kloak Vcs-Browser: https://github.com/vmonaco/kloak Vcs-Git: https://github.com/vmonaco/kloak.git @@ -29,7 +29,7 @@ Package: kloak ## qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x60269d8c ## qemu:handle_cpu_signal received signal outside vCPU context @ pc=0x6000178c ## Update: Same as above. -Architecture: amd64 +Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, libevdev2, libsodium23 Description: anti keystroke deanonymization tool A keystroke-level online anonymization kernel. diff --git a/debian/kloak.install b/debian/kloak.install index b008116..f557fc0 100644 --- a/debian/kloak.install +++ b/debian/kloak.install @@ -3,7 +3,9 @@ ## Manually maintained file. nogenmkfile -etc/* -lib/* eventcap usr/sbin/ kloak usr/sbin/ + +etc/* +usr/* +lib/* diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index 22bba0b..cc1d4f8 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh @@ -3,7 +3,8 @@ ## Copyright (C) 2016 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -version_numbers_by_upstream=true +## Fork. +#version_numbers_by_upstream=true ## Already included upstream. genmkfile_lintian_post_opts+=" --suppress-tags maintainer-manual-page" diff --git a/etc/apparmor.d/usr.sbin.kloak b/etc/apparmor.d/usr.sbin.kloak index fcd5f48..ca4eac6 100644 --- a/etc/apparmor.d/usr.sbin.kloak +++ b/etc/apparmor.d/usr.sbin.kloak @@ -1,4 +1,4 @@ -# Last Modified: Sun Jul 9 12:23:04 2023 +# Last Modified: Wed Sep 25 04:21:21 2024 include ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP @@ -24,6 +24,9 @@ include /{,usr/}lib{,32,64}/** mr, owner /dev/input/event* r, owner /dev/uinput rw, + owner /proc/*/cmdline r, + owner /proc/*/environ r, + owner /proc/*/maps r, owner /sys/devices/virtual/input/** r, # Site-specific additions and overrides. See local/README for details. diff --git a/lib/udev/rules.d/95-kloak.rules b/lib/udev/rules.d/95-kloak.rules new file mode 100644 index 0000000..51fbdc0 --- /dev/null +++ b/lib/udev/rules.d/95-kloak.rules @@ -0,0 +1,23 @@ +SUBSYSTEM!="input", GOTO="end" + + +# do not run kloak on devices created by kloak +KERNEL=="event*", ATTRS{name}=="*kloak", GOTO="end" + +# new keyboard or mouse attached, start kloak@event[0-9].service +KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_KEYBOARD}=="1", RUN+="/usr/bin/systemctl restart kloak.service" +KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_KEYBOARD}=="1", GOTO="end" + +KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_MOUSE}=="1", RUN+="/usr/bin/systemctl restart kloak.service" +KERNEL=="event*", ACTION=="add", ENV{ID_INPUT_MOUSE}=="1", GOTO="end" + + +# keyboard or mouse removed, stop the service +KERNEL=="event*", ACTION=="remove", ENV{ID_INPUT_KEYBOARD}=="1", RUN+="/usr/bin/systemctl restart kloak.service" +KERNEL=="event*", ACTION=="remove", ENV{ID_INPUT_KEYBOARD}=="1", GOTO="end" + +KERNEL=="event*", ACTION=="remove", ENV{ID_INPUT_MOUSE}=="1", RUN+="/usr/bin/systemctl restart kloak.service" +KERNEL=="event*", ACTION=="remove", ENV{ID_INPUT_MOUSE}=="1", GOTO="end" + + +LABEL="end" diff --git a/src/kloak.h b/src/kloak.h new file mode 100644 index 0000000..60d716b --- /dev/null +++ b/src/kloak.h @@ -0,0 +1,28 @@ +#ifndef KLOAK_H +#define KLOAK_H + +struct entry { + struct input_event iev; + long time; + TAILQ_ENTRY(entry) entries; + int device_index; +}; + +ssize_t strtcpy(char *, const char *, size_t); +void sleep_ms(long int); +long current_time_ms(void); +long int random_between(long int, long int); +void set_rescue_keys(const char*); +int supports_event_type(int, int); +int supports_specific_key(int, unsigned int); +int is_keyboard(int); +int is_mouse(int); +void detect_devices(); +void init_inputs(); +void init_outputs(); +void emit_event(struct entry *); +void main_loop(); +void usage(); +void banner(); + +#endif diff --git a/src/main.c b/src/main.c index c8a9615..951bd58 100644 --- a/src/main.c +++ b/src/main.c @@ -1,3 +1,4 @@ +#define _GNU_SOURCE #include #include #include @@ -5,23 +6,25 @@ #include #include #include +#include #include #include #include #include +#include "kloak.h" #include "keycodes.h" #define BUFSIZE 256 // for device names and rescue key sequence -#define MAX_INPUTS 16 // number of devices to try autodetection -#define MAX_DEVICES 16 // max number of devices to read events from +#define MAX_INPUTS 48 // number of devices to try autodetection +#define MAX_DEVICES 48 // max number of devices to read events from #define MAX_RESCUE_KEYS 10 // max number of rescue keys to exit in case of emergency #define MIN_KEYBOARD_KEYS 20 // need at least this many keys to be a keyboard #define POLL_TIMEOUT_MS 1 // timeout to check for new events #define DEFAULT_MAX_DELAY_MS 20 // upper bound on event delay #define DEFAULT_STARTUP_DELAY_MS 500 // wait before grabbing the input device -#define panic(format, ...) do { fprintf(stderr, format "\n", ## __VA_ARGS__); fflush(stderr); exit(EXIT_FAILURE); } while (0) +#define panic(format, ...) do { fprintf(stderr, format "\n", ## __VA_ARGS__); fflush(stderr); cleanup(); exit(EXIT_FAILURE); } while (0) #ifndef min #define min(a, b) ( ((a) < (b)) ? (a) : (b) ) @@ -31,8 +34,13 @@ #define max(a, b) ( ((a) > (b)) ? (a) : (b) ) #endif +const char *qubes_detect_file = "/usr/share/qubes/marker-vm"; +static bool is_qubes_vm = false; + static int interrupt = 0; // flag to interrupt the main loop and exit static int verbose = 0; // flag for verbose output +static int persistent = 0; // flag for persistent mode (diables rescue key sequence) +static int custom_rescue = 0; // flag for setting a custom rescue key sequence static char rescue_key_seps[] = ", "; // delims to strtok static char rescue_keys_str[BUFSIZE] = "KEY_LEFTSHIFT,KEY_RIGHTSHIFT,KEY_ESC"; @@ -42,7 +50,7 @@ static int rescue_len = 0; // Number of rescue keys, set during initializat static int max_delay = DEFAULT_MAX_DELAY_MS; // lag will never exceed this upper bound static int startup_timeout = DEFAULT_STARTUP_DELAY_MS; -static int device_count = 0; +static unsigned int device_count = 0; static char named_inputs[MAX_INPUTS][BUFSIZE]; static int input_fds[MAX_INPUTS]; @@ -61,32 +69,62 @@ static struct option long_options[] = { TAILQ_HEAD(tailhead, entry) head; -struct entry { - struct input_event iev; - long time; - TAILQ_ENTRY(entry) entries; - int device_index; -}; +// From string_copying manpage +ssize_t strtcpy(char *restrict dst, const char *restrict src, size_t dsize) +{ + bool trunc; + size_t dlen, slen; + + if (dsize == 0) { + errno = ENOBUFS; + return -1; + } + + slen = strnlen(src, dsize); + trunc = (slen == dsize); + dlen = slen - trunc; + + stpcpy(mempcpy(dst, src, dlen), ""); + if (trunc) + errno = E2BIG; + return trunc ? -1 : (ssize_t)slen; +} + +void cleanup() { + for (int i = 0; i < device_count; i++) { + libevdev_uinput_destroy(uidevs[i]); + libevdev_free(output_devs[i]); + close(input_fds[i]); + } +} void sleep_ms(long milliseconds) { struct timespec ts; ts.tv_sec = milliseconds / 1000; ts.tv_nsec = (milliseconds % 1000) * 1000000; - nanosleep(&ts, NULL); + if (nanosleep(&ts, NULL) == -1) + panic("nanosleep failed: %s", strerror(errno)); } long current_time_ms(void) { struct timespec spec; - clock_gettime(CLOCK_REALTIME, &spec); + clock_gettime(CLOCK_MONOTONIC, &spec); return (spec.tv_sec) * 1000 + (spec.tv_nsec) / 1000000; } long random_between(long lower, long upper) { + long maxval; + long randval; // default to max if the interval is not valid if (lower >= upper) return upper; - return lower + randombytes_uniform(upper - lower + 1); + maxval = upper - lower + 1; + if (maxval > UINT32_MAX) + return UINT32_MAX; + + randval = randombytes_uniform((uint32_t)maxval); + return lower + randval; } void set_rescue_keys(const char* rescue_keys_str) { @@ -117,20 +155,24 @@ void set_rescue_keys(const char* rescue_keys_str) { int supports_event_type(int device_fd, int event_type) { unsigned long evbit = 0; // Get the bit field of available event types. - ioctl(device_fd, EVIOCGBIT(0, sizeof(evbit)), &evbit); - return evbit & (1 << event_type); + if (ioctl(device_fd, EVIOCGBIT(0, sizeof(evbit)), &evbit) == -1) + panic("ioctl EVIOCGBIT failed: %s", strerror(errno)); + // NOTE: EVIOCGBIT ioctl returns an int, see handle_eviocgbit function in + // linux/drivers/input/evdev.c, thus this cast is safe + return (int)evbit & (1 << event_type); } int supports_specific_key(int device_fd, unsigned int key) { size_t nchar = KEY_MAX/8 + 1; unsigned char bits[nchar]; // Get the bit fields of available keys. - ioctl(device_fd, EVIOCGBIT(EV_KEY, sizeof(bits)), &bits); + if (ioctl(device_fd, EVIOCGBIT(EV_KEY, sizeof(bits)), &bits) == -1) + panic("ioctl EVIOCGBIT for EV_KEY failed: %s", strerror(errno)); return bits[key/8] & (1 << (key % 8)); } int is_keyboard(int fd) { - int key; + unsigned int key; int num_supported_keys = 0; // Only check devices that support EV_KEY events @@ -152,26 +194,27 @@ int is_mouse(int fd) { void detect_devices() { int fd; - char device[256]; + char device[BUFSIZE]; for (int i = 0; i < MAX_DEVICES; i++) { - sprintf(device, "/dev/input/event%d", i); + snprintf(device, sizeof(device), "/dev/input/event%d", i); if ((fd = open(device, O_RDONLY)) < 0) { continue; } if (is_keyboard(fd)) { - strncpy(named_inputs[device_count++], device, BUFSIZE-1); + strtcpy(named_inputs[device_count++], device, BUFSIZE); if (verbose) printf("Found keyboard at: %s\n", device); } else if (is_mouse(fd)) { - strncpy(named_inputs[device_count++], device, BUFSIZE-1); + strtcpy(named_inputs[device_count++], device, BUFSIZE); if (verbose) printf("Found mouse at: %s\n", device); } - close(fd); + if (close(fd) == -1) + panic("close failed on device: %s, error: %s", device, strerror(errno)); if (device_count >= MAX_INPUTS) { if (verbose) @@ -202,12 +245,33 @@ void init_inputs() { } void init_outputs() { + char *name; + const char *suffix = " kloak"; for (int i = 0; i < device_count; i++) { int err = libevdev_new_from_fd(input_fds[i], &output_devs[i]); if (err != 0) panic("Could not create evdev for input device: %s", named_inputs[i]); + // Setting the device name under Qubes is pointless, as a Qubes VM + // will never have a dynamically changing number of input devices like + // a normal VM or a physical system. Furthermore, setting the device + // name causes an alarming "Denied qubes.InputKeyboard from vm to + // dom0" notification. + if (!is_qubes_vm) { + const char *tmp_name = libevdev_get_name(output_devs[i]); + name = malloc(strlen(tmp_name) + strlen(suffix) + 1); + if (name == NULL) + panic("Could not allocate memory for device name: %s", tmp_name); + + strcpy(name, tmp_name); + strcat(name, suffix); + + libevdev_set_name(output_devs[i], name); + + free(name); + } + err = libevdev_uinput_create_from_device(output_devs[i], LIBEVDEV_UINPUT_OPEN_MANAGED, &uidevs[i]); if (err != 0) @@ -233,7 +297,7 @@ void emit_event(struct entry *e) { } void main_loop() { - int err; + long int err; long prev_release_time = 0; long current_time = 0; long lower_bound = 0; @@ -291,15 +355,17 @@ void main_loop() { panic("read() failed: %s", strerror(errno)); // check for the rescue sequence. - if (ev.type == EV_KEY) { - int all = 1; - for (int j = 0; j < rescue_len; j++) { - if (rescue_keys[j] == ev.code) - rescue_state[j] = (ev.value == 0 ? 0 : 1); - all = all && rescue_state[j]; + if (!persistent) { + if (ev.type == EV_KEY) { + int all = 1; + for (int j = 0; j < rescue_len; j++) { + if (rescue_keys[j] == ev.code) + rescue_state[j] = (ev.value == 0 ? 0 : 1); + all = all && rescue_state[j]; + } + if (all) + interrupt = 1; } - if (all) - interrupt = 1; } // schedule the keyboard event to be released sometime in the future. @@ -351,6 +417,7 @@ void usage() { fprintf(stderr, " -s startup_timeout: time to wait (milliseconds) before startup. Default 100.\n"); fprintf(stderr, " -k csv_string: csv list of rescue key names to exit kloak in case the\n" " keyboard becomes unresponsive. Default is 'KEY_LEFTSHIFT,KEY_RIGHTSHIFT,KEY_ESC'.\n"); + fprintf(stderr, " -p: persistent mode (disable rescue key sequence)\n"); fprintf(stderr, " -v: verbose mode\n"); } @@ -364,10 +431,13 @@ void banner() { for (int i = 1; i < device_count; i++) { printf("* %s\n", named_inputs[i]); } - - printf("* Rescue keys : %s", lookup_keyname(rescue_keys[0])); - for (int i = 1; i < rescue_len; i++) { - printf(" + %s", lookup_keyname(rescue_keys[i])); + if (persistent) { + printf("* Persistent mode, rescue keys disabled"); + } else { + printf("* Rescue keys : %s", lookup_keyname(rescue_keys[0])); + for (int i = 1; i < rescue_len; i++) { + printf(" + %s", lookup_keyname(rescue_keys[i])); + } } printf("\n"); @@ -382,8 +452,12 @@ int main(int argc, char **argv) { if ((getuid()) != 0) printf("You are not root! This may not work...\n"); + if (access(qubes_detect_file, F_OK) == 0) { + is_qubes_vm = true; + } + while (1) { - int c = getopt_long(argc, argv, "r:d:s:k:vh", long_options, NULL); + int c = getopt_long(argc, argv, "r:d:s:k:vph", long_options, NULL); if (c < 0) break; @@ -392,7 +466,7 @@ int main(int argc, char **argv) { case 'r': if (device_count >= MAX_INPUTS) panic("Too many -r options: can read from at most %d devices\n", MAX_INPUTS); - strncpy(named_inputs[device_count++], optarg, BUFSIZE-1); + strtcpy(named_inputs[device_count++], optarg, BUFSIZE); break; case 'd': @@ -406,13 +480,24 @@ int main(int argc, char **argv) { break; case 'k': - strncpy(rescue_keys_str, optarg, BUFSIZE-1); + if (persistent) { + panic("-k and -p options are mutually exclusive, try -h for help\n"); + } + strtcpy(rescue_keys_str, optarg, BUFSIZE); + custom_rescue = 1; break; case 'v': verbose = 1; break; + case 'p': + if (custom_rescue) { + panic("-k and -p options are mutually exclusive, try -h for help\n"); + } + persistent = 1; + break; + case 'h': usage(); exit(0); @@ -450,11 +535,7 @@ int main(int argc, char **argv) { main_loop(); // close everything - for (int i = 0; i < device_count; i++) { - libevdev_uinput_destroy(uidevs[i]); - libevdev_free(output_devs[i]); - close(input_fds[i]); - } + cleanup(); exit(EXIT_SUCCESS); } diff --git a/lib/systemd/system/kloak.service b/usr/lib/systemd/system/kloak.service similarity index 83% rename from lib/systemd/system/kloak.service rename to usr/lib/systemd/system/kloak.service index 244f1f8..5c45aa3 100644 --- a/lib/systemd/system/kloak.service +++ b/usr/lib/systemd/system/kloak.service @@ -55,7 +55,7 @@ NoNewPrivileges=true RestrictRealtime=true RestrictNamespaces=true SystemCallArchitectures=native -SystemCallFilter=ioctl nanosleep select write read openat close brk fstat lseek mmap mprotect munmap rt_sigaction rt_sigprocmask access execve getuid arch_prctl set_tid_address set_robust_list prlimit64 pread64 getrandom newfstatat clock_nanosleep pselect6 poll shmctl openat getdents64 +SystemCallFilter=brk clock_nanosleep close execve faccessat getdents64 getpid getrandom getuid ioctl madvise mmap mprotect munmap newfstatat openat ppoll prlimit64 read readlinkat rseq rt_sigaction set_robust_list set_tid_address sigaltstack write rt_sigprocmask sysinfo uname getcwd access fstat pread64 poll readlink open [Install] WantedBy=multi-user.target