Abstract
Operating systems provide various inter-process communication (IPC) mechanisms. Software applications typically use IPC for communication between front-end and back-end components, which run in different processes on the same computer. This paper studies the security of how the IPC mechanisms are used in PC, Mac and Linux software. We describe attacks where a nonprivileged process impersonates the IPC communication endpoints. The attacks are closely related to impersonation and man-in-the-middle attacks on computer networks but take place inside one computer. The vulnerable IPC methods are ones where a server process binds to a name or address and waits for client communication. Our results show that application developers are often unaware of the risks and secure practices in using IPC. We find attacks against several security-critical applications including password managers and hardware tokens, in which another user’s process is able to steal and misuse sensitive data such as the victim’s credentials. The vulnerabilities can be exploited in enterprise environments with centralized access control that gives multiple users remote or local login access to the same host. Computers with guest accounts and shared computers at home are similarly vulnerable.
AI Generated Summary
This research introduces the “Man-in-the-Machine” attack class, where an unprivileged local user (e.g., a guest or coworker) exploits inter-process communication (IPC) channels to steal sensitive data from other users on a shared multi-user system. The threat model assumes a compromised but legitimate user account, distinct from a full system compromise by malware.
The study identifies IPC mechanisms vulnerable to this attacker, specifically those where a server process listens on a globally accessible name (e.g., Unix domain sockets, Windows named pipes, and USB Human Interface Devices). Attackers run malicious processes in the background (using features like fast user switching or nohup) to perform client or server impersonation. Key case studies demonstrate practical exploits: RoboForm’s password manager lacked any authentication on its local HTTP server, allowing direct database theft. 1Password’s browser extension failed to verify the server’s identity and used a weak, unidirectional key exchange protocol, enabling an attacker’s malicious server to intercept form data. FIDO2/U2F security keys on Windows were vulnerable because the OS permits any logged-in user to access USB HID devices, allowing an attacker’s browser to hijack the authentication challenge-response sequence.
Mitigations include application-level checks to ensure that the client and server processes belong to the same user, cryptographic protections such as TLS for IPC channels, and system configuration changes such as disabling guest accounts and restricting hosts to a single logged-in user. The research concludes that IPC is not inherently secure against insider threats, and developers must explicitly defend against this model. Vendors of the affected applications were notified and most issued patches.
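As an added illustration of the first mitigation above (example code written for this page, not the paper's or any vendor's), here is a Linux Unix-domain-socket exchange in which both ends check the peer's UID via SO_PEERCRED before trusting each other: the server refuses clients of other users, and the client refuses to send anything to a process that bound the name but is not running as the expected user. The socket name, the "OK"/"DENY" replies and the payload are assumptions made for the example.

```python
import os, socket, struct, tempfile, threading

def peer_uid(sock):
    # Linux-specific: SO_PEERCRED yields struct ucred {pid, uid, gid} of the peer;
    # on a connected client socket that is the process which bound the name.
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)[1]

def accept_checked(srv, expected_uid, out):
    # Server side: serve the client only if it runs as expected_uid.
    conn, _ = srv.accept()
    with conn:
        try:
            if peer_uid(conn) != expected_uid:
                conn.sendall(b"DENY")
                out[0] = (False, b"")
            else:
                conn.sendall(b"OK")
                out[0] = (True, conn.recv(64))
        except OSError:  # client hung up first, e.g. because it rejected us
            out[0] = (False, b"")

def connect_checked(path, expected_uid, payload):
    # Client side: check who is behind the name before sending anything, so a
    # process squatting the name never sees the payload. None = server rejected.
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    with cli:
        if peer_uid(cli) != expected_uid:
            return None
        reply = cli.recv(4)
        if reply == b"OK":
            cli.sendall(payload)
        return reply

def run_exchange(server_expects=None, client_expects=None, payload=b"constructed-secret"):
    # One round over a fresh socket; None means "expect my own uid", the normal policy.
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ipc.sock")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            os.chmod(path, 0o600)  # limits who may connect; no help if someone else bound the name first
            srv.listen(1)
            out = [None]
            t = threading.Thread(target=accept_checked, args=(srv, me if server_expects is None else server_expects, out))
            t.start()
            reply = connect_checked(path, me if client_expects is None else client_expects, payload)
            t.join()
            return reply, out[0]
```

Passing a UID other than your own to either side simulates the mismatch the paper's attacks rely on: the server answers DENY, or the client disconnects without ever sending the secret.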