1

I believe every Unix/Linux user wants his/her own computer free from key loggers. And I believe this cannot be done without some kind of OS-level support. The idea is that keypresses are only sent to the process who is actively accepting user input, and users should be aware of the process identity. Does Unix/Linux already have such (or other kinds of) security features against key loggers?

Cyker
  • 4,274
  • 7
  • 36
  • 46

2 Answers2

2

This question is based on two false premises.

One false premise is that keyloggers are a particularly common or egregious type of malware. They aren't: snooping keyboard input is neither easier than snooping other things (private files, passwords and cookies stored by browsers, browsing history, etc.) nor particularly useful (why read what the user is typing and puzzle out how it's dispatched to applications, instead of reading all the neatly stored files with explicit names?). The only point of using a keylogger is if it's an actual physical device that sits between the keys and the computer. Some malware gets called “keylogger” because of tradition, but in fact it's just malware that snoops and reports. The upshot is that there's no reason to focus on keyloggers over other malware — it would be like looking up while crossing in case a plane falls on you: better watch left and right for cars instead.

The other false premise is that “keypresses are only sent to the process who is actively accepting user input”. This assumes a very simplistic view of system design. Several processes are involved in getting input to an application. You might classify them as “system” processes: there's typically the X server, and the window manager, and the terminal emulator if the application is a text mode one. But that list is extensible: you can run any application that reacts to a hot key, you can run your own keyboard macro application such as Autokey or Xbindkeys, you can run a session-recording application, etc. Wayland, a proposed replacement for the traditional X11 window interface, aims to create a path from input to applications, but this isn't quite mature yet as the Wayland design doesn't accommodate for applications that require permanent access to input.

If you want to protect against malware, ensuring that it doesn't read keyboard input is the least of your worries. Ensuring that it doesn't read your files is a bigger concern. The only real solution is do not run malware on your account. And the primary way to do that is to only install software you trust. In particular, stick to software that comes from a well-known distribution. That doesn't guarantee that it's free of malware, but it does mean that the software is more likely to have had at least some scrutiny, and at least if malware is discovered you're likely to find out.

If you need to run untrusted software, run it in a virtual machine. The inconvenience that it's then isolated from your main environment (e.g., you should disable clipboard integration) matches the additional security that you're getting.

Community
  • 1
Gilles 'SO- stop being evil'
  • 829,060
  • No, I never made such a premise: keyloggers are a particularly common or egregious type of malware. Keyloggers are one of several common types of malwares. If I ask how to defend against malwares in general then the question is very likely to be flagged as too broad. So I'd like to narrow down on this specific type of malware. Know it or not, many people type their passwords every day, sometimes after sudo. Therefore keyloggers ARE useful as users don't want to print a list of pressed keys and send them to public. – Cyker Dec 07 '16 at 08:06
  • For the second premise, I'd like to say that very often security breaches result from complexity. I didn't mention X11 because I don't want to insert another layer of indirection into the key event handling process. In fact you may forget about GUI entirely and only consider a CLI environment. The kernel must be able to control event dispatch and those mechanisms would be the key to this question. – Cyker Dec 07 '16 at 08:13
  • @Cyker Finding out a user's local password is rarely useful. But if malware does want to do that then a keylogger isn't the easiest way to do it. The easiest way is substituting the program that is supposed to read the password for one that logs it. Regarding the second premise, your question didn't give any particular scenario so I assumed a typical desktop use case, and that uses a GUI. If you're working on a hardened machine with restricted capabilities and only minimal software installed, that's a different matter, but not one that's in any way relevant to “every Unix/Linux user”. – Gilles 'SO- stop being evil' Dec 07 '16 at 12:41
0

security-tools for Linux is rkhunter. It investigate your present data with MD5hashes. Search for hidden folder and files invested by known rootkits and malware. It checks also if commands are modified. It also tests network interfaces for listening applications. Here is the Manpage from the command. Another scanner is chrootkit

It is a good Idea to run this tools from a Live-Session (DVD/USB). So you can be sure that the tools are not infected itself.

The best way to keep your system clear, is to install programms from official sources, and system-encryption I think.

GAD3R
  • 66,769
  • 1
    Tools like rkhunter and chkrootkit are pretty useless: most rootkits infect the kernel and return normal system binaries to their good state. If you run them from a live session, they can be useful, but they aren't a panacea either because you need to have a known good signature for every single file on the system that might get executed. Furthermore system encryption is completely pointless. The only useful part of this answer is “install programms from official sources”. – Gilles 'SO- stop being evil' Dec 06 '16 at 22:55