Posted to user@guacamole.apache.org by mcafasso <ca...@ctc.com> on 2018/07/23 17:57:01 UTC

Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Is it possible, either via a Guacamole configuration or changing code in
guacamole itself, to force a full remote frame buffer update all the time,
instead of the normal initial full remote buffer update on initial vnc
server connection, and then incremental remote frame buffer updates from
that point on?

We are not worried about performance, but want the ability to extract the
full remote vnc screen as an image on all updates from the server.



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by m99 <ca...@ctc.com>.
"You are concerned that users within remote desktop will use steganography to
hide data within images as a means of transferring that data out of the
remote desktop environment?"

Yes, correct, this is what we want to prevent by performing the jpeg lossy
compression on the screen images.




Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by Mike Jumper <mj...@apache.org>.
On Wed, Sep 26, 2018, 05:09 m99 <ca...@ctc.com> wrote:

> "The issue is not the size of the patch but the reason(s) for the patch. If
> the assertion is that forcing JPEG provides some security benefit, the
> benefit needs to be explained."
>
> Forcing JPEG lossy compression on every screen image sent from guacamole
> would help mitigate attempts of steganography within these images.  This is
> the main goal of the patch we have implemented.
>

You are concerned that users within remote desktop will use steganography
to hide data within images as a means of transferring that data out of the
remote desktop environment?

- Mike

Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by m99 <ca...@ctc.com>.
"The issue is not the size of the patch but the reason(s) for the patch. If
the assertion is that forcing JPEG provides some security benefit, the
benefit needs to be explained."

Forcing JPEG lossy compression on every screen image sent from guacamole
would help mitigate attempts of steganography within these images.  This is
the main goal of the patch we have implemented.




Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Sep 25, 2018, 07:31 m99 <ca...@ctc.com> wrote:

> "What do you mean by this? Inspect/process it how? For what purpose?"
> "How does this relate to your need for full-frame updates?"
>
> Our requirement is to ensure all screen images sent to the end user in the
> Web browser have undergone a jpeg lossy compression (regardless of
> performance).  ...
>
> We want to submit this patch to the Guacamole community for consideration
> to improve the security posture.  We understand this change is tailored for a
> very specific use case, but as an optional configuration option, the impact
> of the change is very minimal.
>

The issue is not the size of the patch but the reason(s) for the patch. If
the assertion is that forcing JPEG provides some security benefit, the
benefit needs to be explained.


> Is this patch something the Guacamole community would be interested in?


This will depend on the reasoning behind the change.


> I've found the following link outlining the steps to submit a change to the
> guacamole project, is this the process I
> should follow to submit the patch for consideration?
>
> https://github.com/apache/guacamole-server/blob/master/CONTRIBUTING


Yes, the link describes the correct process.

- Mike

Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by m99 <ca...@ctc.com>.
"What do you mean by this? Inspect/process it how? For what purpose?"
"How does this relate to your need for full-frame updates?"

Our requirement is to ensure all screen images sent to the end user in the
Web browser have undergone a jpeg lossy compression (regardless of
performance).  This can be achieved by changing Guacamole to force jpeg
encoding, thus ensuring the jpeg lossy compression.

Our patch to Guacamole 0.14 adds a new configuration option for the build
(--enable-force-jpeg=yes; default is no).  This patch adds an ifdef to the
surface.c file to force jpeg encoding all the time if enabled during
configure with this new option.

Our original thought was first to perform a jpeg lossy compression on the
actual frame buffer first (which we believed required a full frame buffer
update all the time) then forwarding on to Guacamole, however this turned
out to be a much larger effort than originally anticipated.

We want to submit this patch to the Guacamole community for consideration to
improve the security posture.  We understand this change is tailored for a
very specific use case, but as an optional configuration option, the impact
of the change is very minimal.

Is this patch something the Guacamole community would be interested in?   
I've found the following link outlining the steps to submit a change to the
guacamole project, is this the process I 
should follow to submit the patch for consideration?

https://github.com/apache/guacamole-server/blob/master/CONTRIBUTING




Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Jul 24, 2018, 07:06 m99 <ca...@ctc.com> wrote:

> Thanks!  We wanted the ability to inspect/process the image from the frame
> buffer before it reached guacamole


What do you mean by this? Inspect/process it how? For what purpose?

> and enforce a lossy compression on the
> image before reaching guacamole.


Not recommended - see below.

> However if full frame buffer updates
> aren't possible, would it instead be possible to have guacamole always
> force jpeg lossy compression on all frame buffer images/updates?
>

How does this relate to your need for full-frame updates?


> I was looking at the guacamole code and it appears changing
> /src/common/surface.c in the __guac_common_surface_flush method to always
> call _guac_common_surface_flush_to_jpeg might do what we wanted to always
> guarantee jpeg encoding.   I couldn't find any configuration settings in
> guacamole to enforce jpeg encoding all the time, so this would have to be a
> code change to guacamole?
>

I would not recommend this. Some types of images do not compress well with
JPEG, and forcing JPEG for all updates will lead to reduced performance.
Guacamole already tries to detect when JPEG / WebP are more appropriate
based on content and update frequency.

- Mike

Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by m99 <ca...@ctc.com>.
Thanks!  We wanted the ability to inspect/process the image from the frame
buffer before it reached guacamole and enforce a lossy compression on the
image before reaching guacamole.  However if full frame buffer updates
aren't possible, would it instead be possible to have guacamole always force
jpeg lossy compression on all frame buffer images/updates?

I was looking at the guacamole code and it appears changing
/src/common/surface.c in the __guac_common_surface_flush method to always
call _guac_common_surface_flush_to_jpeg might do what we wanted to always
guarantee jpeg encoding.   I couldn't find any configuration settings in
guacamole to enforce jpeg encoding all the time, so this would have to be a
code change to guacamole?




Re: Guacamole - Forcing full remote frame buffer update all the time instead of incremental

Posted by Mike Jumper <mj...@apache.org>.
On Mon, Jul 23, 2018, 10:57 mcafasso <ca...@ctc.com> wrote:

> Is it possible, either via a Guacamole configuration or changing code in
> guacamole itself, to force a full remote frame buffer update all the time,
> instead of the normal initial full remote buffer update on initial vnc
> server connection, and then incremental remote frame buffer updates from
> that point on?
>

No. Even if you're truly OK with neutering the performance of the VNC
connection in this way, the server side of Guacamole has a built-in
optimizer which will try to trim redundant data from updates.

I suggest looking for alternative means of achieving your high-level goal
(more on this below). I'm not sure what led you down the path of forcing
100% full-frame updates, but I'm skeptical it should be necessary.

> We are not worried about performance


Shouldn't you be?

> but want the ability to extract the
> full remote vnc screen as an image on all updates from the server.


The ability to extract an image from the display of the client does not
depend on all updates to that display being absolute. Regardless of whether
the updates are incremental, the user sees the full display, and you can
extract an image of that full display.

The Guacamole webapp already does this in order to periodically update the
recent connection thumbnail and the browser's tab icon. To do the same, you
would use the flatten() function of the display to get a canvas containing
a flattened copy of all display layers, and then use the canvas API as you
see fit to do what you wish with that data.

http://guacamole.apache.org/doc/guacamole-common-js/Guacamole.Display.html#flatten

- Mike
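
The capture described in the message above, as an added example that is not part of the thread or of Guacamole's own code: captureDisplay() takes a JPEG of the whole client display through flatten() and the canvas API, and makeThrottledCapture() limits how often that happens. getWidth(), getHeight() and flatten() are Guacamole.Display methods; the function names, the options and the injected createCanvas/now hooks are assumptions made for this example.

```javascript
// Added example: capture the full Guacamole display as a JPEG, however the
// server delivered its updates. Only getWidth(), getHeight() and flatten()
// are Guacamole.Display calls; every other name here is hypothetical.

/**
 * Returns a data: URL holding a JPEG of the whole display, or null if the
 * display has no size yet (nothing has been drawn).
 * createCanvas is injectable so the function can be exercised without a DOM.
 */
function captureDisplay(display, options = {}) {
    const {
        maxWidth = Infinity,   // downscale wider displays to this many pixels
        quality = 0.8,         // JPEG quality passed to the canvas encoder
        createCanvas = () => document.createElement('canvas')
    } = options;

    if (display.getWidth() <= 0 || display.getHeight() <= 0)
        return null;

    // flatten() composites all visible layers into one new canvas
    const full = display.flatten();
    const scale = Math.min(maxWidth / full.width, 1);
    if (scale === 1)
        return full.toDataURL('image/jpeg', quality);

    // Copy into a smaller canvas when a size limit was requested
    const scaled = createCanvas();
    scaled.width = Math.round(full.width * scale);
    scaled.height = Math.round(full.height * scale);
    scaled.getContext('2d').drawImage(full, 0, 0, full.width, full.height,
        0, 0, scaled.width, scaled.height);
    return scaled.toDataURL('image/jpeg', quality);
}

/**
 * Wraps captureDisplay() so it can be called on every display change but
 * hands at most one image per intervalMs to onImage.
 */
function makeThrottledCapture(display, intervalMs, onImage, options = {}) {
    const now = options.now || Date.now;
    let last = -Infinity;
    return function displayChanged() {
        const t = now();
        if (t - last < intervalMs) return false;
        const image = captureDisplay(display, options);
        if (image === null) return false;
        last = t;
        onImage(image, t);
        return true;
    };
}
```

Call the returned function from whatever hook signals a display change in your client. Incremental updates need no special handling, because flatten() always returns the composited display.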