Ruhr-University Bochum, System Security Lab
A Pattern for Secure Graphical User Interface Systems
Thomas Fischer, Ahmad-Reza Sadeghi, Marcel Winandy
Horst Görtz Institute for IT Security, Ruhr-University Bochum
Germany
SPattern '09 (co-located with DEXA 2009), 3rd International Workshop on Secure Systems Methodologies Using Patterns
Linz, Austria, 2 September 2009
Motivating Example (1)
Is it really the password dialog?
Motivating Example (2)
Digital Signature Application
Will it really sign the document you have selected before?
Context
● You need
– Authenticity of the displayed application
– Integrity and confidentiality of I/O between user and applications
– Graphical user interface for several applications
● Here: architectural concepts for software GUI system
[Figure: User and Application connected by a Trusted Path]
Problem
● Realization not trivial because
– All applications have to share I/O hardware
– Commodity OS provides insufficient security
  ● e.g. keyloggers that intercept all user input
– Picture-in-picture attack
– Usability
● Additional forces
– Flexibility to draw any content
– Invocation of trusted services (trusted path)
– Optionally: controlled communication (copy & paste)
Solution – Main Idea
● Mediate all user input/output through SUI system
● Separate content drawn by application from content displayed on screen
[Figure: User, SUI and Application in a row, with input and output passing through the SUI; the SUI multiplexes the output of App 1 and App 2, adds visible labels, and controls input focus]
Solution – Structure
● Integrity & confidentiality of input
● Integrity & confidentiality of output
● Authenticity
● Invocation of trusted path services
– Look for secure attention key
● Secure copy & paste
● Requires support by OS kernel
– Protected runtime environment
– Controlled access
– Authentication
Solution – Dynamics (1)
Solution – Dynamics (2)
Example Resolved (1)
● Fullscreen mode for different compartments (e.g. VMs)
● Using colors for different trust levels
[Figure callout: Secure Attention Key]
Example Resolved (2)
● Reserved area: vertical screen resolution for compartments is reduced by height of reserved area
● When switching an application to fullscreen mode, SUI displays the application name and color in reserved area
● Applications have only virtual framebuffers
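An added sketch (not from the slides or from any of the systems they cite) of the mediation described under Solution – Main Idea and Example Resolved (2): applications draw only into virtual framebuffers, the SUI alone writes the reserved area, and all input is routed by focus with the secure attention key intercepted. The class, method names, label format and the `SAK` token are hypothetical.

```python
SAK = "SAK"  # constructed stand-in; all names in this sketch are hypothetical

class SecureUI:
    def __init__(self, width, height, reserved_rows=1):
        # Rows left for compartments: screen height minus the reserved area.
        self.width, self.reserved, self.rows = width, reserved_rows, height - reserved_rows
        self.apps = {}      # name -> color, virtual framebuffer, input queue
        self.focus = None   # None: the SUI's own trusted screen has focus

    def register(self, name, color):
        self.apps[name] = {"color": color, "inbox": [],
                           "fb": [" " * self.width for _ in range(self.rows)]}

    def draw(self, name, row, text):
        # An application may draw any content, but only into its own buffer.
        fb = self.apps[name]["fb"]
        if not 0 <= row < len(fb):
            raise IndexError("outside the application's virtual framebuffer")
        fb[row] = text[:self.width].ljust(self.width)

    def switch_to(self, name):
        self.focus = name if name in self.apps else None  # unknown: back to SUI

    def key(self, k):
        # The SAK is never forwarded; it always returns focus to the SUI.
        if k == SAK:
            self.focus = None
        elif self.focus is not None:
            self.apps[self.focus]["inbox"].append(k)

    def compose(self):
        # Only the SUI writes the reserved rows: name and color of the owner.
        if self.focus is None:
            label, body = "[SUI|trusted]", [" " * self.width] * self.rows
        else:
            app = self.apps[self.focus]
            label, body = f"[{self.focus}|{app['color']}]", app["fb"]
        return [label[:self.width].ljust(self.width)] * self.reserved + list(body)

def demo():
    sui = SecureUI(width=24, height=4)
    sui.register("banking", "green")
    sui.register("browser", "red")
    sui.draw("browser", 0, "[banking|green]")   # spoofed label in app content
    sui.switch_to("browser")
    screen = sui.compose()
    for k in ["p", "w", SAK, "x"]:              # "x" arrives after the SAK
        sui.key(k)
    return screen, sui
```

In the composed screen the spoofed text lands on the first application row, below the reserved row that still names the real owner, which is the property the labeling relies on.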
Example Resolved (3)
● Multiplex mode with window labeling policy (Solaris TX)
– Window labels
– Reserved area
– Multi-level secure copy & paste
Known Uses
● Research
– Trusted X (1993)
  ● Multiplex windows, X11
– EROS EWS (2004)
  ● Multiplex windows
– Nitpicker (2005)
  ● Multiplex windows
– mGUI (2005-2008)
  ● Fullscreen compartments
● Commercial
– SDH (1991)
  ● Separate screen regions
– Solaris TX (2006)
  ● Multiplex windows, X11
– INTEGRITY (2008)
  ● Fullscreen VMs
– Turaya (near future)
Consequences
● Benefits
– Integrity & confidentiality of user input/output
– Trusted path
  ● Authenticity
– Flexibility
  ● Different implementations are possible
  ● Policy-driven design (e.g. labeling can be adjusted according to needs)
● Liabilities
– SUI must be trusted
  ● High assurance systems
– Single point of failure
– Usability issues
  ● e.g. labeling policy might require user training
– 3D graphics
  ● Requires direct hardware access
  ● 3D virtualization could help
Summary
● Approaches for Secure GUI Systems exist
● Security pattern identified
● Provides trusted path, secure copy & paste, and high flexibility through policy
● Requires secure operating system support
– Known uses mainly mandatory access control systems
– But commodity OS's could be enhanced (e.g. Solaris)
● Secure GUI System pattern is important amendment to OS security patterns
Questions?
Marcel Winandy, Ruhr-University Bochum
BACKUP
Related Patterns
● Secure GUI System is a
– Single Access Point [Yoder & Barcalow 1997]
– Reference Monitor [Fernandez 2002]
● Secure GUI System needs/uses
– Authenticator [Fernandez & Sinibaldi 2003]
– Execution Domain [Fernandez 2002]
– Controlled Virtual Address Space [Fernandez 2002]
– Secure Process [Fernandez, Sorgente, Larrondo-Petrie 2006]