A Pattern for Secure Graphical User Interface Systems
    Presentation Transcript

    • Ruhr-University Bochum, System Security Lab
      A Pattern for Secure Graphical User Interface Systems
      Thomas Fischer, Ahmad-Reza Sadeghi, Marcel Winandy
      Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany
      SPattern 09 (co-located with DEXA 2009), 3rd International Workshop on Secure Systems Methodologies Using Patterns
      Linz, Austria, 2 September 2009
    • Motivating Example (1)
      Is it really the password dialog?
      Marcel Winandy, A Pattern for Secure GUI Systems (SPattern 09), Linz, 2009-09-02
    • Motivating Example (2)
      Digital Signature Application
      Will it really sign the document you have selected before?
    • Context
      ● You need a trusted path between user and application
        – Authenticity of the displayed application
        – Integrity and confidentiality of I/O between user and applications
        – Graphical user interface for several applications
      ● Here: architectural concepts for software GUI system
    • Problem
      ● Realization not trivial because
        – All applications have to share I/O hardware
        – Commodity OS provides insufficient security
          ● e.g. keyloggers that intercept all user input
        – Picture-in-picture attack
        – Usability
      ● Additional forces
        – Flexibility to draw any content
        – Invocation of trusted services (trusted path)
        – Optionally: controlled communication (copy & paste)
    • Solution – Main Idea
      ● Mediate all user input/output through SUI system
        [Diagram: input and output flow between User, SUI and Application; label: control input focus]
      ● Separate content drawn by application from content displayed on screen
        [Diagram: App 1 and App 2 multiplexed onto one screen, plus added visible labels]
    • Solution – Structure
      ● Integrity & confidentiality of input
      ● Integrity & confidentiality of output
      ● Authenticity
      ● Invocation of trusted path services; look for secure attention key
      ● Secure copy&paste
      ● Authentication; requires support by OS kernel; protected runtime environment; controlled access
    • Solution – Dynamics (1)
    • Solution – Dynamics (2)
    • Example Resolved (1)
      ● Fullscreen mode for different compartments (e.g. VMs)
      ● Using colors for different trust levels
      [Figure label: Secure Attention Key]
    • Example Resolved (2)
      ● When switching an application to fullscreen mode, SUI displays the application name and color in reserved area
      ● Applications have only virtual framebuffers
      [Figure labels: Reserved Area; vertical screen resolution for compartments is reduced by height of reserved area]
    • Example Resolved (3)
      ● Multiplex mode with window labeling policy (Solaris TX)
      [Figure labels: reserved area; window labels; multi-level secure copy&paste]
    • Known Uses
      Research | Commercial
      – Trusted X (1993): multiplex windows, X11 | – SDH (1991): separate screen regions
      – EROS EWS (2004): multiplex windows | – Solaris TX (2006): multiplex windows, X11
      – Nitpicker (2005): multiplex windows | – INTEGRITY (2008): fullscreen VMs
      – mGUI (2005-2008) | – Turaya (near future)
        ● Fullscreen compartments
    • Consequences
      ● Benefits
        – Integrity & confidentiality of user input/output
        – Trusted path
          ● Authenticity
        – Flexibility
          ● Different implementations are possible
          ● Policy-driven design (e.g. labeling can be adjusted according to needs)
      ● Liabilities
        – SUI must be trusted
          ● High assurance systems
        – Single point of failure
        – Usability issues
          ● e.g. labeling policy might require user training
        – 3D graphics
          ● Requires direct hardware access
          ● 3D virtualization could help
    • Summary
      ● Approaches for Secure GUI Systems exist
      ● Security pattern identified
      ● Provides trusted path, secure copy&paste, and high flexibility through policy
      ● Requires secure operating system support
        – Known uses mainly mandatory access control systems
        – But commodity OSs could be enhanced (e.g. Solaris)
      ● Secure GUI System pattern is important amendment to OS security patterns
    • Questions?
      Marcel Winandy, Ruhr-University Bochum
      marcel.winandy@trust.rub.de
    • BACKUP
    • Related Patterns
      ● Secure GUI System is a
        – Single Access Point [Yoder & Barcalow 1997]
        – Reference Monitor [Fernandez 2002]
      ● Secure GUI System needs/uses
        – Authenticator [Fernandez & Sinibaldi 2003]
        – Execution Domain [Fernandez 2002]
        – Controlled Virtual Address Space [Fernandez 2002]
        – Secure Process [Fernandez, Sorgente, Larrondo-Petrie 2006]
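
A minimal model of the pattern's main ideas from the slides above (input mediated by input focus, the secure attention key, a reserved label area over virtual framebuffers, controlled copy & paste), added here as an example and not taken from the presentation. The class and method names, the `<SAK>` token, the numeric trust levels and the rule that pasted data may not flow to a lower level are assumptions.

```python
from dataclasses import dataclass, field

SAK = "<SAK>"       # constructed stand-in for the secure attention key
RESERVED_ROWS = 1   # screen rows that only the SUI may draw

@dataclass
class App:
    name: str
    color: str      # trust-level color shown in the reserved area
    level: int      # assumed numeric trust level (higher = more sensitive)
    keys: list = field(default_factory=list)   # input this app has received
    fb: list = field(default_factory=list)     # virtual framebuffer (text rows)

class SecureGUI:
    """Hypothetical SUI: sole owner of keyboard, screen and clipboard."""
    def __init__(self, rows, apps):
        self.rows = rows
        self.apps = {a.name: a for a in apps}
        self.focus = apps[0].name
        self.clip = None            # (source level, data)
        self.trusted_path = False

    def key(self, k):
        if k == SAK:                # consumed by the SUI, never forwarded
            self.trusted_path = True
            return "SUI"
        self.apps[self.focus].keys.append(k)   # only the focused app sees it
        return self.focus

    def switch(self, name):
        if name not in self.apps:
            raise KeyError(name)
        self.focus, self.trusted_path = name, False

    def compose(self):
        """Fullscreen mode: SUI label row, then the clipped app framebuffer."""
        app = self.apps[self.focus]
        body = app.fb[: self.rows - RESERVED_ROWS]   # app cannot reach row 0
        return [f"[{app.color}] {app.name}"] + body

    def copy(self, data):
        self.clip = (self.apps[self.focus].level, data)

    def paste(self):
        # Assumed policy: clipboard data may not flow to a lower trust level.
        if self.clip is None or self.clip[0] > self.apps[self.focus].level:
            return None
        return self.clip[1]
```

An application that paints a fake label into its own framebuffer still appears below the SUI's genuine label row, which is what lets the user tell the two apart.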