A Pattern for Secure Graphical User Interface Systems

Transcript

  • 1. A Pattern for Secure Graphical User Interface Systems
    Thomas Fischer, Ahmad-Reza Sadeghi, Marcel Winandy
    Horst Görtz Institute for IT Security, Ruhr-University Bochum (System Security Lab), Germany
    SPattern 09 (co-located with DEXA 2009), 3rd International Workshop on Secure Systems Methodologies Using Patterns, Linz, Austria, 2 September 2009
  • 2. Motivating Example (1)
    (slide footer: Marcel Winandy, A Pattern for Secure GUI Systems (SPattern 09), Linz, 2009-09-02)
  • 3. Motivating Example (1)
    Is it really the password dialog?
  • 4. Motivating Example (2): Digital Signature Application
  • 5. Motivating Example (2): Digital Signature Application
    Will it really sign the document you have selected before?
  • 6. Context
    ● You need a trusted path between user and application (diagram: User – Trusted Path – Application)
      – Authenticity of the displayed application
      – Integrity and confidentiality of I/O between user and applications
      – Graphical user interface for several applications
    ● Here: architectural concepts for a software GUI system
  • 7. Problem
    ● Realization is not trivial because
      – All applications have to share the I/O hardware
      – A commodity OS provides insufficient security
        ● e.g. keyloggers that intercept all user input
      – Picture-in-picture attack
      – Usability
    ● Additional forces
      – Flexibility to draw any content
      – Invocation of trusted services (trusted path)
      – Optionally: controlled communication (copy & paste)
  • 8. Solution – Main Idea
    ● Mediate all user input/output through the SUI (Secure User Interface) system (diagram: User → input → SUI → input → Application; Application → output → SUI → output → User; the SUI controls the input focus)
    ● Separate the content drawn by an application from the content displayed on screen (diagram: App 1 and App 2 each draw into their own buffer; the SUI multiplexes both onto the screen and adds visible labels)
  • 9. Solution – Structure (diagram)
  • 10. Solution – Structure: Integrity & confidentiality of input
  • 11. Solution – Structure: Integrity & confidentiality of output
  • 12. Solution – Structure: Authenticity
  • 13. Solution – Structure: Invocation of trusted path services
    Look for the secure attention key
  • 14. Solution – Structure: Secure copy&paste
  • 15. Solution – Structure: Authentication
    Requires support by the OS kernel: protected runtime environment, controlled access
  • 16. Solution – Dynamics (1) (sequence diagram)
  • 17. Solution – Dynamics (2) (sequence diagram)
  • 18. Example Resolved (1)
    ● Fullscreen mode for different compartments (e.g. VMs)
    ● Using colors for different trust levels
    (diagram label: Secure Attention Key)
  • 19. Example Resolved (2)
    ● When switching an application to fullscreen mode, the SUI displays the application name and color in a reserved area
    ● Applications have only virtual framebuffers
    (diagram label: Reserved Area; the vertical screen resolution for compartments is reduced by the height of the reserved area)
  • 20. Example Resolved (3)
    ● Multiplex mode with window labeling policy (Solaris TX)
  • 21. Example Resolved (3)
    ● Multiplex mode with window labeling policy (Solaris TX)
    (diagram label: window labels)
  • 22. Example Resolved (3)
    ● Multiplex mode with window labeling policy (Solaris TX)
    (diagram labels: reserved area, window labels)
  • 23. Example Resolved (3)
    ● Multiplex mode with window labeling policy (Solaris TX)
    (diagram labels: reserved area, window labels, multi-level secure copy&paste)
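The mediation idea of slide 8 and the mechanisms of slides 13, 14 and 18 through 23 (secure attention key, SUI-written reserved area, labeling policy for copy&paste) in one small model, as an added example that is not from the slides or from any of the systems they name; the key combination, application names and trust levels are constructed.

```python
from dataclasses import dataclass, field

# Toy model of the SUI pattern (added example; key combination, app names and
# trust levels are constructed, not taken from the slides).
SAK = "ctrl+alt+del"                                    # secure attention key
LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # label ordering

@dataclass
class App:
    name: str
    level: str
    framebuffer: list = field(default_factory=list)  # lines the app draws (virtual)
    received: list = field(default_factory=list)     # input events delivered to it
    clipboard: str = ""

class SUI:
    """Mediates all user I/O: owns the screen, the input focus and copy&paste."""
    def __init__(self, apps, reserved_rows=1):
        self.apps = {a.name: a for a in apps}
        self.focus = next(iter(self.apps))
        self.reserved_rows = reserved_rows
        self.trusted_dialog = False   # set while the SUI's own dialog is active

    def handle_input(self, key):
        # The SAK is consumed by the SUI itself; no application ever sees it.
        if key == SAK:
            self.trusted_dialog = True
            return "SUI"
        if self.trusted_dialog:       # e.g. "switch:<app>" from the trusted dialog
            if key.startswith("switch:"):
                self.focus = key.split(":", 1)[1]
            self.trusted_dialog = False
            return "SUI"
        # Everything else reaches only the application holding the focus.
        self.apps[self.focus].received.append(key)
        return self.focus

    def render(self, rows=4):
        # The reserved area is written by the SUI from its own metadata, never
        # from the app's framebuffer, so a drawn "label" cannot spoof it.
        app = self.apps[self.focus]
        label = f"[{app.level.upper()}] {app.name}"
        body = app.framebuffer[: rows - self.reserved_rows]
        return [label] + body + [""] * (rows - self.reserved_rows - len(body))

    def copy_paste(self, src, dst):
        # Labeling policy: data may only flow to an equal or higher level.
        if LEVELS[self.apps[dst].level] < LEVELS[self.apps[src].level]:
            return False
        self.apps[dst].clipboard = self.apps[src].clipboard
        return True
```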
  • 24. Known Uses
    ● Research                        ● Commercial
      – Trusted X (1993)                – SDH (1991)
        ● Multiplex windows, X11          ● Separate screen regions
      – EROS EWS (2004)                 – Solaris TX (2006)
        ● Multiplex windows               ● Multiplex windows, X11
      – Nitpicker (2005)                – INTEGRITY (2008)
        ● Multiplex windows               ● Fullscreen VMs
      – mGUI (2005-2008)                – Turaya (near future)
        ● Fullscreen compartments
  • 25. Consequences
    ● Benefits
      – Integrity & confidentiality of user input/output
      – Trusted path
        ● Authenticity
      – Flexibility
        ● Different implementations are possible
        ● Policy-driven design (e.g. labeling can be adjusted according to needs)
    ● Liabilities
      – SUI must be trusted
        ● High assurance systems
      – Single point of failure
      – Usability issues
        ● e.g. labeling policy might require user training
      – 3D graphics
        ● Requires direct hardware access
        ● 3D virtualization could help
  • 26. Summary
    ● Approaches for secure GUI systems exist
    ● Security pattern identified
    ● Provides trusted path, secure copy&paste, and high flexibility through policy
    ● Requires secure operating system support
      – Known uses are mainly mandatory access control systems
      – But commodity OSs could be enhanced (e.g. Solaris)
    ● The Secure GUI System pattern is an important amendment to OS security patterns
  • 27. Questions?
    Marcel Winandy, Ruhr-University Bochum, marcel.winandy@trust.rub.de
  • 28. BACKUP
  • 29. Related Patterns
    ● Secure GUI System is a
      – Single Access Point [Yoder & Barcalow 1997]
      – Reference Monitor [Fernandez 2002]
    ● Secure GUI System needs/uses
      – Authenticator [Fernandez & Sinibaldi 2003]
      – Execution Domain [Fernandez 2002]
      – Controlled Virtual Address Space [Fernandez 2002]
      – Secure Process [Fernandez, Sorgente, Larrondo-Petrie 2006]