A Pattern for Secure Graphical User Interface Systems

Slide 1: Title

Ruhr-University Bochum, System Security Lab
A Pattern for Secure Graphical User Interface Systems
Thomas Fischer, Ahmad-Reza Sadeghi, Marcel Winandy
Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany
SPattern 09 (co-located with DEXA 2009), 3rd International Workshop on Secure Systems Methodologies Using Patterns
Linz, Austria, 2 September 2009
Slide 2: Motivating Example (1)
(screenshot of a password dialog)
Footer: Marcel Winandy, A Pattern for Secure GUI Systems (SPattern 09), Linz, 2009-09-02

Slide 3: Motivating Example (1)
Is it really the password dialog?

Slide 4: Motivating Example (2)
Digital signature application (screenshot)

Slide 5: Motivating Example (2)
Digital signature application: will it really sign the document you selected before?
Slide 6: Context
● You need a trusted path between the user and the application
  – Authenticity of the displayed application
  – Integrity and confidentiality of the I/O between user and applications
  – A graphical user interface for several applications
● Here: architectural concepts for a software GUI system
Slide 7: Problem
● Realization is not trivial because
  – All applications have to share the I/O hardware
  – Commodity OSs provide insufficient security
    ● e.g. keyloggers that intercept all user input
  – Picture-in-picture attacks
  – Usability
● Additional forces
  – Flexibility to draw any content
  – Invocation of trusted services (trusted path)
  – Optionally: controlled communication between applications (copy & paste)
Slide 8: Solution – Main Idea
● Mediate all user input/output through the SUI (Secure User Interface) system
  (diagram: User → input → SUI → input → Application; Application → output → SUI → output → User; the SUI controls the input focus)
● Separate the content drawn by an application from the content displayed on screen
  (diagram: App 1 and App 2 each draw into their own buffer; the SUI multiplexes both onto the screen and adds visible labels)
Slide 9: Solution – Structure
(structure diagram)

Slide 10: Solution – Structure
Integrity & confidentiality of input

Slide 11: Solution – Structure
Integrity & confidentiality of output

Slide 12: Solution – Structure
Authenticity

Slide 13: Solution – Structure
Invocation of trusted path services: the SUI looks for the secure attention key

Slide 14: Solution – Structure
Secure copy & paste

Slide 15: Solution – Structure
Authentication; requires support by the OS kernel: protected runtime environment, controlled access

Slide 16: Solution – Dynamics (1)
(sequence diagram)

Slide 17: Solution – Dynamics (2)
(sequence diagram)
Slide 18: Example Resolved (1)
● Fullscreen mode for different compartments (e.g. VMs)
● Using colors for different trust levels
(screenshot; the Secure Attention Key is highlighted)

Slide 19: Example Resolved (2)
● When switching an application to fullscreen mode, the SUI displays the application name and color in a reserved area
● Applications have only virtual framebuffers
● The vertical screen resolution available to compartments is reduced by the height of the reserved area
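The fullscreen-compartment design of slides 8, 18 and 19 (all input and output mediated by the SUI, applications confined to virtual framebuffers, an SUI-owned reserved label area, and a secure attention key the SUI consumes) modelled as an added Python example. This is not code from the slides or from any of the systems they name; the class names, the trust-level colors, the screen geometry and the CTRL+ALT+DEL binding are this example's own assumptions.

```python
"""Toy model of the Secure User Interface (SUI) pattern in fullscreen mode.
Added example, not code from the slides or any system they cite; all names
(Compartment, SecureUI, SAK, TRUST_COLOR) are assumptions of this example."""
from dataclasses import dataclass, field

# Assumed policy: which color the SUI shows for each trust level.
TRUST_COLOR = {"untrusted": "red", "internal": "yellow", "trusted": "green"}

SCREEN_W, SCREEN_H = 80, 24      # physical framebuffer (characters)
RESERVED_H = 1                   # top row owned by the SUI only
APP_H = SCREEN_H - RESERVED_H    # compartments see a reduced height (slide 19)

SAK = "CTRL+ALT+DEL"             # secure attention key (assumed binding)


@dataclass
class Compartment:
    name: str
    trust: str
    # Virtual framebuffer: the compartment may draw anything here, but only
    # here; it never touches the physical screen.
    fb: list = field(default_factory=lambda: [[" "] * SCREEN_W for _ in range(APP_H)])
    inbox: list = field(default_factory=list)   # input events it received

    def draw_text(self, row, col, text):
        """Simulates the application drawing into its own framebuffer."""
        for i, ch in enumerate(text):
            if 0 <= row < APP_H and 0 <= col + i < SCREEN_W:
                self.fb[row][col + i] = ch


class SecureUI:
    def __init__(self, compartments):
        self.comps = {c.name: c for c in compartments}
        self.focus = None            # None: the SUI itself owns screen and input
        self.screen = [[" "] * SCREEN_W for _ in range(SCREEN_H)]

    # --- output path: compose the physical screen from virtual framebuffers ---
    def _render_reserved(self, text):
        self.screen[0] = list(text.ljust(SCREEN_W)[:SCREEN_W])

    def render(self):
        if self.focus is None:
            self._render_reserved("[SUI] trusted control panel (select a compartment)")
            for r in range(APP_H):
                self.screen[RESERVED_H + r] = [" "] * SCREEN_W
        else:
            c = self.comps[self.focus]
            # The label comes from SUI metadata, never from application content.
            self._render_reserved(f"[{TRUST_COLOR[c.trust]}] {c.name} ({c.trust})")
            for r in range(APP_H):
                # Row r of the app framebuffer lands at screen row r + RESERVED_H,
                # so nothing the app draws can reach the reserved row.
                self.screen[RESERVED_H + r] = list(c.fb[r])
        return ["".join(row) for row in self.screen]

    # --- input path: every event passes through the SUI first ---
    def key_event(self, key):
        """Returns who received the key: 'sui' or a compartment name."""
        if key == SAK:
            self.focus = None          # SAK is consumed here; no app ever sees it
            return "sui"
        if self.focus is None:
            return "sui"
        self.comps[self.focus].inbox.append(key)   # only the focused compartment
        return self.focus

    def switch_to(self, name):
        """Trusted path service: allowed only while the SUI has the focus."""
        if self.focus is not None:
            return False
        self.focus = name
        return True


def demo():
    bank = Compartment("banking", "trusted")
    web = Compartment("browser", "untrusted")
    sui = SecureUI([bank, web])
    # Picture-in-picture attempt (constructed): the browser paints a fake
    # trusted label at its own row 0, hoping it appears where the SUI label is.
    web.draw_text(0, 0, "[green] banking (trusted)  <- FAKE")
    web.draw_text(1, 0, "Enter PIN:")
    sui.switch_to("browser")
    screen = sui.render()
    real_label, fake_label = screen[0], screen[1]   # fake label is pushed down one row
    sui.key_event("1"); sui.key_event("2")           # delivered to the browser only
    sui.key_event(SAK)                                # consumed by the SUI
    sui.switch_to("banking")
    return real_label.rstrip(), fake_label.rstrip(), bank.inbox, web.inbox, sui.focus


if __name__ == "__main__":
    print(demo())
```

The two properties the slides ask for fall out of the geometry and the routing: the application cannot write into the reserved row because the compositor offsets its framebuffer, and the secure attention key never reaches an application because the SUI consumes it before dispatch.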
Slide 20: Example Resolved (3)
● Multiplex mode with window labeling policy (Solaris TX)
(screenshot)

Slide 21: Example Resolved (3)
● Multiplex mode with window labeling policy (Solaris TX)
(screenshot; window labels highlighted)

Slide 22: Example Resolved (3)
● Multiplex mode with window labeling policy (Solaris TX)
(screenshot; reserved area and window labels highlighted)

Slide 23: Example Resolved (3)
● Multiplex mode with window labeling policy (Solaris TX)
(screenshot; reserved area, window labels and multi-level secure copy & paste highlighted)
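The multiplex mode of slides 20 to 23, with SUI-drawn window labels and multi-level secure copy & paste, as an added Python example. It is not code from the slides or from Solaris Trusted Extensions; the linear sensitivity lattice, the no-write-down rule for paste, and all class and method names are assumptions of this example.

```python
"""Toy model of the SUI pattern in multiplex mode: every window carries a
label the SUI derives from its compartment, and the SUI holds the clipboard
so copy & paste between levels can be policy-checked. Added example; the
lattice, names and API are assumptions, not Solaris TX behaviour."""
from dataclasses import dataclass

# Assumed linear lattice; real MLS systems use level + category lattices.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


def dominates(a, b):
    """True if level a may receive data labelled b (a is at least as high)."""
    return LEVELS[a] >= LEVELS[b]


@dataclass
class Window:
    title: str        # chosen by the application, therefore untrusted
    level: str        # assigned by the SUI from the compartment, not by the app
    x: int
    y: int
    w: int
    h: int
    content: str = ""  # what the application drew / holds as selection


LABEL_H = 1  # height of the label strip the SUI reserves above each window


class MultiplexSUI:
    def __init__(self):
        self.windows = []
        self.clipboard = None   # (level, data): owned by the SUI, never by an app

    def open_window(self, compartment_level, title, x, y, w, h):
        win = Window(title=title, level=compartment_level, x=x, y=y, w=w, h=h)
        self.windows.append(win)
        return win

    def label_text(self, win):
        # The level prefix is SUI metadata; an application may put anything in
        # its title but cannot change the prefix.
        return f"[{win.level}] {win.title}"

    def layout(self):
        """(label, label_rect, content_rect) per window. The label strip is
        outside the rectangle the application is allowed to draw into."""
        out = []
        for w in self.windows:
            label_rect = (w.x, w.y, w.w, LABEL_H)
            content_rect = (w.x, w.y + LABEL_H, w.w, w.h - LABEL_H)
            out.append((self.label_text(w), label_rect, content_rect))
        return out

    def copy(self, src):
        """The application in src asks the SUI to take its selection."""
        self.clipboard = (src.level, src.content)

    def paste(self, dst):
        """Allowed only if the destination dominates the clipboard's level,
        i.e. data never flows down the lattice."""
        if self.clipboard is None:
            return False
        level, data = self.clipboard
        if not dominates(dst.level, level):
            return False
        dst.content += data
        return True


def demo():
    sui = MultiplexSUI()
    secret = sui.open_window("SECRET", "report.doc", 0, 0, 40, 10)
    public = sui.open_window("PUBLIC", "webmail", 40, 0, 40, 10)
    # A PUBLIC app trying to look SECRET via its title still gets a PUBLIC prefix.
    spoof = sui.open_window("PUBLIC", "[SECRET] bank login", 0, 10, 40, 10)
    secret.content = "Q3 numbers"    # constructed sample data
    public.content = "Hi, "
    sui.copy(secret)
    down = sui.paste(public)         # SECRET -> PUBLIC: refused
    sui.copy(public)
    up = sui.paste(secret)           # PUBLIC -> SECRET: allowed
    labels = [label for label, _, _ in sui.layout()]
    return down, up, secret.content, public.content, labels


if __name__ == "__main__":
    print(demo())
```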
Slide 24: Known Uses
● Research
  – Trusted X (1993): multiplex windows, X11
  – EROS EWS (2004): multiplex windows
  – Nitpicker (2005): multiplex windows
  – mGUI (2005-2008): fullscreen compartments
● Commercial
  – SDH (1991): separate screen regions
  – Solaris TX (2006): multiplex windows, X11
  – INTEGRITY (2008): fullscreen VMs
  – Turaya (near future)
Slide 25: Consequences
● Benefits
  – Integrity & confidentiality of user input/output
  – Trusted path
    ● Authenticity
  – Flexibility
    ● Different implementations are possible
    ● Policy-driven design (e.g. labeling can be adjusted according to needs)
● Liabilities
  – SUI must be trusted
    ● High-assurance systems
  – Single point of failure
  – Usability issues
    ● e.g. a labeling policy might require user training
  – 3D graphics
    ● Requires direct hardware access
    ● 3D virtualization could help
Slide 26: Summary
● Approaches for secure GUI systems exist
● A security pattern has been identified
● It provides a trusted path, secure copy & paste, and high flexibility through policy
● It requires secure operating system support
  – Known uses are mainly mandatory access control systems
  – But commodity OSs could be enhanced (e.g. Solaris)
● The Secure GUI System pattern is an important amendment to OS security patterns
Slide 27: Questions?
Marcel Winandy, Ruhr-University Bochum, marcel.winandy@trust.rub.de

Slide 28: BACKUP
Slide 29: Related Patterns
● Secure GUI System is a
  – Single Access Point [Yoder & Barcalow 1997]
  – Reference Monitor [Fernandez 2002]
● Secure GUI System needs/uses
  – Authenticator [Fernandez & Sinibaldi 2003]
  – Execution Domain [Fernandez 2002]
  – Controlled Virtual Address Space [Fernandez 2002]
  – Secure Process [Fernandez, Sorgente, Larrondo-Petrie 2006]