Page 1

RuhR-University Bochum, System Security Lab

A Pattern for Secure Graphical User Interface Systems

Thomas Fischer, Ahmad-Reza Sadeghi, Marcel Winandy

Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany

SPattern '09 (co-located with DEXA 2009)
3rd International Workshop on Secure Systems Methodologies Using Patterns
Linz, Austria, 2 September 2009

Pages 2-3

Slide footer (repeated on every slide): Linz, 2009-09-02, A Pattern for Secure GUI Systems (SPattern '09), Marcel Winandy, RuhR-University Bochum, System Security Lab

Motivating Example (1)

Is it really the password dialog?

Pages 4-5

Motivating Example (2)

Digital Signature Application

Will it really sign the document you have selected before?

Page 6

Context

● You need
– Authenticity of the displayed application
– Integrity and confidentiality of I/O between user and applications
– Graphical user interface for several applications
● Here: architectural concepts for a software GUI system

[Figure: User and Application connected by a Trusted Path]

Page 7

Problem

● Realization is not trivial because
– All applications have to share the I/O hardware
– Commodity OS provides insufficient security
  ● e.g. keyloggers that intercept all user input
– Picture-in-picture attack
– Usability
● Additional forces
– Flexibility to draw any content
– Invocation of trusted services (trusted path)
– Optionally: controlled communication (copy & paste)

Page 8

Solution – Main Idea

● Mediate all user input/output through the SUI system
● Separate content drawn by an application from content displayed on screen

[Figure: User ↔ SUI ↔ Application. Input and output pass only through the SUI; App 1 and App 2 each draw into their own buffer, which the SUI multiplexes onto the screen, adds visible labels to, and for which it controls the input focus.]

Pages 9-15

Solution – Structure

[Structure diagram, built up over several slides; the annotations added step by step are:]

● Integrity & confidentiality of input
● Integrity & confidentiality of output
● Authenticity
● Invocation of trusted path services: look for the secure attention key
● Secure copy & paste
● Requires support by the OS kernel:
– Protected runtime environment
– Controlled access
– Authentication

Pages 16-17

Solution – Dynamics (1) and (2)

[Diagrams only; no text in the extracted slides]

Page 18

Example Resolved (1)

● Fullscreen mode for different compartments (e.g. VMs)
● Using colors for different trust levels
● Secure Attention Key

Page 19

Example Resolved (2)

Reserved Area: the vertical screen resolution available to compartments is reduced by the height of the reserved area.

● When switching an application to fullscreen mode, the SUI displays the application name and color in the reserved area
● Applications have only virtual framebuffers
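The main idea (slide 8) and the fullscreen/reserved-area resolution (slide 19) can be made concrete with a small model. The following is an added example written for this page, not code from the paper or from any of the systems it cites; the class names (`SUI`, `Application`), the screen dimensions and the secure attention key token are constructed for illustration. Applications draw only into a virtual framebuffer; the SUI owns the real screen, paints the name and trust color of the focused application into a reserved area that no application can draw into, and delivers keystrokes only to the focused application, consuming the secure attention key itself.

```python
from dataclasses import dataclass, field

SCREEN_W, SCREEN_H = 60, 6      # constructed "screen": 6 text lines of 60 chars
RESERVED_H = 1                  # top line is owned by the SUI (reserved area)
SAK = "SECURE_ATTENTION_KEY"    # constructed token for the secure attention key


@dataclass
class Application:
    name: str
    trust_color: str            # assigned by SUI policy, never chosen by the app
    fb: list = field(default_factory=list)        # virtual framebuffer (lines)
    received: list = field(default_factory=list)  # input the SUI delivered

    def draw(self, lines):
        # An app may draw anything, including a line that imitates the SUI
        # label, but it only ever writes into its own virtual framebuffer.
        self.fb = [line[:SCREEN_W] for line in lines]


class SUI:
    """The only component with access to the physical screen and keyboard."""

    def __init__(self):
        self.apps = {}
        self.focus = None
        self.trusted_path_invocations = 0

    def register(self, app):
        if app.name in self.apps:
            raise ValueError("application names must be unique for labelling")
        self.apps[app.name] = app

    def set_focus(self, name):
        # Focus is changed by the SUI (e.g. on a user request); apps cannot grab it.
        self.focus = self.apps[name]

    def compose(self):
        """Build the physical screen: reserved area first, then the focused
        app's framebuffer clipped to the remaining SCREEN_H - RESERVED_H lines."""
        if self.focus is None:
            label = "[SUI] no application focused"
        else:
            label = f"[SUI] {self.focus.name} ({self.focus.trust_color})"
        content_h = SCREEN_H - RESERVED_H
        body = (self.focus.fb if self.focus else [])[:content_h]
        body += [""] * (content_h - len(body))
        return [label.ljust(SCREEN_W)] + [line.ljust(SCREEN_W) for line in body]

    def handle_input(self, key):
        """Route one key: the SAK is consumed by the SUI (trusted path);
        everything else goes only to the focused application."""
        if key == SAK:
            self.trusted_path_invocations += 1
            self.focus = None           # e.g. hand over to a trusted login dialog
            return "sui"
        if self.focus is None:
            return "dropped"
        self.focus.received.append(key)
        return self.focus.name


def demo():
    """Picture-in-picture attempt: the 'game' app paints a fake SUI label and a
    password prompt, but the real label in the reserved area still says 'game'."""
    sui = SUI()
    bank = Application("banking", "green")
    game = Application("game", "red")
    sui.register(bank)
    sui.register(game)
    game.draw(["[SUI] banking (green)", "Enter password:"])
    sui.set_focus("game")
    screen = sui.compose()
    routes = [sui.handle_input(k) for k in ("s", "3", SAK, "x")]
    return {
        "reserved_area": screen[0].rstrip(),
        "first_app_line": screen[1].rstrip(),
        "screen_lines": len(screen),
        "routes": routes,
        "bank_received": list(bank.received),
        "game_received": list(game.received),
        "sak_count": sui.trusted_path_invocations,
    }


if __name__ == "__main__":
    for line in SUI().compose():
        print(line)
    print(demo())
```

The point of `demo()` is the slide's own argument: because the reserved area is composed by the SUI after the application content, the fake `[SUI] banking (green)` line lands on the second screen line where the user can compare it against the genuine label on the first line, and the keystrokes typed before the secure attention key reach only the focused `game` application, never `banking`.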

Pages 20-23

Example Resolved (3)

● Multiplex mode with window labeling policy (Solaris TX)

[Screenshot, annotated step by step: window labels, reserved area, multi-level secure copy & paste]
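The multi-level secure copy & paste shown in the Solaris TX screenshot, and the "Secure copy & paste" element of the structure slides, amount to an SUI-mediated clipboard that checks a labeling policy on every paste. The following is an added example for this page, not code from the paper or from Solaris Trusted Extensions; the label lattice (`LEVELS`, compartments) and the application labels are constructed. The check is the usual dominance test: a paste is allowed only if the destination window's label dominates the clip's label, so data can never flow to a less trusted window.

```python
from dataclasses import dataclass

LEVELS = {"public": 0, "internal": 1, "secret": 2}   # constructed ordering


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other in the lattice: higher-or-equal level and a superset
        of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Clip:
    data: str
    source: str
    label: Label


class SecureClipboard:
    """Clipboard owned by the SUI. Applications never see the clip of another
    label; the SUI decides on each paste and records the decision."""

    def __init__(self, labels):
        self.labels = dict(labels)   # window name -> Label, set by SUI policy
        self.clip = None
        self.audit = []

    def copy(self, window, data):
        # The clip inherits the label of the window it was copied from.
        self.clip = Clip(data, window, self.labels[window])
        self.audit.append(("copy", window, "ok"))

    def paste(self, window):
        if self.clip is None:
            self.audit.append(("paste", window, "empty"))
            return None
        dest = self.labels[window]
        if dest.dominates(self.clip.label):
            self.audit.append(("paste", window, "ok"))
            return self.clip.data
        self.audit.append(("paste", window,
                           f"denied {self.clip.label.level}->{dest.level}"))
        return None


def demo():
    cb = SecureClipboard({
        "browser": Label("public"),
        "mail": Label("internal"),
        "hr-db": Label("secret", frozenset({"hr"})),
        "finance": Label("secret", frozenset({"fin"})),
    })
    cb.copy("hr-db", "salary table")
    results = {
        "secret_to_public": cb.paste("browser"),    # write-down: denied
        "secret_to_internal": cb.paste("mail"),     # write-down: denied
        "hr_to_finance": cb.paste("finance"),       # same level, wrong compartment
        "hr_to_hr": cb.paste("hr-db"),              # same label: allowed
    }
    cb.copy("browser", "public link")
    results["public_to_secret"] = cb.paste("hr-db")  # upward flow: allowed
    results["denied_count"] = sum(1 for _, _, v in cb.audit if v.startswith("denied"))
    return results


if __name__ == "__main__":
    print(demo())
```

The audit list is what a labeling policy gives an administrator beyond the raw deny: every blocked paste names the source and destination levels, which is the information needed to tune the policy or to train users, the usability liability the Consequences slide mentions.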

Page 24

Known Uses

● Research
– Trusted X (1993): multiplex windows, X11
– EROS EWS (2004): multiplex windows
– Nitpicker (2005): multiplex windows
– mGUI (2005-2008): fullscreen compartments
● Commercial
– SDH (1991): separate screen regions
– Solaris TX (2006): multiplex windows, X11
– INTEGRITY (2008): fullscreen VMs
– Turaya (near future)

Page 25

Consequences

● Benefits
– Integrity & confidentiality of user input/output
– Trusted path: authenticity
– Flexibility
  ● Different implementations are possible
  ● Policy-driven design (e.g. labeling can be adjusted according to needs)
● Liabilities
– SUI must be trusted
  ● High assurance systems
– Single point of failure
– Usability issues
  ● e.g. labeling policy might require user training
– 3D graphics
  ● Requires direct hardware access
  ● 3D virtualization could help

Page 26

Summary

● Approaches for secure GUI systems exist
● Security pattern identified
● Provides trusted path, secure copy & paste, and high flexibility through policy
● Requires secure operating system support
– Known uses are mainly mandatory access control systems
– But commodity OSs could be enhanced (e.g. Solaris)
● The Secure GUI System pattern is an important amendment to the OS security patterns

Page 27

Questions?

Marcel Winandy, Ruhr-University Bochum

[email protected]

Page 28

BACKUP

Page 29

Related Patterns

● Secure GUI System is a
– Single Access Point [Yoder & Barcalow 1997]
– Reference Monitor [Fernandez 2002]
● Secure GUI System needs/uses
– Authenticator [Fernandez & Sinibaldi 2003]
– Execution Domain [Fernandez 2002]
– Controlled Virtual Address Space [Fernandez 2002]
– Secure Process [Fernandez, Sorgente, Larrondo-Petrie 2006]