1. A Pattern for Secure Graphical User Interface Systems
Ruhr-University Bochum, System Security Lab
Thomas Fischer, Ahmad-Reza Sadeghi, Marcel Winandy
Horst Görtz Institute for IT Security
Ruhr-University Bochum
Germany
SPattern '09 (co-located with DEXA 2009)
3rd International Workshop on Secure Systems Methodologies Using Patterns
Linz, Austria, 2 September 2009
2. Motivating Example (1)
Marcel Winandy A Pattern for Secure GUI Systems (SPattern '09) Linz, 2009-09-02 2
3. Motivating Example (1)
Is it really the password dialog?
4. Motivating Example (2)
[Figure: Digital Signature Application]
5. Motivating Example (2)
[Figure: Digital Signature Application]
Will it really sign the document you have selected before?
6. Context
● You need a trusted path between user and application
– Authenticity of the displayed application
– Integrity and confidentiality of I/O between user and applications
– Graphical user interface for several applications
● Here: architectural concepts for a software GUI system
7. Problem
● Realization not trivial because
– All applications have to share I/O hardware
– Commodity OS provides insufficient security
● e.g. keyloggers that intercept all user input
– Picture-in-picture attack
– Usability
● Additional forces
– Flexibility to draw any content
– Invocation of trusted services (trusted path)
– Optionally: controlled communication (copy & paste)
8. Solution – Main Idea
● Mediate all user input/output through the SUI system
[Figure: User ↔ SUI ↔ Application; the SUI relays input and output in both directions and controls the input focus]
● Separate content drawn by application from content displayed on screen
[Figure: App 1 and App 2 each draw into their own buffer; the SUI multiplexes them onto the screen and adds visible labels]
9. Solution – Structure
[Structure diagram; annotations from the build-up slides:]
Integrity & confidentiality of input
Integrity & confidentiality of output
Authenticity
Invocation of trusted path services: look for secure attention key
Secure copy&paste
Authentication
Requires support by OS kernel
Protected runtime environment
Controlled access
16. Solution – Dynamics (1)
17. Solution – Dynamics (2)
18. Example Resolved (1)
● Fullscreen mode for different compartments (e.g. VMs)
● Using colors for different trust levels
[Figure label: Secure Attention Key]
19. Example Resolved (2)
● When switching an application to fullscreen mode, the SUI displays the application name and color in a reserved area
● Applications have only virtual framebuffers
[Figure: Reserved Area; the vertical screen resolution for compartments is reduced by the height of the reserved area]
20. Example Resolved (3)
● Multiplex mode with window labeling policy (Solaris TX)
[Figure labels: reserved area; window labels; multi-level secure copy&paste]
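The mediation described on the "Solution – Main Idea" slide and the reserved label area, secure attention key and multi-level copy&paste of the "Example Resolved" slides, as an added toy model that is not code from the slides or from any of the systems they cite; the names App, SUI, SAK, the trust levels and the sample apps are assumptions made for this illustration:

```python
# Added example, not from the slides: a toy secure user interface (SUI) that
# mediates all I/O as the pattern describes. App, SUI and SAK are assumed names.
from dataclasses import dataclass, field

SAK = "ctrl-alt-del"   # secure attention key: consumed by the SUI, never delivered to apps
RESERVED_ROWS = 1      # screen rows reserved for the SUI's own label

@dataclass
class App:
    name: str
    level: int                                    # trust level, higher = more sensitive
    color: str                                    # color the SUI shows for this app
    fb: list = field(default_factory=list)        # virtual framebuffer (rows of text)
    received: list = field(default_factory=list)  # input and pasted data the app got

class SUI:
    def __init__(self, apps, rows):
        self.apps = {a.name: a for a in apps}
        self.rows, self.focus, self.clipboard = rows, None, None
        self.trusted_path_requests = 0

    def input(self, key):
        # Route a key to the focused app only; the SAK switches control to the SUI.
        if key == SAK:
            self.trusted_path_requests += 1
            self.focus = None            # trusted path: SUI now owns screen and input
            return "sui"
        if self.focus is not None:
            self.apps[self.focus].received.append(key)
        return self.focus

    def render(self):
        # Screen = SUI-drawn label row + focused app's framebuffer, clipped so it cannot cover the label.
        free = self.rows - RESERVED_ROWS
        if self.focus is None:
            return ["[SUI] trusted path"] + [""] * free
        app = self.apps[self.focus]
        body = app.fb[:free]
        return [f"[{app.color}] {app.name}"] + body + [""] * (free - len(body))
    def copy(self):
        app = self.apps[self.focus]
        self.clipboard = (app.level, app.fb[0] if app.fb else "")

    def paste(self):
        # Multi-level policy: data flows only to an app of equal or higher level.
        app = self.apps[self.focus]
        if self.clipboard is None or self.clipboard[0] > app.level:
            return None
        app.received.append(self.clipboard[1])
        return self.clipboard[1]
```

A forged label drawn inside an app's framebuffer lands below the reserved row, so the picture-in-picture trick from the motivating example cannot displace the SUI's own label.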
24. Known Uses
● Research
  – Trusted X (1993): multiplex windows, X11
  – EROS EWS (2004): multiplex windows
  – Nitpicker (2005): multiplex windows
  – mGUI (2005-2008): fullscreen compartments
● Commercial
  – SDH (1991): separate screen regions
  – Solaris TX (2006): multiplex windows, X11
  – INTEGRITY (2008): fullscreen VMs
  – Turaya (near future)
25. Consequences
● Benefits
  – Integrity & confidentiality of user input/output
  – Trusted path
    ● Authenticity
  – Flexibility
    ● Different implementations are possible
    ● Policy-driven design (e.g. labeling can be adjusted according to needs)
● Liabilities
  – SUI must be trusted
    ● High assurance systems
  – Single point of failure
  – Usability issues
    ● e.g. labeling policy might require user training
  – 3D graphics
    ● Requires direct hardware access
    ● 3D virtualization could help
26. Summary
● Approaches for Secure GUI Systems exist
● Security pattern identified
● Provides trusted path, secure copy&paste, and high flexibility through policy
● Requires secure operating system support
  – Known uses are mainly mandatory access control systems
  – But commodity OSes could be enhanced (e.g. Solaris)
● The Secure GUI System pattern is an important amendment to OS security patterns
27. Questions?
Marcel Winandy
Ruhr-University Bochum
marcel.winandy@trust.rub.de
28. BACKUP
29. Related Patterns
● Secure GUI System is a
– Single Access Point [Yoder & Barcalow 1997]
– Reference Monitor [Fernandez 2002]
● Secure GUI System needs/uses
– Authenticator [Fernandez & Sinibaldi 2003]
– Execution Domain [Fernandez 2002]
– Controlled Virtual Address Space [Fernandez 2002]
– Secure Process [Fernandez, Sorgente, Larrondo-Petrie 2006]