RuhR-University Bochum                                              System Security Lab




   A Pattern for Secure Graphical User
            Interface Systems


  Thomas Fischer, Ahmad-Reza Sadeghi, Marcel Winandy

                     Horst Görtz Institute for IT Security
                          Ruhr-University Bochum
                                  Germany


  SPattern '09 (co-located with DEXA 2009)
  3rd International Workshop on Secure Systems Methodologies Using Patterns
  Linz, Austria, 2 September 2009

                 Motivating Example (1)




Marcel Winandy       A Pattern for Secure GUI Systems (SPattern '09)   Linz, 2009-09-02         2

                  Motivating Example (1)




                 Is it really the password dialog?

                 Motivating Example (2)
                 [Figure: Digital Signature Application]





                 Motivating Example (2)
                 [Figure: Digital Signature Application]
                 Will it really sign the document you have selected before?

                                           Context
     ●   You need
           –     Authenticity of the displayed application
           –     Integrity and confidentiality of I/O between user
                 and applications
           –     Graphical user interface for several applications
         [Figure: User, Trusted Path, Application]
     ●   Here: architectural concepts for software GUI system




                                             Problem
     ●   Realization not trivial because
           –     All applications have to share I/O hardware
           –     Commodity OS provides insufficient security
                  ●   e.g. keyloggers that intercept all user input
                  ●   Picture-in-picture attack
           –     Usability
     ●   Additional forces
           –     Flexibility to draw any content
           –     Invocation of trusted services (trusted path)
           –     Optionally: controlled communication (copy & paste)


                        Solution – Main Idea
   ●   Mediate all user input/output through SUI system
       [Figure: User <-> SUI <-> Application; the SUI relays input and
        output in both directions and controls the input focus]
   ●   Separate content drawn by application from
       content displayed on screen
       [Figure: App 1 and App 2 draw into buffers 1 and 2; the SUI
        multiplexes both onto the screen and adds visible labels]




                   Solution – Structure





                   Solution – Structure
                   [Figure: structure diagram; highlighted: integrity & confidentiality of input]





                   Solution – Structure
                   [Figure: structure diagram; highlighted: integrity & confidentiality of output]





                   Solution – Structure
                   [Figure: structure diagram; highlighted: authenticity]





                   Solution – Structure
                   [Figure: structure diagram; highlighted: invocation of trusted path
                    services; the input component looks for the secure attention key]





                   Solution – Structure
                   [Figure: structure diagram; highlighted: secure copy&paste]





                       Solution – Structure
                       [Figure: structure diagram; annotations: Authentication,
                        Requires support by OS kernel, Protected runtime
                        environment, Controlled access]





                 Solution – Dynamics (1)





                 Solution – Dynamics (2)





                    Example Resolved (1)
     ●   Fullscreen mode for different compartments (e.g. VMs)
     ●   Using colors for different trust levels
         [Figure: fullscreen compartment; annotated: Secure Attention Key]





                   Example Resolved (2)
     ●   When switching an application to fullscreen mode, SUI
         displays the application name and color in reserved area
     ●   Applications have only virtual framebuffers
         [Figure: screen layout with Reserved Area; vertical screen
          resolution for compartments is reduced by height of reserved area]
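The mediation and labelling described on the Main Idea slide and the fullscreen example above, as an added Python model that is not part of the deck or of any system it names; the SUI and App classes, the SAK token and the scenario in demo() are all assumptions of this model.

```python
# Added example (not from the slides): a minimal model of the Secure User
# Interface (SUI) pattern. Applications render only into their own virtual
# framebuffers; the SUI composes the physical screen, owns a reserved label
# area that no application can draw into, delivers keyboard input only to the
# focused application, and consumes the secure attention key (SAK) itself
# instead of forwarding it. All names are assumptions of this model.
from dataclasses import dataclass, field

SAK = "<SAK>"  # constructed token standing in for the secure attention keystroke


@dataclass
class App:
    name: str
    trust_color: str
    width: int
    height: int
    fb: list = field(init=False)                  # virtual framebuffer (rows of chars)
    received: list = field(default_factory=list)  # input the app actually saw

    def __post_init__(self):
        self.fb = [[" "] * self.width for _ in range(self.height)]

    def draw_text(self, row, col, text):
        # Writes are clipped to the app's own framebuffer. An app has no screen
        # coordinates at all, so it cannot paint over the SUI's label area.
        if 0 <= row < self.height:
            for i, ch in enumerate(text):
                if 0 <= col + i < self.width:
                    self.fb[row][col + i] = ch


class SUI:
    RESERVED_ROWS = 1  # height of the reserved label area, in rows

    def __init__(self, screen_w, screen_h):
        self.screen_w, self.screen_h = screen_w, screen_h
        self.apps = {}
        self.focus = None
        self.trusted_events = []  # what the trusted path service received
        self.screen = [[" "] * screen_w for _ in range(screen_h)]

    def app_resolution(self):
        # Fullscreen compartments get the screen minus the reserved area.
        return self.screen_w, self.screen_h - self.RESERVED_ROWS

    def register(self, name, trust_color):
        w, h = self.app_resolution()
        app = App(name, trust_color, w, h)
        self.apps[name] = app
        if self.focus is None:
            self.focus = name
        return app

    def compose(self):
        # Rebuild the screen: the SUI-generated label first, the focused app's
        # framebuffer below it. The label comes from the SUI's own records of
        # the app, never from app-supplied content.
        app = self.apps[self.focus]
        label = f"[{app.trust_color}] {app.name}"
        self.screen = [[" "] * self.screen_w for _ in range(self.screen_h)]
        for i, ch in enumerate(label[: self.screen_w]):
            self.screen[0][i] = ch
        for r, row in enumerate(app.fb):
            self.screen[self.RESERVED_ROWS + r] = list(row)
        return ["".join(r) for r in self.screen]

    def key_event(self, key):
        # The SUI sees every keystroke first. SAK is consumed here and routed
        # to the trusted service, so no application, whatever it displays,
        # ever observes it. Every other key goes only to the focused app.
        if key == SAK:
            self.trusted_events.append(("sak", self.focus))
            return "trusted"
        self.apps[self.focus].received.append(key)
        return self.focus

    def switch_focus(self, name):
        if name in self.apps:
            self.focus = name


def demo():
    """Constructed scenario: an untrusted app imitates a password dialog."""
    sui = SUI(screen_w=40, screen_h=6)
    bank = sui.register("OnlineBanking", "green")
    game = sui.register("Game", "red")
    # The game paints a fake "password dialog" and tries to forge the label.
    game.draw_text(0, 0, "Enter your banking password:")
    game.draw_text(-1, 0, "[green] OnlineBanking")  # clipped: no screen access
    sui.switch_focus("Game")
    screen = sui.compose()   # row 0 still shows "[red] Game"
    sui.key_event("s")       # typed into the fake dialog: reaches Game only
    sui.key_event(SAK)       # the user invokes the trusted path
    return screen, bank.received, game.received, sui.trusted_events
```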





                   Example Resolved (3)
     ●   Multiplex mode with window labeling policy (Solaris TX)





                   Example Resolved (3)
     ●   Multiplex mode with window labeling policy (Solaris TX)
         [Figure: annotated: window labels]





                   Example Resolved (3)
     ●   Multiplex mode with window labeling policy (Solaris TX)
         [Figure: annotated: reserved area, window labels]





                   Example Resolved (3)
     ●   Multiplex mode with window labeling policy (Solaris TX)
         [Figure: annotated: reserved area, window labels,
          multi-level secure copy&paste]





                                     Known Uses
     ●   Research
           –     Trusted X (1993)
                  ●   Multiplex windows, X11
           –     EROS EWS (2004)
                  ●   Multiplex windows
           –     Nitpicker (2005)
                  ●   Multiplex windows
           –     mGUI (2005-2008)
                  ●   Fullscreen compartments
     ●   Commercial
           –     SDH (1991)
                  ●   Separate screen regions
           –     Solaris TX (2006)
                  ●   Multiplex windows, X11
           –     INTEGRITY (2008)
                  ●   Fullscreen VMs
           –     Turaya (near future)




                                   Consequences
     ●   Benefits
           –     Integrity & confidentiality of user input/output
           –     Trusted path
                  ●   Authenticity
           –     Flexibility
                  ●   Different implementations are possible
                  ●   Policy-driven design (e.g. labeling can be
                      adjusted according to needs)
     ●   Liabilities
           –     SUI must be trusted
                  ●   High assurance systems
           –     Single point of failure
           –     Usability issues
                  ●   e.g. labeling policy might require user training
           –     3D graphics
                  ●   Requires direct hardware access
                  ●   3D virtualization could help

                                       Summary
     ●   Approaches for Secure GUI Systems exist
     ●   Security pattern identified
     ●   Provides trusted path, secure copy&paste, and
         high flexibility through policy
     ●   Requires secure operating system support
           –     Known uses are mainly mandatory access control systems
           –     But commodity OSes could be enhanced (e.g. Solaris)
     ●   The Secure GUI System pattern is an important
         amendment to OS security patterns

                              Questions?


                                 Marcel Winandy
                          Ruhr-University Bochum
                         marcel.winandy@trust.rub.de




BACKUP





                             Related Patterns
     ●   Secure GUI System is a
                 –   Single Access Point [Yoder & Barcalow 1997]
                 –   Reference Monitor [Fernandez 2002]
     ●   Secure GUI System needs/uses
                 –   Authenticator [Fernandez & Sinibaldi 2003]
                 –   Execution Domain [Fernandez 2002]
                 –   Controlled Virtual Address Space [Fernandez 2002]
                 –   Secure Process [Fernandez, Sorgente, Larrondo-Petrie 2006]


