New version of capabilities patch online, some more status
Bengt Richter
bokr at accessone.com
Fri Apr 28 02:54:57 GMT 2000
At 17:50 2000-04-27 -0500 Chad Hanson wrote:
>
[...]
>on the size of screen on which the desktop is being displayed. A less
>intrusive idea is to have an informational bar stating the security
>level. This is a lot simpler, but the stripe could be spoofed.
>
One anti-spoof guarantee is to be able to query the system interactively
and securely (as opposed to passive viewing of status indications). Secure
querying would require a Secure Access Key type of thing, such as for a
secure local login. A signal could be propagated in a way appropriate to
the current stack of trusted layers of display hardware use. If you had
a trusted window manager running, it could be told to refresh its security
indications and make sure nothing untrusted was on top. Or possibly you
could use a window manager as is and pop up a new top window with status
info. If a display was in text mode, it could be preempted to display status,
etc. The point being to establish a low level secure mechanism that could
handle future display uses without preordaining too much. I would imagine a
specialized daemon to monitor dynamically changing uses of display hardware
(actually, also KB and mouse), and manage preemptions and restorations of
connections and states, etc.
I am wondering what the actual requirements are. I.e., do you need a constant
indication of security level? If you do, how annoyingly attention-demanding
does it have to be? (could it be an auditory nag?) Can I never use the entire
screen as a graphics surface for a program? Permanently reserving a piece of
screen seems undesirable (even fixing the mode/resolution shouldn't be
necessary).
I'll offer a few further thoughts to add to the concept flux ;-) ...
What level of virtualization is best for introducing access controls? E.g.,
if a future window manager is really a virtual 3D scene manager, sensitive text
being displayed could be routed to a wall-screen of a virtual top secret room
that you moused your way into. Should elements of the virtual scene, such as
the virtual wall-screen, have separate configurable access controls (e.g. via
dynamically created virtual devices)? If you turn your avatar-back to the
wall-screen, should the rendering of the view on the (real) CRT be treated as
secret, or could the transforms reliably prove that the sensitive data was not
visible? I.e., we never see data directly. There is always a rendering function
involved, whether it's VGA text mode hardware rendering ascii, or many layers of
processing putting rasterized text on Lara Croft's tee shirt by texture mapping.
A window manager is someplace in between. Would it pay to virtualize a WM and its
display surfaces to conceive it as an instantiation of the general process of
composing visual renderings of multiple data sources of potentially differing
security levels?
Regards,
Bengt Richter
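The "tell the trusted window manager to refresh its security indications and make sure nothing untrusted is on top" step, modelled as an added example that is not code from this thread or from TrustedBSD. The rectangle model, the surface names, and the `secure_attention` handler (assumed to be reachable only through a trusted path, never from an application) are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Surface:
    """A rectangle on the screen; 'trusted' marks surfaces the WM itself owns."""
    name: str
    trusted: bool
    x: int
    y: int
    w: int
    h: int


def overlaps(a: Surface, b: Surface) -> bool:
    """True when the two rectangles share at least one pixel."""
    return a.x < b.x + b.w and b.x < a.x + a.w and a.y < b.y + b.h and b.y < a.y + a.h


class TrustedWM:
    """Toy trusted window manager keeping a z-ordered stack (bottom first)."""

    def __init__(self, screen_w: int, bar_h: int):
        # Constructed: a reserved stripe along the top carrying the security level.
        self.status_bar = Surface("status_bar", True, 0, 0, screen_w, bar_h)
        self.stack = [self.status_bar]

    def map_window(self, s: Surface) -> None:
        self.stack.append(s)  # new windows arrive on top, as in most WMs

    def occluders(self) -> list[str]:
        """Untrusted surfaces stacked above the indicator that overlap it.

        Any of these could be painting a copy of the stripe (a spoof)."""
        above = self.stack[self.stack.index(self.status_bar) + 1:]
        return [s.name for s in above if not s.trusted and overlaps(s, self.status_bar)]

    def secure_attention(self) -> list[str]:
        """Handler for the secure-attention signal (assumed trusted-path only).

        Reports what was covering the indicator, then re-raises the real
        indicator so the user sees the WM's status and not a painted copy."""
        found = self.occluders()
        self.stack.remove(self.status_bar)
        self.stack.append(self.status_bar)
        return found
```

An application cannot trigger `secure_attention` itself, so a window that merely paints a look-alike stripe is exposed the moment the user presses the key and the genuine indicator comes back on top.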
More information about the trustedbsd-discuss mailing list