New version of capabilities patch online, some more status

Bengt Richter bokr at accessone.com
Fri Apr 28 02:54:57 GMT 2000


At 17:50 2000-04-27 -0500 Chad Hanson wrote:
>
[...]
>on the size of screen on which the desktop is being displayed. A less
>intrusive idea is to have an informational bar stating the security level.
>This is a lot simpler, but can the stripe be spoofed?
>
	One anti-spoof guarantee is to be able to query the system interactively
	and securely (as opposed to passive viewing of status indications). Secure
	querying would require a Secure Access Key type of thing, such as for a
	secure local login. A signal could be propagated in a way appropriate to
	the current stack of trusted layers of display hardware use. If you had
	a trusted window manager running, it could be told to refresh its security
	indications and make sure nothing untrusted was on top. Or possibly you
	could use a window manager as is and pop up a new top window with status
	info. If a display was in text mode, it could be preempted to display status,
	etc. The point being to establish a low level secure mechanism that could
	handle future display uses without preordaining too much. I would imagine a
	specialized daemon to monitor dynamically changing uses of display hardware
	(actually, also KB and mouse), and manage preemptions and restorations of
	connections and states, etc.

	I am wondering what the actual requirements are. I.e., do you need a constant
	indication of security level? If you do, how annoyingly attention-demanding
	does it have to be? (could it be an auditory nag?) Can I never use the entire
	screen as a graphics surface for a program? Permanently reserving a piece of
	screen seems undesirable (even fixing the mode/resolution shouldn't be
	necessary).
	
	I'll offer a few further thoughts to add to the concept flux ;-) ...
	What level of virtualization is best for introducing access controls? E.g.,
	if a future window manager is really a virtual 3D scene manager, sensitive
	text being displayed could be routed to a wall-screen of a virtual top secret
	room that you moused your way into. Should elements of the virtual scene, such
	as the virtual wall-screen, have separate configurable access controls (e.g.
	via dynamically created virtual devices)? If you turn your avatar-back to the
	wall-screen, should the rendering of the view on the (real) CRT be treated as
	secret, or could the transforms reliably prove that the sensitive data was not
	visible? I.e., we never see data directly. There is always a rendering
	function involved, whether it's VGA text mode hardware rendering ascii, or
	many layers of processing putting rasterized text on Lara Croft's tee shirt by
	texture mapping. A window manager is someplace in between. Would it pay to
	virtualize a WM and its display surfaces to conceive it as an instantiation of
	the general process of composing visual renderings of multiple data sources of
	potentially differing security levels?

	Regards,
	Bengt Richter
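A toy model of the two ideas in the message above (the secure-attention query that makes a trusted window manager verify its security stripe, and composing windows of differing levels so that only what actually reaches the screen counts), added here as an illustration; it is not code from the list or from TrustedBSD. The label lattice, the `trusted_wm` owner name, the 16x8 screen and the window names are constructed for the example.

```python
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}  # constructed label lattice, not TrustedBSD's MAC labels

@dataclass(frozen=True)
class Window:
    owner: str   # "trusted_wm" for the hypothetical trusted window manager, else an app name
    level: str   # sensitivity label of the data the window renders
    x: int; y: int; w: int; h: int   # screen rectangle in pixels

def topmost_at(stack, px, py):
    """Window that actually paints pixel (px, py); stack[-1] is the top of the z-order."""
    for win in reversed(stack):
        if win.x <= px < win.x + win.w and win.y <= py < win.y + win.h:
            return win
    return None

def visible_level(stack, screen_w, screen_h):
    """Label of the composed frame: the highest level among windows that put at least
    one pixel on the screen. A fully occluded secret window contributes nothing, which
    is the 'could the transforms prove the data was not visible' question."""
    shown = {topmost_at(stack, px, py) for py in range(screen_h) for px in range(screen_w)}
    shown.discard(None)
    return max((LEVELS[win.level] for win in shown), default=LEVELS["unclassified"])

def stripe_is_trusted(stack, stripe):
    """Every pixel of the status stripe must be painted by the trusted WM; any other
    window on top of it means the security indication could be spoofed."""
    x, y, w, h = stripe
    return all(
        getattr(topmost_at(stack, px, py), "owner", None) == "trusted_wm"
        for py in range(y, y + h) for px in range(x, x + w)
    )

def secure_attention(stack, stripe):
    """Secure attention key handler: report whether the stripe was covered (spoofable)
    and return a z-order with the trusted WM's windows re-raised above everything."""
    spoofable = not stripe_is_trusted(stack, stripe)
    untrusted = [win for win in stack if win.owner != "trusted_wm"]
    trusted = [win for win in stack if win.owner == "trusted_wm"]
    return spoofable, untrusted + trusted

# Constructed 16x8 screen: trusted stripe on row 0, a secret document, full-screen game on top.
STRIPE = (0, 0, 16, 1)
STACK = [
    Window("trusted_wm", "unclassified", 0, 0, 16, 1),
    Window("editor", "secret", 2, 2, 6, 4),
    Window("game", "unclassified", 0, 0, 16, 8),
]
```

With the game on top the stripe is covered and `secure_attention` reports it as spoofable, then re-raises the stripe; the secret document stays occluded, so the composed frame's level remains unclassified until the editor is raised.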


More information about the trustedbsd-discuss mailing list