Unix security additions
Joshua Osborne
stripes at eng.umd.edu
Wed Mar 27 01:16:07 AEST 1991
In article <1991Mar19.193342.28295 at Think.COM>, barmar at think.com (Barry Margolin) writes:
[...]
> The problem is that while you may trust the *people*, you can't always
> trust the software they run. In many window systems, it is possible for
> software to simulate user actions, and this is ripe breeding ground for
> Trojan Horses. If a user can manually cut and paste, then a TH can
> simulate this and downgrade information without the user realizing it.
In X any events created by a client program (the one that asks for things to be
drawn in windows, not the thing that does all the drawing) have a bit set. Well
it is a 16 or 32 bit field that gets set to a "non-zero" value, when makeing a
MAC (is that the right term?). I guess that you could make the non-zero value the
clasifaction level of the progam that sends. The only program that I know of that
uses this is xterm which ignores all client created events (or at least the
keyboard events, and most likely mouse ones) unless the AlowSendEvents resource
is set to true (or the provided menu item is used...).
> However, if cut-and-paste uses a "trusted path" that can't be emulated by
> unverified software (which probably requires much of the window system to
> be in the TCB, yuck) then it might be feasible to relax such restrictions
> in some environments.
It will only require the "paste" function to done by proper software. I don't
know if it is acceptable for this software to be in a lib (as opposed to being
part of the OS).
> Such operations must be audited, but if you permit
> downgrading at such a fine grain then then tracing back the information in
> the logs can be difficult (cut buffers don't generally remember the name of
> the document from which the data came).
Again this could be done in X, the selection protocall is very flexable you can
add to the data passed (via cut/copy) the file the info was from and even what
line (or cell, or whatever) it was from. Then the paste could refuse to paste
from a higher clearance window unless it (a) had all that info, and (b) the
user was allowd to downgrade that info.
Meta-comment:
I cross posted this to comp.windows.x & alt.security, and redirected the followups
to alt.security (I am unsure whether it belongs in alt.security or comp.windows.x
so I guessed, it has gotten rather removed from comp.unix.internals 'tho)
--
stripes at eng.umd.edu "Security for Unix is like
Josh_Osborne at Real_World,The Multitasking for MS-DOS"
"The dyslexic porgramer" - Kevin Lockwood
"CNN is the only nuclear capable news network..."
- lbruck at eng.umd.edu (Lewis Bruck)
More information about the Comp.unix.internals
mailing list