Designing an ocap clipboard for privacy
6 views
Skip to first unread message
Tony Garnock-Jones
Feb 8, 2022, 7:22:33 AM2/8/22
to cap-...@googlegroups.com
Hi all,
Recently, denizens of an orange website discussed the ability of
applications to snoop on clipboard contents in commodity operating
systems: https://news.ycombinator.com/item?id=30193091
Some of the discussion turned to object capabilities, since the problem
is rooted in each application's ambient authority to read and write a
singleton clipboard object.
There are some interesting design wrinkles to solve around the
(seeming?) tension between custom user-interface and good security
design. For example, allowing applications to add custom gestures for
"paste" without sacrificing privacy could be a bit of a design nightmare.
I could have sworn I'd seen some good past work on design of user
interface systems including secure clipboard facilities, but I cannot
seem to find it again.
Could someone here point me in the right direction, please?
Regards,
Tony
Recently, denizens of an orange website discussed the ability of
applications to snoop on clipboard contents in commodity operating
systems: https://news.ycombinator.com/item?id=30193091
Some of the discussion turned to object capabilities, since the problem
is rooted in each application's ambient authority to read and write a
singleton clipboard object.
There are some interesting design wrinkles to solve around the
(seeming?) tension between custom user-interface and good security
design. For example, allowing applications to add custom gestures for
"paste" without sacrificing privacy could be a bit of a design nightmare.
I could have sworn I'd seen some good past work on design of user
interface systems including secure clipboard facilities, but I cannot
seem to find it again.
Could someone here point me in the right direction, please?
Regards,
Tony
Matt Rice
Feb 8, 2022, 10:11:08 AM2/8/22
to cap-talk
Design of the EROS Trusted Window System
https://www.usenix.org/legacy/publications/library/proceedings/sec04/tech/full_papers/shapiro/shapiro.pdf
The above paper talks about clipboards a bit, and cites
Towards trusted cut and paste in the X Window System
https://ieeexplore.ieee.org/document/213020
genode is newer and I know it also has a mechanism, it seems like it
doesn't require full traceability like EROS,
in the sense that it seems like access to the pasteboard is ambient,
but only available under conditions
like the application is focused and has had interaction within 500ms.
https://genodians.org/nfeske/2019-07-03-copy-paste
> --
> You received this message because you are subscribed to the Google Groups "cap-talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/c4a5874e-71b6-38c9-b8dc-f98d8e2a7daf%40leastfixedpoint.com.
https://www.usenix.org/legacy/publications/library/proceedings/sec04/tech/full_papers/shapiro/shapiro.pdf
The above paper talks about clipboards a bit, and cites
Towards trusted cut and paste in the X Window System
https://ieeexplore.ieee.org/document/213020
genode is newer and I know it also has a mechanism, it seems like it
doesn't require full traceability like EROS,
in the sense that it seems like access to the pasteboard is ambient,
but only available under conditions
like the application is focused and has had interaction within 500ms.
https://genodians.org/nfeske/2019-07-03-copy-paste
> You received this message because you are subscribed to the Google Groups "cap-talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/c4a5874e-71b6-38c9-b8dc-f98d8e2a7daf%40leastfixedpoint.com.
Mark S. Miller
Feb 8, 2022, 11:22:45 AM2/8/22
to cap-...@googlegroups.com
Also some stuff in DarpaBrowser report, IIRC
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CACTLOFqEZ2QPGwkvkGgg6xH%3DxHwVsiEfK1%3DKxhMX0rOiWpJCeg%40mail.gmail.com.
Tony Garnock-Jones
Feb 8, 2022, 3:10:00 PM2/8/22
to cap-...@googlegroups.com
Brilliant, thank you Matt and Mark. The Shapiro 2004 paper and the
DarpaBrowser reports are exactly the kind of thing I was thinking of.
Genode/Qubes isn't quite what I had in mind since it's more of a legacy
thing than a proper reimagining of what the clipboard could/should be in
an ocap world.
Cheers,
Tony
On 2/8/22 16:10, Matt Rice wrote:
> Design of the EROS Trusted Window System
> https://www.usenix.org/legacy/publications/library/proceedings/sec04/tech/full_papers/shapiro/shapiro.pdf
On 2/8/22 17:22, 'Mark S. Miller' via cap-talk wrote:
> Also some stuff in DarpaBrowser report, IIRC [http://www.combex.com/papers/darpa-report/html/]
DarpaBrowser reports are exactly the kind of thing I was thinking of.
Genode/Qubes isn't quite what I had in mind since it's more of a legacy
thing than a proper reimagining of what the clipboard could/should be in
an ocap world.
Cheers,
Tony
On 2/8/22 16:10, Matt Rice wrote:
> Design of the EROS Trusted Window System
> https://www.usenix.org/legacy/publications/library/proceedings/sec04/tech/full_papers/shapiro/shapiro.pdf
> Also some stuff in DarpaBrowser report, IIRC [http://www.combex.com/papers/darpa-report/html/]
Reply all
Reply to author
Forward
0 new messages