Qubes GUI design security question


Luís Fernando Schultz Xavier da Silveira

Apr 28, 2016, 3:28:11 AM4/28/16
to qubes...@googlegroups.com
Hi,

I have one question which does not seem addressed in the documentation:
what prevents untrusted domains from abusing window creation and
destruction to disrupt the system or spy on the user?

More precisely, it is clear untrusted domains get to pick when their
windows are created, with which geometry they are created and when they
are destroyed. What prevents such a domain from carrying out a denial
of service by repeatedly creating and destroying windows?
What prevents a domain from creating a window that steals the focus
from the user's window while he is entering a secret?
What if some untrusted domain the user is working on destroys a window
so the user enters "garbage" on a more trusted window below it?

Thank you,
Luís Fernando

Marek Marczykowski-Górecki

Apr 28, 2016, 4:42:55 AM4/28/16
to Luís Fernando Schultz Xavier da Silveira, qubes...@googlegroups.com
You can set focus stealing prevention in KDE to a more restrictive value,
but it doesn't solve all the problems unfortunately. It is already tracked here:
https://github.com/QubesOS/qubes-issues/issues/881
https://github.com/QubesOS/qubes-issues/issues/1166

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Luís Fernando Schultz Xavier da Silveira

Apr 28, 2016, 10:49:49 AM4/28/16
to Marek Marczykowski-Górecki, qubes...@googlegroups.com
Hi,

I see, thank you for the pointers.
I would like to wonder then whether it would be a viable idea to have
per-domain workspaces accessible either by the dom0 workspace or by
configurable key combinations. They could even be rendered directly to
the Linux framebuffer with an X server and a window manager per domain.
This seems to simplify the GUI code quite a bit and also prevent all
these attacks.