Designing an ocap clipboard for privacy

6 views
Skip to first unread message

Tony Garnock-Jones

unread,
Feb 8, 2022, 7:22:33 AMFeb 8
to cap-...@googlegroups.com
Hi all,

Recently, denizens of an orange website discussed the ability of
applications to snoop on clipboard contents in commodity operating
systems: https://news.ycombinator.com/item?id=30193091

Some of the discussion turned to object capabilities, since the problem
is rooted in each application's ambient authority to read and write a
singleton clipboard object.

There are some interesting design wrinkles to solve around the
(seeming?) tension between custom user-interface and good security
design. For example, allowing applications to add custom gestures for
"paste" without sacrificing privacy could be a bit of a design nightmare.

I could have sworn I'd seen some good past work on design of user
interface systems including secure clipboard facilities, but I cannot
seem to find it again.

Could someone here point me in the right direction, please?

Regards,
Tony

Matt Rice

unread,
Feb 8, 2022, 10:11:08 AMFeb 8
to cap-talk
Design of the EROS Trusted Window System
https://www.usenix.org/legacy/publications/library/proceedings/sec04/tech/full_papers/shapiro/shapiro.pdf

The above paper talks about clipboards a bit, and cites

Towards trusted cut and paste in the X Window System
https://ieeexplore.ieee.org/document/213020

genode is newer and I know it also has a mechanism, it seems like it
doesn't require full traceability like EROS,
in the sense that it seems like access to the pasteboard is ambient,
but only available under conditions
like the application is focused and has had interaction within 500ms.
https://genodians.org/nfeske/2019-07-03-copy-paste
> --
> You received this message because you are subscribed to the Google Groups "cap-talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/c4a5874e-71b6-38c9-b8dc-f98d8e2a7daf%40leastfixedpoint.com.

Mark S. Miller

unread,
Feb 8, 2022, 11:22:45 AMFeb 8
to cap-...@googlegroups.com
Also some stuff in DarpaBrowser report, IIRC


Tony Garnock-Jones

unread,
Feb 8, 2022, 3:10:00 PMFeb 8
to cap-...@googlegroups.com
Brilliant, thank you Matt and Mark. The Shapiro 2004 paper and the
DarpaBrowser reports are exactly the kind of thing I was thinking of.
Genode/Qubes isn't quite what I had in mind since it's more of a legacy
thing than a proper reimagining of what the clipboard could/should be in
an ocap world.

Cheers,
Tony

On 2/8/22 16:10, Matt Rice wrote:
> Design of the EROS Trusted Window System
> https://www.usenix.org/legacy/publications/library/proceedings/sec04/tech/full_papers/shapiro/shapiro.pdf

On 2/8/22 17:22, 'Mark S. Miller' via cap-talk wrote:
> Also some stuff in DarpaBrowser report, IIRC [http://www.combex.com/papers/darpa-report/html/]
Reply all
Reply to author
Forward
0 new messages