Designing an ocap clipboard for privacy


Tony Garnock-Jones

Feb 8, 2022, 7:22:33 AM
Hi all,

Recently, denizens of an orange website discussed the ability of
applications to snoop on clipboard contents in commodity operating

Some of the discussion turned to object capabilities, since the problem
is rooted in each application's ambient authority to read and write a
singleton clipboard object.

There are some interesting design wrinkles to solve around the
(seeming?) tension between custom user-interface and good security
design. For example, allowing applications to add custom gestures for
"paste" without sacrificing privacy could be a bit of a design nightmare.

I could have sworn I'd seen some good past work on design of user
interface systems including secure clipboard facilities, but I cannot
seem to find it again.

Could someone here point me in the right direction, please?


Matt Rice

Feb 8, 2022, 10:11:08 AM
Design of the EROS Trusted Window System

The above paper talks about clipboards a bit, and cites

Towards trusted cut and paste in the X Window System

Genode is newer and I know it also has a mechanism. It seems like it
doesn't require full traceability like EROS, in the sense that access to
the pasteboard seems to be ambient, but only available under conditions
like the application being focused and having had interaction within 500 ms.
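To make the distinction in Matt's post concrete, here is a small toy model (added illustration; not code from Genode, EROS, DarpaBrowser or any poster) that runs the same scenario, foreground app A copies a secret while background app B tries to read it, through three designs: a plain ambient singleton clipboard, a singleton gated on focus plus recent user input (the 500 ms window is taken from the post above and assumed to be an exact threshold), and an ocap sketch in which no app holds a clipboard reference and the window system hands the focused app a one-shot paste capability only in response to the user's paste gesture. Class and function names are invented for the example.

```python
"""Toy model of three clipboard designs. Illustration only, not Genode/EROS code."""
from dataclasses import dataclass, field
from typing import Optional

INTERACTION_WINDOW_MS = 500  # figure quoted in the post; treated as exact here


class AccessDenied(Exception):
    """A design refused a clipboard operation."""


@dataclass
class AmbientClipboard:
    """Commodity-OS model: a singleton any process may read or write at any time."""
    content: str = ""

    def read(self, app: str) -> str:
        return self.content  # nobody checks who is asking

    def write(self, app: str, text: str) -> None:
        self.content = text


@dataclass
class GatedClipboard:
    """Still a singleton, but the GUI server serves only the focused app, and only
    within INTERACTION_WINDOW_MS of a real user event directed at that app."""
    content: str = ""
    focused_app: Optional[str] = None
    last_input_ms: dict = field(default_factory=dict)

    def user_input(self, app: str, now_ms: int) -> None:
        self.focused_app = app
        self.last_input_ms[app] = now_ms

    def _check(self, app: str, now_ms: int) -> None:
        last = self.last_input_ms.get(app)
        if app != self.focused_app or last is None or now_ms - last > INTERACTION_WINDOW_MS:
            raise AccessDenied(f"{app}: not focused or idle > {INTERACTION_WINDOW_MS} ms")

    def read(self, app: str, now_ms: int) -> str:
        self._check(app, now_ms)
        return self.content

    def write(self, app: str, text: str, now_ms: int) -> None:
        self._check(app, now_ms)
        self.content = text


class PasteCapability:
    """Unforgeable, single-use reference to one snapshot of the clipboard."""

    def __init__(self, snapshot: str) -> None:
        self._snapshot = snapshot
        self._spent = False

    def take(self) -> str:
        if self._spent:
            raise AccessDenied("paste capability already used")
        self._spent = True
        return self._snapshot


@dataclass
class OcapWindowSystem:
    """Ocap sketch: apps hold no clipboard reference and there is no read() to
    poll. Only the window system, reacting to a user gesture, moves data, and it
    does so by minting a PasteCapability for whichever app currently has focus."""
    _content: str = ""
    focused_app: Optional[str] = None

    def focus(self, app: str) -> None:
        self.focused_app = app

    def user_copy(self, selection_of_focused_app: str) -> None:
        self._content = selection_of_focused_app  # source chosen by focus, not by the app

    def user_paste(self) -> tuple:
        return self.focused_app, PasteCapability(self._content)


def run_scenario() -> dict:
    """Drive all three designs through the same events; record what each app obtains."""
    out, secret = {}, "hunter2"  # constructed sample secret

    amb = AmbientClipboard()
    amb.write("A", secret)
    out["ambient_B_reads"] = amb.read("B")  # background B snoops freely

    gated = GatedClipboard()
    gated.user_input("A", now_ms=1000)
    gated.write("A", secret, now_ms=1010)
    for key, app, t in (("gated_B_reads", "B", 1020),   # B is not focused
                        ("gated_A_stale", "A", 1700),   # A focused but idle 700 ms
                        ("gated_A_fresh", "A", 1400)):  # A focused, idle 400 ms
        try:
            out[key] = gated.read(app, now_ms=t)
        except AccessDenied:
            out[key] = None

    ws = OcapWindowSystem()
    ws.focus("A")
    ws.user_copy(secret)
    ws.focus("B")
    recipient, cap = ws.user_paste()  # user deliberately pastes into B
    out["ocap_recipient"], out["ocap_pasted"] = recipient, cap.take()
    try:
        cap.take()
        out["ocap_reuse"] = "allowed"
    except AccessDenied:
        out["ocap_reuse"] = None  # capability cannot be replayed
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:>16}: {v!r}")
```

The gated design still leaves a focused, recently-interacted-with app free to read whatever happens to be on the pasteboard, which is the residual exposure Tony's question about custom paste gestures points at; the ocap sketch removes the ambient read entirely, so the remaining design problem is how an app expresses "paste here" to the window system without being handed a standing read capability.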

Mark S. Miller

Feb 8, 2022, 11:22:45 AM
Also some stuff in DarpaBrowser report, IIRC

Tony Garnock-Jones

Feb 8, 2022, 3:10:00 PM
Brilliant, thank you Matt and Mark. The Shapiro 2004 paper and the
DarpaBrowser reports are exactly the kind of thing I was thinking of.
Genode/Qubes isn't quite what I had in mind since it's more of a legacy
thing than a proper reimagining of what the clipboard could/should be in
an ocap world.


On 2/8/22 16:10, Matt Rice wrote:
> Design of the EROS Trusted Window System

On 2/8/22 17:22, 'Mark S. Miller' via cap-talk wrote:
> Also some stuff in DarpaBrowser report, IIRC []
Reply all
Reply to author
0 new messages