Passive and active attacks via X11. Is Wayland any better?
tiago.vignatti at linux.intel.com
Mon Feb 20 05:28:29 PST 2012
On 02/18/2012 12:07 AM, Joanna Rutkowska wrote:
> The approach with trusted/untrusted apps is far from an optimal solution
> -- just as the world is not black and white, it is also hard to divide
> apps strictly into just two categories: trusted and not trusted. It is
> even difficult to assign 1-dimensional levels of trust to apps, such as
> in military (confidential, secret, top secret, etc). Consider e.g. the
> following security domains: work, personal, banking -- do you really
> think there is an ordering trust relation between them? I don't think
> so. In fact, the most reasonable solution is that a user wants isolation
> between all of them (which is a special case of a tree-like trust relation).
Funny, because Qubes implements exactly the 1-dimensional level policy
(per domain) for the isolation which you're opposing here. And your
system is a workaround by nature; it's implementing the isolation
policy entirely at the application level, calling heavy-weight VMs, and
breaking the fundamental concept of the desktop, which is to integrate
applications, having them interact with each other. Why not make the
isolation, well, _selection_, at the windowing system instead?
> So, back to the example with clipboard -- what a user typically expects
> is that the clipboard allows for (secure) communication between two
> _select_ apps, such as e.g. KeepassX and the Firefox in the example
> above, and is not allowing any other app to steal the clipboard in the
Sorry, but what's the difference between what you describe here and the
other, to classify clients as trusted or not?
PS: I like nasty ;)