Passive and active attacks via X11. Is Wayland any better?
Tiago Vignatti
tiago.vignatti at linux.intel.com
Mon Feb 20 05:28:29 PST 2012
On 02/18/2012 12:07 AM, Joanna Rutkowska wrote:
>
> The approach with trusted/untrusted apps is far from an optimal solution
> -- just as the world is not black and white, it is also hard to divide
> apps strictly into just two categories: trusted and not trusted. It is
> even difficult to assign 1-dimnesional levels of trust to apps, such as
> in military (confidential, secret, top secret, etc). Consider e.g. the
> following security domains: work, personal, banking -- do you really
> think there is an ordering trust relation between them? I don't think
> so. In fact, the most reasonable solution is that a user wants isolation
> between all of them (which is a special case of a tree-like trust relation).
funny, because Qubes implements exactly the 1-dimensional level policy
(per domain) for the isolation which you're opposing here. And your
system is a workaround by nature; it's implementing entirely the
isolation policy in application level, calling heavy-weighted VMs, and
breaking the fundamental concept of desktop which is to integrate
applications, having them interacting each other. Why not make the
isolation, well _selection_, at windowing system's instead?
> So, back to the example with clipboard -- what a user typically expects
> is that the clipboard allows for (secure) communication between two
> _select_ apps, such as e.g. KeepassX and the Firefox in the example
> above, and is not allowing any other app to steal the clipboard in the
> meantime.
sorry but what's the difference between what you describe here and the
other, to classify clients as trusted or not?
PS: I like nasty ;)
Tiago
More information about the wayland-devel
mailing list