
Re: User sessions, system request

From: Neal H. Walfield
Subject: Re: User sessions, system request
Date: Thu, 31 Jan 2008 12:45:38 +0100
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.8 (Shijō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Thu, 31 Jan 2008 06:14:35 -0500,
Jonathan S. Shapiro wrote:
> On Wed, 2008-01-30 at 22:46 +0100, Bas Wijnen wrote:
> > As you seem to agree, Alt+SysRq may be designed for the purpose, but it
> > is badly designed and should not be used for it.
> No, I do not agree with this. Yes, I agree it would be better if SysRq
> did not require ALT. No, I do not agree that the current design is a
> serious problem.
> > > This is the right goal. The problem is to ensure that a "normal" program
> > > cannot simulate a password box well enough to fool the user into
> > > entering a password into an unauthorized program.
> > 
> > The user needs to be educated for this: when entering a password,
> > _always_ press break first.
> Actually, that isn't necessary. There are ways to design a window
> manager to provide visual feedback confirming that a trusted window has
> focus.

To fill in this dangling reference, here are two papers that present
some work in this direction:

  A Nitpicker's guide to a minimal-complexity secure GUI by N. Feske,
  C. Helmuth, in proceedings of the 21st Annual Computer Security
  Applications Conference (ACSAC 2005), Tucson, Arizona, USA, December


  Design of the EROS Trusted Window System by Jonathan S. Shapiro,
  John Vanderburgh, Eric Northup, and David Chizmadia, in proceedings
  of the 2004 USENIX Security Conference, 2004.


