Overlay Window Management: User Interaction with Multiple Security Domains
Total Page:16
File Type:pdf, Size:1020Kb
TECHNISCHE UNIVERSITAT¨ DRESDEN Fakultat¨ Informatik TUD–FI04–02–Marz¨ 2004 Norman Feske and Christian Technische Berichte Helmuth Institute for System Architecture, Operating Technical Reports Systems Group ISSN 1430-211X Overlay Window Management: User interaction with multiple security domains Technische Universitat¨ Dresden Fakultat¨ Informatik D-01062 Dresden Germany URL: http://www.inf.tu-dresden.de/ Overlay Window Management: User interaction with multiple security domains Norman Feske and Christian Helmuth Abstract one physical computer system into multiple protection do- mains where each domain can be an entirely different oper- Graphical user interfaces for high-assurance systems must ating system. Hartig¨ [15] presents an overview of such ar- fulfill a range of security requirements such as pro- chitectures and emphasizes the trend of wide application of tected and reliable presentation, prevention of unautho- these techniques in system design. Virtual machines lead rized cross-domain talk, and prevention of user-input to an unmatched flexibility and availability of user applica- eavesdropping. Additionally, it is desirable to support tions. As described in [14], the latests efforts with secure legacy applications running in confined compartments. booting techniques—namely TCPA [6]—pushed the appli- Standard isolation methods such as virtual-machine mon- cation area of these approaches even further. Even though itors provide one frame buffer per security domain, where the known approaches are technically different, they have each frame buffer is managed by one legacy window sys- one drawback in common that shrinks the application area tem. This raises the question of how to safely integrate significantly. There exists virtually no model for secure multiple (legacy) window systems and protect the dis- user interaction with multiple security domains. played data while preserving the usability of modern user In this paper, we present a generic solution for the interfaces. addressed problem and discuss application scenarios of Our paper describes the Overlay Window System, a gen- deploying virtualization and sandboxing techniques com- eral mechanism for multiplexing windows of multiple dis- bined with our user-interaction model. tinct window systems into the host frame buffer. Thus, Currently available virtual machines perform user inter- each legacy window appears to the user as one correspond- action based on consoles. Traditionally, there exist two in- ing host window that can be moved and resized. To achieve terfaces for the interaction with the user: input devices and this, only slight modifications of the legacy window sys- a frame buffer display. This paradigm appears antiquated tem are required whereby, the source code does not have to regarding the modern way of user interaction with com- be available. Our implementation of an Overlay Window puter systems. Today, we expect to interact with windowed System successfully multiplexes Linux, GEM and native applications that can freely be arranged on the screen. L4 applications. Existing virtual machines do not to deal with such ap- plications but leave the window management to the virtu- alized legacy operating system. This way, the virtual frame 1 Introduction buffer, containing all windows of the legacy operating sys- tem, is presented to the user as one host window or as full The ever-increasing number of security-sensitive platforms screen (Figure 1). connected to untrusted public networks raises a high de- Once multiple instances of virtual machines come into mand of executing trusted and untrusted applications side- play, as described in the numerous application scenarios by-side on one device. For example, people store and in [13], the problem of multiplexing virtual frame buffers process private data on PDAs using trusted software and immediately arises and the full-screen approach becomes execute gadgets—downloaded from untrusted sources— unfeasible. which are potentially malicious (malware). There exist We want to integrate multiple legacy window systems plenty of options to deal with such scenarios, which fall into one user environment. Thus, we approach the follow- into two categories: ing problems: Firstly, there are operating systems that provide strong application-level isolation and protection. Prominent examples are the L4 family [18] and EROS [19]—a • The way of how windows are managed and how re- capability-based operating system. They provide a cus- draw operations are performed differs among legacy tom infrastructure to build applications, which in turn are operating systems. especially designed for these operating systems. For exam- ple, with DOpE [11, 12] and EWS [20] there exist custom • We want to integrate proprietary legacy operating sys- trusted window systems for these operating systems. The tems of which the source code is not available. common drawback of these solutions is the lack of avail- able applications. • We cannot access the internal data structures that rep- Secondly, with virtual machine monitors and sandbox- resent the user interface on the legacy operating sys- ing techniques, there exist powerful solutions to partition tem. • All properties of used virtualization and sandboxing techniques in regard to isolation and protection of se- curity domains must persist. Window layer 1 Logical representation In this paper, we present a solution for the problems men- tioned above. We can integrate any number of legacy win- Window layer 2 dow systems running on different virtual machines. The legacy window systems can even use virtual frame buffers Physical representation of different sizes and color depths. This can be achieved Virtual frame buffer Legacy window system with virtually no (or marginal) modifications of the legacy operating systems. As a proof-of-concept, we integrated three entirely different window systems—namely X11, GEM and DOpE—into one user environment while run- Windowed frame ning them inside fully isolated security domains. For this, we required no access to the GEM source code. The rest of the paper is structured as follows: In Sec- Physical frame buffer Host window system tion 2 we describe our basic mechanism to multiplex win- dow systems. It is followed by Section 3 that describes the actual implementation of our mechanism. Section 4 Figure 1: Virtual frame buffer displayed as one host win- highlights new application fields, which can be captured dow. Legacy window information are only exported as by virtual machines combined with our technique. In Sec- virtual frame buffer and the virtual machine displays the tion 5 we give an overview about related work and put our entire frame as one host window. Windows are displayed work in the context of trusted window systems. Section 6 with shadows at the logical representation level to high- concludes the paper with an outlook to future work. light the fact, that the semantics are known not only the pixel data. 2 Mechanism 2.1 Nested-window-systems approach important information on the way from the legacy win- dow system to the host representation. Since the exist- Current implementations of virtual machines virtualize (or ing interfaces—frame buffer and input devices—alone are emulate) standard hardware devices to enable guest oper- insufficient, we looked for novel ways to obtain the se- ating systems to perform I/O operations. This way, legacy mantics of legacy windows. An ideal (i. e. cooperative) operating systems reuse existing device drivers to access legacy window system for our purposes would provide virtual input devices or graphics cards, and thus, the host additional window information besides the virtual frame system. buffer. Thus, a host window system is able to manage The common technique for emulating graphics cards is legacy and host windows similarly, as it would know about to provide a virtual frame buffer to the guest. The legacy the semantics of legacy windows. This approach is com- window system renders its private window stack into the parable to remote GUI protocols (e. g., X11 or RDP), but virtual frame buffer (Figure 1). Thereby, the window sys- needs fewer high-level commands. tem translates its logical representation (e. g., window lists and window-decoration configuration) into the physical We have to tackle the problem of how to export legacy representation of pixels in the frame buffer. The physical window contents, positions, and sizes. Furthermore, the representation of the legacy system contains no semantics host window system needs to know the legacy window about the displayed information anymore, so that the logi- stacking order to present a consistent global window state cal representation is not known to the host window system. to the user. Figure 2 illustrates this idea. Therefore, established virtual machines render the virtual The generic export of window state information from ar- frame buffer into one big host window. bitrary legacy window systems is tricky, as the used data This approach has several usability drawbacks. Firstly, structures differ significantly. Keeping the two window the virtual-machine window is unhandy due to its size and stacks—legacy and host—consistent on the basis of totally pollutes the screen. Secondly, all legacy windows are on different structures appears to be infeasible. On the other the same stacking level regarding host window order. This hand, window-state changes (e. g., movement or resizing) highly restricts the flexibility of application-window place- are very easy to export. The host window system can use ment. Interaction with such nested window systems is nei- them to reconstruct the legacy window configuration on ther natural nor efficient. the host side. We call such a window system Overlay Window System 2.2 Overlay window system—hosting as it overlays distinct window stacks and thus, legacy and legacy windows host windows. The Overlay Window System tracks top (come to front), move, resize, open, and close window- The above-mentioned limitations are not caused by the state-change events, it receives from the legacy system. utilization of the virtual frame buffer but by the loss of This way, the Overlay Window System is at all times about these state changes via the view abstraction.