13th USENIX Security Symposium Abstract
Pp. 165–178 of the Proceedings
Design of the EROS Trusted Window System
Jonathan S. Shapiro, John Vanderburgh, and Eric Northup, Johns Hopkins University; David Chizmadia, Promia Inc.
Window systems are the primary mediator of user input and output in modern computing systems. They are also
a commonly used interprocess communication mechanism. As a result, they play a key role in the enforcement
of security policies and the protection of sensitive information. A user typing a password or passphrase must
be assured that it is disclosed exclusively to the intended program. In highly secure systems, global policies
concerning information flow restrictions must be honored. Most window systems today, including X11 and
Microsoft Windows, have carried forward the presumptive trust assumptions of the Xerox Alto from which
they were conceptually derived. These assumptions are inappropriate for modern computing environments.
In this paper, we present the design of a new trusted window system for the EROS capability-based operating
system. The EROS Window System (EWS) provides robust traceability of user volition and is capable (with
extension) of enforcing mandatory access controls. The entire implementation of EWS is less than 4,500 lines,
which is a factor of ten smaller than previous trusted window systems such as Trusted X, and well within the
range of what can feasibly be evaluated for high assurance.
The Proceedings are published as a collective work, © 2004 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.