The EROS Trusted Window System

msra(2004)

Abstract
Window systems are the primary mediator of user input and output in modern computing systems. As a result, they play a key role in the enforcement of security policies and the protection of sensitive information. A user typing a password or passphrase must be assured that it is disclosed exclusively to the intended program. The interprocess communication functionality that underlies "cut and paste" must be guarded such that (a) messages transmitted are known to reflect user intentions and (b) global policies concerning information flow are honored. Most window systems today, including X11 and Microsoft Windows, have carried forward the presumptive trust assumptions of the Xerox Alto from which they were conceptually derived. These assumptions are inappropriate for modern computing environments. In this paper, we present the design of a new trusted window system for the EROS capability-based operating system. The EROS Window System (EWS) provides robust traceability of user volition and is capable (with extension) of enforcing mandatory access controls. To our knowledge it does not introduce new covert channels into the overall system architecture, and it is not subject to significant denial of service attacks. The entire implementation of EWS is less than 4,500 lines, which is a factor of ten smaller than previous trusted window systems such as Trusted X, and well within the range of what can feasibly be evaluated for high assurance.
Keywords
security policy,information flow,denial of service attack,covert channel,operating system,system architecture,interprocess communication