File powerboxes
What is a file powerbox?
A file powerbox is a kind of file chooser dialog box, and it works the same from the user's perspective. The difference is that as well as telling the application which file to access, it dynamically grants the application the right to access the file.
This helps provide security: It means that the application does not have to be given access to all of the user's files by default. This is an example of applying the principle of least privilege/authority: the aim is to give the program the authority it needs to do its job, but no more.
An example
Suppose you run Gnumeric to view a spreadsheet you downloaded from the Internet. Gnumeric might not be a malicious program, but suppose it has a buffer overrun bug -- quite possible considering that it is written in C -- and the spreadsheet exploits that bug.
If Gnumeric runs with all your authority, the dodgy spreadsheet can read any of your files (such as "~/sensitive-file.txt", or your private keys from "~/.ssh") and send them back to its creator.
But if Gnumeric runs with minimum authority, the malicious spreadsheet can't do anything except write to the file it was opened from, and open a powerbox to request a file. The application cannot specify a default pathname for the powerbox to open, so for the spreadsheet to get access to a sensitive file, the user would have to specifically choose that file. The malicious spreadsheet would find it very hard to get access to ".ssh": why would the user choose ".ssh" if Gnumeric opened a powerbox out of the blue without a good reason?
How do powerboxes work?
In order for the powerbox file chooser to provide security, it cannot be implemented by the application or by the libraries the application links against. It must be implemented as a separate, trusted component, and it must run in its own protection domain, so that a compromised application cannot forge the user's choice.
The idea is that the file chooser has a trusted path to the user, so only the user can enter a filename into it. This allows the system to distinguish between requests made by the user and requests made by the application.
Plash's implementation
Arguments to powerbox API
- Whether a file or directory is being requested.
- Open or save: whether the application is requesting an existing file or somewhere to save a new file.
- A start directory: this is a hint only. The powerbox manager checks whether it is a directory the user has already visited using this application's powerbox; if not, the hint is ignored, so the application cannot steer the dialog into a directory the user never chose for it.
- A piece of text that can be displayed in the powerbox window to describe why the application wants to be granted some authority.
- The X window ID of the parent window. The powerbox manager can use this to mark the powerbox window as a child of its parent, using the WM_TRANSIENT_FOR window property (a window manager hint).
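The following is an added example, written for this page and not taken from Plash, that models the two points above: a powerbox manager that sits outside the application's protection domain and is the only party able to turn the user's choice into authority, and the argument list an application passes to it. The names PowerboxRequest, PowerboxManager, effective_start_dir and the "gnumeric" application ID are illustrative assumptions; so is representing the granted authority as an open file descriptor. The sample files and the simulated user are constructed inline. The user is modelled by a callback so the example runs offline with no GUI.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass(frozen=True)
class PowerboxRequest:
    """What the application hands to the powerbox manager (the list above)."""
    want_directory: bool      # request a directory rather than a file
    save: bool                # save (somewhere new) rather than open (existing)
    start_dir: Optional[str]  # a hint only; honoured if the user has been there
    reason: str               # text shown in the dialog explaining the request
    parent_window: int        # X window ID, used to set WM_TRANSIENT_FOR


class PowerboxDenied(Exception):
    """The user cancelled, or the choice cannot be granted as requested."""


# The user is modelled by a callback (assumed, not Plash's API): given the
# directory the dialog opens in and the request, it returns the path the user
# picked, or None if the user cancelled.
UserChooser = Callable[[str, PowerboxRequest], Optional[str]]


class PowerboxManager:
    """Trusted component outside the application's protection domain.

    Only the manager turns a user's choice into authority (here an open file
    descriptor). The application never gets a pathname it could open itself.
    """

    def __init__(self, home: str, chooser: UserChooser) -> None:
        self.home = os.path.realpath(home)
        self.chooser = chooser            # stands in for the trusted-path GUI
        # Per-application record of directories the user has chosen from.
        self.visited: Dict[str, Set[str]] = {}

    def effective_start_dir(self, app_id: str, req: PowerboxRequest) -> str:
        """Honour the app's start directory only if the user already visited it."""
        visited = self.visited.setdefault(app_id, set())
        if req.start_dir is not None:
            hint = os.path.realpath(req.start_dir)
            if hint in visited:
                return hint
        return self.home  # an unvisited hint such as ~/.ssh is ignored

    def request(self, app_id: str, req: PowerboxRequest) -> int:
        """Show the dialog, then grant exactly the file or directory chosen."""
        start = self.effective_start_dir(app_id, req)
        choice = self.chooser(start, req)  # trusted path: only the user fills this
        if choice is None:
            raise PowerboxDenied("user cancelled the powerbox")
        path = os.path.realpath(choice)
        if req.want_directory:
            if not os.path.isdir(path):
                raise PowerboxDenied("user did not choose a directory")
            fd = os.open(path, os.O_RDONLY | getattr(os, "O_DIRECTORY", 0))
            self.visited[app_id].add(path)
        else:
            flags = (os.O_WRONLY | os.O_CREAT | os.O_TRUNC) if req.save else os.O_RDONLY
            fd = os.open(path, flags, 0o600)
            self.visited[app_id].add(os.path.dirname(path))
        return fd


def demo() -> Dict[str, object]:
    """Constructed scenario: a hostile spreadsheet steers the dialog at ~/.ssh."""
    with tempfile.TemporaryDirectory() as home:
        downloads = os.path.join(home, "Downloads")
        ssh = os.path.join(home, ".ssh")
        os.makedirs(downloads)
        os.makedirs(ssh)
        with open(os.path.join(downloads, "report.csv"), "w") as f:
            f.write("q1,100\n")                 # constructed sample data
        with open(os.path.join(ssh, "id_rsa"), "w") as f:
            f.write("not a real key\n")         # constructed stand-in secret

        # The simulated user picks the report in Downloads, whatever directory
        # the application hoped the dialog would show.
        def user(start_dir: str, req: PowerboxRequest) -> Optional[str]:
            return os.path.join(downloads, "report.csv")

        pb = PowerboxManager(home, user)
        hostile = PowerboxRequest(False, False, ssh, "Open linked data", 0x3A00001)
        start_first = pb.effective_start_dir("gnumeric", hostile)
        with os.fdopen(pb.request("gnumeric", hostile)) as f:
            data = f.read()                     # authority arrives as the fd only
        # Downloads is now visited, so a hint pointing there is honoured...
        benign = PowerboxRequest(False, False, downloads, "Open another sheet", 0x3A00001)
        start_second = pb.effective_start_dir("gnumeric", benign)
        # ...but .ssh still is not, however often the document asks.
        start_third = pb.effective_start_dir("gnumeric", hostile)
        try:  # cancelling grants nothing at all
            PowerboxManager(home, lambda s, r: None).request("gnumeric", hostile)
            cancel_denied = False
        except PowerboxDenied:
            cancel_denied = True
        return {
            "hostile_hint_honoured": start_first == os.path.realpath(ssh),
            "data": data,
            "benign_hint_honoured": start_second == os.path.realpath(downloads),
            "hostile_hint_honoured_later": start_third == os.path.realpath(ssh),
            "cancel_denied": cancel_denied,
        }


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the shape of the interface, not the file descriptor mechanics: the application supplies a description and hints, the user supplies the name, and the trusted component is the only one that can open anything. Paths are canonicalised with realpath before they are compared or remembered, so a symlink planted in a visited directory cannot make a later hint look like one the user already approved.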
History
The powerbox concept appears to have first been proposed by Ka-Ping Yee and Miriam Walker in Interaction Design for End User Security (December 2000).
Other trusted-path user interfaces
- Printing: The ability to print a document could be granted via a "print powerbox" dialog
- Copy and paste: Access to the clipboard could be granted via TrustedPathButtons
Other powerbox implementations
Other systems have implemented powerboxes:
- CapDesk, a desktop GUI based around the E programming language
- Polaris, a system for sandboxing Windows applications
The One Laptop Per Child project has recently proposed a powerbox system for its "Bitfrost" security system (see the P_DOCUMENT requirement), currently only a specification.
