
Tizen's new access-control broker "Cynara"


Posted Jun 20, 2014 11:56 UTC (Fri) by smurf (subscriber, #17840)
In reply to: Tizen's new access-control broker "Cynara" by Siosm
Parent article: Tizen's new access-control broker "Cynara"

> There is no need to ask the user again to confirm an action because
> the action has already been triggered by the user and no one else.

This assumes that the system is able to securely determine that, yes, this action has been initiated by the user. I do not believe that this assumption holds in any way.

The solution is rather simple -- you ask the first time, and offer an option to *remember* that decision.

SuperSU on Android gets that right.
The warning you see when you start a VPN connection does not.



Tizen's new access-control broker "Cynara"

Posted Jun 20, 2014 15:40 UTC (Fri) by Siosm (subscriber, #86882)

> This assumes that the system is able to securely determine that, yes, this action has been initiated by the user. I do not believe that this assumption holds in any way.

This is indeed part of the prerequisites, and this is something already ensured with Wayland/Weston (not with X, but Tizen supports Wayland). User input is managed by the compositor, cannot be forged, and is directed only to the corresponding window, thus it can be trusted.

Embedding trusted widgets inside another application can be done using Wayland subsurfaces (or another protocol extension if subsurfaces turn out not to be flexible enough).

Confining trusted widgets to ensure that they are not influenced in any way by another process can be done using SELinux (or maybe even AppArmor).

For a discussion regarding Wayland input security, see: http://mupuf.org/blog/2014/02/19/wayland-compositors-why-...

> The solution is rather simple -- you ask the first time, and offer an option to *remember* that decision.

This is unacceptable for two reasons:
* Asking once is already too much when you don't have to: you get horrible results as users *have already been trained to answer any confirmation dialog with yes all the time*. See http://research.microsoft.com/en-us/um/people/cormac/pape... for a complete analysis of the cost of some "security features" for users;
* There is no obvious way offered to the user to revert a *remembered* answer.

Tizen's new access-control broker "Cynara"

Posted Jun 20, 2014 21:20 UTC (Fri) by mathstuf (subscriber, #69389)

> Asking once is already too much when you don't have to: you get horrible results as users *have already been trained to answer any confirmation dialog with yes all the time*.

Have they done research with putting verbs on the buttons rather than Yes/No or OK/Cancel? I think putting verbs in the button text might help get the idea of the action across (I know I've clicked the wrong one before due to a double negative in the dialog text).

