path: root/Events/XDC2014/Program.mdwn
author mperes <mperes@web> 2014-09-13 08:27:11 -0700
committer xorg <iki-xorg@freedesktop.org> 2014-09-13 08:27:11 -0700
commit 97cad76b7a6863a58d8b761fa59fa430baa854cd (patch)
tree 38bfc0586fb0321364894651008c8bc5eceda8d8 /Events/XDC2014/Program.mdwn
parent 8316d84d26dab18690a0e99cd9a4850748b376a2 (diff)
Add a presentation about security from Steve and me
Diffstat (limited to 'Events/XDC2014/Program.mdwn')
-rw-r--r-- Events/XDC2014/Program.mdwn | 15
1 files changed, 15 insertions, 0 deletions
diff --git a/Events/XDC2014/Program.mdwn b/Events/XDC2014/Program.mdwn
index d94dddf2..876b3142 100644
--- a/Events/XDC2014/Program.mdwn
+++ b/Events/XDC2014/Program.mdwn
@@ -404,3 +404,18 @@ This talk will explain why we did a complete transition to XCB in KWin and the s
As a C++ application using a low level C library is not particularly thrilling to the developers especially as it can be error-prone. The KWin development team went a long way to make using XCB inside the code base as convenient as possible and safe using advanced features of C++ like RAII and variadic templates. The talk will explain why we introduced wrappers for XCB and illustrates the advantages from a coding point of view. As these wrappers do not dependent on other parts of KWin and are mostly template based header only implementations they might be of interest for other C++ projects interacting with XCB.
Author: Martin Gräßlin
+
+### Security in Wayland-based desktop environments: Privileged clients, authorization, authentication and sandboxing!
+
+We have been talking about security in the Graphics Stack for some time. Wayland has fixed all the problems we had ... but at the expense of usability and accessibility as applications are now unable to perform any sensitive task such as taking screenshots or injecting input events. Indeed, some applications (especially the ones related to accessibility) really *DO* require privileged capabilities and should work across the different Wayland compositors. Before designing privileged interfaces, it was thus necessary to think about how to handle privileged clients securely.
+The biggest issue with handling privileged clients is not how to grant them the rights, it is about making sure that the user understands what is going on on his/her system. This sometimes require to capture the user's intent somewhere in the TCB (Trusted Code Base), often in the compositor.
+
+In February, we proposed a way to handle privileged clients. We first started by listing different ways of capturing the user's intent in the Wayland compositor. We then talked about how to expose the current security threats and vulnerabilities to user by adding an icon to the systray allowing the user both to see the security properties that may become violated and by which programs. The user could then revoke the rights away from an application for the current instance or any further instance.
+
+We also proposed a way to delegate security decisions within the compositor to a centralized security decision engine such as SELinux, AppArmor or polkit. This would allow distro developers to ship applications with their security policy for the system and the graphical environment. We called this proposition Wayland Security Module (WSM) because they resemble the Linux Security Module interface found in the Linux kernel. An android-like system could thus be implemented where the package manager displays the capabilities required by the application and the user would select the permission he/she gives to the application. The same policy could be shared across all the Desktop Environments thanks to the common WSM interface that would need to be used by all the wayland compositors. Work on the WSM is currently on its way.
+
+This leads us to another GUI-related problem of applications, they need to be able to access files only when the user wants it to. Capturing the user's intent when it comes to giving permission to an application to open a file requires to delegate the file chooser to an external process. Doing so has several challenges that we will talk about before showing our proposition and show you our interface (both from the code and the GUI perspective).
+
+Currently, any application can pretend to be your DE's window that asks for credentials. This inspired us to look into the different of authorization and authentication UIs on major OSes and their problems. We finally proposed several ways of making your DE's authentication window be unspoofable by making it trivial for a user to check its legitimacy.
+
+Authors: Martin Peres & Steve Dodier
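Review bot: the expansion of TCB in the second paragraph of the new abstract is wrong; it should read "TCB (Trusted Computing Base)", not "Trusted Code Base", since the point being made is that the compositor is the component the rest of the system trusts, not merely code that is trusted. The same sentence should say "This sometimes requires". A few more grammar points in the added text: "We called this proposition Wayland Security Module (WSM) because they resemble" should be "because it resembles"; "An android-like system" should be "An Android-like system"; "access files only when the user wants it to" should be "wants them to"; and "look into the different of authorization and authentication UIs" is missing a word (likely "the different authorization and authentication UIs" or "the differences between authorization and authentication UIs"). Also, "Wayland has fixed all the problems we had" reads as an overstatement in an abstract that goes on to list open problems (privileged clients, file access, spoofable credential dialogs); "Wayland has addressed the problems we had identified" would be more accurate. Finally, the neighbouring entries use "Author:" (see the Gräßlin entry above), so check that "Authors:" is the intended form for multi-author talks elsewhere in this file.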