#2328 BLOC Trial-3: Bitfrost requires that the 'File New' and 'Share' features be initiated through Sugar itself, not through the activities.

Zarro Boogs per Child bugtracker at laptop.org
Thu Jul 19 15:23:44 EDT 2007


#2328: Bitfrost requires that the 'File New' and 'Share' features be initiated
through Sugar itself, not through the activities.
-----------------------------+----------------------------------------------
 Reporter:  mstone           |       Owner:  dcbw   
     Type:  defect           |      Status:  new    
 Priority:  blocker          |   Milestone:  Trial-3
Component:  sugar            |     Version:         
 Keywords:  security, sugar  |    Verified:  0      
-----------------------------+----------------------------------------------
 To avoid forged file manipulation and sharing requests, we require that
 these privileged operations be initiated by Sugar itself (i.e. from inside
 the trusted computing base) and not by individual activity authors.

 In more detail:

 The present situation in which file opening or sharing is initiated by a
 single click on an activity-drawn button is unacceptable because it allows
 activities to forge requests to access files or to initiate sharing either
 by making such requests without user initiation or by maliciously
 misleading the user.

 Bitfrost is only able to protect the user from such malicious behavior by
 virtue of its ability to determine the user's intent. The only way we
 presently know how to determine such intent is to require that the user
 interact with Sugar itself through a mechanism that cannot be interfered
 with by activities. Mechanisms that enable this authentication of user
 intent include requiring the user to interact with Sugar through the
 activity ring or through a Sugar-drawn top-level dialog (again note: the
 activity must not be able to manipulate input to such a dialog, either by
 explicit control of input events or by visually misleading the user).

 When the Sugar team begins to work on this functionality, they should
 coordinate with the Security team so that we can produce a fully-
 functioning whole.

 As a rough proposal, we offer the following:

 When an activity wants to access files or to initiate sharing, it should
 call an appropriate DBus method in Sugar. This method should in turn query
 the user (perhaps directly, when requesting a file, perhaps subtly, i.e.
 "who would you like to share with?") to ascertain their intent. It should
 then communicate the result of this query to the security service
 (Rainbow) which will enforce an appropriate action.

-- 
Ticket URL: <http://dev.laptop.org/ticket/2328>
One Laptop Per Child <http://laptop.org/>
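The flow proposed in the ticket, as an added, self-contained model that is not Sugar's or Rainbow's code: an untrusted activity may only ask the shell (Sugar) for a file, the shell consults the user through its own dialog, and the shell then hands an authenticated decision to the security service (Rainbow), which grants access. Everything here is a stand-in: the DBus call is a plain method call, the Sugar-drawn dialog is a callback, and Rainbow recognizes the shell's decisions by an HMAC over a secret the activity never holds (on a real system Rainbow would more likely rely on DBus peer credentials or uids; the HMAC is an assumption chosen to make the trust boundary explicit). Paths and activity names are constructed sample data.

```python
import hashlib
import hmac
import secrets


def decision_tag(key: bytes, activity_id: str, path: str) -> bytes:
    """Authenticator over a 'user approved this path for this activity'
    decision. Only Sugar holds `key`, so only Sugar can produce a valid tag."""
    return hmac.new(key, f"{activity_id}|{path}".encode(), hashlib.sha256).digest()


class Rainbow:
    """Security service. It never asks the activity about intent; it only
    enforces decisions that carry Sugar's authenticator."""

    def __init__(self, shell_key: bytes):
        self._key = shell_key
        self._grants = {}  # activity_id -> set of paths it may open

    def grant(self, activity_id: str, path: str, tag: bytes) -> None:
        expected = decision_tag(self._key, activity_id, path)
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("decision was not authenticated by Sugar")
        self._grants.setdefault(activity_id, set()).add(path)

    def open_for(self, activity_id: str, path: str) -> str:
        if path not in self._grants.get(activity_id, ()):
            raise PermissionError(f"{activity_id} has no grant for {path}")
        return f"<fd:{path}>"  # a real service would hand over a descriptor


class Shell:
    """Sugar (inside the trusted computing base). Holds the key, draws the
    dialog, and is the only route by which a grant can come into being."""

    def __init__(self, rainbow: Rainbow, key: bytes, ask_user):
        self._rainbow = rainbow
        self._key = key
        # ask_user(activity_id, suggested_path) -> chosen path or None; it
        # stands in for the Sugar-drawn top-level dialog the activity cannot
        # draw into or inject input events into.
        self._ask_user = ask_user

    def request_file(self, activity_id: str, suggested_path: str):
        """The method an activity would invoke over DBus. The activity's
        suggestion is only a hint; what the user picks is what gets granted."""
        chosen = self._ask_user(activity_id, suggested_path)
        if chosen is None:
            return None
        tag = decision_tag(self._key, activity_id, chosen)
        self._rainbow.grant(activity_id, chosen, tag)
        return chosen


class Activity:
    """Untrusted code. It can call Sugar and Rainbow but holds no key."""

    def __init__(self, activity_id: str, shell: Shell, rainbow: Rainbow):
        self.id = activity_id
        self._shell = shell
        self._rainbow = rainbow

    def open_honestly(self, path: str):
        chosen = self._shell.request_file(self.id, path)
        return None if chosen is None else self._rainbow.open_for(self.id, chosen)

    def open_without_asking(self, path: str) -> str:
        """Forgery 1: skip Sugar and demand the file from Rainbow directly."""
        return self._rainbow.open_for(self.id, path)

    def open_with_forged_decision(self, path: str) -> str:
        """Forgery 2: fabricate a 'the user said yes' message for Rainbow."""
        self._rainbow.grant(self.id, path, decision_tag(b"guess", self.id, path))
        return self._rainbow.open_for(self.id, path)


def run_scenarios() -> dict:
    """Constructed scenario: the user approves the photo and declines the
    private file; the activity then tries both ways of forging access."""
    key = secrets.token_bytes(32)
    rainbow = Rainbow(key)

    def user(activity_id, suggested):
        return suggested if suggested == "/journal/photo.png" else None

    shell = Shell(rainbow, key, user)
    act = Activity("org.example.Paint", shell, rainbow)
    private = "/home/olpc/private.txt"

    results = {
        "approved": act.open_honestly("/journal/photo.png"),
        "declined": act.open_honestly(private),
    }
    for name, attempt in (("skip_sugar", act.open_without_asking),
                          ("forged_decision", act.open_with_forged_decision)):
        try:
            attempt(private)
            results[name] = "granted"
        except PermissionError:
            results[name] = "denied"
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The property the ticket asks for falls out of where the key lives: an activity can draw any button it likes and call Rainbow as often as it likes, but the only grant Rainbow will honor is one whose tag was computed by Sugar after Sugar's own dialog returned the user's choice.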
