Trusted Labeling & Input

The preliminary labeling scheme discussed in Section 6 relies on the window manager to obtain the label from a property attached to each window and display it in the window's decoration. This scheme is subject to spoofing attacks, since a malicious client application could recreate window decorations itself, misleading or confusing the user.

A more secure method would be to reserve an area of the screen for displaying labels. This area would be off-limits to client drawing; the server itself would be responsible for drawing the labels as the input focus changes from window to window. This scheme is employed by Solaris Trusted Extensions for X [2].

Secure input, input event labeling, and trusted path are areas that need addressing. However, the input subsystems in the X server are in a state of churn as new features are added. For example, recently improved device hotplugging support was added, which has resulted in deep changes to the server. Other proposals on the table include support for multiple concurrent mouse pointers and new ways for selecting input focus on windows for use in 3D environments. This author does not plan to study the X input model in depth until development has settled down.