Check out the new USENIX Web site.

USENIX Home . About USENIX . Events . membership . Publications . Students
13th USENIX Security Symposium — Abstract

Pp. 165–178 of the Proceedings

Design of the EROS Trusted Window System

Jonathan S. Shapiro, John Vanderburgh, and Eric Northup, Johns Hopkins University; David Chizmadia, Promia Inc.


Window systems are the primary mediator of user input and output in modern computing systems. They are also a commonly used interprocess communication mechanism. As a result, they play a key role in the enforcement of security policies and the protection of sensitive information. A user typing a password or passphrase must be assured that it is disclosed exclusively to the intended program. In highly secure systems, global policies concerning information flow restrictions must be honored. Most window systems today, including X11 and Microsoft Windows, have carried forward the presumptive trust assumptions of the Xerox Alto from which they were conceptually derived. These assumptions are inappropriate for modern computing environments.

In this paper, we present the design of a new trusted window system for the EROS capability-based operating system. The EROS Window System (EWS) provides robust traceability of user volition and is capable (with extension) of enforcing mandatory access controls. The entire implementation of EWS is less than 4,500 lines, which is a factor of ten smaller than previous trusted window systems such as Trusted X, and well within the range of what can feasibly be evaluated for high assurance.

  • View the full text of this paper in PDF.
    Click here if you have forgotten your password Until August 2005, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2004 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.

  • If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
To become a USENIX Member, please see our Membership Information.

?Need help? Use our Contacts page.

Last changed: 12 Aug. 2004 aw
Technical Program
Security '04 Home