Test the implementation for security vulnerabilities

[langweg]

The implementation should be tested for security vulnerabilities by providing attack samples, e.g.

• a program that tries to interfere with installing the application
• a program that tries to modify the binaries of the application
• a program that tries to modify the configuration of the application
• a program that tries to access the process memory of the application while it is running
• a program that tries to inject another thread into the application while it is running
• a program that tries to start another process on the secure desktop
• a program that tries to send window messages to the application
• a program that tries to take a screenshot of the secure desktop
• a program that tries to simulate the applications visible on the secure desktop

Once this issue is addressed, it makes sense to create sub-issues dealing with individual attacks.

[SailReal]

We looked at the individual points with the following results:

1. not enough knowledge for the remaining time to implement
2. not enough knowledge for the remaining time to implement
3. ACL of config are set to only allow admin access -> modifying is not possible
4. not enough knowledge for the remaining time to implement
5. not enough knowledge for the remaining time to implement
6. all files sent to the service are parsed as config files, if this fails we exit
   & should be prevented by peters token
7. windows messages can only be sent to processes on the same desktop -> labeler runs on the secure desktop and is the only process which has a custom message loop
8. not sure how this can be achieved from the default desktop
9. is possible, but not preventable

Maybe that would be a good side topic.

[bencikpeter]

9. Isn´t the picture there for exactly this reason?

[langweg]

Yes, the picture should be available only to the cage labeller. The attack program could try to read the picture from the config file (and fail) and could try to show the wrong picture. The point here is that the attack program could be used in an experiment where unsuspecting users could be observed whether or not they detect that the wrong picture is shown (or if they do not care):