[EROS-Arch] Re: [E-Lang] Interaction Design for End-User Security
Mark S. Miller
markm@caplet.com
Fri, 16 Mar 2001 21:21:15 -0800
At 05:01 PM Friday 3/16/01, Ka-Ping Yee wrote:
>As i'm sure you all realize, the user interface is critical since
>it communicates intent, and it is only from an interpretation of
>that intent that a meaningful definition of security is possible.
>
>Miriam Walker and i worked together on a paper last semester to
>describe and apply a set of design principles for usable security.
>Mark has encouraged me to post it here for review. Here it is:
>
> http://www.cs.berkeley.edu/~pingster/sec/project/
>
>We're very interested in your thoughts on the topic and look
>forward to your comments on the paper.
I'd like to emphasize just how crucially important this work is, as well as
how good it is. Security isn't very meaningful if humans can't be securely
included. Prior to this work, the only serious works I know on user
interface/interaction security are
* Good work from the old command line days, such as the "attention key"
notion so a user can be sure they're talking to the login program when they
see an alleged login prompt.
* "Why Johnny Can't Encrypt" http://www.cs.cmu.edu/~alma/johnny.pdf
explaining why PGP's graphical UI fails as a secure UI. It's a great paper,
but it only has the bad news: Why secure GUI design is hard, but no hope that
we may eventually succeed at it.
(* Concurrently with this work, MarcS has been working on CapWT and the
secure caplet launcher. The two efforts learned from each other, but are
very different.)
And that's about it. There are probably other prior works, in which case
I'd love to hear about them, as would others on this list. But for me, this
groundbreaking paper was the first concrete image I've ever had of what a
secure general purpose GUI design might look like. And the first
demonstration that a secure GUI could still be a usable GUI. Even,
possibly, more usable.
Never again will the GUI area be one where security folks throw up their
hands and exclaim, "It's critical, but no one has any idea what to do
about it." (Yes, I have heard such exclamations, and not only from myself
;).) The presence of one concrete design establishes that such designs are
possible, and so starts this important new subfield.
Miriam & Ping, if it's ok with you, I've announced this work on the erights
home page.
I'm cross-posting this to the EROS list, because this vision of a secure GUI
for a secure platform is at least as relevant for EROS, as EROS has the
potential to be a basis for a truly comprehensive no-compromise secure
platform.
Cheers,
--MarkM