Secure GUI Programs

Norman Feske norman.feske at ...1...
Thu Jan 14 11:33:57 CET 2016

Hi Ben,

On 12.01.2016 23:07, Nobody III wrote:
> I've been thinking about writing graphical utilities (e.g. a file
> manager), but I'm not sure whether I should be using Qt. Can I consider
> Qt secure for things such as rendering filenames from untrusted
> filesystem servers? If not, what do you suggest?

I would start with using Qt5. There is no serious alternative toolkit
available on Genode anyway. The only other options were to wait until a
different toolkit becomes available, to port a different toolkit, or to
build a new toolkit from scratch. None of those options seems
attractive if you want to implement a file manager right now.

For a security assessment, you have to take the (1) attack surface and
(2) reach of a security breach into account:

1. Is it exposed to the network? Which inputs does it handle (you
   mentioned file names) and where do those inputs come from?

2. Is it prone to leak information between different security domains?
   I.e., does it deal with only one or multiple file systems? Can it
   merely read data but not modify a file system? What can happen in
   the worst case?

> Another question: for previews/thumbnails (e.g. for icons), is it
> reasonably efficient to render the preview for each file in its own
> process, or should I batch them together?

The best approach would be to try it out, starting with the simplest
solution (creating a sandboxed component per image). If it turns out to
be too slow, you can still think about processing multiple images in one


Dr.-Ing. Norman Feske

Genode Labs GmbH · District Court Dresden · HRB 28424 · Registered office: Dresden
Managing directors: Dr.-Ing. Norman Feske, Christian Helmuth
