17.2. Chameleon User InterfaceThis section describes the current version of the Chameleon interface and highlights issues we considered in its design that are specific to security interfaces. Security as a secondary (or tertiary, or lower-priority) task means not only that the security operations must be easy to use, but also that they cannot interfere too much with the primary task or tasks. We designed the Chameleon interface to be easy to use itself, and also to not intrude on the ordinary activities that people want to perform. To make Chameleon easy to understand and use, we used popular interfaces such as Microsoft Windows and the Macintosh as a starting point. Chameleon uses separate, overlapping windows to display applications and to browse and manage files. The Chameleon design attempts to add or modify this interface style only as much as necessary to support roles. The role features are designed to be simple, so they are easy to understand and convenient to use. Chameleon has evolved over time through two low-fidelity (paper) prototypes and one software prototype, based on lessons learned in user studies. These old versions of the interface are shown in Figures 17-1 and 17-2. The current implementation is under development; a schematic of how its screen will be laid out is shown in Figure 17-3.
If you design user interfaces or web sites, low-fi prototyping can be a very useful tool. If you'd like to learn more, consult the books devoted to low-fi prototyping.[10]
Users need to be aware of what role each program and file belong to. Otherwise, a user might put an untrustworthy application, such as a game downloaded from an untrusted web site, in the same role as valuable data, such as personal financial records. To make roles visible, all windows and icons in Chameleon have a colored border that shows what role they belong to. Windows also have the role name in their titlebar. As an extra cue indicating what role the user is currently working with, all windows that do not belong to Figure 17-1. Low-fidelity prototypeFigure 17-2. Visual Basic prototypethe currently active role are dimmed slightly. We plan to study whether this level of notification will give users a sufficient level of role awareness. Figure 17-3. Schematic of the Chameleon X Windows implementation; cross-hatched regions are controlled by trusted software; gradient areas are controlled by end-user applications; application borders indicate their roleOf course, in addition to being aware of roles, users also need to interact with roles. Specifically, Chameleon supports these role-based actions:
Based on user testing, the current design provides the following methods for these actions. Because the role to which a file belongs is tied to what directory it is in, the user can copy and move files across roles, just like copying and moving files within a role, simply by dragging and dropping the file from a folder that belongs to one role to a folder that belongs to another. A file can also be copied or cut to the clipboard in one role, and pasted into another. Sometimes, a user may want to access a file that belongs to role A from an application that belongs to role B. For example, the email application running in the Communications role might want to attach a file from the Vault role. The user could copy the file to the Communications role, but this would be cumbersome. An easier way is to use a file dialog box that has been enhanced to know about roles, as shown in Figure 17-4. An important issue with the design of security interactions in Chameleon is how easy they should be. Security in Chameleon comes from role separation. So if, for example, moving or copying files across roles is too easy, people might do it too readily, without considering the security implications. Although this is a risk, Chameleon errs on the side of convenience because experience with other security technologies shows that people are very willing to work around mechanisms they deem too inconvenient. Even if users move or copy some files across roles in a way that exposes them, that is better than abandoning Chameleon altogether and losing its benefits for all their other files, too. Figure 17-4. Role-aware file dialog box from low-fidelity prototype; the role palette on the left side chooses the role to browse; the "Roles" button hides and shows the role paletteThe decision to require all files in the same directory to belong to the same role seemed simple, straightforward, and easy to understand and use. Then we considered the desktop, where it is likely that people will want to put files and applications from different roles side by side. Showing all files from all roles at the same time could make for a messy desktop. But showing only files that belong to the currently active role could be confusing, and would require users to remember what role a file belonged to. Applications, too, can be installed in multiple rolesfor example, a simple text editor might be useful in many roles. As with files, we considered a verbose and a concise option for displaying desktop icons for an application installed in multiple roles. The verbose option is to show a separate icon for each role in which the application could run. The concise option is to show only a single icon but to change the color of its border depending on the role of the active window. If the application is available in the active role, we would color its icon border to match; otherwise, we would color it gray to indicate that it is not available in that role. Our user studies so far indicate that people have strong preferences about which display style to use for iconsstrong, but different, preferences, unfortunately. There is a slight preference for separate icons for files and applications, so that is the default. Given that nearly half of people prefer the other, it should be easy to change. The next section describes the interface development process, and issues that we discovered from user testing and analysis.
|