Security

This document aims to explore in depth the security considerations around Mir based compositors.

Threat Model

Mir is a C++ library for building compositors, not a product itself. As such, when discussing the threat model for Mir, it is useful to discuss it in terms of an actual product that is built on Mir. With this in mind, we will define the threat model of Ubuntu Frame in this document.

Ubuntu Frame Threat Model Diagram

Ubuntu Frame is published as a snap. As such, the threat model for frame assumes that the snap is secure, and proceeds to outline the frame snap’s interactions with the outside world.

Snap
input
screen content
content/input
input
contents/configuration
configuration
visuals
help message
input events
properties
vnc
window contents
input/window management
Mir-based Shell
VNC Server
On-screen Keyboard
VNC Client
Snapd
Operator App
User
Display
App

Cryptography

There is no cryptography used in Mir, no direct dependency on en/decryption, hashing or digital signatures.