UAB's security model is designed for enterprise environments where AI agents need controlled, auditable access to desktop applications. Security is built into every phase of the Smart Function Discovery pipeline β from scan to action.
- Threat Model
- Trust Boundaries
- Permission & Safety Model
- Credential Handling
- Audit Trail
- Rate Limiting
- Network Security
- Governance Integration
- Responsible Disclosure
- API Key Authentication (v1.0.0)
- ELECTRON_ENABLE_REMOTE_DEBUGGING
UAB interacts with desktop applications through OS-level automation APIs. It can:
- Read UI element trees (labels, values, states)
- Perform UI actions (click, type, navigate)
- Read/write application data (cells, documents, cookies)
- Send keyboard input
- Manage windows (move, resize, minimize, close)
- Take screenshots
- No file system access β UAB does not read or write files directly. All interaction is through application UI or automation APIs.
- No network requests β UAB does not make outbound network calls (except localhost CDP connections to browsers/Electron apps).
- No process injection β UAB does not inject code into target processes. It uses existing debug/automation interfaces.
- No kernel-level hooks β UAB operates entirely in user space through documented Windows APIs.
- No credential storage β UAB does not store, cache, or transmit credentials.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Trust Zone 1 β
β Agent Runtime β
β β
β The agent (Claude, GPT, etc.) issues commands β
β to UAB. The agent is trusted to make reasonable β
β requests within its permission scope. β
ββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββ
β
ββββββββββΌβββββββββ Trust Boundary βββββββββ
β
ββββββββββββββββββββββ΄βββββββββββββββββββββββββββββββββ
β Trust Zone 2 β
β UAB Service β
β β
β UAB validates, rate-limits, and audits every β
β action before execution. Destructive actions β
β can be gated behind confirmation. β
β β
β ββββββββββββββββββββββββββββββββββββββββββββββββ β
β β Permission Manager β β
β β - Risk classification (safe/moderate/dest.) β β
β β - Rate limiting (100 actions/min per PID) β β
β β - Audit logging (all actions recorded) β β
β β - Destructive action gating β β
β ββββββββββββββββββββββββββββββββββββββββββββββββ β
ββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββ
β
ββββββββββΌβββββββββ Trust Boundary βββββββββ
β
ββββββββββββββββββββββ΄βββββββββββββββββββββββββββββββββ
β Trust Zone 3 β
β Target Applications β
β β
β Desktop apps controlled via their own automation β
β interfaces (CDP, COM, UIA). UAB has the same β
β access as the logged-in user β no privilege β
β escalation. β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
UAB operates with the same permissions as the logged-in user. It cannot:
- Access apps running in other user sessions
- Bypass UAC prompts
- Access protected system processes
- Escalate privileges
If the user can't click a button, UAB can't click it either.
Every action is classified by risk level before execution:
| Risk Level | Actions | Default Behavior |
|---|---|---|
| Safe | click, doubleclick, rightclick, focus, hover, scroll, screenshot, minimize, maximize, restore, move, resize | Always allowed |
| Moderate | type, clear, select, check, uncheck, toggle, expand, collapse, invoke, keypress, hotkey | Allowed, logged |
| Destructive | close | Configurable: allow or block |
When blockDestructive: true is configured:
- Agent requests
closeaction - PermissionManager blocks it
- Agent must call
confirmDestructive(pid)first - Only then does
closesucceed - Confirmation can be revoked with
revokeDestructive(pid)
This prevents accidental window closure and data loss.
const perms = new PermissionManager({
blockDestructive: true, // Require confirmation for close
rateLimit: 50, // 50 actions per minute per PID
rateLimitWindow: 60000, // 1-minute window
maxAuditEntries: 5000, // Keep last 5000 actions
exemptPids: new Set([pid]) // PIDs exempt from rate limiting
});UAB does not:
- Store API keys or passwords
- Cache authentication tokens
- Save browser session cookies to disk
- Record sensitive form field values in audit logs
When using the BrowserPlugin, UAB can read/set cookies via CDP. This is:
- Same-origin scoped β only cookies the browser would expose to DevTools
- Session-scoped β UAB connection to CDP is ephemeral
- Logged β all cookie operations appear in the audit trail
- Not persisted β UAB does not write cookies to its own storage
Office COM automation objects are:
- Created per-connection
- Released on disconnect
- Not serialized or cached
- Garbage collected by the .NET runtime
Every action goes through the audit system:
{
timestamp: 1709500000000, // Unix timestamp (ms)
pid: 1234, // Target process
appName: "EXCEL.EXE", // Application name
action: "writeCell", // Action performed
elementId: "cell-A1", // Target element
riskLevel: "moderate", // Risk classification
allowed: true, // Whether action was permitted
reason: undefined // Block reason (if blocked)
}// Get last 50 actions
const log = perms.getAuditLog(50);
// Get actions for specific app
const excelLog = perms.getAuditForPid(excelPid, 100);
// Via CLI (Telegram bot)
/uabaudit 20- Default: last 1000 entries (configurable)
- In-memory only β not persisted to disk
- Clears on service restart
- For persistent audit logging, configure
UAB_LOG_FILEenvironment variable
- 100 actions per PID per 60 seconds
- Sliding window implementation
- Configurable per PermissionManager instance
When rate-limited, actions are blocked with:
{
allowed: false,
riskLevel: "safe",
reason: "Rate limited: 100/100 actions in 60s window"
}const status = perms.getRateLimitStatus(pid);
// { count: 85, remaining: 15, resetMs: 23000 }Specific PIDs can be exempted from rate limiting:
const perms = new PermissionManager({
exemptPids: new Set([trustedPid])
});All UAB network connections are localhost only:
| Protocol | Endpoint | Purpose |
|---|---|---|
| CDP WebSocket | ws://localhost:<port> |
Electron/Browser control |
| HTTP Server | http://0.0.0.0:3100 |
UABServer REST API |
| Chrome Extension | ws://localhost:8787 |
Extension bridge |
| PowerShell | Local process | UIA/COM execution |
UAB makes zero outbound internet connections.
- CDP debugging ports are not exposed by default
- For Electron apps, the
--remote-debugging-portflag must be explicitly set - For browsers, UAB discovers or configures the debug port locally
- Ports are bound to
127.0.0.1(loopback only)
UAB's permission and audit systems are designed as extension points for enterprise governance:
- Custom PermissionManager β Subclass or wrap to integrate with your policy engine
- Audit log export β Read audit entries and forward to SIEM/logging infrastructure
- Risk level override β Reclassify actions based on organizational policy
- PID allowlisting β Restrict UAB to approved applications only
- Action allowlisting β Restrict to specific action types
import { PermissionManager } from 'universal-app-bridge';
class EnterprisePermissions extends PermissionManager {
private allowedApps: Set<string>;
constructor(allowedApps: string[]) {
super({ blockDestructive: true, rateLimit: 50 });
this.allowedApps = new Set(allowedApps);
}
check(pid: number, action: ActionType, app?: DetectedApp) {
// Only allow approved applications
if (app && !this.allowedApps.has(app.name)) {
return { allowed: false, riskLevel: 'safe', reason: 'Application not approved' };
}
return super.check(pid, action, app);
}
}If you discover a security vulnerability in UAB, please report it responsibly:
- Do not open a public GitHub issue
- Email: security@your-org.com (replace with actual contact)
- Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if you have one)
| Stage | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix development | Depends on severity |
| Coordinated disclosure | After fix is released |
| Severity | Description | Example |
|---|---|---|
| Critical | Remote code execution, privilege escalation | UAB bypasses session isolation |
| High | Data exfiltration, unauthorized app control | Audit log bypass |
| Medium | Rate limit bypass, permission misconfiguration | Race condition in permission check |
| Low | Information disclosure, minor DoS | Verbose error messages expose internals |
UABServer now requires API key authentication for all POST endpoints.
- The API key is generated during installation and persisted locally
- All requests must include
X-API-Key: <key>header - GET /health is exempt (used for daemon health checks)
- The server binds to 0.0.0.0:3100 to allow VM access, but the API key prevents unauthorized use
- The key is stored at:
- Windows:
%LOCALAPPDATA%\UAB Bridge\api-key - macOS:
~/Library/Application Support/UAB Bridge/api-key
- Windows:
The installer sets ELECTRON_ENABLE_REMOTE_DEBUGGING=1 as a user environment variable. This enables CDP access to Electron apps for full DOM inspection. Security implications:
- Only affects apps launched by the current user
- CDP is bound to localhost only
- Required for deep UI inspection of Electron apps (ChatGPT, VS Code, Slack, etc.)
When deploying UAB in production:
- Enable destructive action blocking β
blockDestructive: true - Set conservative rate limits β Start with 50/min, adjust up
- Configure audit logging β Set
UAB_LOG_FILEfor persistent logs - Restrict to known apps β Use PID/name allowlists
- Monitor the audit trail β Pipe to your SIEM
- Keep UAB updated β Security fixes are released as patches
- Run with minimal privileges β Don't run UAB as Administrator unless necessary
- Lock the desktop session β UAB requires an interactive desktop session; ensure it's secured