Techniques are disclosed to provide security for user input in which a
first, host operating system is used along with a second, high assurance
operating system, where the first system provides at least some of the
infrastructure for the second system. Two modes are presented. In a first
mode, user data is passed to the host operating system. In a second mode,
user data is retained in the second operating system for the use of the
second operating system or processes running on the second operating
system. Transitions between the modes can be accomplished according to
hypothecated user actions such as keystroke combinations, or when the
user performs an action which indicates a programmatic activation of a
process running in the second operating system. Where shadow graphical
elements are run by the first operating system to indicate the location
of graphical elements from processes running on the second operating
system, this programmatic activation may be indicated by programmatic
activation of a shadow graphical element.
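
The two modes and both transition triggers can be modeled as a small input router; this is an added illustration, not code from the disclosure. The key combination, the event tuples, the element ids, and the choices to consume the combination and to let the host see the shadow activation are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    STANDARD = 1  # first mode: user input is passed to the host OS
    SECURE = 2    # second mode: input stays with the high-assurance OS

# Assumption: the text only says "keystroke combinations"; this one is made up.
TOGGLE_COMBO = frozenset({"ctrl", "alt", "f12"})

@dataclass
class InputRouter:
    shadow_ids: frozenset  # shadow elements the host draws for secure-side windows
    mode: Mode = Mode.STANDARD
    host_seen: list = field(default_factory=list)
    secure_seen: list = field(default_factory=list)

    def handle(self, event):
        kind, value = event
        if kind == "combo" and frozenset(value) == TOGGLE_COMBO:
            # User-initiated transition; the combination is consumed, not forwarded.
            self.mode = Mode.SECURE if self.mode is Mode.STANDARD else Mode.STANDARD
            return self.mode
        # Route according to the mode in force when the event arrives.
        (self.secure_seen if self.mode is Mode.SECURE else self.host_seen).append(event)
        if kind == "activate" and value in self.shadow_ids:
            # Activating a shadow element signals that the user wants the
            # secure-side process behind it, so later input is retained.
            self.mode = Mode.SECURE
        return self.mode

def replay(events, shadow_ids=("shadow-1",)):
    router = InputRouter(frozenset(shadow_ids))
    for ev in events:
        router.handle(ev)
    return router

# Constructed event stream of (kind, value) tuples.
SAMPLE = [
    ("key", "a"),
    ("activate", "shadow-1"),
    ("key", "p"), ("key", "w"),
    ("combo", ("ctrl", "alt", "f12")),
    ("key", "b"),
]

if __name__ == "__main__":
    r = replay(SAMPLE)
    print("host saw:  ", r.host_seen)
    print("secure saw:", r.secure_seen)
```

Keystrokes typed between the shadow activation and the key combination never reach the host-side queue, which is the property the second mode is meant to provide.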