Thursday, June 5, 2008

Capabilities categorisation

•Full file system privilege
…Reserved for Trusted Computing Base
…Capabilities: TCB, AllFiles, CommDD, DiskAdmin
•Extended privileges
…Reserved for the Trusted Computing Environment
…Generally user is never aware
…Capabilities: PowerMgmt, MultimediaDD, ReadDeviceData, WriteDeviceData, ProtServ, DiskAdmin, NetworkControl, SwEvent, SurroundingsDD, DRM, etc.
•Basic privileges
…Can be understood and, in some cases, granted by user
…Capabilities: NetworkServices, LocalServices, ReadUserData, WriteUserData, UserEnvironment, Location

Trusted Computing

•Trusted Computing Base (TCB)
…New Kernel, EKA2
…New Software Install
…File server & Loader
•Trusted Computing Environment (TCE)
…All important system servers (e.g. ETel, ESock, WServ, etc.)

Process Identification

•Each executable now contains a Secure ID (SID)
•Secure IDs are guaranteed to be locally unique
…Hence \private\\
•SIDs will come from a specific part of the UID range
•SID is specified by the SECUREID keyword in an .mmp file
…If not given, UID3 is used; otherwise KNullID

Data Caging

•Separating code from data
•File-system structure changes
…\sys, \resource, \private\, \
…Executables will be placed in and only run from \sys\bin
•Processes are confined to their own part of the file-system
•Access rules based on directory path
…Single user, no access control list required
…No extra storage needed
•Support for removable media file systems
…Tamper evidence for binaries
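
As an added illustration (not part of the original slides), the following Python model applies the data-caging rules above to a file path, using only the caller's SID and its capability set; the per-directory rules (AllFiles to read \sys and another process's \private area, TCB to write \sys, \resource or another process's \private area) are the documented v9 rules, and the SIDs, capability sets and paths are constructed sample values.

```python
# Added illustration, not code from the original slides: a model of the
# Symbian OS v9 data-caging rules. Access is decided from the top-level
# directory of the path, the caller's Secure ID (SID) and its capabilities.
from dataclasses import dataclass
from pathlib import PureWindowsPath

TCB = "TCB"
ALL_FILES = "AllFiles"


@dataclass(frozen=True)
class Process:
    sid: int                  # Secure ID: locally unique, names \private\<sid>
    capabilities: frozenset   # fixed for the lifetime of the process


def _components(path: str):
    """Split a Symbian-style path (drive optional) into lower-cased parts."""
    p = PureWindowsPath(path)
    return [c.lower() for c in p.parts if c != p.anchor]


def is_allowed(proc: Process, path: str, write: bool) -> bool:
    """Return True if `proc` may read (write=False) or write (write=True) `path`."""
    comps = _components(path)
    top = comps[0] if comps else ""
    if top == "sys":
        # \sys (including \sys\bin): only the TCB may write; reading needs AllFiles.
        return TCB in proc.capabilities if write else ALL_FILES in proc.capabilities
    if top == "resource":
        # \resource: readable by everyone, but only the TCB may modify it.
        return TCB in proc.capabilities if write else True
    if top == "private":
        # \private\<SID>: the owning process has full access to its own area;
        # any other process needs AllFiles to read and TCB to write it.
        owner = comps[1] if len(comps) > 1 else ""
        if owner == f"{proc.sid:08x}":
            return True
        return TCB in proc.capabilities if write else ALL_FILES in proc.capabilities
    # Everything else (e.g. \Documents or the root) is public: no capability needed.
    return True


if __name__ == "__main__":
    # Constructed sample processes: an ordinary application and a TCB component.
    app = Process(sid=0x10003A5B, capabilities=frozenset({"ReadUserData"}))
    tcb = Process(sid=0x10003A3F, capabilities=frozenset({TCB, ALL_FILES}))
    for proc, path, write in [(app, r"C:\private\10003a5b\settings.dat", True),
                              (app, r"\sys\bin\app.exe", False),
                              (tcb, r"C:\sys\bin\app.exe", True)]:
        print(f"sid={proc.sid:08x} {'write' if write else 'read '} {path}: "
              f"{'allowed' if is_allowed(proc, path, write) else 'denied'}")
```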

A capability

A capability is a statement of trust
•Every executable is tagged at build time with a set of capabilities; this applies to both EXEs and DLLs
•At run time, every process has a set of capabilities
•Capabilities of a process never change
•Capabilities are assigned based on which APIs a process needs and therefore is authorised to use
•Capabilities, and the policing of them, are transparent to API users

Scope of Platform Security

•Includes:
…Symbian OS & device drivers
…User interface
…Applications
•Excludes:
…Hardware
…Network infrastructure
…Remote servers

When we talk about Platform Security…

•it is about
…protecting phone integrity
…protecting sensitive data
…controlling access to sensitive operations
•it is not about
…encrypting data
…scanning for viruses
…managing public key infrastructure

Why a finer-grained Platform Security model?

•Phones are open, networked & data communication devices
•Users expect their phones to be highly reliable
•Users care about their privacy – and their phone bills
•Mobile networks are not like the internet – they can restrict access
•The existing "Perimeter Security" model enables unrestricted access to all phone capabilities once an application is installed

What is Symbian OS v9.x Platform Security?

•It follows a per-process capability-based model
•It compartmentalises the system, according to access capabilities, to APIs and files
•It makes sure that users can make policy decisions they understand
•It is Kernel mediated but server enforced
•It is a fine-grained way to efficiently restrict or completely prevent unauthorised access to sensitive APIs and data on the mobile phone while keeping the device open to developers