Security/B2G/USB file-reading API: Difference between revisions
Older revision: Ptheriault (talk | contribs), no edit summary
Newer revision: Ptheriault (talk | contribs), edit summary: Initial security review
Revision as of 08:12, 17 May 2012
Project Info

| Field | Value |
|---|---|
| Component | USB File Reading API |
| Project Page | |
| Next Milestone | |
| Security Resource | |
Security Information

| Field | Value |
|---|---|
| Status | OK |
| Security Approved for Beta Launch? | No |
| Data Flow Diagram | |
| Threat Model | |
| Bugs | |
| Security Review | |
| Final Security Approval | No |
Background

This feature allows a B2G device plugged into a computer via a USB cable to be auto-mounted as a file system. Mounting happens automatically, and the entire contents of the sdcard partition are available to the host.

Feature Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=737153
Security Review Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=751048
Wiki: Not available.
Open Questions

Is access read-only?
If not, what damage could someone do by modifying files?
Is this enabled by default, or by enabling a setting?
Threat Model

| ID | Title | Threat | Proposed Mitigations | Threat Agent | Rating | Likelihood | Likelihood Notes | Impact | Impact Notes |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Casual data theft | User has data stolen by an attacker who has limited physical access | Disable mounting while the device is locked | Attacker with physical access to the phone | mod | | Requires physical device access | | Access sensitive data. |
| 2 | Casual data tampering | User has data modified by an attacker who has limited physical access | Limiting file access and permissions | Attacker with physical access to the phone | mod | | Requires physical device access | | Potentially make the phone non-functional |
| 3 | Data theft/tampering if device is stolen | Attacker has physical possession of the phone for unlimited time, attempting to read or change data on the phone | None. A determined attacker who has the device could likely gain access to the file system regardless of this feature (e.g. by putting the device in download mode). Encryption of the file system is the only protection against this threat, and is outside the scope of this feature. | Attacker with physical access to the phone | | | | | |
Authorization Model
Not applicable.
Implementation Requirements

Prevent USB mounting when the phone is locked.
Enforce permissions to prevent access to read or modify sensitive files.
Provide a setting to enable/disable the feature; consider disabling it by default.
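The three requirements above reduce to one policy decision: given the lockscreen state, the user's opt-in setting and whether a USB cable is attached, which volume (if any) is exported to the host. The JavaScript below is an added example written for this page, not Gecko or Gaia code; the setting names ums.enabled and lockscreen.locked and the event shapes are assumptions used only as object keys, and the volume list and event sequence are constructed. It also makes explicit a point the second requirement leaves open: USB mass storage exports a block device, which the host mounts with its own filesystem driver, so per-file permissions on the phone cannot restrict what the host reads or writes; the control that can actually be enforced is which partition is exported at all.

```javascript
'use strict';

// Added example for this review page; not Gecko/Gaia code. The setting keys
// 'ums.enabled' and 'lockscreen.locked' are assumed names and are only used
// as keys in a plain object.

// Requirement 3: the feature ships disabled and the user must opt in.
const DEFAULT_SETTINGS = Object.freeze({
  'ums.enabled': false,
  'lockscreen.locked': true,
});

// Requirement 2, as far as mass storage can enforce it: only removable media
// is ever exported. The host mounts the exported block device with its own
// filesystem driver, so file permissions on the phone do not apply to it;
// keeping the system and data partitions out of this set is the real control.
const EXPORTABLE_VOLUMES = new Set(['sdcard']);

// Pure policy: which volume names should be exported over USB right now.
// volumes: [{name, mounted}], settings: plain object, usbConnected: boolean.
function exportsFor(volumes, settings, usbConnected) {
  if (!usbConnected) return [];
  if (settings['ums.enabled'] !== true) return [];
  // Requirement 1: nothing is exported while the lockscreen is up. A missing
  // or malformed value is treated as locked (fail closed).
  if (settings['lockscreen.locked'] !== false) return [];
  return volumes
    .filter((v) => v.mounted && EXPORTABLE_VOLUMES.has(v.name))
    .map((v) => v.name);
}

// Feed a sequence of setting/USB events through the policy and record the
// export/unexport actions a controller would have to issue after each one.
function runScenario(volumes, events, initialSettings = DEFAULT_SETTINGS) {
  const settings = { ...initialSettings };
  let usbConnected = false;
  let exported = new Set();
  const actions = [];

  for (const ev of events) {
    if (ev.type === 'usb') usbConnected = ev.connected;
    else if (ev.type === 'setting') settings[ev.key] = ev.value;
    else throw new Error(`unknown event type: ${ev.type}`);

    const wanted = new Set(exportsFor(volumes, settings, usbConnected));
    for (const name of exported) if (!wanted.has(name)) actions.push(`unexport ${name}`);
    for (const name of wanted) if (!exported.has(name)) actions.push(`export ${name}`);
    exported = wanted;
  }
  return actions;
}

// Constructed sample: three volumes and a typical user session.
const SAMPLE_VOLUMES = [
  { name: 'system', mounted: true },
  { name: 'data', mounted: true },
  { name: 'sdcard', mounted: true },
];
const SAMPLE_EVENTS = [
  { type: 'usb', connected: true },                            // plugged in; UMS off, locked
  { type: 'setting', key: 'ums.enabled', value: true },        // opted in, but still locked
  { type: 'setting', key: 'lockscreen.locked', value: false }, // unlocked: export sdcard only
  { type: 'setting', key: 'lockscreen.locked', value: true },  // relocked: unexport it
  { type: 'usb', connected: false },                           // unplugged: nothing left to do
];

const SAMPLE_ACTIONS = runScenario(SAMPLE_VOLUMES, SAMPLE_EVENTS);
console.log(SAMPLE_ACTIONS); // [ 'export sdcard', 'unexport sdcard' ]
```

In a real controller each "export" would unmount the volume locally and hand the block device to the USB gadget, and each "unexport" would reverse that; keeping that side-effect layer separate from exportsFor is what makes the lockscreen transitions (the case threat 1 cares about) easy to test in isolation. The read-only question from Open Questions would slot in the same way, as an extra flag on the exported volume rather than a change to the decision itself.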