Security/B2G/USB file-reading API: Difference between revisions
Jump to navigation
Jump to search
Ptheriault (talk | contribs) No edit summary |
Ptheriault (talk | contribs) No edit summary |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 12: | Line 12: | ||
This feature allows to a b2g device plugged into a computer via a USB cable to be auto-mounted as a file system. Mounting happens automatically, and the entire contents of the sdcard partition are available. | This feature allows to a b2g device plugged into a computer via a USB cable to be auto-mounted as a file system. Mounting happens automatically, and the entire contents of the sdcard partition are available. | ||
Feature Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=737153 | *Feature Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=737153 | ||
Security Review Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=751048 | *Security Review Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=751048 | ||
Wiki: Not available. | *Wiki: Not available. | ||
===Open Questions=== | ===Open Questions=== | ||
| Line 20: | Line 20: | ||
If not, what damage could someone do by modifying files? | If not, what damage could someone do by modifying files? | ||
Is this enabled by default, or by enabling a setting? | Is this enabled by default, or by enabling a setting? | ||
===Architecture Diagram=== | |||
Not applicable as this scenario is limited to a b2g device communicating with a PC via USB. | |||
===Detailed Application Diagram=== | |||
Not applicable due to the simplistic nature of this scenario. | |||
===Data-flow Enumeration=== | |||
Data-flows depend on the actions taken by the user once the file system is mounted. | |||
===Threat Model=== | ===Threat Model=== | ||
{| | {| border="1" | ||
| ID||Title||Threat||Proposed Mitigations||Threat Agent||Rating||Likelihood||Notes||Impact||Notes | | ID||Title||Threat||Proposed Mitigations||Threat Agent||Rating||Likelihood||Notes||Impact||Notes | ||
|- | |- | ||
| Line 35: | Line 44: | ||
===Implementation Requirements=== | ===Implementation Requirements=== | ||
Prevent USB mounting when phone is locked. | #Prevent USB mounting when phone is locked. | ||
Enforce permissions to prevent access to read or modify sensitive files. | #Enforce permissions to prevent access to read or modify sensitive files. | ||
Provide a setting to enable/disable feature, consider disabling by default. | #Provide a setting to enable/disable feature, consider disabling by default. | ||
===Post-review follow-up=== | |||
# Gaia modifies a setting when the phone is locked to prevent UMS. See https://github.com/mozilla-b2g/gaia/pull/1467 for details. | |||
# UMS Mounts /sdcard only which is user data only (no system files) | |||
# Setting is provided under settings->storage, disabled by default | |||
Latest revision as of 08:20, 19 July 2012
Please use "Edit with form" above to edit this page.
Project Info
| USB File Reading API | |
| Project Page | ` |
| Next Milestone | ` |
| Security Resource | ` |
{{#set:Component=USB File Reading API |Project=` |Milestone=` |Resource=` }}
Security Information
| Status: | OK |
| Securtiy Approved for Beta Launch?: | No |
| Data Flow Diagram: | ` |
| Threat Model: | ` |
| Bugs: | ` |
| Security Review: | ` |
| Final Security Approval: | no |
{{#set:Sectrackerstatus=OK |Simpyn=No |DFD=` |TM=` |bugs=` |Secreview=` |SecTrackerFSA=no }}
Background
This feature allows to a b2g device plugged into a computer via a USB cable to be auto-mounted as a file system. Mounting happens automatically, and the entire contents of the sdcard partition are available.
- Feature Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=737153
- Security Review Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=751048
- Wiki: Not available.
Open Questions
Is access read-only? If not, what damage could someone do by modifying files? Is this enabled by default, or by enabling a setting?
Architecture Diagram
Not applicable as this scenario is limited to a b2g device communicating with a PC via USB.
Detailed Application Diagram
Not applicable due to the simplistic nature of this scenario.
Data-flow Enumeration
Data-flows depend on the actions taken by the user once the file system is mounted.
Threat Model
| ID | Title | Threat | Proposed Mitigations | Threat Agent | Rating | Likelihood | Notes | Impact | Notes |
| 1 | Casual data theft | User has data stolen by an attacker who has limited physical access | Disable mounting device while device is locked | Attacker with physical access to the phone | mod | Requires physical device access | Access sensitive data. | ||
| 2 | Casual data tampering | User has data modified by an attacker who has limited physical access | Limiting file access and permissions | Attacker with physical access to the phone | mod | Requires physical device access | Potentially make the phone non-functional | ||
| 3 | Data theft/tampering if device is stolen | Attacker has physical possession of the phone for unlimted time, attempting to read or change devices on the phone | None - an determined attacker who has the device could likely gain access to the file system regardless of this feature (e.g put the device in download mode). Encryption of the file system is the only protection against this threat, and is outside the scope of this feature. | Attacker with physical access to the phone |
Authorization Model
Not applicable.
Implementation Requirements
- Prevent USB mounting when phone is locked.
- Enforce permissions to prevent access to read or modify sensitive files.
- Provide a setting to enable/disable feature, consider disabling by default.
Post-review follow-up
- Gaia modifies a setting when the phone is locked to prevent UMS. See https://github.com/mozilla-b2g/gaia/pull/1467 for details.
- UMS Mounts /sdcard only which is user data only (no system files)
- Setting is provided under settings->storage, disabled by default