Gdestuynder (talk | contribs) (Added road map, cleaned up features) |
Gdestuynder (talk | contribs) (supervisor process task) |
Line 26: | Line 26: | ||
* Ensure several layers of security are being correctly used in the operating system | * Ensure several layers of security are being correctly used in the operating system | ||
* Limit and contain the impact of vulnerabilities caused by security bugs, system-wide | * Limit and contain the impact of vulnerabilities caused by security bugs, system-wide | ||
* Web application permissions and any application related security feature | * Web application permissions and any application related security feature are not detailed here | ||
* Expose a road-map of the upcoming system-related security features | * Expose a road-map of the upcoming system-related security features | ||
=== Road Map === | === Road Map === | ||
{| | {| | ||
|Feature||Implementation Status||Priority/Importance|| | ||Feature||Implementation Status||Priority/Importance|| | ||
|- | |- | ||
|Seccomp|https://bugzilla.mozilla.org/show_bug.cgi?id=790923 (ASAP)||High|| | ||Seccomp||https://bugzilla.mozilla.org/show_bug.cgi?id=790923 (ASAP)||High|| | ||
|- | |- | ||
|GL Proxy|N/A||High|| | ||GL Proxy||N/A||High|| | ||
|- | |- | ||
|Supervisor process|https://bugzilla.mozilla.org/show_bug.cgi?id=845191 (Soon)||High|| | ||Supervisor process||https://bugzilla.mozilla.org/show_bug.cgi?id=845191 (Soon)||High|| | ||
|- | |- | ||
|RBAC (MAC)|N/A|Medium|| | ||RBAC (MAC)||N/A|Medium|| | ||
|- | |- | ||
|Disk Encryption|https://bugzilla.mozilla.org/show_bug.cgi?id=777917||Medium|| | ||Disk Encryption||https://bugzilla.mozilla.org/show_bug.cgi?id=777917||Medium|| | ||
|- | |- | ||
|ASLR|https://bugzilla.mozilla.org/show_bug.cgi?id=777948 (Soon)||Medium|| | ||ASLR||https://bugzilla.mozilla.org/show_bug.cgi?id=777948 (Soon)||Medium|| | ||
|- | |- | ||
|Compiler hardening|https://bugzilla.mozilla.org/show_bug.cgi?id=620058||Medium|| | ||Compiler hardening||https://bugzilla.mozilla.org/show_bug.cgi?id=620058||Medium|| | ||
|- | |- | ||
|JIT hardening|https://bugzilla.mozilla.org/show_bug.cgi?id=677272||Low|| | ||JIT hardening||https://bugzilla.mozilla.org/show_bug.cgi?id=677272||Low|| | ||
|- | |- | ||
|Implement automated compliance testing of security features|N/A||Medium|| | ||Implement automated compliance testing of security features||N/A||Medium|| | ||
|- | |- | ||
|Integrity measurements|N/A|Low|| | ||Integrity measurements||N/A|Low|| | ||
|} | |} | ||
==== RBAC (Role Based Access Control) ==== | == Features implementation details, risk analysis, discussion == | ||
Features get scoped here, before going into a tracking bug if they're selected to be worked on. Each feature should in general include some sort of risk analysis (or a threat model), and some implementation details. | |||
==== Supervisor process ==== | |||
=== Risks === | |||
* Parent process (b2g) is compromised, gives full device access (run as root with no restriction). | |||
=== Implementation === | |||
* Create a new, small footprint process called "Supervisor". | |||
** Supervisor provides the following features: | |||
*** Start system update (Any kind of - Gecko and full system updates) | |||
*** Shutdown, Reboot system | |||
*** Adjust process priorities (nice/renice) | |||
*** Adjust OOM killer values (oom_adjust) | |||
*** Possibly, load kernel modules at process startup. If not, the init process should take care of starting the necessary scripts for this task. | |||
*** Drop privileges of spawned subprocesses | |||
** Supervisor DOES NOT provide the following features: | |||
*** XPCOM | |||
*** JS runtime | |||
*** Any other such gecko feature. This is not gecko. It MAY link to libxul and use a subset of features for IPC communication only. | |||
* the b2g process should run as system:system instead of root:root. | |||
* the supervisor process should run as root:root. | |||
* Select an IPC mechanism. It may use libxul for this (such as IPDL). | |||
See also bugs (up for discussion): | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=845736 | |||
* https://bugzilla.mozilla.org/show_bug.cgi?id=845738 | |||
=== RBAC (Role Based Access Control) === | |||
=== Risks === | |||
* TBD | |||
=== Implementation === | |||
RBAC is implemented by various frameworks, including SELinux, RSBAC RC, and GrSecurity RBAC. | RBAC is implemented by various frameworks, including SELinux, RSBAC RC, and GrSecurity RBAC. | ||
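Review bot: the Supervisor section lists the operations the root process will perform on behalf of b2g but not how it authenticates and validates each request, and that is the whole point of the split: once "the b2g process should run as system:system" and "the supervisor process should run as root:root", the IPC interface is the new privilege boundary and a compromised b2g can do exactly what that interface lets it do. Suggest adding under Implementation that the supervisor checks the caller's identity (peer credentials on the IPC socket) and constrains every argument (which processes may be reniced or have their oom_adjust changed, which update image may be applied, what uid/gid a spawned subprocess is dropped to) instead of accepting values verbatim. Two related points: "Possibly, load kernel modules at process startup" should be a fixed list loaded once at boot rather than an operation reachable over IPC, and "It MAY link to libxul and use a subset of features for IPC communication only" works against "small footprint"; if libxul is linked, name the subset and the reason. Minor: the Road Map table still uses a single pipe in "||RBAC (MAC)||N/A|Medium||" and "||Integrity measurements||N/A|Low||", so those two cells merge when rendered.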
Line 74: | Line 109: | ||
** Security policy can be extensive and eventually require modifications to run on different devices. | ** Security policy can be extensive and eventually require modifications to run on different devices. | ||
== Disk encryption == | === Disk encryption === | ||
=== Risks === | ==== Risks ==== | ||
* Device is stolen and attacker has full access to the user's data storage | * Device is stolen and attacker has full access to the user's data storage | ||
=== Proposed Implementation === | ==== Proposed Implementation ==== | ||
* Android already uses disk encryption in a relatively sane manner and their approach may be re-used, see http://source.android.com/tech/encryption/android_crypto_implementation.html - Password handling should be revisited (different encryption/unlock passwords, better derivation of the password, as Android needs a very long password to resist brute force attacks). | * Android already uses disk encryption in a relatively sane manner and their approach may be re-used, see http://source.android.com/tech/encryption/android_crypto_implementation.html - Password handling should be revisited (different encryption/unlock passwords, better derivation of the password, as Android needs a very long password to resist brute force attacks). | ||
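Review bot: "better derivation of the password" under Proposed Implementation leaves the actual requirement unstated; suggest naming the key derivation approach (a salted, iterated KDF with the cost chosen for the device's CPU) and recording that the partition key is a random key wrapped by the derived key, so that "different encryption/unlock passwords" has a concrete mechanism and changing the unlock password does not require re-encrypting the partition.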
Line 105: | Line 140: | ||
** Ensures no data is left unencrypted on the flash device | ** Ensures no data is left unencrypted on the flash device | ||
== Address Space Layout Randomization (ASLR) == | === Address Space Layout Randomization (ASLR) === | ||
=== Risks === | ==== Risks ==== | ||
* Loading libraries and application code at predictable or fixed addresses leads to easy exploitation of memory corruption vulnerabilities | * Loading libraries and application code at predictable or fixed addresses leads to easy exploitation of memory corruption vulnerabilities | ||
=== Proposed Implementations === | ==== Proposed Implementations ==== | ||
* Upgrade Gonk to Jelly Bean's build system (newer GCC version, and complete ASLR support) | * Upgrade Gonk to Jelly Bean's build system (newer GCC version, and complete ASLR support) | ||
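Review bot: "complete ASLR support" in the Jelly Bean build-system item should spell out what is expected to be randomized, since randomizing library load addresses alone leaves the main executable at a fixed address unless it is built as PIE; suggest listing executable (PIE), shared libraries, stack, heap and mmap base as separate items so the "Implement automated compliance testing of security features" entry in the Road Map has something concrete to verify on a device.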
Line 122: | Line 157: | ||
** May lead to slower process startup and high performance penalties - however, recent builds of B2G pre-start a content-process, which may hide any performance penalty | ** May lead to slower process startup and high performance penalties - however, recent builds of B2G pre-start a content-process, which may hide any performance penalty | ||
== Updates: Proposed Additional Implementation: Tracking of applications versions for known security patches == | === Updates: Proposed Additional Implementation: Tracking of applications versions for known security patches === | ||
A version tracking mechanism is necessary in order to decide when components of B2G need to be updated due to a security vulnerability. | A version tracking mechanism is necessary in order to decide when components of B2G need to be updated due to a security vulnerability. |
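Review bot: the Updates paragraph states that version tracking is necessary but not what is tracked; suggest stating that each component (Gecko, the Gonk libraries, the kernel) records the upstream version it was built from and that the mechanism maps those versions to the bug or advisory that fixes them, otherwise there is nothing to compare against when deciding whether a component "needs to be updated due to a security vulnerability".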