Symbian:
Platform Security
Unit of Trust
• Platform Security Controls what a Process/Application can Do
• A Process is the Smallest Unit of Trust
• Processes are Either
  – Built into the Phone by the Manufacturer, or
  – Installed on the Phone After It has Left the Manufacturing Unit
Four Tiers of Trust
• Trusted Computing Base (TCB)
• Trusted Computing Environment (TCE)
• Trusted (Signed) Software
• Untrusted Software
Trusted Computing Base (TCB)
• Most Trusted Part of Symbian OS
• Holds the Highest Level of Privileges
• Examples
  – Kernel
  – File Server
  – Software Installer
Trusted Computing Environment (TCE)
• Considered Less Trusted than the TCB
• Has Fewer Privileges than the TCB
• Each Component/Process has Only Those Privileges Required for Carrying out its Tasks
• Examples
  – Window Server can Access only Screen Hardware
  – Telephony Server can Access only Communication Hardware
Signed Software
• Software which is Signed by a Trusted Authority
• Required Permissions are Granted if Included in the Signed Software
Unsigned Software
• Software which is Not Signed by a Trusted Authority, or is Self-Signed
• Does Not Necessarily Mean that the Software is Malicious
• Unsigned Software is Sandboxed, i.e. Cannot Perform Actions which Require Sensitive Operations
• Generally Manufacturers Require that Software is Signed Before it can Even be Installed on the Device
Capability Model
• A Capability is the Unit of Protection
• Sensitive APIs are Protected using Capabilities
• Each Process is Assigned a Level of Privilege
• Privileges Indicate which Security Sensitive Operations a Process can Perform
• The Kernel Holds a List of Capabilities for Each Running Process
• Capabilities are Discrete
• Capabilities are Listed in the Project Definition File
Broad Categories of Capabilities
• TCB Capability
• System Capabilities
• User Capabilities
User Capabilities
• These are Security Concepts that a Phone User can Understand
  – The User can Decide whether to Install Software that Accesses his/her Personal Data
  – Examples
    • Local Services—Bluetooth, USB, Infrared Connections
    • Location—Access to Data Giving the Location of the Phone
    • Network Services—Over the Air Data Services
    • Read/Write Access to User Confidential Data
System Capabilities
• System Capabilities Allow a Process to Access Sensitive Operations
• Generally Only Symbian Signed Software is Granted System Capabilities
• Examples
  – Read and Write Access to the File System
  – Access to Device Drivers
  – Power to Kill Any Process
  – Cause the Phone to Go into Standby State, Wake Up, or Power Down Completely
  – Access to All Communications Equipment Device Drivers
TCB Capability
• Possessed by Members of the TCB Only, i.e. Kernel, Device Drivers, etc.
• Includes All System and User Capabilities
• Example
  – Loading Program Code
Capability Rules
• The Capabilities of a Process Never Change During its Lifetime
• A Process can Only Load a DLL if that DLL is Trusted with At Least the Same Capabilities as that Process
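An added example (not from the slides) that parses the CAPABILITY statement of a Symbian .mmp project definition file into a bitmask and applies the DLL-loading rule and the API-access check; the bit layout and the function names are this example's own choice, while kCapBits holds the twenty capability names the signing table later in the deck lists.

```cpp
#include <cstdint>
#include <map>
#include <sstream>
#include <string>

// Capability set modelled as a bitmask: one bit per capability.
using CapSet = std::uint32_t;
// The 20 capability names exactly as they appear in a CAPABILITY statement.
static const std::map<std::string, CapSet> kCapBits = {
    {"LocalServices", 1u << 0},  {"Location", 1u << 1},
    {"NetworkServices", 1u << 2}, {"ReadUserData", 1u << 3},
    {"UserEnvironment", 1u << 4}, {"WriteUserData", 1u << 5},
    {"PowerMgmt", 1u << 6},      {"ProtServ", 1u << 7},
    {"ReadDeviceData", 1u << 8}, {"SurroundingsDD", 1u << 9},
    {"SwEvent", 1u << 10},       {"TrustedUI", 1u << 11},
    {"WriteDeviceData", 1u << 12}, {"CommDD", 1u << 13},
    {"DiskAdmin", 1u << 14},     {"NetworkControl", 1u << 15},
    {"MultimediaDD", 1u << 16},  {"AllFiles", 1u << 17},
    {"DRM", 1u << 18},           {"TCB", 1u << 19},
};

// Parse the plain-list form of an .mmp CAPABILITY line, e.g.
//   CAPABILITY ReadUserData WriteUserData   ("CAPABILITY NONE" = empty set)
// An unknown name returns false so a typo cannot silently change the set.
bool parseMmpCapability(const std::string& line, CapSet& out) {
    std::istringstream in(line);
    std::string tok;
    out = 0;
    if (!(in >> tok) || tok != "CAPABILITY") return false;
    while (in >> tok) {
        if (tok == "NONE") continue;
        auto it = kCapBits.find(tok);
        if (it == kCapBits.end()) return false;
        out |= it->second;
    }
    return true;
}

// Loading rule: the DLL must be trusted with at least every capability the
// process holds, otherwise less-trusted code would run with the process's
// privileges. A process capability missing from the DLL refuses the load.
bool canLoadDll(CapSet processCaps, CapSet dllCaps) {
    return (processCaps & ~dllCaps) == 0;
}

// API check: the caller must hold every capability the API is protected by.
bool canUseApi(CapSet processCaps, CapSet requiredCaps) {
    return (requiredCaps & ~processCaps) == 0;
}
```

Because the process's set never changes, a DLL signed with more capabilities than the process does not raise the process's privileges; the check only decides whether the load is permitted.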
Identifiers for Executable Applications
• Unique Identifier (UID)
  – Each Executable Has Unique Identifiers
• Secure Identifier (SID)
  – Used to Identify the Private Directory the Process can Access
  – Used to Uniquely Identify the Application when it Makes an Inter-Process Call
• Vendor Identifier (VID)
  – Used to Uniquely Identify a Vendor
Data Caging
• Also Called File Access Control
• Allows Protection of Private Data
• Both User and System Files Can be Protected
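An added example (not from the slides) of how data caging ties the SID's private directory to the AllFiles and TCB capabilities, using the Symbian OS v9 directory rules as documented for the platform rather than anything stated on this slide: \sys is readable only with AllFiles and writable only by the TCB, \resource is readable by all and writable only by the TCB, and \private\<SID> is unrestricted for its owner, readable by others only with AllFiles and writable by others only with TCB. The SIDs, paths, bit positions and function names are constructed for the example.

```cpp
#include <cctype>
#include <cstdint>
#include <string>

// Only two capabilities matter for data caging; the bit positions are this
// example's own choice.
using CapSet = std::uint32_t;
constexpr CapSet kAllFiles = 1u << 0;  // read access to any caged directory
constexpr CapSet kTcb      = 1u << 1;  // write access to caged system directories

enum class Access { Read, Write };

static std::string lower(std::string s) {
    for (auto& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

static bool startsWith(const std::string& path, const std::string& prefix) {
    return path.compare(0, prefix.size(), prefix) == 0;
}

// Decide whether a process with secure ID `sid` (8 hex digits, as used for
// its private directory name) and capabilities `caps` may perform `access`
// on the drive-relative `rawPath`, e.g. "\\private\\10203F4C\\settings.ini".
bool dataCageAllows(const std::string& sid, CapSet caps, Access access,
                    const std::string& rawPath) {
    const std::string path = lower(rawPath);
    const bool read = (access == Access::Read);
    const bool allFiles = (caps & kAllFiles) != 0;
    const bool tcb = (caps & kTcb) != 0;
    if (startsWith(path, "\\sys\\"))       // executables and system data
        return read ? allFiles : tcb;
    if (startsWith(path, "\\resource\\"))  // shared read-only resources
        return read ? true : tcb;
    if (startsWith(path, "\\private\\")) { // one caged directory per SID
        const std::string own = "\\private\\" + lower(sid) + "\\";
        if (startsWith(path, own)) return true;   // the owner is unrestricted
        return read ? allFiles : tcb;             // anyone else needs a capability
    }
    return true;  // everything else (e.g. \\data\\) is public
}
```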
Symbian Signed
Symbian Signed
• Allows Symbian Software Developers to Obtain a Digital Signature for their Applications
• Does Not Guarantee Completely Correct Application Behavior
• What Does it Guarantee?—A Minimum Quality Level
  – Applications Do Not
    • Block Incoming Calls
    • Overwrite the File System
    • Refuse to Shut Down
  – If Uninstalled, the Application Does Not Leave any Files Behind
  – In Resource Critical Situations, the Application Behaves Well
  – And Others…
Symbian Signed Testing Criteria
• Two Groups of Tests
  – Universal Tests (UNI)
    • Test Basic Application Reliability and Robustness
    • Examples: Stress Testing, Correct Installation, Uninstall, Compliance with System Events, Out of Memory Errors, etc.
  – Capability Related Tests (CAP)
    • Perform Tests Related to Specific Capabilities
    • Examples: Platform Security Features; VoIP Applications Must Not Interfere with GSM-based Telephony Functions
Signing Options
• Open Signed
  – Developer Certificate Based Signing for Developers Without a Publisher ID
  – Can be Used for Testing, Non-Commercial or Personal Use
  – Deployment is Restricted by Device IMEI
• Express Signed
  – Signing Option that Does Not Require Independent Testing
  – Available Capabilities are Restricted
• Certified Signed
  – Mainstream Signing Option Based on Independent Testing
  – Provides Access to Most Capabilities
Signing Options

Signing Option        Publisher ID Required   Independent Testing Required   IMEI Restrictions   For Commercial Distribution
Open Signed Online    No                      No                             Yes                 No
Open Signed Offline   Yes                     No                             Yes                 No
Express Signed        Yes                     No                             No                  Yes
Certified Signed      Yes                     Yes                            No                  Yes
Capabilities and Signing

Capability Type: User Capabilities
  Capability Names: LocalServices, Location, NetworkServices, ReadUserData, UserEnvironment, WriteUserData
  Description: User Capabilities are designed to be meaningful to mobile phone users. Depending on Device Manufacturer security policies, users may be able to grant blanket or single-shot permission to applications which use these Capabilities
  Availability: All signing options

Capability Type: System Capabilities
  Capability Names: PowerMgmt, ProtServ, ReadDeviceData, SurroundingsDD, SwEvent, TrustedUI, WriteDeviceData
  Description: System Capabilities that protect system services, device settings, and some hardware features
  Availability: All signing options

Capability Type: Restricted Capabilities
  Capability Names: CommDD, DiskAdmin, NetworkControl, MultimediaDD
  Description: Restricted Capabilities that protect file system, communications, and multimedia device services
  Availability: Open Signed (with Publisher ID) & Certified Signed

Capability Type: Manufacturer Capabilities
  Capability Names: AllFiles, DRM, TCB
  Description: Trusted Computing Base and System Capabilities that protect the most sensitive system services
  Availability: Require Manufacturer Approval
Which Applications Require Signing (Symbian Signed)?
• For Symbian OS v9 and Above
  – Applications that Need to Access APIs Protected by System Capabilities Must be Signed
  – Applications that Do Not Use Protected APIs May Require a Signature if the Device Implementation Enforces It
  – Applications that Need Only User Capabilities May Require a Signature if the Device Implementation Enforces It
  – Applications that Need Manufacturer Capabilities are Required to Go Through the Manufacturer Defined Signing Process
• There is No Requirement to Sign Applications Targeted at Versions of Symbian OS Earlier than v9