Consumer electronics systems are becoming increasingly connected, increasingly sophisticated and increasingly at risk from security threats. This presentation considers whether the use of high-level operating systems in consumer electronics can help address these risks.
2. Is Security an Issue?
Connectivity means exposing an attack surface to the outside world
Trend to “apps with everything”
  downloadable active content extends the market life of a consumer electronics device
  provides additional revenue opportunities
  but also provides additional attack surface
There will be attackers
  hackers making a name for themselves
  researchers proving a point
  individuals cracking DRM for fun and profit
  criminals attempting to defraud users and steal personal data
3. Is a High-Level Operating System Good for Security?
Not necessarily – some downside
  Complete Symbian Platform and associated tools contain 40 million lines of code
  Similar figures for other HLOSes (Linux, iOS, Windows CE)
  Security assurance of so much code is effectively impossible
But it can bring significant benefits
  Application Security Framework
    nobody wants to repeat the PC malware explosion
  Content Protection
    to prevent copying and redistribution of commercial content
  User Data Controls
    users need easy-to-understand and enforceable privacy controls
4. The Least-Privilege Principle Can Help
Requires a modular platform architecture rather than a monolithic one
Ensures that the majority of the code base is running with the minimum privileges necessary to perform each task
  Security assurance effort can then be concentrated on the small amount of highly privileged code
Minimises the risk posed by security vulnerabilities due to design or implementation errors
Allows tight sandboxing of third-party code while still enabling rich functionality
5. Symbian Platform: Capability Architecture
Trusted Computing Base (TCB): kernel, installer, file server; full access to all APIs and files
Trusted Computing Environment (TCE): servers with selected “system capabilities”
Most third-party apps need only “user capabilities”
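The three-tier split of slides 4 and 5 (TCB, TCE servers with a few system capabilities, third-party apps with user capabilities only), as an added example in Python rather than Symbian C++. This is illustrative code written for this page, not platform code. The capability names follow Symbian's published capability names, but the subset shown, its grouping into user/system/TCB sets, the two servers and their per-request policies are assumptions chosen to show where the checks sit; nothing here describes how the real servers are implemented.

```python
"""Model of a capability-based least-privilege platform (TCB / TCE / user apps)."""
from dataclasses import dataclass
from enum import Flag, auto


class Cap(Flag):
    """Capabilities, grouped as the slides group them. Names follow Symbian's
    published capability names; the subset and grouping are an assumption."""
    NONE = 0
    # "user capabilities": a user can reasonably be asked to grant these at install time
    LocalServices = auto()
    NetworkServices = auto()
    ReadUserData = auto()
    WriteUserData = auto()
    UserEnvironment = auto()
    # "system capabilities": only granted to vetted (signed) software
    ReadDeviceData = auto()
    WriteDeviceData = auto()
    CommDD = auto()
    # TCB capabilities: kernel, installer, file server only
    TCB = auto()
    AllFiles = auto()


USER_CAPS = (Cap.LocalServices | Cap.NetworkServices | Cap.ReadUserData
             | Cap.WriteUserData | Cap.UserEnvironment)
SYSTEM_CAPS = Cap.ReadDeviceData | Cap.WriteDeviceData | Cap.CommDD
TCB_CAPS = Cap.TCB | Cap.AllFiles


@dataclass(frozen=True)
class Process:
    """A running process: its capability set is fixed at creation (frozen),
    so compromised code inside it cannot grant itself more."""
    name: str
    caps: Cap

    def has(self, needed: Cap) -> bool:
        # Every bit in `needed` must be present; capabilities are never inferred.
        return (self.caps & needed) == needed


@dataclass
class Server:
    """A TCE server: runs with only the system capabilities its job needs and
    checks each client request against the capabilities that request needs.
    Policy is per request, so one server can expose both cheap and sensitive APIs."""
    proc: Process
    policy: dict  # request name -> Cap the caller must hold

    def handle(self, client: Process, request: str) -> str:
        needed = self.policy[request]
        if not client.has(needed):
            raise PermissionError(
                f"{self.proc.name}: {client.name} lacks {needed} for {request}")
        return f"{self.proc.name} did {request} for {client.name}"


def install(app: str, requested: Cap, signed_for_system: bool) -> Process:
    """The installer (part of the TCB) decides what an installed app may hold."""
    if requested & TCB_CAPS:
        raise PermissionError(f"{app}: TCB capabilities cannot be installed")
    if (requested & SYSTEM_CAPS) and not signed_for_system:
        raise PermissionError(f"{app}: system capabilities require signing")
    return Process(app, requested)


def denied(fn, *args) -> bool:
    """True if the call is refused by a capability check."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


# Two hypothetical TCE servers, each holding only the system capability it needs.
CONTACTS = Server(Process("contacts-server", Cap.ReadDeviceData),
                  {"read_contacts": Cap.ReadUserData,
                   "write_contacts": Cap.WriteUserData})
TELEPHONY = Server(Process("etel", Cap.CommDD),
                   {"dial": Cap.NetworkServices,
                    "set_radio_params": Cap.WriteDeviceData})


def demo() -> list:
    """An unsigned third-party app with two user capabilities: what it can and cannot do."""
    app = install("social-app", Cap.NetworkServices | Cap.ReadUserData, False)
    results = [CONTACTS.handle(app, "read_contacts"), TELEPHONY.handle(app, "dial")]
    for srv, req in ((CONTACTS, "write_contacts"), (TELEPHONY, "set_radio_params")):
        try:
            srv.handle(app, req)
        except PermissionError as e:
            results.append(f"denied: {e}")
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the model is where the trust boundaries fall: only `install` and the servers' `policy` tables need to be right for the platform to hold, and those are a small fraction of the code, which is the assurance argument of slide 4. A server holding a system capability does not pass it on; a client that lacks `WriteDeviceData` is refused `set_radio_params` even though the telephony server itself could perform it.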
6. Over the Horizon: Privacy Labelling
Symbian platform has the notion of “user data”, and the ReadUserData and WriteUserData capabilities
  doesn’t, however, identify which user data is intended to be shared and which to be kept private
Could borrow the concept of “sensitivity labels” from the classic MLS (Multi-Level Secure) Orange Book systems
  principle is that the sensitivity label is indivisible from the data
Labels could be set in one application (e.g. the camera app) and then acted upon in another (e.g. a file sharing app)
  should be preserved even when files are moved or copied
Useful (essential?) for interfacing to social networking services
  but it currently isn’t implemented (“you can trust us” attitude?)
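The labelling scheme sketched on slide 6, as an added example written for this page; the slide says the platform does not implement it, so this is not Symbian code and the three-level label set, the "high-water mark" rule for derived files and the per-destination clearances are assumptions about how such a scheme could work. The sample file contents are constructed.

```python
"""Sensitivity labels bound to user data, propagated through copy/move/derive,
and enforced at the point where data would leave the device."""
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """Ordered sensitivity levels (assumed set; a real scheme might differ)."""
    PUBLIC = 0    # may leave the device freely
    FRIENDS = 1   # may be sent to trusted contacts only
    PRIVATE = 2   # stays on the device (or goes to on-device backup)


@dataclass(frozen=True)
class LabelledFile:
    """Content and label are one immutable object: there is no way to hold the
    content without its label, which is the 'indivisible' property of the slide."""
    path: str
    content: bytes
    label: Label


class FileStore:
    """File-server side: every operation carries the label with the bytes."""

    def __init__(self):
        self._files: dict = {}

    def create(self, path: str, content: bytes, label: Label) -> LabelledFile:
        f = LabelledFile(path, content, label)
        self._files[path] = f
        return f

    def get(self, path: str) -> LabelledFile:
        return self._files[path]

    def copy(self, src: str, dst: str) -> LabelledFile:
        s = self._files[src]
        return self.create(dst, s.content, s.label)  # label travels with the copy

    def move(self, src: str, dst: str) -> LabelledFile:
        f = self.copy(src, dst)
        del self._files[src]
        return f

    def derive(self, dst: str, content: bytes, *sources: str) -> LabelledFile:
        # Output built from several inputs is at least as sensitive as its most
        # sensitive input (the MLS high-water mark rule, assumed here).
        label = max((self._files[s].label for s in sources), default=Label.PUBLIC)
        return self.create(dst, content, label)


@dataclass
class ShareService:
    """File-sharing app: each destination has a clearance; a file may go there
    only if its label does not exceed that clearance (no write-up to a less
    trusted destination)."""
    clearance: dict  # destination -> highest Label it may receive
    sent: list = field(default_factory=list)

    def share(self, f: LabelledFile, destination: str) -> bool:
        if f.label > self.clearance[destination]:
            return False
        self.sent.append((destination, f.path))
        return True


def demo() -> dict:
    store = FileStore()
    # Constructed sample data: the camera app labels one photo private, one public.
    store.create("/photos/img001.jpg", b"\xff\xd8 private photo", Label.PRIVATE)
    store.create("/photos/img002.jpg", b"\xff\xd8 public photo", Label.PUBLIC)
    store.copy("/photos/img001.jpg", "/tmp/upload.jpg")
    store.move("/tmp/upload.jpg", "/sdcard/upload.jpg")
    store.derive("/photos/collage.jpg", b"\xff\xd8 collage",
                 "/photos/img001.jpg", "/photos/img002.jpg")
    share = ShareService({"social-network": Label.PUBLIC,
                          "bluetooth-to-contact": Label.FRIENDS,
                          "local-backup": Label.PRIVATE})
    return {
        "move keeps label": store.get("/sdcard/upload.jpg").label is Label.PRIVATE,
        "collage inherits highest": store.get("/photos/collage.jpg").label is Label.PRIVATE,
        "private to social": share.share(store.get("/sdcard/upload.jpg"), "social-network"),
        "public to social": share.share(store.get("/photos/img002.jpg"), "social-network"),
        "private to backup": share.share(store.get("/sdcard/upload.jpg"), "local-backup"),
        "collage to contact": share.share(store.get("/photos/collage.jpg"), "bluetooth-to-contact"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check lives in the sharing application, not in the camera app that set the label, which is the cross-application property the slide asks for; the file store only has to keep the label attached. An explicit user override (the user choosing to publish a private photo anyway) would be a separate, deliberate path through `share`, not a relabelling of the file.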