[Gpephone-devel] package management and security
Dirk Sigurdson
dsigurdson at a-la-mobile.com
Tue Mar 13 17:04:22 CET 2007
Hi Laurent,
I'm curious as to what you think is the best way to do signature
verification. There are really two alternatives. One is that
executables are signed and the kernel does verification at runtime.
Another option would be to sign an installation package and only do
verification at install time. I guess it is also possible for there
to be a combination of the two.
I think it's probably better security to do runtime verification by
the kernel. This limits the attack surface by funneling everything
through the kernel syscall interface.
Dirk
On Mar 13, 2007, at 3:22 AM, Laurent Gottely wrote:
> Hello All,
>
> From my point of view you are on schedule. As an operator we think
> that security mechanisms on the device are essential to protect users
> from the malicious behavior of downloaded programs, which could generate
> over-billing, destroy or leak user data, etc. We have developed
> internally a framework for the sandboxing of native applications:
> - Access to critical resources is trapped and authorization is
> granted depending on the trust level of the application.
> - The trust level is attached to the application using a certificate.
>
> This is done using two levels of control:
> - MAC enforcement inside the kernel
> - application-level access control inside the software bus
>
> This is basically an implementation of the framework proposed by
> the "OMTP Application Security" group. We plan to launch some work
> on this inside LiPS in the following weeks and welcome all
> contributions on this topic.
>
> Laurent
>
> Dirk Sigurdson wrote:
>> Maybe I'm getting a little ahead of myself here as it seems that
>> people have other priorities. I'll bring it up again sometime down
>> the road.
>>
>> Sincerely,
>> Dirk
>>
>> On Tue, 2007-03-06 at 17:00 -0800, Dirk Sigurdson wrote:
>>> I'm wondering what people's thoughts are for package management
>>> on G (PE)^2. Does it make sense to include the gpe-package
>>> utility from GPE? One thing that could be important from both an
>>> end user security perspective and potentially from a carrier
>>> support perspective is being able to restrict the content that is
>>> installed on the phone. The LiPS security spec has some stuff on
>>> adding digital signatures to ipkg's that we should probably
>>> investigate. Additionally, we may want to think of ways that we
>>> could sandbox "untrustworthy" applications to restrict them from
>>> accessing critical system resources. For example, we'd want to
>>> try to prevent a trojan from constantly sending out SMS messages
>>> by writing to the serial device or by asking the phoneserver to
>>> do it on its behalf.
>>>
>>> Dirk
>>> _______________________________________________ Gpephone-devel
>>> mailing list Gpephone-devel at linuxtogo.org http://
>>> lists.linuxtogo.org/cgi-bin/mailman/listinfo/gpephone-devel
>
>
> --
>
> Laurent Gottely
> ft/rd/maps/ams/sle
> embedded software analysis and evaluation
> tel. +33296052713
> mob. +33687088318
> laurent.gottely at orange-ftgroup.com
>
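The two models Dirk contrasts at the top of the thread, as an added example that is not code from the original messages or from the GPE/LiPS projects: a signed manifest of per-file digests checked once at install time, and a per-file check at execution time against the manifest recorded at install. HMAC-SHA256 with a placeholder `VENDOR_KEY` stands in for the public-key signature a real package format would carry (an assumption made so the script runs offline).

```python
import hashlib
import hmac
import json

# Constructed example: HMAC-SHA256 stands in for a public-key signature and the
# key below is a placeholder, not a real vendor key.
VENDOR_KEY = b"placeholder-vendor-signing-key"


def _sign(blob: bytes) -> str:
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).hexdigest()


def sign_package(files: dict) -> dict:
    """Build a package: a manifest of per-file SHA-256 digests plus a signature over it."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    blob = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "sig": _sign(blob)}


def verify_at_install(package: dict, files: dict) -> bool:
    """Install-time model: check the manifest signature, then every file against it."""
    blob = json.dumps(package["manifest"], sort_keys=True).encode()
    if not hmac.compare_digest(package["sig"], _sign(blob)):
        return False                      # manifest was altered or not signed by the vendor
    if set(files) != set(package["manifest"]):
        return False                      # files missing from, or added to, the package
    return all(hmac.compare_digest(hashlib.sha256(files[n]).hexdigest(), h)
               for n, h in package["manifest"].items())


def verify_at_exec(trusted_manifest: dict, name: str, data: bytes) -> bool:
    """Runtime model: before running a file, compare it with the digest stored at install.
    The stored manifest must itself sit somewhere the application cannot rewrite
    (in Dirk's proposal, the kernel holds this check)."""
    expected = trusted_manifest.get(name)
    return expected is not None and hmac.compare_digest(
        hashlib.sha256(data).hexdigest(), expected)


def scenario() -> dict:
    """Install-time check passes; the installed binary is then modified afterwards."""
    files = {"bin/app": b"#!/bin/sh\necho hello\n"}           # constructed package content
    pkg = sign_package(files)
    on_disk = dict(files)                                     # what the installer wrote
    install_ok = verify_at_install(pkg, on_disk)
    on_disk["bin/app"] = b"#!/bin/sh\necho changed\n"         # post-install modification
    exec_ok = verify_at_exec(pkg["manifest"], "bin/app", on_disk["bin/app"])
    return {"install_ok": install_ok, "exec_ok": exec_ok}
```

Install-time verification alone accepts the package and never looks at the file again, so the later change goes unnoticed; the execution-time check catches it, which is the gap Dirk's preference for kernel-side runtime verification closes.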