[Dev] Tizen security workshop in Vannes, 30 Sep - 02 Oct 2014
casey.schaufler at intel.com
Wed Oct 8 01:14:37 GMT 2014
The security teams from Intel and Samsung held a face to face meeting in Vannes, France September 30 through October 2, 2014. This meeting was part of an ongoing effort to ensure mutual understanding of requirements, directions and concerns about Tizen security and security feature development. Over the three days there were 27 sessions, covering issues ranging from certificates to profiles. Here is a brief synopsis of each session.
Tizen 2.x security update
What is being done in Tizen 2?
Tizen 2.3 will support an EFL based native application runtime environment. The OSP native runtime environment has been deprecated and will not be included in Tizen 2.3. The Gear product line is using the new wearable profile. There will be a beta release of the 2.3 SDK near the end of September, a release of the system end of October and source by the end of the year. The first TV profile will be based on Tizen 2.2.1. The Tizen "Knox" facilities will be available sometime after 2.3. Cynara and Crosswalk will be added to the Tizen 2 line.
Tizen 3.0 security update
What is being done in Tizen 3?
Tizen 3 IVI is scheduled for release by the end of year. There are dependencies on security manager and the application runtime to resolve. There will be a solution for native applications based on native application support going into Tizen 2.3. Some of the communications facilities used in Tizen 3 have significant problems in a multi-user environment. Tizen 3 needs Cynara, security manager and user account management complete. Shared directory management is not fully defined and is a potential obstacle to bringing in new packages. The end of year objective is to install and update HTML5 and native applications. There are no native applications yet.
Replacing GPLv3 coreutils and cpio
Shall the current GPLv3 version of cpio be replaced with the latest GPLv2 version? Shall the GPLv3 version of coreutils be replaced with the latest GPLv2 (6.9) version, busybox or toybox? Who can do the work to make the replacement Smack aware?
Samsung has agreed to assign a developer to do the work to enhance ToyBox so that it can be used to replace the GPLv3 coreutils package. Intel will take care of the packaging work required to replace coreutils with ToyBox.
IVI, Mobile, TV, Wearable. Is there security divergence?
The IVI profile has identified and unidentified users, the identity can be by device (phone, fob) or visual recognition, and the user can be privileged or not. Tizen TV has parental controls. Tablet may require multi-user. Yes, there will be profile divergence in how they treat the multi-user environment.
Smack labels, UIDs, groups and what haven't we addressed yet?
Security manager (cynara) provides session management services. Device attributes are generally Smack="*", uid=root, gid=gp1,gp2,... mode=660. The gid maps to the privilege; Smack+uid are used by services via security manager/cynara. Smack+uid+gid are used on device files (native applications). There needs to be a GID associated with each Privilege. If there are multiple applications in a package each will get its own Smack label. However, they will be given mutual access, as "AppFirst AppSecond rwxa" "AppSecond AppFirst rwxa".
Single use devices, account creation, application sharing, gumd
There has been a question about how to create a user at image creation time. Samsung is providing an offline API to set up cynara data. Security manager offline interfaces are in progress. Today there are two sorts of users, privileged and not. Dominique expresses a strong opinion regarding support for arbitrary uninstall scripts. Gumd will integrate with security manager. Actually, it seems that security manager ought to invoke gumd. That should make the upstream integration of gumd easier.
Bumjin will provide an introduction, describe how it is configured, and provide the schedule for its implementation.
The new native "Core API" privilege model resembles the OSP model. For 2.3 Core API reuses the OSP package format. In 2.3 privileges are implemented as Smack rules. There are five privilege categories. Privileges are intended to map to APIs. Currently the core API uses 58 privileges. Deviced is a dbus service to provide access to five specific simple devices. The Smack floor ("_") label semantics will be modified to include general lock ("l") access.
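To make the label arithmetic in the two Smack sessions above concrete, here is an added toy model (not Tizen, Smack or security-manager code) of how a Smack access check combines with the per-privilege GID on a shared device node. It models Smack's built-in label rules (a "*" subject can access nothing, a "*" object is open to everyone, the same label gets full access, the floor "_" object grants read/execute to any subject plus lock under the modified semantics described in the session, and the hat "^" subject gets read/execute on any object), explicit rules in the kernel's "subject object modes" text form such as the mutual AppFirst/AppSecond pair, and the DAC side of a device with Smack="*", uid=root, mode 660 and one GID per privilege. The label names, UIDs and GIDs are constructed sample values; the kernel's handling of mixed lock-and-read requests is simplified.

```python
"""Toy model of the Smack + DAC checks described in the meeting notes.
Added example, not Tizen or Smack code; all labels, uids and gids are
constructed sample values."""
from dataclasses import dataclass


class SmackPolicy:
    def __init__(self, floor_lock=True):
        self.rules = {}              # (subject, object) -> set of modes
        self.floor_lock = floor_lock  # True: floor "_" also grants "l"

    def load(self, text):
        """Parse rules in the 'subject object modes' form Smack uses."""
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            subject, obj, modes = line.split()
            # "-" writes a rule that grants no access at all
            self.rules[(subject, obj)] = set() if modes == "-" else set(modes)

    def allowed(self, subject, obj, modes):
        """True if `subject` may perform every mode in `modes` on `obj`."""
        want = set(modes)
        if subject == "*":            # star subject: never
            return False
        if obj == "*":                # star object: always
            return True
        if subject == obj:            # same label: full access
            return True
        floor = set("rx") | ({"l"} if self.floor_lock else set())
        if obj == "_" and want <= floor:
            return True
        if subject == "^" and want <= set("rx"):
            return True
        return want <= self.rules.get((subject, obj), set())


@dataclass
class DeviceNode:
    label: str    # Smack label on the device file
    uid: int      # owner, root in the notes
    gids: list    # one GID per privilege that grants use of the device
    mode: int = 0o660


@dataclass
class Process:
    label: str
    uid: int
    gids: list


def device_access(policy, proc, dev, modes):
    """Smack first, then DAC. For a Smack="*" device the Smack check
    always passes, so the privilege-to-GID mapping is what decides."""
    if not policy.allowed(proc.label, dev.label, modes):
        return False
    if proc.uid == dev.uid:
        bits = (dev.mode >> 6) & 0o7
    elif any(g in dev.gids for g in proc.gids):
        bits = (dev.mode >> 3) & 0o7
    else:
        bits = dev.mode & 0o7
    need = (0o4 if "r" in modes else 0) | (0o2 if "w" in modes else 0) \
        | (0o1 if "x" in modes else 0)
    return bits & need == need


# Constructed sample policy: two apps from one package get mutual access,
# and one of them may additionally read a constructed "System" label.
SAMPLE_RULES = """
# subject   object     modes
AppFirst    AppSecond  rwxa
AppSecond   AppFirst   rwxa
AppFirst    System     r
"""

AUDIO_GID = 5010   # constructed GID standing in for the audio privilege
AUDIO_DEV = DeviceNode(label="*", uid=0, gids=[AUDIO_GID])


def demo():
    policy = SmackPolicy()
    policy.load(SAMPLE_RULES)
    with_priv = Process("AppFirst", 5000, [5000, AUDIO_GID])
    without_priv = Process("AppSecond", 5001, [5001])
    return {
        "mutual": policy.allowed("AppFirst", "AppSecond", "rw")
        and policy.allowed("AppSecond", "AppFirst", "rw"),
        "one_way_only": policy.allowed("AppFirst", "System", "r")
        and not policy.allowed("System", "AppFirst", "r"),
        "floor_lock": policy.allowed("AppFirst", "_", "l"),
        "audio_with_privilege": device_access(policy, with_priv, AUDIO_DEV, "rw"),
        "audio_without_privilege": device_access(policy, without_priv, AUDIO_DEV, "rw"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point the model makes is the one the notes make: once a device carries the "*" label, Smack no longer separates applications on it, and the group bit plus the GID mapped to the privilege is the only thing standing between an unprivileged application and the device.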
Device Sharing Control
Analysis, solutions. When a device like /dev/audio is shared between applications and users what are the security attributes (Smack, UID, GID, ACL ...) assigned to it, and how are they managed?
There is a group ID related to each privilege. This is assigned to the device.
API development, Cynara service, updating services, dbus, Buxton
Cynara has demonstrated massively better performance than polkit or security-server. The 0.3.0 version was available 2014.09.05. The async API is in progress. The extension mechanism is in progress. This will allow "ask user" and similar policies. There is an administration library for when no service is running, such as image creation time. Database integrity checks and recovery modes are in the works. Dominique pointed out that there is already a pop-up service available, so Cynara does not have to provide one.
What is security manager? What is its scope and what services does it provide? Why is it becoming so important?
Security manager is a set of APIs and a service to manage security attributes and configure system policy. It understands the Tizen policies, where the underlying mechanisms may not. It provides an API to support application launching. Setting privilege on user session launchers has complexity. AMD is the native application launcher. TZlauncher configuration will be done using security manager. Privilege manager from Tizen 2.x allows the user to configure privileges on the fly. User manager allows updating the user profile. Containers (and namespaces) need to be supported and configured by the security manager.
Samsung would like to understand the relationship between Security Manager and the Application Framework. Overlap and duplication should be identified and addressed.
The commonality between a "guest" on a phone and a "guest" in a car was discussed at length.
Cynara integration status
Cynara policy checks are being added in the dbus daemon. Services don't have to be changed to do the checks, however configuration needs to be provided. Add check tag for dbus daemon. Dbus uses the Cynara async API. Testing includes python bindings. New tests are included in the common profile test framework. Upstream is already looking at allowing interactive authentication. Implementation is expected to be complete in late October. A new base version of dbus is required. Email to this effect should go to the dev list.
Vconf conversion, Cynara integration
Buxton needs to get used or vconf needs to be changed for multi-user. The plan is to replace libvconf with libvconfbuxton, add Jose's patches to buxton. We will deal with the cases that don't work individually.
Current integration plan
Everything looks like it is on track. All parties are communicating to mutual satisfaction.
Application installer, Application launcher, Cynara issues, Application Signatures
There is structure for certificate management, but no enforcement. Crosswalk will need the pop-up cynara extension. Privacy manager could be useful for dropping application privilege. Tomasz asked about test cases. Terri reports that they are available on github.
APIs, runtime environment, sandboxing, cryptographic interfaces
There are still questions about the secure certificate and key storage. Samsung has a key manager repository. There has to be a documented native C/C++ API. Samsung requires that the key management be FIPS certifiable. Intel is still waiting to see the core API code on Tizen.org. Even native applications get launched. Native applications use the (TPK) directory structure. Namespace containers would be interesting. We will need a mechanism for privileged (system level privilege) native apps. Native apps can tell the window manager to do things that HTML5 apps can't (today), so services like the window manager and gstreamer may have some work to do.
AMD, TZlauncher and other application invocation mechanisms
What should we do about all of the non-standard mechanisms we have for launching applications?
Rafal proposed how to label the content of $HOME. There was much rejoicing.
Integration with the Tizen 3 security model. What we know about it so far.
OIC is the group providing guidance on the interfaces for the Internet of Things. The security team from Samsung is in the dark. The Intel team has been involved. Samsung has a message protocol, Intel a stream protocol.
CSF is the scanner infrastructure from McAfee. Samsung would like a server architecture in place of the library architecture. They would like to support more 3rd party checkers. McAfee does not seem to have made this a high priority.
Smack Bringup mode
How to use it
Going in 3.18. The patch is available for backport.
Upstream project may be stalled. Tizen TV wants kdbus, so we need to track the progress. It should support Smack when it is accepted upstream.
Current design and status
Two "domains" for Samsung container based solution. SCS spawns containers. It is libvirt/LXC based. It includes Smack namespaces. No release for the time being, but they want it on tizen.org.
Current design and status
Security namespaces, with a Smack base are 2 months from being done. Then the kernel patches will be sent for LSM review. Then the fun begins.
Strategy and requirements for a Tizen CA infrastructure
The Tizen store has 3 root certificates. Samsung has one for Gear 2 and Gear S. All issued and managed by Samsung. Multiple chain support may be our best answer. We should ask about tizen.org chain. Platform development needs to have a certificate of its own.
Current design and status
Samsung wants to use Flora license. Intel says "no". No one is surprised.
We got as far as an outline and stopped. How can we progress?
Casey will make preliminary assignments.
Schedule, assignments, risks, fallback plans
Network: Content Security Policy. Smack use of secmark for iptables needs to be investigated. The strategy for removable media still needs to be fleshed out. It will require the ExternalMedia privilege. On-disk encryption for user data is required, but not yet available and raises issues for flash filesystems. Integrity controls, including key management, are desired and available. Fast boot is critical; security cannot be seen as a bottleneck. Update by image requires a mechanism to get the Smack configuration for the applications already installed.
End of 2014 Release
Schedule, assignments, risks, fallback plans
Security manager and Cynara are required and may be at risk for the IVI profile end of year release.
Final wrap up and action items
What is next?
The next security face to face is proposed for the middle of January in Hillsboro, Oregon USA. We will also consider returning to Vannes as a "warm weather" alternate.