We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Modern Security Model for Embedded Linux Distributions

00:00

Formal Metadata

Title
Modern Security Model for Embedded Linux Distributions
Title of Series
Number of Parts
84
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Security and privacy of information stored on embedded devices is gaining on importance. It turns out that security models designed for desktops and servers cannot be directly adopted in embedded devices. Moreover desktop systems themselves seem to lag behind, when it comes to accessing privilege-oriented resources like camera, microphone or address book. Aleksander will show how growing security requirements for operating systems are fulfilled with usage of existing Linux mechanisms, like MAC or DAC and new ones, like Cynara and Security Manager. You will have a chance to learn the complete security framework implemented in Tizen operating system and Linux Foundation's Automotive Grade Linux and get to know how well designed solution can provide security and privacy for whole system, relieving efforts of 3rd-party developers.
System programmingInformation securityModel theoryServer (computing)PlastikkarteSoftwareLatent heatGroup actionExtension (kinesiology)Focus (optics)ImplementationNeuroinformatikOrder (biology)Presentation of a groupAxiom of choiceDegree (graph theory)Address spaceWindowSource codeSoftware frameworkSoftware developerMultiplication signCASE <Informatik>Cartesian coordinate systemDifferent (Kate Ryan album)Video gameKeyboard shortcut1 (number)SmartphoneTouchscreenOnline helpOperating systemHard disk driveDescriptive statisticsCovering spaceIntegrated development environmentAndroid (robot)Data storage deviceProxy serverSoftware testingConnected spaceInformation privacyInformationComputer clusterTopological vector spaceBefehlsprozessorCorrespondence (mathematics)MiniDiscInternet der Dinge2 (number)PasswordRadical (chemistry)Mobile WebXMLUMLLecture/ConferenceComputer animation
Cartesian coordinate systemServer (computing)Group actionPoint (geometry)SoftwareMultiplication signEmailLatent heatMereologyDigital photographyComputer animationLecture/Conference
Server (computing)Cartesian coordinate systemOperating systemContext awarenessSystem programmingDigital photographySocial classUniform resource locatorWeb browserGame theoryGame controllerInternetworkingRight angleLatent heatMappingPoint (geometry)Design by contractEmailWritingOperator (mathematics)TelnetReading (process)CalculationComputer animation
Flow separationUniform resource locatorServer (computing)Cartesian coordinate systemSystem programmingOperating systemMappingGame theoryComputer animation
Flow separationPresentation of a groupSystem programmingCartesian coordinate systemMetropolitan area networkContent (media)Limit (category theory)Video gameStaff (military)Open sourceSoftware developerImplementationDemo (music)Open setBitLecture/ConferenceComputer animation
Model theoryInformation securitySystem programmingOpen sourcePlastikkarteProduct (business)Mobile WebPlanningDistribution (mathematics)MereologyLecture/ConferenceComputer animation
Information securityModel theoryProduct (business)Projective planeCASE <Informatik>Rule of inferenceDifferent (Kate Ryan album)Group actionSystem programmingProcess (computing)File systemComputer fileMathematicsAsynchronous Transfer ModeWeightObject (grammar)Sampling (statistics)Computer virusCartesian coordinate systemGame controllerPresentation of a groupMiniDiscDirectory servicePlastikkarteComputer animation
System programmingInformation securityComputer fileSystem administratorObject (grammar)Model theoryDirectory serviceRead-only memoryUsabilityDatabaseMappingFacebookCartesian coordinate systemUniform resource locatorMultiplication signDifferent (Kate Ryan album)Server (computing)Operating systemSimilarity (geometry)Group actionoutputOperator (mathematics)Extension (kinesiology)Right angleRun time (program lifecycle phase)Android (robot)Default (computer science)Data storage deviceKernel (computing)Information privacyAddress spaceCalculationFluid staticsAntivirus softwareBlock (periodic table)3 (number)Core dumpWell-formed formulaComputer programmingAxiom of choiceNeuroinformatikVideo gameInformation technology consultingMoment (mathematics)CodeLevel (video gaming)Computer animationProgram flowchart
Cartesian coordinate systemIdentical particlesContext awarenessRule of inferenceTask (computing)Server (computing)VotingMappingCycle (graph theory)Domain nameVideo gameModel theoryInformation securityDifferent (Kate Ryan album)Process (computing)Operator (mathematics)Computer fileFlow separationSystem administratorData managementNeuroinformatikArithmetic meanDatabaseGroup actionCuboidComponent-based software engineeringOperating systemFile systemInformationSystem programmingCASE <Informatik>Table (information)Workstation <Musikinstrument>Level (video gaming)Demo (music)Computer programmingWindowUniform resource locatorCalculationMereologyComputer animation
outputCartesian coordinate systemOperating systemCalculationInformationTouchscreenAndroid (robot)Convex setContext awarenessSystem programmingContent (media)Mobile WebComputer fileComputer animationProgram flowchart
DatabaseDistribution (mathematics)Multiplication signPlanningOffice suiteGroup actionWaveServer (computing)MathematicsInternetworkingCartesian coordinate systemVideo gameOperating systemSocial classSystem programmingReading (process)Computer fileReal numberComputer animation
Classical physicsServer (computing)Group actionContext awarenessCartesian coordinate systemOperating systemInformation securityModel theoryFunctional (mathematics)ImplementationSystem programmingFile systemComputer animation
Server (computing)Information securitySystem programmingCartesian coordinate systemImplementationClient (computing)Different (Kate Ryan album)Communications protocolSource codeModel theoryGroup actionExistenceLevel (video gaming)Term (mathematics)Game controllerArithmetic meanRight angleMessage passingInsertion lossPatch (Unix)Classical physicsComputer fileBus (computing)Thermal conductivitySoftwareAngleWritingSoftware developerVideo gameOrder (biology)MereologyDirection (geometry)Metropolitan area networkContext awarenessOnline helpArchaeological field surveyConfiguration spaceCalculationInterprozesskommunikationData storage deviceCodeComputer animation
Context awarenessProcess (computing)Arithmetic meanMultiplication signExtension (kinesiology)Coma BerenicesDivisorFacebookPhase transitionDefault (computer science)Software frameworkBoom (sailing)Information securityCartesian coordinate systemRevision controlTouch typingFitness functionPlanningServer (computing)HoaxRight angleUniform resource locatorProjective planeVideo gameBitModel theoryAndroid (robot)Prisoner's dilemmaSystem programmingPlastikkarteTopological vector spaceDifferent (Kate Ryan album)Product (business)Web serviceInformation privacyPlug-in (computing)Content (media)Run time (program lifecycle phase)Direction (geometry)SmartphoneAsynchronous Transfer ModeComputer configurationDemo (music)Lecture/Conference
FamilyTable (information)Server (computing)Group actionLink (knot theory)Cartesian coordinate systemLibrary (computing)Process (computing)Distribution (mathematics)Right angleNetwork socketModel theoryRule of inferenceData managementDemo (music)Semiconductor memoryState of matterCodeParticle systemSystem programmingConnected spaceComputer fileMetric systemLevel (video gaming)Bus (computing)SoftwareTotal S.A.Information privacyTerm (mathematics)Information securityClient (computing)Intercept theoremFile archiverFile systemModule (mathematics)Socket-SchnittstelleDatabaseFirewall (computing)Address spaceSystem administratorComputer programmingExtension (kinesiology)Multiplication signNumberPatch (Unix)Touch typingDefault (computer science)Mobile WebSystem callLecture/Conference
Ferry CorstenRight angleProcess (computing)Group actionFlow separationRevision controlSlide rulePatch (Unix)Different (Kate Ryan album)Server (computing)NumberMultiplication signModel theoryDistribution (mathematics)Information securitySystem programmingMereologyOpen sourcePOKEDigital photographyComputer filePoint (geometry)Context awarenessDigital electronicsoutputGraphical user interfaceInterface (computing)Disk read-and-write headOntologyNear-ring2 (number)Personal digital assistantBoss CorporationAdditionPentagonMoment (mathematics)Computer animation
Computer animation
Transcript: English(auto-generated)
Okay, shall we start? Welcome everybody. My name is Alexander Zdib. I come from Poland, but currently I'm based in Switzerland. I'm going to tell you about modern security
model for Linux operating systems. Why you might be interested in this? Well, this particular model is meant for embedded systems like smartphones, smartwatches, smart TVs and so on. And it's probably unlikely that you will have to design
such kind of system in nearest future because there are already many of them like Android, iOS, Windows, Tizen, even if you haven't heard of it before. But if you
were, yesterday on John Hawley's presentation about IoT devices, there's gonna be a lot of them, these IoT devices. And each of them is gonna to run on some system, probably a dedicated one, but maybe not. And they will really
need some security. Till the year 2020, there's gonna be 10 million of us
developers focused strictly on IoT devices. So there will be a lot of work on these devices and these devices will need to be secure. And I'm going to present a choice for security framework you can use on these devices if you haven't to design
or develop a system for such devices. Well, what I'm going to tell you about? First of all, about security considerations, security requirements of
embedded devices. How are these requirements different from, for example, desktop computers or servers? Why is it important? Next, what is the mission to accomplish in order to have this security in place and working?
Next, we're gonna focus on some technical details, implementations and so on. At the end, we have some short summary and if time allows, short Q&A sessions. So what about these security requirements or why we need security on
embedded devices? There are a lot of IoT and other embedded devices right now. And the pictures above are just pretty usual right now. We use more and more
of embedded devices and we store more and more private data on them. And these ones like smartphones, smartwatches, tablets, TVs are probably known to store
such kind of data. But there are more. Yesterday, you could see that there are thermostats, thermometers, even pregnancy tests with connectivity, yeah,
like John yesterday showed. And sometimes we are not even aware that these devices are surrounding us and that they gather and store and share information about us, about our environment. However, there is some data
on them, flying between them and it needs to be secure. So maybe some simple example. You can see two similar pictures, one taken on Ubuntu, the second
taken on Android. This is screen showing installation of software on corresponding devices. What's the difference? I mean, both have name of the application, some descriptions, some nice screenshots, but what's the
difference between desktop computer like Ubuntu and embedded mobile device like Android in this case? Well, when you try to install, actually install the application, in first example, you are presented with a password prompt to
authenticate and to, so the system knows that you allowed to install and to use this application. On the second picture, there's more. There are
privileges that the application will be using and that's the main difference. Let's go, let's go further. So Ubuntu, in this case, is using what I call classic security approach. I mean, installed and run application acts on
behalf of the user, on behalf of us to the full extent. The application, once run, can do whatever we would do, whatever we could do by sitting at the
terminal with our keyboard, with our mouse and so on. On the Android, for example, there's something different. The application, of course, also acts on our behalf, but not to the full extent. It was limited to the very specific
actions it can do. So, what's about this operating system run on desktop, on
servers maybe, and to compare them to the mobile or embedded devices, IoT devices, for example. So, the operating system isn't just a piece of software that consumes space on our disks and hooks our CPUs. It governs some
helpful services, some precious resources, and it helps us in using it. Of course, there are many resources and services, like this one presented
here, for example, email, camera, networking. There's not even a point in distinguishing them to services and resources. They may provide some services and have some resources at the same time. It doesn't matter. They live in our
operating systems and serve us in some way. But the real point here is that with these services and resources, we, or our applications, can do some specific things, can do some specific actions. Like, for example, in email, you can read,
write emails, you can preview your contacts, you can use camera for taking photos, or maybe this very same application also allows you to browse already taken photos, and so on. What's the real point here is that with these
services and resources, there are some actions connected, and these actions are further connected with privileges. I mean, if application is going to use, for
to tell that it may read and write emails, but maybe couldn't preview all of your contacts, and so on. But, of course, these services, these resources, are not
only for you. I mean, who's going to use Telnet to read emails or write emails. You need some applications in your operating system, and they are
really helpful. Email clients, browsers, games, whatever. And in the classic approach to security, like in presented Ubuntu, but it doesn't, it isn't
permitted to Ubuntu, it's rather a class of systems like desktops or servers. All these applications, once installed, have all your privileges. They can act on your behalf. So, all of these applications you install have the same
rights like you do. Camera, internet, location services, contacts, and so on. It's not the point to disallow the applications to do so, but there is a
point in limiting this access, because it's probably a good thing, so maps have access to location services. Maybe even camera could have this access to geotags, the taken photos, but probably calculator or games shouldn't have
access to camera or contacts. So, what we need is access control to these services and resources. And what do we need to do so? Well, we need to
separate things inside the operating systems. First, we need to separate users to tell them apart. This one user can access location services, the other one
doesn't, and we need to distinguish to tell apart the applications, like maps have access to location services, but the games do not. And the first
constraint, I mean separation of users, is already there in Unix systems, Linux systems. And the separation of applications is a whole larger and more complicated complex, and the rest of the presentation today is about this
mainly. But the solution to this problem of separating users and applications is already there. It's implemented. I'm one of the developers
who implemented it, and I'm going to present it to you. This is all of stuff I'm gonna present today. It's open source, so every one of you can take this, try this, and implement this in your setups. It doesn't have...
Excuse me, can you speak a little bit louder? Oh, sorry. I will try. Okay. So, every one of you can take this and implement, apply to new systems,
existing systems, and it's, as you will hopefully see in the demo I'm going to present, it's not only limited to embedded devices, but we can go beyond this, but that will come. So, the security model I'm presenting was
originally, initially developed for Tizen operating system. It's a plain Linux distribution. It's meant mainly for embedded and mobile devices. It's open
source. It's already shipped on many devices like smartwatches, smartphones, smart TVs, but there are more of them. I mean, more of products which are using some parts of this security models. Maybe you heard something,
sometimes on these projects there are more, and these are just examples of usage. So, this new security model consists of three pillars, discretionary
access control, Linux security models, in this case smart and a new one, user space-based scenario. I'm going to go through all of them. First is DAG.
You probably heard about this, even if you don't heard of this, you are really using it every day. It's just plain old security model for present in
Unix like for 40 years. You know the commands like change owner, change mode and so on, and this is it. It's used to separate users and their resources.
You probably all know how to allow access to your files on Linux systems to some group or users, and this is it. You can have access type of reading, writing, executing and so on. There's really nothing much to say. It allows
to fulfill the first restriction of separating user, and this is first pillar and it is used for this. The second is SMUG. Who has ever heard of SMUG?
Okay, some of you. Maybe Linux runs some mobiles. Yeah, it's something like this. SMUG is one of the Linux security models. It allows to restrict
access to the resources, but in different ways than DAG does. In operating systems,
you have some entities like processes or files maybe, and you can, thanks to SMUG, label them. For example, you have a file on the file system and you can
give it a label, in the example label 2, and it's file on our disk. And there's a process, for example, which is labeled with label 1, and we can have some rules
which tell what actions the subject, for example, process, labeled somehow, can do on object labeled maybe differently. If they have the same label, then the access is
unrestricted. But if the labels are different, there are rules which tell the subject with this label can read but not write the object labeled differently. And, of course,
many objects and many subjects may have this very same label. So, for example, all files in one of the directories can be labeled with the same label, so the process with
distinct rules can access all of them. And maybe other process without rules to access these files will not have this. There are some conventions of labeling objects and subjects
in operating system. I mean, it depends on you, but the security model I'm presenting uses this convention. For example, there's label floor underscore really to label some
read-only system directories, there is label user to label files in directories of users, and so on. But it is just a convention for simplicity and for ease of administration.
Thus, the third pillar. First two pillars were, well, they were in Linux for a long time. Duck was in Linux for its very beginning and even longer in Unixes.
Smack, I believe, was in Linux from 2008, and other Linux security models were there since the beginning of the century. But Sinara is something new. First of all, it's not in kernel space
like the former two were. It's user space one and it's dedicated for the presented solution.
How it works, I will explain in a moment. And this is it. For example, in Duck, you have access rights for the files. If some user or some group could read or write
this file. In Smack, you had labels. This label can read or write object with another label. Here, it's different. For example, we have a service, say it's location service like
GPS, and we have some application in operating system like maps. Maps connect to the location service and request the current location of the user of this system. But how does the service
if this particular application can access location? Well, it doesn't. It could have some mapping, some database with the answer for this question. Yes, maps can have location,
calculator cannot. But it may work, but it will probably be static, just static mapping or database. And the second thing is that every each service in the operating system would need
similar mapping or database. Well, it's not a good solution. What I propose is Scenara. It's that kind of database I was just talking about. It knows all the answers for this kind of
questions. Is maps allowed to use location services? Is Facebook allowed to use contact
lists? And so on. Scenara is a database really, but sophisticated one. It can store entries statically like yes, Facebook has access to contact lists, but it may also compute
these answers on the run runtime with some extensions. For example, if you are familiar with iOS or newer Android systems, you could be presented with a pop-up asking if these
applications at this time can have access to some service or some resource. And end-to-end, Scenara computes the answer and returns it to the service. And this answer is distinct. Yes or not? So it knows if this particular request can be served or not.
How does Scenara know all these answers? There are some same defaults built in the system.
There are manifests of installed applications. If you're familiar with developing for Android operating systems, then you know what is manifest. It simply tells the operating system which privileges are going to be needed by these applications and user can
accept them or not. Does privacy manager, if you're familiar with newer Android systems, then you know that in the run time after the application is installed, you can grant
or deny some of the privileges. And this is it. Once you may accept Facebook to use your contact list, but the other day it doesn't have to be so. And at the end, there's also administrator role who can alter all these choices. So how does it work in practice?
I mean, in the last cycle of application, what actions are done? But first,
there's another component of this solution. It's called security manager, who is a main hub for all this information. It's also a dedicated program. It is used in many different aspects,
in many different steps of life cycle of the applications. For example, it takes parts in installing and launching applications. It manages different policies and tools in the systems.
It's a hub where administrator or users can do their work to manage the rules in the operating system. So first step in the life cycle of the application is of course installation of this particular application. There are files unpacked, but it's really nothing interesting.
The more interesting thing is after putting the files on the file system, we grant access with DAC. For example, we apply access rules who can read the files.
Next, we label them with smack labels, which means we tell what processes can access files, what processes can access other processes, and so on.
Next, the application is run. The main step in this launching process is applying so-called security context.
Application in this security model has to have this security context, which is, which contains not only smack label, the process of the application runs with. So we can use these smack rules to allow accesses between the processes or processes and
files, for example, but also groups it runs with. It's also important because we can have
accesses to files and so on on this device, on this particular device. So how does it work in practice? As I told you before on the simple example, there is this GPS service. It probably just had request from some kind of application,
for example, in this example maps to have, to read the location. And as I told you before, it needs to ask scenario if this access is granted. So what's there? What really happens?
First of all, as I told you in this mission of separation, we are able to distinguish users and processes. So the GPS service in this particular example can tell what user
is running this maps application and what this map application really is. I mean,
how is it different from calculator application? So it has UID of the user running these maps and it has smack label of this maps application. It's worth nothing that
all application of this same kind, I mean, from this same executable are run with the same smack label. Even if they run with different UIDs, for example, Susan and Bob, Susan's maps has
label, for example, maps and Bob's maps application, if it's the same application, runs with the very same smack label. The GPS service knows this credential,
this credentials UID of the user requesting and the smack label of the application and it forwards it to Znara with the request, with the question if this tuple, this pair of so-called client,
in this case it's label of the application and this particular user can have access to privilege. In this example, it's location privilege. Znara is calculating the answer,
it may come directly from that database, it may be calculated, computed by external plugins like pop-up, like maybe contacting some external service even, maybe windows domain, whatever,
and GPS service gets the answer right back and it's distinct. It knows it's yes or not, grant access or deny access. And hopefully we can show this on a demo. I prepared the demo
on, I don't remember, Ubuntu or Fedora. It's not embedded system, definitely, but I just wanted to show you that you are not
limited to the embedded or mobile devices. So here we are with two applications installed on the operating system. One is contacts and one is some other application, evil calculator.
What to notice on this first screen is that, as I told you at the very beginning, there are these privileges like in Android or like in iOS for example.
And here we have this information that contacts application have read access to contacts denied and also editing contacts is also denied. And we go a little further.
We run this contacts application and as you can see, contacts could not be fetched from contacts book, which is a service in this example. It could be plain file like database but
whatever. We know that the access to reading or editing is denied, so this application could not have this access. Next, we change the permissions in real time, I mean in live system
and this time we can access the contacts. Now we try to edit contacts. As you can see,
the access for editing is denied, so when we try to save, we have permission denied for this action. The editing is editing as well, so we cannot. Now we change permission to ask user, so every
time some application will try to edit contacts, we will be presented with a pop-up. Now
we save this particular edit and we are presented with a prompt to allow this or not. If we deny, then we again have this permission denied and if we allow,
it's done. We could save this contacts. What's more, this application was legitimate.
I mean, we installed it, it requested in the manifest that it will be using contacts in this particular way. I mean, it requested that it will read contacts and edit contacts and we have possibility to change these permissions, to alter these permissions even in live. But there's also
another application, it's not so legitimate but somehow it is present in our operating system. Maybe it's just a random application we download from internet and it didn't request any privileges
but let's see what will happen. Okay, so we downloaded this application, it seems to be legitimate
and it does what it does, it's a calculator, but it has a hidden function, that's why it's evil. It tries to read our contacts, it wasn't supposed to do so, but with plain old classic
security approach, there is nothing to stop this application from accessing the resources
from our file system or access services on our operating system. When we use this security model I'm presenting, we can know that this application which is
evil wants to do something that it's not supposed to do and we of course deny this action but what if we allowed? Yes, it just read our contacts.
And I believe this is it for the demo, hopefully you now get the idea. Just another implementation
detail. This contact service was a service. In this example it served on a D-Bus IPC but it
doesn't have to be D-Bus, it could be unique socket, it could be whatever, but it was IPC D-Bus in this particular example. Sometimes we have some resources that we don't want to be
governed by a service. For example, we want to have raw access to the camera device on our system just because it is faster. We can do so as well within this security model.
And this is how we use groups. We apply a group, for example camera users, to the device
that is device of our camera, of our microphone or whatever. And when the application, in this example camera is launched, we apply this group for this application.
We do not apply this group like in classic approach to the user because if user Bob or Susan was in camera user's group, all of their application would have access to this device.
But we don't want to. We want to distinguish that camera application has this access and calculator doesn't. So we do not put user in the group but we put distinct
applications of this user. It's done in lunchtime and it works just like I explained. Okay, that would be it. There are some bonuses. First of all, you probably noticed that
when you have some service, like in the examples here, contact service or GPS service, it has to have some code to contact scenario, to request scenario in order to know
which requests should be served or not. This is true. The services need some modifications but they don't have to. They don't have to. If the services are using DBaaS,
then it's already done. I mean, we have a patch for DBaaS so we can intercept messages on this bus and it's transparent for both service and client. They don't even have to know
of existence of this security model, of scenario and so on. You just write config files that some particular service, the methods on DBaaS are protected with some kind of access right
and that's it. The second bonus is Natter. It allows us to configure the very same
access control for networking. I mean, that this application can access network resources, the other doesn't. You can configure it on different access for different hosts, for different protocols and so on. And the third bonus is
night slot. You can audit all this stuff. I mean, you can follow the requests, you can follow the accesses, you can follow the answers for requests in terms of was this request
allowed or denied and so on. And this is important, especially on begging of work with this security model because you have many services and applications and sometimes it's
hard to configure it properly from the very begging and this tool is helping you with it. Okay, so hopefully I showed you the difference, the main difference between a classic approach
to security and the one I'm proposing. Hopefully I showed you that this classic mechanism is not enough in modern world with more and more applications from different sources
like different kind of application stores and so on. And that's it. If you have any questions, I think we have some time.
At this stage of development, could your software also fake an access for the application? Could you explain more what do you mean by faking? If you have an application that is
evil but the user wants this application. For example, you have Facebook and if you install Facebook, they capture all your contacts at the installation process and afterwards you can
block them from your contacts but at the installation it is mandatory you gave them access to your contacts so they are gone. I want as the user wants Facebook to run on
his device and if it's not run properly, he will rip off your extensions, your security extension to get this application. Do you understand what I mean? You mean that if at installation time I grant the application rights to with my contacts?
No, no, no. For security reasons you have to do fake in direction of that application. You have to fake that your contacts are empty or there are only bullshit in it and gave them
to Facebook so they capture nonsense. But you can install that application and afterwards you can block the contents as the contact contents for the application
and Facebook is fine with that. Okay, now I get it. First, you don't have to do. I mean this approach was taken several years ago by the Xenogon mode project and before Android has
this newer security model which allowed in runtime to alter the privileges but you don't have to do this this way because when you install application and the privilege is
privacy oriented like contacts like location and so on it's configured by default to ask user on the first usage like in newer versions of Android. So of course the application
Facebook in your example in manifests requests access to contacts but it won't get it before first prompting user if they want to. Yeah, I understand but the user wants that
application and if he has to decide will they get my contacts or not and you make a pop-up and he has the he can install with a grantage and he cannot install if he says no so he will
say yes and live with that. Okay, but first of all the application will be installed anyways so I mean you accept the requested privileges but they won't be granted before first usage really
before so when this Facebook application runs for the first time and it only then it accesses the contacts at this time you can decide do I accept it or not but
returning nonsense contacts is on different layer it would need to be implemented in this
contact service for example this framework doesn't yeah but you said you have to update or implement that in your services so why do doesn't we implement that too
yeah we could implement it this way but it's we don't think it's really needed I mean this pop-up is only one of the extensions to this security model I mean there is
a plugin which shows pop-up allow or deny but you could implement your own extension which presents pop-up allow deny return nonsense it would be up to you what happens when user
chooses the third option but we I mean this framework is very generic we run it on
Tizen smartphones for example smart TVs with Tizen I just showed you on it on fedora if we wanted to implement I mean we don't know what services exist on a system it's generic it
it just grants accesses or not it doesn't know about what services are on the systems what do these services do so implementing such things like return nonsense as contacts is beyond
this project's yeah yeah has it been run on Ubuntu touch for example yet no I run it on
a plain Ubuntu like the desktop and it works okay I think that there are no restrictions running it on Ubuntu touch you just have to implement for example this pop-up extension for I mean this was just a quick example I hacked in one evening just to show you on demo it was
in QT if you implemented it in toolkit used on Ubuntu touch it would work great thank you
how does it technically work so if a program wants to open address an address book which is in some kind of file does it somehow intercept system calls or how how does it prevent a program from bypassing the okay if address book was a file on the file system we would
apply a group to this file for example contacts users and only users in this group would have
access for this file and also only applications which are in this group would have access to this file so in the lunch time of the application here
you have applying groups for the process so that so if this database with contacts has um group uh contacts users then this run application this this launch application
would need to have uh would have to be in this group to access this file and does it not what happens with network connection say what when you want to open a
kind of groups and Linux um yeah this is done by the special module it it's never
it's intercepting packets I don't remember how this technique is called but it's just like IP tables which decide which packets can go through and which cannot it's
it's more like some kind of simple firewall but it not only checks origin and destination of pockets but also it knows about which user and which applications created this pocket or
which user and which application is is going to to to get this pocket thanks okay as far as I'm concerned you just said that you just hacked up the the demo
the privacy manager I think it's it's actually a pretty nice solution to have something like that on a on a desktop system as well so um are you at any stage planning to do to actually release and uh and work on a privacy manager like that in the future or was it just for the
demo and someone else is gonna have to do that okay first of all no I'm not going to continue on this because it it would really need to it's gonna need much much work from the
not only administrator of the particular installation but from managers of distributions I mean the contact service presented here run of on dbus so if if services run on dbus we can just patch dbus in one
extension when in one distribution and and we we're okay but many services don't work on dbus they they open their own sockets they share today memory
they shared their files they would need to be modified in some way of course scenario provides some helper libraries so you can use these libraries to modify the services
without much effort I mean you just link with this library and you have a socket from the client you just give this library the socket and it and it makes the work so it's not much effort to modify services but there's a lot of them and to for this security model to be
effective you have to I mean modify all the resources of the services it's I showed it on a desktop system just to show you it's possible but if it's feasible I don't think so yeah so it's
better suited for mobile devices because there's one manufacturer who decides what kinds of applications are shipped with by default and then of course they can modify those few applications and then the the whole system itself is of course built around this security
model yes yes of course as I told in the beginning this security model was meant for Tizen operating system and I worked on on this effort I worked on Tizen and we could decide
which way to go and we could even implement the needed modifications to the services and there was I mean a limited number of these services if you want to go to the wild and do it in
fedora or want to it's just too much work okay thanks I have a question regarding the camera example which you have there it was which one the one with the camera users
right this one yeah I wanted to ask you that you activate some group right to access the camera but what if you want to access the camera and also the GPS so you activate another group or like if you have a process in Linux it's running under one group so you cannot have
process one hundred two groups when the process is launched it can run with arbitrary number of groups so you can apply it camera groups camera users groups GPS users group and so on and so it's arbitrary number just like user can be at the same time in different groups the process
as well it can be in several groups in this at the same moment okay okay thank you can one last question okay
Okay, thank you. As far as I understood, so now it requires a patch D-Bus to operate in a secure manner. Yeah, I mean... Is this, are these patches going to be integrated into D-Bus?
Not really. I mean, Tizen is open source and you can download these patches from tizen.org but we haven't done any effort yet to upstream these patches to D-Bus.
But, I mean, we take newer and newer versions of D-Bus
and we backport these patches but it's not really upstream and I don't think it will be in some near future. This concept is not so popular. I mean, this is run in several systems like Tizen, for example.
Some parts of this model are run in different IoT-oriented distributions but it's not so popular that it would be accepted in upstream D-Bus, I think.
Not in the near future. Okay, how does it differ from something like PolicyKit? It doesn't differ much but, to be honest, we tried to use PolicyKit instead of Tzenara
but PolicyKit is something that is meant to run in GUI interfaces mainly. So, even I don't want to say it was PolicyKit was slow but it was.
If you want every single request for some services of our resource in operating system to be, let's say, let's use this word, intercepted, interpreted and managed,
it can't be slow and PolicyKit was too slow for us, so we implemented. I mean, PolicyKit was okay but, I mean, 100 milliseconds is not much if you show pop-up
every time but if you do several hundreds of requests per second, it matters. Okay, and one last question for the concept illustrated in the slide.
I assume this works something like a pseudo to supply the additional groups to the process at the startup of the process. Yeah, I mean, this launcher is a privileged process which can apply
different security contexts, for example groups. Okay, thank you. Thank you. Okay, we're already out of time, so thank you again for listening.