Changes

B2G/Architecture/System Security

1,542 bytes added, 00:35, 30 May 2013
supervisor process task
* Ensure several layers of security are being correctly used in the operating system
* Limit and contain the impact of vulnerabilities caused by security bugs, system-wide
* Web application permissions and any application-related security features are detailed in [[/Apps/Security]], not here
* Expose a road-map of the upcoming system-related security features
=== Road Map ===
{|
! Feature !! Implementation Status !! Priority/Importance
|-
| Seccomp || https://bugzilla.mozilla.org/show_bug.cgi?id=790923 (ASAP) || High
|-
| GL Proxy || N/A || High
|-
| Supervisor process || https://bugzilla.mozilla.org/show_bug.cgi?id=845191 (Soon) || High
|-
| RBAC (MAC) || N/A || Medium
|-
| Disk Encryption || https://bugzilla.mozilla.org/show_bug.cgi?id=777917 || Medium
|-
| ASLR || https://bugzilla.mozilla.org/show_bug.cgi?id=777948 (Soon) || Medium
|-
| Compiler hardening || https://bugzilla.mozilla.org/show_bug.cgi?id=620058 || Medium
|-
| JIT hardening || https://bugzilla.mozilla.org/show_bug.cgi?id=677272 || Low
|-
| Implement automated compliance testing of security features || N/A || Medium
|-
| Integrity measurements || N/A || Low
|}
== Features implementation details, risk analysis, discussion ==
Features get scoped here, before going into a tracking bug if they're selected to be worked on. Each feature should in general include some sort of risk analysis (or a threat model), and some implementation details.

=== Supervisor process ===
==== Risks ====
* Parent process (b2g) is compromised, gives full device access (runs as root with no restriction).
==== Implementation ====
* Create a new, small footprint process called "Supervisor".
** Supervisor provides the following features:
*** Start system update (any kind: Gecko and full system updates)
*** Shutdown, reboot system
*** Adjust process priorities (nice/renice)
*** Adjust OOM killer values (oom_adjust)
*** Possibly, load kernel modules at process startup. If not, the init process should take care of starting the necessary scripts for this task.
*** Drop privileges of spawned subprocesses
** Supervisor DOES NOT provide the following features:
*** XPCOM
*** JS runtime
*** Any other such Gecko feature. This is not Gecko. It MAY link to libxul and use a subset of features for IPC communication only.
* The b2g process should run as system:system instead of root:root.
* The supervisor process should run as root:root.
* Select an IPC mechanism. It may use libxul for this (such as IPDL).
See also bugs (up for discussion):
* https://bugzilla.mozilla.org/show_bug.cgi?id=845736
* https://bugzilla.mozilla.org/show_bug.cgi?id=845738

=== RBAC (Role Based Access Control) ===
==== Risks ====
* TBD
==== Implementation ====
* RBAC is implemented by various frameworks, including SELinux, RSBAC RC, and GrSecurity RBAC.
** Security policy can be extensive and eventually require modifications to run on different devices.
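The supervisor process described above boils down to two mechanisms: a privileged helper that accepts only an allow-list of requests from the lower-privileged b2g process (validating every argument before any privileged call), and a routine that drops root before spawning subprocesses. The C sketch below is an added example written for this page; it is not B2G or Gonk code. The line-based text protocol, the operation names, the 128-byte request limit and the uid/gid 1000 used in `main` are all assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Operations the supervisor will perform on behalf of b2g (hypothetical set,
 * mirroring the wiki list). Anything else is rejected before any privileged call. */
enum sv_op { SV_INVALID = 0, SV_UPDATE, SV_SHUTDOWN, SV_REBOOT, SV_RENICE, SV_OOM_ADJUST };
struct sv_request { enum sv_op op; pid_t pid; int value; }; /* pid/value: renice, oom_adjust only */

/* Whole string must be a decimal number in [lo, hi]; returns 0 on success. */
static int parse_int(const char *s, long lo, long hi, long *out)
{
    char *end;
    if (s == NULL || *s == '\0') return -1;
    errno = 0;
    *out = strtol(s, &end, 10);
    return (errno != 0 || *end != '\0' || *out < lo || *out > hi) ? -1 : 0;
}

/* Parse one line of the (assumed) text protocol between b2g and the supervisor:
 *   update | shutdown | reboot | renice <pid> <nice> | oom_adjust <pid> <adj>
 * Returns 0 and fills *req, or -1 for anything malformed, extra or out of range. */
int sv_parse_request(const char *line, struct sv_request *req)
{
    static const char *const noarg[] = { "update", "shutdown", "reboot" };
    char cmd[32], a1[32], a2[32], extra[32];
    long pid = 0, value = 0;
    memset(req, 0, sizeof(*req));
    int n = line ? sscanf(line, "%31s %31s %31s %31s", cmd, a1, a2, extra) : 0;
    if (n < 1 || n > 3) return -1;                 /* empty line or trailing junk */
    for (int i = 0; i < 3; i++)
        if (strcmp(cmd, noarg[i]) == 0) {
            if (n != 1) return -1;                 /* these take no arguments */
            req->op = (enum sv_op)(SV_UPDATE + i);
            return 0;
        }
    if (n != 3) return -1;
    if (strcmp(cmd, "renice") == 0) {              /* Linux nice range is -20..19 */
        if (parse_int(a1, 2, INT_MAX, &pid) || parse_int(a2, -20, 19, &value)) return -1;
        req->op = SV_RENICE;
    } else if (strcmp(cmd, "oom_adjust") == 0) {   /* oom_score_adj range is -1000..1000 */
        if (parse_int(a1, 2, INT_MAX, &pid) || parse_int(a2, -1000, 1000, &value)) return -1;
        req->op = SV_OOM_ADJUST;
    } else {
        return -1;                                 /* not on the allow-list */
    }
    req->pid = (pid_t)pid;                         /* pid 0 and 1 (init) are never targets */
    req->value = (int)value;
    return 0;
}

/* Accepted operation for a request line, or SV_INVALID if it was rejected. */
int sv_op_for_line(const char *line)
{
    struct sv_request req;
    return sv_parse_request(line, &req) == 0 ? (int)req.op : SV_INVALID;
}

/* Permanently drop root: supplementary groups first, then gid, then uid, then
 * verify the drop cannot be undone. Returns 0 on success. */
int sv_drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;                      /* refuse to "drop" to root */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;         /* must be irreversible */
#ifdef PR_SET_NO_NEW_PRIVS
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* block setuid re-escalation */
#endif
    return 0;
}

/* fork/exec argv as uid:gid ("drop privileges of spawned subprocesses").
 * Returns the child's exit status, 126 if the drop failed, 127 if exec failed, -1 on error. */
int sv_spawn_unprivileged(char *const argv[], uid_t uid, gid_t gid)
{
    int status;
    pid_t child = fork();
    if (child == 0) {
        if (geteuid() == 0 && sv_drop_privileges(uid, gid) != 0) _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    if (child < 0 || waitpid(child, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *sample[] = { "renice 4321 5", "oom_adjust 4321 -500", "renice 1 -20", "load_module x.ko" };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        printf("%-22s -> %s\n", sample[i], sv_op_for_line(sample[i]) ? "accepted" : "rejected");
    char *argv[] = { "id", NULL };                 /* uid/gid 1000 are constructed values */
    return sv_spawn_unprivileged(argv, 1000, 1000) == 0 ? 0 : 1;
}
```

Two design points matter here. The validator is the supervisor's security boundary: because b2g is assumed compromised in the risk analysis, every field is bounds-checked and unknown commands (the constructed `load_module` line) fall through to rejection rather than to a default action. The privilege drop orders the calls so that supplementary groups and the gid are changed while still root, then checks that root really is gone; a setuid/setgid sequence that succeeds but leaves a saved uid of 0 would be caught by the `setuid(0)` probe.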
=== Disk encryption ===
==== Risks ====
* Device is stolen and attacker has full access to the user's data storage
==== Proposed Implementation ====
* Android already uses disk encryption in a relatively sane manner and their approach may be re-used; see http://source.android.com/tech/encryption/android_crypto_implementation.html. Password handling should be revisited (separate encryption and unlock passwords, better derivation of the key from the password, as Android needs a very long password to resist brute-force attacks).
** Ensures no data is left unencrypted on the flash device
=== Address Space Layout Randomization (ASLR) ===
==== Risks ====
* Loading libraries and application code at predictable or fixed addresses leads to easy exploitation of memory corruption vulnerabilities
==== Proposed Implementations ====
* Upgrade Gonk to Jelly Bean's build system (newer GCC version, and complete ASLR support)
** May lead to slower process startup and high performance penalties - however, recent builds of B2G pre-start a content-process, which may hide any performance penalty
=== Updates: Proposed Additional Implementation: Tracking of application versions for known security patches ===
A version tracking mechanism is necessary in order to decide when components of B2G need to be updated due to a security vulnerability.