User talk:Ptheriault: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
 
Testing Gaia with B2G desktop
 
Gaia is a collection of web apps which make up the UI for the Boot to Gecko project. It consists of a system app, which performs most runtime functions and loads all of the other Web Apps, such as apps for the Browser, Dialer, SMS, Contacts etc.  
== Web App Security Model ==
When running, Gaia can be thought of as one large HTML document as shown below:
==Introduction==
<window> Gecko chrome  |
===Motivation===
  +--> <iframe> Gaia system app
Currently all web functionality is provided in an untrusted model. Any API function that is to be made available to web content must be designed in such a way that it cannot be abused by potentially untrusted content, which often means limiting the flexibility or features of an API. A permissions model is required to define the requirements needed to trust web content with more powerful functionality and also to define the process for granting and managing permissions to use this functionality.
          |
 
          +--> <iframe> homescreen app
Instead of treating all content as untrusted, web apps can become trusted by virtue of being installed from trusted marketplaces.
          |
===Definitions===
          +--> <iframe> keyboard
* Untrusted Web App: This type of Web App is essentially a bookmark, with slightly elevated privileges granted by default. No extra permissions can be granted to this type of Web App, and it can be installed from anywhere.
          |
*Trusted Web App: The majority of Web Apps will be trusted Web Apps installed from a trusted marketplace.  This level of Web App is the equivalent of Apps for other mobile platforms. Permissions are granted to these Web Apps at install time, but can be modified by the user as part of the install process (or at any time later while the App is still installed).
          +--> <iframe> Web Apps (one per each app)
*Certified Web App: These Web Apps are highly trusted Web Apps which likely ship with the device, or could be attained through a very limited number of stores (e.g. only the carrier or the Mozilla). Permissions for certified Apps cannot be modified, as they are necessary for the function of the device.
          |
===Principles===
          +--> <iframe> browser app (when it is loaded)
In designing this permissions model, the following principles have been followed:
                  |
*User control of permissions: The user must be empowered to control the permissions granted to Web Apps
                  <iframe> Web content
*Protected from bad choices: Protect users from granting dangerous permissions or revoking essential ones.
So when performing Gaia security testing, we mainly was to test from two perspectives (from least to most privileged):
*Secure by default: Users must also be secure by default – if they choose not to manage permissions, and rely solely on marketplace for permission recommendations, their device must still be secure.
- Web Content loaded in the Gaia Browser App
*Security decisions made at appropriate times: timing plays an important role is security decisions – a user may be comfortable sharing certain information at one time, but not at others. In other cases, the user may want to grant a permission to an application forever, and not bothered by repeated prompts.
- Installed Web Apps
*Least privilege: applications should only be granted the permissions they need to perform the task they are developed for.
- The System App (in case of attack from content)
*Strength of permission correlates to risk : The more powerful an API is, and thus the higher risk associated with it, the stronger process for granting this permission must be
- Gecko chrome code (in case of further privilege escalation)
===Challenges===
This post will go through the basics of executing script at each of these levels.
* Avoid dialogue fatigue: over prompting users is a bad user experience, and leads to insecure behavior. Security decisions need to be timely, but avoid overly burdening users with security decisions.
===Setting up B2G Desktop===
*Simple model so users clearly understand implications of granting permissions. Too many permissions and the model is too complicated, too few and the user is no longer in control (apps have either all or nothing access, and granularity is not appropriate)
When testing gaia, you have 4 options:
*Avoid forcing users to grant permissions as a pre-requisite for app installation: UI for granting permissions should not allow websites to bludgeon the users into granting permissions (this behavior should lead to the user not wanting to use the application)
- a b2g device
 
- b2g in an emulator
==Web App Security Categories==
- b2g compiled to run on desktop (b2g desktop)
 
- load Gaia inside nightly
Web Apps fall into three security categories: Installed, Trusted and Certified Web Apps.
Testing on b2g desktop is the sweet spot for ease of use vs completeness. Obviously some things don't work (dialing, sms etc) but for just testing Gaia as a whole this is a great place to start.  
===Untrusted Web Apps===
The following are condensed instructions for how to install and run b2g desktop. For a more detailed explanation and further information, see https://wiki.mozilla.org/Gaia/Hacking.
An Installed Web App is one that is installed from anywhere – the user has chosen to trust this page as a Web App, but no additional security requirements are placed on the Web App provider. As such, the only limited additional features are available Installed Web Apps, and they cannot be granted specific permissions, beyond a basic few that allow for a better user experience without increasing risk.
'''Step 1. Install B2G desktop'''
User experience: “bookmark to desktop/homescreen” style experience distinct from Web App experience. No installation dialog.
Download an install the appropriate binary for your system here: http://ftp.mozilla.org/pub/mozilla.org/b2g/nightly/latest-mozilla-central/
Permissions: Granted very basic permissions to allow for a more “App-like” experience. No additional permissions can be granted beyond what is available to a regular web page.
Mac: Open the dmg file and drag the b2g app to your applications directory
Installation: Any marketplace , or web apps can self install from their own website.
Windows: Run the installer
Security Requirements: None. All APIs provided to this level of application must be implemented defensively to protect user even if this content turns out to be malicious
'''Step 2. Download and build Gaia'''
===Trusted Web Apps===
You need to download Gaia, and then build it, which builds a profile which you can load with b2g desktop. This can be achieved with the following commands:
A Trusted Web App is one that is installed from a trusted marketplace. The marketplace has a contract with the web app provider, and certain security requirements must be in place for these applications.
    $ git clone https://github.com/mozilla-b2g/gaia
User experience: App like installation experience (visit a store, install an App).  
    $ cd gaia
Permissions: Permissions levels set at install time. Any permission that is to available to a trusted Web App must be granted prior to launch. Use of an API feature may still require user consent at runtime, depending on the level of permission set.  
    $ DEBUG=1 make
Installation: Installation from a Trusted Marketplace
Note: "DEBUG=1" is needed to enable testing tools.
Security Requirements: TBD. Enough to mitigate risks of APIs associated with this permission level.
'''Step 3. Load B2G desktop using the profile created by gaia'''
===Certified Web Apps===
Load the b2g executable, supplying the -profile option with the path to the gaia location
Certified Web Apps will most likely ship with the devices themselves or be installed through a very limited number of stores (maybe only the carrier, or possibly the Mozilla store)
    $ b2g -profile /path/to/gaia/profile
User experience: The user would rarely if ever install a certified app. Installation would be similar to Trusted App  case expect that permissions can not be modified.
Assuming it all works, you should see the lock screen: http://imgur.com/yKxqN
Permissions: Permissions levels set at install time and can not be modified to protect the user.
Specific examples, assuming current directory is where you installed gaia.
Installation: Installation from a Marketplace which is Trusted by the device to install certified Web Apps
Mac:
Security Requirements: Very strict requirements. Completely offline apps, with code authentication and integrity controls.
    $ /Applications/B2G.app/Contents/MacOS/b2g -profile `pwd`/profile
 
Linux:
==Permissions==
    [Todo] You're smart, I'm sure you can figure it out.
 
Windows:
===Permission Types===
    [Make a shortcut, not sure how to build gaia though (gnu make fails for me…)]
How permissions are implemented vs. how they are conveyed to the user?
*Useful switches when running b2g:
Maybe group permissions by Application roles ?
** Launch B2G desktop with a specific screen resolution:  --screen (e.g. --screen 800x600)
List of permissions:
** Enable the error console: -jsconsole
*Browser
'''Notes'''
*Camera
* The lock screen is initially shown (default passcode "0000"). This can be turned off/changed in settings
*Etc…
* Exit an app using esc or home key
 
* This is a phone; the screen will sleep! Wake from sleep (black screen) using home key command only (fn + left, mac users)
===Permission Levels===
===Testing the B2G Browser App===
[unsure about this section, but even if permissions are binary, I think we need to support these four user experiences]
Webpages are the least privileged content on b2g and the easiest to test. Just open the browser app and load a web page.
 
[NOTE: currently a bug with the latest b2g desktop builds 15 jul. Missing a lib, but you can copy it from xulrunner which gaia installs when it is building see  https://bugzilla.mozilla.org/show_bug.cgi?id=774215]
The are four levels of permission which can been granted, either allow, prompt on first use, prompt always or deny.
===Testing as a Web App===
*Allow: Always allow this permission to the application. A notification may be provided to the user that the permission is in use, but explicit user permission is not required.
The easiest way to test as a web app is to create your web app. This is made easy since there is already a template in gaia which you can copy.
*Prompt on first use: This Web App has been registered to require this permission, however the user must be prompted before granted access to this permission. The platform can provide a mechanism to remember this decision, in which case the permission is elevated
Below are instructions to copy http://www.squarefree.com/shell/shell.html into an app so you have a nice shell to execute commands as an app (again assuming current in gaia directory).
*Prompt Always: This Web App has been registered to require this permission, however the user must always be prompted before granted access to this permission.
'''Step 1. Make a copy of the template app'''
 
    $ cp -R test_apps/template test_apps/shell
===Granting Permissions===
'''Step 2. Put some content in index.html'''
A Web App requests permissions in the manifest when submitting to a store (an application may only be granted permissions that it requests in the manifest)
    $curl http://www.squarefree.com/shell/shell.html >test_apps/shell/index.html
An App Store can grant permissions to a Web App during the install process (but not necessarily all of the requested permissions
'''3. Change the name in manifest.webapp so that it is called something other than template:
The user is informed of the permissions during installation, and can modify them if desired, or choose to trust the defaults set by the App Store. If the App is a certified App, then the permissions can not be modified by the user.
sed -e '/Template/s//Shell/' test_apps/shell/manifest.webapp'''
Permissions Granted by Marketplaces
You might want to launch b2g with a larger screen res so you can see what you are typing. Or click and drag to zoom the page.
In order to gain permissions, an application must be installed from a trusted marketplace. The process for a Web App to gain permissions is as follows:
=== Testing with Marionette===
# Web App specifies the permissions it would like in its manifest file
Marionette provides a mechanism to connect a remote client to a B2G instance, call javascript and get the result. It allows injecting script into any level from chrome right down to web content.
# Manifest added to a marketplace
To install and get started with Marionette, follow the instructions here: https://developer.mozilla.org/en/Mozilla/Boot_to_Gecko/Setting_Up_Marionette_for_B2G
# And then?????
Important: Since we are running b2g desktop instead of on a device or emulator, you do not need to use adb to forward port 2828. Just skip this step.
===Management of Permissions===
Once you have it all working, the following commands will get you started.
A user can modify the permissions granted to a Web App at any time including granting or revoking privileges
>>> from marionette import Marionette
Permissions can be granted per application, or set globally in the Default Permission Policy (see below)
>>> marionette = Marionette('localhost', 2828)
Users need to be guided on the consequence of changing permissions, and protected from making choices which are insecure or which could disable their device (e.g. removing the permissions setting capability from the permissions web app)
>>> marionette.start_session()
Permissions can be modified either through a permission manager application, or set through contextual actions (e.g. response to security prompts including "remember me" checkboxes or through behavior in some cases, e.g. user ignores a prompt five times in a minute, don't prompt again for an hour)
u'8-b2g'
 
At this point we are connected and can start issuing commands.
==Trust Model==
>>> marionette.execute_script("return document.location.href")
===Trusted Model===
u'http://system.gaiamobile.org:8080/'
1. The user is the root source of trust for permissions settings.
By default, we are executing script inside the top level content frame, which is the Gaia "System" app.
2. B2G devices will be shipped with a root Trusted Store (or several) which has the power to set the permissions defaults for an Web App.
To switch to chrome perform use the set_context command:
3. The user can choose to override store permissions (either granting or revoking privileges), but the store permissions should be safe for the user, and represent the minimum permissions the application needs to run.
>>> marionette.set_context("chrome")
4. The store can also entrust other stores with the power to grant permissions (possibly a subset of permissions, or not privileged permissions)
True
 
>>> marionette.execute_script("return document.location.href")
===Certified Model===
u'chrome://browser/content/shell.xul'
1. The marketplace is the root source of trust for permissions settings.
To switch back, use the same command:
2. B2G devices will be shipped with a root Certified Store (or several)
>>> marionette.set_context("content")
 
True
===Trust Model Questions===
>>> marionette.execute_script("return document.location.href")
Is there way for a user to add a Trusted store? (In a sense the answer is always yes, but how difficult will it be from a scale from jail breaking to through to a UI provided mechanism) This is out-of-scope of for the permissions model though, and relates more to the business model of partners.
u'http://system.gaiamobile.org:8080/'
 
Now lets open the browser app:
==Future Goals==
[more todo]
Requirements Out of Scope for Version 1.0
Ability for users to add trusted application stores
Ability for the user to add arbitrary permissions to an application
Ability for the user to install trusted application directly from application providers

Revision as of 11:54, 16 July 2012

Testing Gaia with B2G desktop Gaia is a collection of web apps which make up the UI for the Boot to Gecko project. It consists of a system app, which performs most runtime functions and loads all of the other Web Apps, such as apps for the Browser, Dialer, SMS, Contacts etc. When running, Gaia can be thought of as one large HTML document as shown below: <window> Gecko chrome | 

 +--> <iframe> Gaia system app 
         |
         +--> <iframe> homescreen app
         |
         +--> <iframe> keyboard
         |
         +--> <iframe> Web Apps (one per each app)
         |
         +--> <iframe> browser app (when it is loaded)
                 |
                 <iframe> Web content

So when performing Gaia security testing, we mainly was to test from two perspectives (from least to most privileged): - Web Content loaded in the Gaia Browser App - Installed Web Apps - The System App (in case of attack from content) - Gecko chrome code (in case of further privilege escalation) This post will go through the basics of executing script at each of these levels.

Setting up B2G Desktop

When testing gaia, you have 4 options: - a b2g device - b2g in an emulator - b2g compiled to run on desktop (b2g desktop) - load Gaia inside nightly Testing on b2g desktop is the sweet spot for ease of use vs completeness. Obviously some things don't work (dialing, sms etc) but for just testing Gaia as a whole this is a great place to start. The following are condensed instructions for how to install and run b2g desktop. For a more detailed explanation and further information, see https://wiki.mozilla.org/Gaia/Hacking. Step 1. Install B2G desktop Download an install the appropriate binary for your system here: http://ftp.mozilla.org/pub/mozilla.org/b2g/nightly/latest-mozilla-central/ Mac: Open the dmg file and drag the b2g app to your applications directory Windows: Run the installer Step 2. Download and build Gaia You need to download Gaia, and then build it, which builds a profile which you can load with b2g desktop. This can be achieved with the following commands: 

    $ git clone https://github.com/mozilla-b2g/gaia 
    $ cd gaia
    $ DEBUG=1 make

Note: "DEBUG=1" is needed to enable testing tools. Step 3. Load B2G desktop using the profile created by gaia Load the b2g executable, supplying the -profile option with the path to the gaia location 

    $ b2g -profile /path/to/gaia/profile

Assuming it all works, you should see the lock screen: http://imgur.com/yKxqN Specific examples, assuming current directory is where you installed gaia. Mac: 

    $ /Applications/B2G.app/Contents/MacOS/b2g -profile `pwd`/profile

Linux: 

    [Todo] You're smart, I'm sure you can figure it out.

Windows: 

    [Make a shortcut, not sure how to build gaia though (gnu make fails for me…)]
  • Useful switches when running b2g:
    • Launch B2G desktop with a specific screen resolution: --screen (e.g. --screen 800x600)
    • Enable the error console: -jsconsole

Notes

  • The lock screen is initially shown (default passcode "0000"). This can be turned off/changed in settings
  • Exit an app using esc or home key
  • This is a phone; the screen will sleep! Wake from sleep (black screen) using home key command only (fn + left, mac users)

Testing the B2G Browser App

Webpages are the least privileged content on b2g and the easiest to test. Just open the browser app and load a web page. [NOTE: currently a bug with the latest b2g desktop builds 15 jul. Missing a lib, but you can copy it from xulrunner which gaia installs when it is building see https://bugzilla.mozilla.org/show_bug.cgi?id=774215]

Testing as a Web App

The easiest way to test as a web app is to create your web app. This is made easy since there is already a template in gaia which you can copy. Below are instructions to copy http://www.squarefree.com/shell/shell.html into an app so you have a nice shell to execute commands as an app (again assuming current in gaia directory). Step 1. Make a copy of the template app 

    $ cp -R test_apps/template test_apps/shell

Step 2. Put some content in index.html 

    $curl http://www.squarefree.com/shell/shell.html >test_apps/shell/index.html

3. Change the name in manifest.webapp so that it is called something other than template: sed -e '/Template/s//Shell/' test_apps/shell/manifest.webapp You might want to launch b2g with a larger screen res so you can see what you are typing. Or click and drag to zoom the page.

Testing with Marionette

Marionette provides a mechanism to connect a remote client to a B2G instance, call javascript and get the result. It allows injecting script into any level from chrome right down to web content. To install and get started with Marionette, follow the instructions here: https://developer.mozilla.org/en/Mozilla/Boot_to_Gecko/Setting_Up_Marionette_for_B2G Important: Since we are running b2g desktop instead of on a device or emulator, you do not need to use adb to forward port 2828. Just skip this step. Once you have it all working, the following commands will get you started. >>> from marionette import Marionette >>> marionette = Marionette('localhost', 2828) >>> marionette.start_session() u'8-b2g' At this point we are connected and can start issuing commands. >>> marionette.execute_script("return document.location.href") u'http://system.gaiamobile.org:8080/' By default, we are executing script inside the top level content frame, which is the Gaia "System" app. To switch to chrome perform use the set_context command: >>> marionette.set_context("chrome") True >>> marionette.execute_script("return document.location.href") u'chrome://browser/content/shell.xul' To switch back, use the same command: >>> marionette.set_context("content") True >>> marionette.execute_script("return document.location.href") u'http://system.gaiamobile.org:8080/' Now lets open the browser app: [more todo]

Retrieved from "https://wiki.mozilla.org/index.php?title=User_talk:Ptheriault&oldid=450985"