Concepts with Symbian OS (779878), страница 61
Текст из файла (страница 61)
An attacker might target asingle service – say, a web service – and send a flood of HTTP requests,thereby shutting down service to requests from any other source. Denialof-service attacks become even more insidious when they come frommultiple sources – called distributed denial-of-service attacks. In distributed denial-of-service attacks, many computers team up to bringdown a computer or website.There are many other types of threat that exist. The number of attackson computers is limited only by human ingenuity.Many operating systems are designed by concentrating on how tomanage the computer system and laying on security after that initialdesign.
The result is usually security that does not fit correctly with allcomputer use. Examples abound. In the early design of Unix systemservices such as trivial-file-transfer protocol (TFTP) were designed withno authentication in mind, allowing any file to be transferred anywhere.The invention and use of email spam initially resulted from a featuredesigned by trusting mail transport designers. These designers allowedone message to be sent to a site from anywhere and they allowed it to goto many destinations at once.14.5Security on SmartphonesSmartphones provide a difficult environment to make secure.
They aresingle-user devices and require no user authentication to use basic functions. Even more complicated functions (such as installing applications)require authorization but no authentication.1 However, they run on1Bluetooth usage is an exception to this. The Bluetooth protocols specify a passkey beused to allow Bluetooth functionality between phones.294SECURITYcomplex operating systems with many ways to bring data – includingexecuting programs – in and out.
Safeguarding these environments iscomplicated.Symbian OS is a good example. Users expect Symbian OS smartphonesto allow any kind of use without authentication – no logging in or verifyingyour identity. Yet, as we have found out in this book, an operating systemas complicated as Symbian OS is very capable yet also susceptible toviruses, worms, and other malicious programs. Versions of Symbian OSprior to v9 offered a gatekeeper type of security: the system asked the userfor permission for every installed application. The thinking in this designwas that only user-installed applications could cause system havoc andan informed user would know what programs he intended to install andwhat programs were malicious.
The user is trusted to use them wisely.This gatekeeper design has a lot of merit. For example, a new smartphone with no user-installed applications would be a system that couldrun without error. Installing only applications that a user knew werenot malicious would logically maintain the security of the system. Theproblem with this design is that users do not always know the complete ramifications of the software they are installing.
There are virusesthat masquerade as useful programs, performing useful functions whilesilently installing malicious code. Normal users are unable to verify thecomplete trustworthiness of all the software available.This verification of trust is what prompted a complete redesign ofplatform security for Symbian OS v9. This version of the operating systemkeeps the gatekeeper model, but takes the responsibility for verifyingsoftware away from the user. Software developers are now responsiblefor verifying their own software through a process called signing andthe system verifies the developer’s claim. Not all software requires suchverification, only those that access certain system functions.
When anapplication requires signing, this is done through a series of steps:1.The software developer must obtain a vendor ID from a certificateauthority. These trusted parties are certified by Symbian.2.When a developer has developed a software package and wants todistribute it, he must submit his package to an independent test housefor validation. The developer submits his vendor ID, the software,and a list of ways that the software accesses the system.3.The test house then verifies that the list of software access types iscomplete and that no other type of access occurs. If the test houseSECURITY ON SMARTPHONES295can make this verification, the software is signed by it.
This meansthat the installation package has a special amount of information thatdetails what it does to a Symbian OS system and that it may actuallydo that.4.The installation package is sent back signed to the software developerand may now be distributed to users.Note that this method depends on how the software accesses systemresources. Symbian OS says that in order to access a system resource,a program must have the capability to access the resource. This idea ofcapabilities is built into the kernel of Symbian OS.
When a process iscreated, part of its PCB records the capabilities granted to the process.Should the process try to perform an access that was not listed in thesecapabilities, the access would be denied by the kernel and a programerror would result.The result of this seemingly elaborate process to distribute signedapplications is a trust system in which an automated gatekeeper built intoSymbian OS can verify software to be installed. The installation processchecks the signage of the installation package. If the signing of thepackage is valid, the capabilities granted to the software are recorded andthese are the capabilities granted to the application by the kernel whenit executes. The diagram in Figure 14.1 depicts the trust relationships inSymbian OS v9.Trusted-computing base:full ability to modify file system;contains Kernel, F32 andSWInstallTrusted-computing environment:system servers run with differentprivilegesMessagingMMFetelKernel, F32, SWInstallesockSigned applications:less-trusted software that issigned according to itsstated purposeFigure 14.1SWInstall is thegatekeeperWservUnsigned software:untrustworthy applications that do notaffect file systems or the systemenvironmentThe trust relationships in Symbian OS v9296SECURITYNote here that there are several levels of trust built into the system.There are some applications that do not access system resources at all,and therefore do not require signing.
An example of this might be anapplication that only displays something on the screen. These applicationsare not trusted, but they do not need to be. The next level of trust is madeup of user-level signed applications. These signed applications are onlygranted the capabilities they need. The third level of trust is made up ofsystem servers.
Like user-level applications, these servers may only needcertain capabilities to perform their duties. In a microkernel architecturesuch as Symbian OS, these servers run at the user-level and are trusted likeuser-level applications. Finally, there is a class of programs that requiresfull trust of the system. This set of programs has the full ability to changethe system and is made up of kernel code.There are several aspects to this system that might seem questionable.For example, is this elaborate process really necessary (especially whenit costs money to do)? The answer is yes: the Symbian Signed systemreplaces users as the verifier of software integrity and real verificationis done. This process might seem to make development difficult: doeseach test on real hardware require a new signed installation package? Toanswer this, Symbian OS recognizes the need for developer certificates.
Adeveloper must get a special signed digital certificate that is time limited(usually for six months) and specific to a particular smartphone. Thedeveloper can then build his own installation packages with the digitalcertificate.In addition to this gatekeeping function in Symbian OS v9, SymbianOS also employs something called data caging, which organizes datainto certain directories. Executable code only exists in one directory, forexample, that is writable only by the software installation application.In addition, data written by applications can only be written into onedirectory, which is private and inaccessible from other programs.14.6SummaryThis chapter has provided an overview of operating system security.
Webegan by introducing general security concepts. We then discussed howauthorization and authentication are used to ensure secure system access.We then outlined some of the threats that can jeopardize operating systemaccess. We concluded by taking a look at the security of Symbian OS.EXERCISES297Exercises1.Passwords can be problematic. Devise a few schemes that choosegood passwords but allow them to be remembered.2.Files have characteristics that can be used to see if they have beentampered with.
![](https://s.studizba.com/z.php?f=/templates/si/i/noavatar.png&w=100&h=100&t=1"){kind=avatar}
