Issott, Common Design Patterns for Symbian OS: The Foundations of Smartphone Software (ISBN 0470516356)
No further security checks can be performed on it after this point.

Plug-in selection is performed via the ECom service, which resides in the ECom server process (see Figure 7.7) and hence involves a context switch when the plug-in is loaded. However, once the ECom plug-in has been selected it acts just as if the DLL providing the plug-in had been loaded directly into the process, and has the same performance benefits as statically loaded DLLs.

Figure 7.7 Dynamics of the Buckle pattern

The framework can use the REComSession::ListImplementationsL() API to find plug-ins that have implemented the plug-in interface specified by the framework provider. For usability reasons, it only returns references to plug-ins that would satisfy the DLL loading rule for the framework process. Whilst this might seem to make the security check performed when REComSession::CreateImplementationL() loads the DLL unnecessary, that check is what prevents a Time-of-Check-Time-of-Use (TOCTOU)[25] hole: a client can pass any plug-in UID into CreateImplementationL(), whether or not it appeared in the list, and the set of installed plug-ins may have changed since the list was produced, so the DLL loading rule has to be applied at the moment the DLL is actually loaded rather than trusting the earlier enumeration.

Implementation

Framework

One of the early decisions that framework providers need to make when using this pattern is what capabilities they should require plug-ins to have.[26] Note that this decision has important consequences for who can provide plug-ins and the cost associated with doing so.
See the introduction to this chapter for more details.

Once the decision has been made on what the capabilities of the framework will be, the developer of the framework should assign them to the EXE:

    // Framework.mmp
    TARGET          framework.exe
    TARGETTYPE      exe
    UID             0xE8000077
    CAPABILITY      <capability list>
    SOURCEPATH      .
    SOURCE          framework.cpp
    USERINCLUDE     .
    SYSTEMINCLUDE   \epoc32\include
    SYSTEMINCLUDE   \epoc32\include\ecom
    LIBRARY         euser.lib
    LIBRARY         ecom.lib

For more details of the MMP file syntax, see the Symbian Developer Library.

The loading of the actual plug-ins should be done using the ECom service as described in the Symbian Developer Library and [Heath, 2006, Chapter 6].
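The relationship between the enumeration step and the load-time check is easier to see in code. The following is an added example written for this edit, not code from the book or from Symbian OS. It models, in portable C++ so that it runs without the Symbian SDK, the DLL loading rule (a DLL may be loaded into a process only if the DLL holds every capability the process holds) together with an ECom-style registry whose ListImplementations() filters on that rule for usability and whose CreateImplementation() re-applies it to whatever UID is actually passed. The capability bit values, the plug-in UIDs and names, and the registry changing between list and create are all constructed for the example; the framework capabilities used (TrustedUI and ProtServ) follow the Notification Server example given later in this section.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Capabilities as a bit set. The names are Symbian OS capability names used on
// this page; the bit positions are an assumption of this example, not the OS's.
enum Capability : std::uint32_t {
    ECapTrustedUI       = 1u << 0,
    ECapProtServ        = 1u << 1,
    ECapNetworkServices = 1u << 2,
    ECapReadUserData    = 1u << 3,
    ECapWriteUserData   = 1u << 4,
};
using CapSet = std::uint32_t;

struct PluginDll {
    std::uint32_t uid;   // implementation UID the framework passes to ECom
    std::string   name;
    CapSet        caps;  // what the CAPABILITY line of the plug-in's MMP grants
};

// The DLL loading rule: a DLL may only be loaded into a process if the DLL
// holds every capability the process holds (DLL caps must be a superset).
bool DllLoadingRuleAllows(CapSet processCaps, CapSet dllCaps) {
    return (dllCaps & processCaps) == processCaps;
}

// Once loaded, a plug-in runs with the process's capabilities and never more:
// capabilities the DLL has beyond the framework's are unusable inside it.
CapSet EffectiveCaps(CapSet processCaps) { return processCaps; }

// Minimal stand-in for the plug-in registry held by the ECom server.
class EComRegistry {
public:
    void Register(const PluginDll& p) { plugins_[p.uid] = p; }

    // Analogue of REComSession::ListImplementationsL(): for usability it only
    // returns plug-ins that would pass the loading rule for this framework.
    std::vector<std::uint32_t> ListImplementations(CapSet frameworkCaps) const {
        std::vector<std::uint32_t> uids;
        for (const auto& kv : plugins_)
            if (DllLoadingRuleAllows(frameworkCaps, kv.second.caps))
                uids.push_back(kv.first);
        return uids;
    }

    // Analogue of REComSession::CreateImplementationL(): the rule is applied
    // again to the UID actually supplied. This is the check that closes the
    // TOCTOU window, because a caller may pass a UID that was never listed,
    // and the registry may have changed since the list was produced.
    const PluginDll* CreateImplementation(std::uint32_t uid, CapSet frameworkCaps) const {
        auto it = plugins_.find(uid);
        if (it == plugins_.end()) return nullptr;                          // unknown UID
        if (!DllLoadingRuleAllows(frameworkCaps, it->second.caps)) return nullptr; // loader refuses
        return &it->second;
    }

private:
    std::map<std::uint32_t, PluginDll> plugins_;
};

// Constructed sample data modelled on the Notification Server example: the
// framework process (eiksrvs.exe) holds TrustedUI and ProtServ. The plug-in
// UIDs and names below are made up for this example.
const CapSet kNotifierFrameworkCaps = ECapTrustedUI | ECapProtServ;

EComRegistry MakeSampleRegistry() {
    EComRegistry reg;
    reg.Register({0x10000001, "dialog-exact-match", ECapTrustedUI | ECapProtServ});
    reg.Register({0x10000002, "dialog-extra-caps",  ECapTrustedUI | ECapProtServ | ECapNetworkServices});
    reg.Register({0x10000003, "dialog-no-protserv", ECapTrustedUI});
    reg.Register({0x10000004, "dialog-no-caps",     0});
    return reg;
}

// Time-of-check/time-of-use scenario: the framework lists implementations, then
// the plug-in behind a listed UID is replaced (constructed here; think of a later
// install) by a build lacking ProtServ before the framework creates it.
// Returns true if the load-time check rejected the swapped plug-in.
bool ToctouIsCaught() {
    EComRegistry reg = MakeSampleRegistry();
    std::vector<std::uint32_t> listed = reg.ListImplementations(kNotifierFrameworkCaps);
    bool wasListed = false;
    for (std::uint32_t u : listed) if (u == 0x10000001) wasListed = true;
    reg.Register({0x10000001, "dialog-exact-match-v2", ECapTrustedUI});  // registry changes
    return wasListed && reg.CreateImplementation(0x10000001, kNotifierFrameworkCaps) == nullptr;
}
```

In the real system the refusal comes from the loader at the point where CreateImplementationL() loads the DLL; the model folds that into CreateImplementation(). Note that the plug-in with extra capabilities loads successfully but EffectiveCaps() shows it gains nothing from them inside the framework process, which is the last of the Negatives listed under Consequences.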
A plug-in can be considered to be a resource and hence the patterns in Chapter 3 may be helpful.

Plug-ins

A plug-in developer should assign the same capabilities as used by the framework process to the plug-in's MMP file, unless there's a very good reason to add more,[27] for it to be successfully loaded by the framework at run time. Other than this, a plug-in should be implemented exactly as specified by the ECom service.

[25] en.wikipedia.org/wiki/TOCTOU
[26] The complete list is provided in [Heath, 2006, Section 2.4] and the Symbian Developer Library.
[27] For instance, the plug-in DLL may contain code that is known to be loaded elsewhere. Even in this case you should consider separating the code out into two DLLs, one containing the plug-in and the other containing the code loaded elsewhere.

Consequences

Positives

• This pattern is simple to understand, which reduces maintenance costs.
• It is easy to implement the security checks in the framework, since it could be as little as one extra line in an MMP file compared to not having any checks at all.
• There is no impact on performance or memory usage except for a small overhead when the plug-in is loaded compared to statically linking to it.

Negatives

• The security check is all or nothing.
• Once a plug-in has been loaded, it can access any data that the framework process can access and hence is able to affect its behavior.
• If the framework process requires additional capabilities to perform its own tasks then this may result in unnecessary security requirements being placed on the plug-ins.
• Adding more capabilities to the framework executable is, at best, difficult.
This is because all plug-ins would also need to have this new capability or the framework will no longer be able to load them. The more plug-in providers there are, the more of a problem this is. In practice, adding more capabilities after a framework has been released isn't feasible. If you think you might need to do this then use Quarantine (see page 260) or Cradle (see page 273).
• Any plug-ins with more capabilities than the framework process cannot use them, since a plug-in DLL is limited at run time to just the capabilities assigned to the framework process.

Example Resolved

The Notification Server resolves its need for secure plug-ins by using the ECom service to identify and load plug-ins directly into the eiksrvs.exe process. The server requires the TrustedUI capability to allow it to display dialogs to the user that won't be misleading or somehow corrupt the UI. In addition, the process requires the ProtServ capability to allow it to register the Notification Server within a protected name space and so limit the scope for the server to be spoofed.

The result of this is that dialog plug-in providers must create an ECom plug-in DLL which implements a custom notifier class by deriving from MEikSrvNotifierBase2. For the DLL to successfully load into the eiksrvs.exe process, it must have the same capabilities as the process (TrustedUI and ProtServ) or more. Since both of these are system capabilities, some additional development time is required of plug-in providers to achieve this, but no additional run-time costs are incurred.[28]

Note that we would expect plug-ins to need the TrustedUI capability since it is directly related to what a plug-in does. The ProtServ capability, however, isn't needed by the plug-in, though it must have it assigned so that the framework can trust the plug-in not to subvert the framework's own use of the capability.

The result is that third-party developers can add new dialogs to the Notification Server but, because they are signed, any such plug-ins that are found to be malicious could potentially have their signatures revoked in future to prevent them from being installed on new devices.

For more on the Symbian OS Notification Services, including notifier code examples, see [Willee, Dec 2007].

Other Known Uses

This pattern is widely used but we've just picked the following two examples to further illustrate it:

• Y-Browser [Silvennoinen, 2007]
This is a file browser application designed for S60 3rd edition devices. In particular, it supports plug-ins for its 'Open With' menu option that are loaded using the pattern. The framework process is created when YuccaBrowser.exe is executed, which uses ECom to locate any plug-ins that have at least the following capabilities: NetworkServices, LocalServices, ReadUserData, WriteUserData, UserEnvironment. Since these are all user-grantable capabilities, it is relatively easy for any third-party developer to obtain them and so extend the functionality of Y-Browser without risking the loss of the user's information.
• Protocol Modules
Another example is the Symbian OS Communication Infrastructure, which loads protocol module plug-ins (.PRTs) into the c32exe.exe process.
This framework process has an extensive list of capabilities, up to but not including device-manufacturer-approved grantable capabilities, which means that the providers of plug-ins won't generally include the average third-party developer. Note that, like a number of older Symbian OS plug-in frameworks, the Communication Infrastructure doesn't use ECom but uses RLibrary::Load() directly.

[28] This is true, at the time of writing, when you use the Open Signed – Online option.

Variants and Extensions

None known.

References

• Client–Thread Service (see page 171) solves a different problem but its implementation has some similarities to this pattern.
• Quarantine (see page 260) is an alternative way of providing an extension point which doesn't require the plug-in to be signed with the same capabilities as the framework, when you require little or no communication between the framework and its plug-ins.
• Cradle (see page 273) extends Quarantine (see page 260) to support an ongoing communication session between the framework and its plug-ins.
• See Chapter 3 for patterns describing how you can improve execution performance or RAM usage by changing the point at which you load and unload plug-ins.
• The following documents contain some additional information on ECom:
  • Symbian Developer Library > Symbian OS guide > System > Libraries > Using ECom
  • Symbian Developer Library > Examples > ECom example code

Quarantine

Intent

Load plug-ins as separate processes, operating at different levels of trust to your own, to increase the flexibility of your architecture without compromising security.

AKA

None known

Problem

Context

You need to provide a secure fire-and-forget extension point in your component and you can't use Buckle (see page 252) due to the restraints it places on the capabilities of the framework and its plug-ins.

Summary

• Architectural extensibility has to be provided.
• The potential damage caused by plug-ins needs to be limited by minimizing the capabilities with which they execute (principle of least privilege).
• There must be minimal restrictions on who can provide plug-ins.
• Different sets of capabilities are required for plug-ins and the framework.

Description

Buckle (see page 252) works best when there is a close match between the capabilities of the framework and those expected of its plug-ins. Where there is a mismatch between the capabilities of the framework and any that one or more plug-ins might need at run time, it can be tempting to simply raise the capabilities of the framework process so as to support any reasonable activity of a plug-in DLL.
This is bad practice, since the result is to raise the security risk by unnecessarily putting more trust in the whole framework process and all the DLLs it depends on,[29] not just the plug-ins. It would also be contrary to the principle of least privilege. For instance, if one plug-in needs TCB then creating a useful framework would be significantly more difficult if the plug-in was loaded as a DLL, because the framework process, and therefore every DLL it links to, would have to be signed with TCB as well.

Alternatively, the framework may need a hard-to-obtain capability for its own use which is unrelated to the trust required of the plug-ins, and you don't want to restrict who can provide plug-ins by forcing them to be signed with a capability that their code doesn't need to operate correctly.

Another consideration is that the scope for security problems is significant when the plug-ins reside in the same process as the framework, as in Buckle (see page 252).

[29] As a direct result of the DLL loading rule.