Difference between revisions of "Symbian OS Platform Security/Appendix A: Capability Descriptions"
m (2 revisions: import from developer.symbian.org) |
(added backup link, tidied up formatting) |
||
Line 1: | Line 1: | ||
− | Reproduced by kind permission of John Wiley & Sons. | + | {| width="100%" |
+ | |- | ||
+ | |Reproduced by kind permission of John Wiley & Sons.||align="right"|[[Symbian OS Platform Security|Table of Contents]] | ||
+ | |} | ||
=System Capabilities= | =System Capabilities= | ||
− | {{Icode|Tcb}} | + | =={{Icode|Tcb}}== |
− | Write access to executables and shared read-only resources | + | '''Write access to executables and shared read-only resources''' |
− | Tcb allows write access to \sys and \resource directories. This is the | + | |
+ | {{Icode|Tcb}} allows write access to \sys and \resource directories. This is the | ||
most critical capability as it allows write access to executables, which | most critical capability as it allows write access to executables, which | ||
contain the capabilities that define the security attributes of a process. | contain the capabilities that define the security attributes of a process. | ||
Line 12: | Line 16: | ||
with at least this capability. | with at least this capability. | ||
− | {{Icode|AllFiles}} | + | =={{Icode|AllFiles}}== |
− | Read access to the entire file system and write access to other processes’ | + | '''Read access to the entire file system and write access to other processes’ private directories''' |
− | private directories | + | |
− | Similarly to Tcb, this capability is very strictly controlled and it is not | + | Similarly to {{Icode|Tcb}}, this capability is very strictly controlled and it is not |
granted lightly. Nevertheless, phone manufacturers’ test software might | granted lightly. Nevertheless, phone manufacturers’ test software might | ||
reasonably have it. | reasonably have it. | ||
Line 26: | Line 29: | ||
Unlike {{Icode|Tcb}}, {{Icode|AllFiles}} permits read and write in {{Icode|\private}}. | Unlike {{Icode|Tcb}}, {{Icode|AllFiles}} permits read and write in {{Icode|\private}}. | ||
− | The system capability AllFiles can be used in the following | + | The system capability {{Icode|AllFiles}} can be used in the following |
circumstances: | circumstances: | ||
*By mobile phone manufacturers wishing to have a powerful shell or file manager. In this case, the user would be allowed to destroy or modify some servers’ private files. Symbian therefore highly discourages such a facility being made publicly available | *By mobile phone manufacturers wishing to have a powerful shell or file manager. In this case, the user would be allowed to destroy or modify some servers’ private files. Symbian therefore highly discourages such a facility being made publicly available | ||
*For test utilities to retrieve files in order to audit them to validate the behavior of a subsystem. | *For test utilities to retrieve files in order to audit them to validate the behavior of a subsystem. | ||
− | {{Icode|CommDD}} | + | =={{Icode|CommDD}}== |
+ | |||
+ | '''Direct access to all communications equipment device drivers''' | ||
− | |||
This includes for example, WiFi, USB and serial device drivers. | This includes for example, WiFi, USB and serial device drivers. | ||
− | {{Icode|DiskAdmin}} | + | =={{Icode|DiskAdmin}}== |
− | Access to file system administration operations that affect more than | + | '''Access to file system administration operations that affect more than one file or directory (or overall file-system integrity and behavior, etc.)''' |
− | one file or directory (or overall file-system integrity and behavior, etc.) | + | |
− | + | ||
− | + | This includes, for example, mounting and unmounting a drive partition. | |
+ | =={{Icode|Drm}}== | ||
− | Access to DRM-protected content | + | '''Access to DRM-protected content''' |
DRM agents use this capability to decide whether or not a program should | DRM agents use this capability to decide whether or not a program should | ||
have access to protected content. Symbian OS trusts that software granted | have access to protected content. Symbian OS trusts that software granted | ||
− | Drm capability will respect the rights associated with this content. | + | {{Icode|Drm}} capability will respect the rights associated with this content. |
− | {{Icode|MultimediaDD}} | + | =={{Icode|MultimediaDD}}== |
− | Access to critical multimedia functions such as direct access to associated | + | '''Access to critical multimedia functions such as direct access to associated device drivers and priority access to multimedia APIs''' |
− | device drivers and priority access to multimedia APIs | + | |
This includes sound, camera, video, etc. | This includes sound, camera, video, etc. | ||
− | {{Icode|NetworkControl}} | + | =={{Icode|NetworkControl}}== |
+ | |||
+ | '''The ability to modify or access network protocol controls''' | ||
− | |||
Typically when an action can change the behavior of several existing and | Typically when an action can change the behavior of several existing and | ||
− | future connections, it should be protected by NetworkControl. | + | future connections, it should be protected by {{Icode|NetworkControl}}. |
For example, forcing all existing connections on a specific protocol to | For example, forcing all existing connections on a specific protocol to | ||
be dropped or changing the priority of a call. | be dropped or changing the priority of a call. | ||
− | {{Icode|PowerMgmt}} | + | =={{Icode|PowerMgmt}}== |
− | The ability to kill any process, to power-off unused peripherals and to | + | '''The ability to kill any process, to power-off unused peripherals and to cause the mobile phone to go into stand-by, to wake up, or to power down completely''' |
− | cause the mobile phone to go into stand-by, to wake up, or to power | + | |
− | down completely | + | |
Note that this doesn’t control access to anything and everything that | Note that this doesn’t control access to anything and everything that | ||
might drain battery power. | might drain battery power. | ||
− | {{Icode|ProtServ}} | + | =={{Icode|ProtServ}}== |
+ | |||
+ | '''Allows a server process to register with a protected name''' | ||
− | |||
Protected names start with a ‘!’. The kernel will prevent servers without | Protected names start with a ‘!’. The kernel will prevent servers without | ||
− | ProtServ capability from using such a name, and, therefore, will prevent | + | {{Icode|ProtServ}} capability from using such a name, and, therefore, will prevent |
protected servers from being impersonated. All servers in the TCE have | protected servers from being impersonated. All servers in the TCE have | ||
this capability. | this capability. | ||
− | {{Icode|ReadDeviceData}} | + | =={{Icode|ReadDeviceData}}== |
− | Read access to confidential network operator, mobile phone manufacturer | + | '''Read access to confidential network operator, mobile phone manufacturer and device settings''' |
− | and device settings | + | |
Settings that are not confidential (such as the system clock) do not need | Settings that are not confidential (such as the system clock) do not need | ||
to be protected by this capability. | to be protected by this capability. | ||
+ | |||
Examples of confidential device data include the list of installed | Examples of confidential device data include the list of installed | ||
applications and the device lock PIN code. | applications and the device lock PIN code. | ||
− | {{Icode|SurroundingsDD}} | + | =={{Icode|SurroundingsDD}}== |
− | Access to logical device drivers that provide input information about | + | '''Access to logical device drivers that provide input information about the surroundings of the mobile phone''' |
− | the surroundings of the mobile phone | + | |
Good examples of drivers that require this capability would be GPS | Good examples of drivers that require this capability would be GPS | ||
and biometrics device drivers. For complex multimedia logical device | and biometrics device drivers. For complex multimedia logical device | ||
drivers that provide both input and output functions, such as a sound | drivers that provide both input and output functions, such as a sound | ||
− | device driver, the MultimediaDD capability should be used where it is | + | device driver, the {{Icode|MultimediaDD}} capability should be used where it is |
impractical to separate the input from the output calls at its API level. | impractical to separate the input from the output calls at its API level. | ||
− | {{Icode|SwEvent}} | + | =={{Icode|SwEvent}}== |
− | The ability to simulate key presses and pen input and to capture such | + | '''The ability to simulate key presses and pen input and to capture such events from any program''' |
− | events from any program | + | |
Note that, when it has the user input focus, normal software does not | Note that, when it has the user input focus, normal software does not | ||
− | need SwEvent in order to be dispatched key and pen events. | + | need {{Icode|SwEvent}} in order to be dispatched key and pen events. |
− | {{Icode|TrustedUI}} | + | =={{Icode|TrustedUI}}== |
− | The ability to create a trusted UI session and, therefore, to display | + | '''The ability to create a trusted UI session and, therefore, to display dialogs in a secure UI environment''' |
− | dialogs in a secure UI environment | + | |
Trusted UI dialogs are rare. They must be used only when confidentiality | Trusted UI dialogs are rare. They must be used only when confidentiality | ||
Line 122: | Line 121: | ||
Normal access to the user interface and the screen does not require this. | Normal access to the user interface and the screen does not require this. | ||
− | Code implementing a trusted UI dialog would need SwEvent capability. | + | Code implementing a trusted UI dialog would need {{Icode|SwEvent}} capability. |
+ | |||
Note that trusted UI dialogs are not implemented in Symbian OS v9.1. | Note that trusted UI dialogs are not implemented in Symbian OS v9.1. | ||
− | {{Icode|WriteDeviceData}} | + | =={{Icode|WriteDeviceData}}== |
+ | |||
+ | '''Write access to settings that control the behavior of the device''' | ||
− | + | This setting is not always symmetrical with {{Icode|ReadDeviceData}}, i.e. just | |
− | This setting is not always symmetrical with ReadDeviceData, i.e. just | + | |
because data important to maintaining the integrity of the system is | because data important to maintaining the integrity of the system is | ||
protected from being written, does not mean that it needs to be protected | protected from being written, does not mean that it needs to be protected | ||
Line 138: | Line 139: | ||
=User Capabilities= | =User Capabilities= | ||
− | {{Icode|LocalServices}} | + | =={{Icode|LocalServices}}== |
+ | |||
+ | '''Access to services over ‘short-link’ connections (such as Bluetooth or infra-red). Such services will not normally incur cost for the user''' | ||
− | |||
− | |||
The location of the remote service is assumed to be well known to | The location of the remote service is assumed to be well known to | ||
the user. A program with this capability can normally send or receive | the user. A program with this capability can normally send or receive | ||
Line 150: | Line 151: | ||
telephone number. | telephone number. | ||
− | {{Icode|Location}} | + | =={{Icode|Location}}== |
− | Access to data giving the location of the phone | + | '''Access to data giving the location of the phone''' |
This capability supports the management of a user’s privacy regarding the | This capability supports the management of a user’s privacy regarding the | ||
mobile phone’s location. | mobile phone’s location. | ||
− | {{Icode|NetworkServices}} | + | =={{Icode|NetworkServices}}== |
+ | |||
+ | '''Access to remote services (such as over-the-air data services or Wi-Fi network access), which might incur cost for the user''' | ||
− | |||
− | |||
This capability allows access to a remote service without any restriction | This capability allows access to a remote service without any restriction | ||
on its physical location. Typically, this location is unknown to the user. | on its physical location. Typically, this location is unknown to the user. | ||
Line 168: | Line 169: | ||
profile’). | profile’). | ||
− | {{Icode|ReadUserData}} | + | =={{Icode|ReadUserData}}== |
− | Read access to confidential user data | + | '''Read access to confidential user data''' |
This capability supports the management of a user’s privacy. | This capability supports the management of a user’s privacy. | ||
Line 178: | Line 179: | ||
there could be a choice to be made by the user. | there could be a choice to be made by the user. | ||
− | {{Icode|UserEnvironment}} | + | =={{Icode|UserEnvironment}}== |
+ | |||
+ | '''Access to live data about the user and their immediate environment''' | ||
− | |||
This capability protects the user’s privacy. | This capability protects the user’s privacy. | ||
Line 186: | Line 188: | ||
and video recording, and biometrics (such as fingerprint) recording. Please | and video recording, and biometrics (such as fingerprint) recording. Please | ||
note that the location of the device is excluded from this capability and | note that the location of the device is excluded from this capability and | ||
− | is instead protected by using the dedicated capability Location. | + | is instead protected by using the dedicated capability {{Icode|Location}}. |
− | {{Icode|WriteUserData}} | + | =={{Icode|WriteUserData}}== |
− | Write access to confidential user data | + | '''Write access to confidential user data''' |
This capability supports the management of the integrity of user data. | This capability supports the management of the integrity of user data. | ||
− | Please note that this capability is not always symmetric with | + | |
− | + | Please note that this capability is not always symmetric with {{Icode|ReadUserData}}. For instance, one might wish to prevent rogue software from | |
deleting music tracks but not wish to restrict read access to them. | deleting music tracks but not wish to restrict read access to them. | ||
+ | |||
Software developers creating programs (whether system servers or | Software developers creating programs (whether system servers or | ||
applications) may use this capability to control access to their data when | applications) may use this capability to control access to their data when | ||
Line 203: | Line 206: | ||
choice will depend on the UI implementation. | choice will depend on the UI implementation. | ||
− | [[Category: | + | [[Category: Book]] |
Revision as of 22:13, 20 December 2010
Reproduced by kind permission of John Wiley & Sons. | Table of Contents |
Contents
System Capabilities
Tcb
Write access to executables and shared read-only resources
Tcb allows write access to \sys and \resource directories. This is the most critical capability as it allows write access to executables, which contain the capabilities that define the security attributes of a process. No third-party code should be allowed to do this. The TCB processes run with at least this capability.
AllFiles
Read access to the entire file system and write access to other processes’ private directories
Similarly to Tcb, this capability is very strictly controlled and it is not granted lightly. Nevertheless, phone manufacturers’ test software might reasonably have it.
For instance, the backup and restore server might need it to backup data on behalf of programs.
Unlike Tcb, AllFiles permits read and write in \private.
The system capability AllFiles can be used in the following circumstances:
- By mobile phone manufacturers wishing to have a powerful shell or file manager. In this case, the user would be allowed to destroy or modify some servers’ private files. Symbian therefore highly discourages such a facility being made publicly available
- For test utilities to retrieve files in order to audit them to validate the behavior of a subsystem.
CommDD
Direct access to all communications equipment device drivers
This includes for example, WiFi, USB and serial device drivers.
DiskAdmin
Access to file system administration operations that affect more than one file or directory (or overall file-system integrity and behavior, etc.)
This includes, for example, mounting and unmounting a drive partition.
Drm
Access to DRM-protected content
DRM agents use this capability to decide whether or not a program should have access to protected content. Symbian OS trusts that software granted Drm capability will respect the rights associated with this content.
MultimediaDD
Access to critical multimedia functions such as direct access to associated device drivers and priority access to multimedia APIs
This includes sound, camera, video, etc.
NetworkControl
The ability to modify or access network protocol controls
Typically when an action can change the behavior of several existing and future connections, it should be protected by NetworkControl.
For example, forcing all existing connections on a specific protocol to be dropped or changing the priority of a call.
PowerMgmt
The ability to kill any process, to power-off unused peripherals and to cause the mobile phone to go into stand-by, to wake up, or to power down completely
Note that this doesn’t control access to anything and everything that might drain battery power.
ProtServ
Allows a server process to register with a protected name
Protected names start with a ‘!’. The kernel will prevent servers without ProtServ capability from using such a name, and, therefore, will prevent protected servers from being impersonated. All servers in the TCE have this capability.
ReadDeviceData
Read access to confidential network operator, mobile phone manufacturer and device settings
Settings that are not confidential (such as the system clock) do not need to be protected by this capability.
Examples of confidential device data include the list of installed applications and the device lock PIN code.
SurroundingsDD
Access to logical device drivers that provide input information about the surroundings of the mobile phone
Good examples of drivers that require this capability would be GPS and biometrics device drivers. For complex multimedia logical device drivers that provide both input and output functions, such as a sound device driver, the MultimediaDD capability should be used where it is impractical to separate the input from the output calls at its API level.
SwEvent
The ability to simulate key presses and pen input and to capture such events from any program
Note that, when it has the user input focus, normal software does not need SwEvent in order to be dispatched key and pen events.
TrustedUI
The ability to create a trusted UI session and, therefore, to display dialogs in a secure UI environment
Trusted UI dialogs are rare. They must be used only when confidentiality and security are critical: for instance for password dialogs.
Normal access to the user interface and the screen does not require this. Code implementing a trusted UI dialog would need SwEvent capability.
Note that trusted UI dialogs are not implemented in Symbian OS v9.1.
WriteDeviceData
Write access to settings that control the behavior of the device
This setting is not always symmetrical with ReadDeviceData, i.e. just because data important to maintaining the integrity of the system is protected from being written, does not mean that it needs to be protected against being read.
Examples of this type of setting are device lock settings, system time, time zone, alarms, etc.
User Capabilities
LocalServices
Access to services over ‘short-link’ connections (such as Bluetooth or infra-red). Such services will not normally incur cost for the user
The location of the remote service is assumed to be well known to the user. A program with this capability can normally send or receive information through a serial port, USB, IR and point-to-point Bluetooth profiles. Examples of local services are synchronization of data with the user’s PC, file transfer, etc. This capability does not allow use of IP or any routable Bluetooth profiles, or spending of a user’s money by dialing a telephone number.
Location
Access to data giving the location of the phone
This capability supports the management of a user’s privacy regarding the mobile phone’s location.
NetworkServices
Access to remote services (such as over-the-air data services or Wi-Fi network access), which might incur cost for the user
This capability allows access to a remote service without any restriction on its physical location. Typically, this location is unknown to the user. Voice calls, SMS and Internet services are good examples of such network services. This capability controls access to services delivered via GSM, CDMA and all IP transport protocols including IP over Bluetooth (‘PAN profile’).
ReadUserData
Read access to confidential user data
This capability supports the management of a user’s privacy.
Typically contacts, messages and appointments are always seen as the user’s confidential data. For other content, such as images or sounds, there could be a choice to be made by the user.
UserEnvironment
Access to live data about the user and their immediate environment
This capability protects the user’s privacy.
Examples of services protected using this capability are audio, picture and video recording, and biometrics (such as fingerprint) recording. Please note that the location of the device is excluded from this capability and is instead protected by using the dedicated capability Location.
WriteUserData
Write access to confidential user data
This capability supports the management of the integrity of user data.
Please note that this capability is not always symmetric with ReadUserData. For instance, one might wish to prevent rogue software from deleting music tracks but not wish to restrict read access to them.
Software developers creating programs (whether system servers or applications) may use this capability to control access to their data when it is stored in private directories.
It is not always obvious whether to treat data as confidential and the choice will depend on the UI implementation.