july 10th, 2014 tizen security F2F in warsaw [email protected]
The three different behaviours of a same API (C language)
● Depending on the execution context, the same C API has a different security behaviour:
– in the user-land API, the call is delegated to a service that checks the privilege of the caller
– in the service interface API, the call is checked against the client's security tags using cynara, granted or denied, and if granted delegated to the core service
– in the service real API, the call is executed
[Diagram: an application in user space calls int verb(int arg) of the user-land API; the call crosses into system space to the service interface API, int verb(int arg), which asks cynara, then reaches the service real API, int verb(int arg).]
Unity of the API
● There are benefits in offering a single API for the 3 behaviours:
– develop only once
– separate the concern of programming (functional) from the concern of security (organic)
– allow flexibility in the implementation of the security
The example of crosswalk
● The implementation (in progress) of the Tizen Web API in crosswalk leaves the details of checking privileges to the API that it calls.
● The called API should return the error "permission denied" when a privilege is denied; the application (crosswalk) has to deal with this kind of error.
[Diagram, the shared model of crosswalk: RP, EP and BP, ExecuteJS, the W3C API and the Tizen API, crosswalk extensions calling the API.]
The example of crosswalk
[Diagram: two implementations of the same API called from crosswalk (RP, EP, BP). Left: API User in user space, then API interface and API real in system space. Right: crosswalk calls API interface and API real directly. This is the flexibility in the implementation of the security.]
The example of composing API
[Diagram: two API stacks, each made of API User in user space, then API interface and API real in system space; the blue API uses features of the white API. (Security analysis of Rice University)]
The example of wearables
● The case of the wearables might be complicated because:
– applications could be distributed
– the Web API may be absent because WRT is absent
● Example: consulting its recent messages on a gear
[Diagram: the application on the gear calls an API proxy; an API stub on the phone calls the API.]
Flexibility in the implementation of the security: IT'S A NEED
The needs
● Simplicity to migrate the applications from Tizen 2 to Tizen 3
● Easy development process for native applications (including crosswalk)
● Open APIs common to all verticals of Tizen (see previous point)
● Flexibility of the design for flexibility of the implementations
● Allowing future evolutions
The tizen 2 legacy
● WRT was checking the privileges and then calling the APIs
● OSP was checking the privileges and then calling the APIs
● A huge set of Smack rules was also checking in-system privileges at fine grain
[Diagram: user space: WRT, OSP; system space: API; security.]
Tizen 3
● The privileged APIs are services
● Security is also a service
[Diagram: user space: WRT / crosswalk, OSP / native; system space: API, security / cynara.]
Example of migrating WRT to CROSSWALK
[Diagram: left, Tizen 2: WRT in user space, API and security in system space; right, Tizen 3: crosswalk in user space, API and security (cynara) in system space.]
[Diagram, continued: crosswalk appears on the Tizen 2 side as well, next to WRT.]
[Diagram, continued: WRT is replaced by crosswalk on the Tizen 2 side too, still with the old security; on the Tizen 3 side, crosswalk with the API and security (cynara). This is the current state.]
[Diagram, continued: on the Tizen 2 side crosswalk calls the API User with the old security; on the Tizen 3 side the API is split into API Interface, checked by cynara, and API real.]
The idea of SAPI
[Diagram: today an application calls int verb(int arg) of the API directly. It becomes: the application calls int verb(int arg) of the user API in user space; in system space the interface API, int verb(int arg), is checked by cynara and calls the real API, int verb(int arg). The same API, 3 behaviours.]
The idea of SAPI
● Take the existing Tizen 2 API and migrate it to the Tizen 3 security model using the presented decomposition into the 3 behaviours; try to migrate it mechanically
● Define standard APIs based on Tizen 2, consistent with the Web APIs and secured. This allows development of native APIs in a controlled, secure way.
● Ideally the standard will fit the Web API; in other words, the needs of crosswalk and WRT
● Allow chaining for IoT and flexibility
Implementation of SAPI
[Diagram: the application calls int verb(int arg) of the user API, implemented as a proxy; in system space a stub receives the call and invokes the interface API, int verb(int arg), checked by cynara, which calls the real API, int verb(int arg).]
● Part of this model is an implementation of the well-known proxy/stub scheme of RMI/RPC
DBUS? The well-known ORB/RMI?
● Technically it is possible to implement the model using DBUS only:
– user API: a DBUS method call
– interface API: DBUS transparently checks the rights using cynara
– real API: a DBUS object handling the method calls
● BUT
– slow! fat!
– problems with callbacks and multithreading
– introduces a dependency on DBUS everywhere (temptation: even in places where it is not useful, because DBUS will check)
– DBUS has to be modified (development and maintenance, a fork?)
– DBUS has to be configured (how?)
Our research work
● Taking the existing API in C language:
– discover the API
– create the user+proxy API: proxy the calls and manage the connection to the service
– create the server+stub process: manage the clients (fork), stub the calls and call the interface API
– create the interface API: check the rights using cynara and call the real API
mechanical creation
[Diagram (SAPI tools): the *.h header files are parsed by gccxml into an XML description; python scripts combine it with the API vs PRIVILEGE description to produce the proxy file, the stub file and the interface file.]
create the delivery
[Diagram: the proxy file is linked with the SAPI library to give the user API; the stub file and the interface file are linked with the SAPI library, libffi and the real API to give the service interface API.]
Generated system
[Diagram: in user space the application calls the proxy / user API; in system space the service holds the stub, the interface API checked by cynara, and the real API.]
● Almost all calls are granted, so checking security after deserialisation isn't a drawback; the deserialiser does then run on input from clients that will be denied, so it must be robust by itself
Current state
● Few resources on the subject (¼ man) but for a long time (4 months)
● Proxy/stub generation 90%
● Privilege vs API database 0%
● SAPI library 90%
● Privilege check 0%
● Low latency on ODROID (around 0.1 ms)
Current fallout
● Need to define cynara verbs that integrate the common context (to be discussed). Reasons:
– forking a service to handle a specific client is an option to consider:
● protection of the service against malicious code
● allows integration of APIs having global variables (statics) without any rewrite
– the concept of "interface API" needs it
– could speed up the requests if in the protocol
Contextual cynara API (proposal)
int sapi_cynara_start(const char *clientid,    /* the clientid of all checks */
                      const char *userid,      /* the userid of all checks */
                      const char *sessionid);  /* the default sessionid */

int sapi_cynara_check(const char *privilege,   /* the privilege to check */
                      const char *sessionid);  /* the sessionid to check, or NULL for the default */

void sapi_cynara_stop(void);

The names of the verbs come from SAPI. They have to be changed.
Things to do
● Manage the privileges
● Terminate the proxy/stub generation
– allow plugins to handle complex types
– finish the link to the SAPI lib
● Specify how APIs are implemented
– separate user libs and services
– separate user libs but only one service
– only one user lib and one service
● Specify how to integrate transparently into the OBS/GBS workflow
● Specify how to manage evolutions
What API to wrap?
● At the beginning of the SAPI concept, the core API was targeted
● Further studies of the WRT of Tizen 2 showed that more APIs have to be targeted
● The current proposal is to wrap any API that makes sense to:
– implement crosswalk
– map the Web APIs
– have a secured native API framework
– optionally: migrate other APIs
What is SAPI?
● SAPI is a process to wrap APIs, mostly automatically, and enforce the 3 behavioural aspects of service APIs
● A set of tools, a privilege/API database and a communication library (currently home made and using UDS, Unix domain sockets, but it may change)
● It can become a kind of C foundation library for Tizen
What is wrong with SAPI?
● The process is not 100% automatic
● Performance is pointed out. Should the frontier between user space and system space always be crossed? SAPI isn't smart enough to guess it and always crosses.
● Until fully implemented we don't know all the traps and obstacles
● Few man power
● It adds a small delay to long DBUS calls
What could be added?
● Tracking of dependencies
– an analysis of the dependencies of the APIs should be added
– this analysis would produce a database of the dependencies
– this database should be used with the API / PRIVILEGE database to detect hidden privilege needs
● Inclusion of resource management (murphy)
What to remember
● Transparency improves flexibility of design
● Eases the migration process
● As a fallout, the API / PRIVILEGE database becomes known
● Reduces the amount of development in the short and long term
● At a high level, SAPI is the combination of a proxy with a firewall