SAPI
Service API
Secured API

July 10th, 2014, Tizen security F2F in Warsaw, [email protected]


The three different behaviours of a same API (C language)

● Depending on the execution context, the same C language API has a different security behaviour:
  – In the user land API, the call is delegated to a service that checks the privilege of the call
  – In the service interface API, the call is checked against the client's security tags using cynara, which grants or denies it; if granted, the call is delegated to the core service
  – In the service real API, the call is executed

[Diagram: APPLI (user space) → user land API "int verb(int arg)" → service interface API "int verb(int arg)", checked with cynara (system space) → service real API "int verb(int arg)"]


Unity of the API

● There are several benefits in offering a single API for the 3 behaviours:
  – Develop only once
  – Separate the concern of programming (functional) from the concern of security (organic)
  – Allow flexibility in the implementation of the security


The example of crosswalk

● The implementation (in progress) of the Tizen Web API in crosswalk leaves the details of checking privileges to the API that it calls.

● The called API should return the error “permission denied” when a privilege is denied. The application (crosswalk) has to deal with this kind of error.

[Diagram: the shared model of crosswalk: RP, EP, BP; extensions and ExecuteJS; W3C API and Tizen API over the API]


The example of crosswalk

[Diagram: two placements of the security for crosswalk (RP, EP, BP): left, user API → interface API → real API; right, interface API → real API directly behind crosswalk; user space / system space. Caption: flexibility in the implementation of the security]


The example of composing API

[Diagram: two API stacks, each user API → interface API → real API, across user space / system space. The blue API is using features of the white API (security analysis of Rice University)]


The example of wearables

● The case of the wearables might be complicated because:
  – applications could be distributed
  – The web API may be absent because WRT is absent

● Example: consulting its recent messages on a gear

[Diagram: gear: APPLI → API proxy; phone: API stub → API. Caption: flexibility in the implementation of the security: IT'S A NEED]


The needs

● Simplicity of migrating the applications from Tizen 2 to Tizen 3

● Easy development process for native applications (including crosswalk)

● Open APIs common to all verticals of Tizen (see previous point)

● Flexibility of the design for flexibility of the implementations

● Allowing future evolutions


The tizen 2 legacy

● WRT is checking the privileges and then calls the APIs

● OSP is checking the privileges and then calls the APIs

● Huge sets of Smack rules were also checking in-system privileges at fine grain

[Diagram: user space: WRT and OSP, each with its own security checks; system space: API]


Tizen 3

● The privileged APIs are services

● Security is also a service

[Diagram: user space: WRT / CROSSWALK and OSP / NATIVE; system space: API, with security provided by cynara]


Example of migrating WRT to CROSSWALK

[Diagram, step 1: left, WRT with its security in user space over the API in system space; right, CROSSWALK in user space over the API, with security by cynara, in system space]


Example of migrating WRT to CROSSWALK (continued)

[Diagram, step 2: the same two stacks as step 1, with a crosswalk box added]


Example of migrating WRT to CROSSWALK (continued)

[Diagram, step 3: left, CROSSWALK with its own Security in user space over the API in system space; right, CROSSWALK in user space over the API, with security by cynara, in system space. Caption: This is the current state]


Example of migrating WRT to CROSSWALK (continued)

[Diagram, step 4: left, CROSSWALK over the user API with Security in user space; right, CROSSWALK in user space over the API, split into an interface API checked by cynara and a real API in system space]


The idea of SAPI

[Diagram: the API "int verb(int arg)" called by APPLI becomes the same API with 3 behaviours: user API "int verb(int arg)" (user space), interface API "int verb(int arg)" checked with cynara, and real API "int verb(int arg)" (system space)]


The idea of SAPI

● Take the existing API of Tizen 2 and migrate it to the Tizen 3 security model using the presented decomposition into the 3 behaviours. Try to migrate it mechanically

● Define standard APIs based on Tizen 2, consistent with the Web APIs and secured. This will allow development of native APIs in a controlled, secure way.

● Ideally the standard will fit the Web API; in other words, the needs of crosswalk & WRT

● Allow chaining for IoT and flexibility


Implementation of SAPI

[Diagram: APPLI → user API "int verb(int arg)" (user space) → interface API "int verb(int arg)", checked with cynara → real API "int verb(int arg)" (system space)]

● Part of this model is an implementation of the well-known proxy/stub scheme of RMI/RPC

[Diagram: APPLI → proxy (user API "int verb(int arg)") → stub → API "int verb(int arg)"]


DBUS? The well known ORB/RMI?

● Technically it is possible to implement the model using DBUS only:
  – User API: a DBUS method call
  – Interface API: DBUS transparently checks the rights using cynara
  – Real API: a DBUS object handling the method calls

● BUT
  – Slow! Fat!
  – Problems with callbacks and with multithreading
  – Introduces a dependency on DBUS everywhere (temptation: even in places where it is not useful, because DBUS will check)
  – DBUS has to be modified (development and maintenance, fork?)
  – DBUS has to be configured (how?)


Our research work

● Taking the existing API in C language:
  – discover the API
  – create the user+proxy API
    ● proxy the calls & manage the connection to the service
  – create the server+stub process
    ● manage clients (fork) & stub the calls & call the interface API
  – create the interface API
    ● check the rights using cynara & call the real API


Mechanical creation

[Diagram of the SAPI tools: *.h header files → gccxml → XML description → python scripts → proxy file, stub file and interface file; the interface file is also driven by the API vs PRIVILEGE description]


Create the delivery

[Diagram: proxy file + SAPI library (link) → user API; stub file + interface file + SAPI library + libffi (link) → service interface API, linked with the real API]


Generated system

[Diagram: APPLI → proxy / user API (user space) → stub → interface API, checked with cynara → real API (system space); stub, interface API and real API form the Service]

● Almost all calls are granted, so checking security after deserialisation isn't a drawback


Current state

● Few resources on the subject (¼ man) but for a long time (4 months)

● Proxy/stub generation 90%
● Privilege vs API database 0%
● SAPI library 90%
● Privilege check 0%
● Low latency on ODROID (around 0.1 ms)


Current fallout

● Need to define cynara verbs that integrate the common context (to be discussed). Reasons:
  – forking a service to handle a specific client is an option to consider:
    ● protection of the service against malicious code
    ● allows integration of APIs having global variables (statics) without any rewrite
  – The concept of “interface API” needs it
  – Could speed up the requests if in the protocol


Contextual cynara API (proposal)

    int sapi_cynara_start(const char *clientid,   /* the clientid of all checks */
                          const char *userid,     /* the userid of all checks */
                          const char *sessionid); /* the default sessionid */

    int sapi_cynara_check(const char *privilege,  /* the privilege to check */
                          const char *sessionid); /* the sessionid to check, or NULL to use the default */

    void sapi_cynara_stop(void);

The names of the verbs come from SAPI; they have to be changed.
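The three behaviours of one API (slide “The three different behaviours of a same API”), the proxy/stub/interface/real chain of “Our research work” and the contextual cynara verbs proposed above, together in one added example that is not SAPI project code. Assumptions: an in-memory allow-list replaces cynara, the call stays in one process instead of crossing the UNIX domain socket, and sapi_demo, the privilege name, the user id and the session id are constructed.

```c
/* Added example, not SAPI project code. The allow-list, privilege name, user id,
 * session id and wire format are constructed stand-ins for cynara and for the UDS transport. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Check context, fixed once per forked service child (the proposal of the slide above). */
static struct { const char *clientid, *userid, *sessionid; } ctx;
int sapi_cynara_start(const char *clientid, const char *userid, const char *sessionid) {
    if (!clientid || !userid) return -EINVAL;
    ctx.clientid = clientid; ctx.userid = userid; ctx.sessionid = sessionid;
    return 0;
}
void sapi_cynara_stop(void) { memset(&ctx, 0, sizeof ctx); }

/* Stand-in for cynara: constructed allow-list on (client, privilege); sessionid (NULL = default) not consulted. */
int sapi_cynara_check(const char *privilege, const char *sessionid) {
    static const struct { const char *client, *priv; } allow[] = {
        { "org.example.messages", "http://tizen.org/privilege/messaging.read" },
    };
    if (!ctx.clientid) return -EPERM;            /* no context started: deny */
    for (size_t i = 0; i < sizeof allow / sizeof allow[0]; i++)
        if (!strcmp(allow[i].client, ctx.clientid) && !strcmp(allow[i].priv, privilege))
            return 0;
    return -EACCES;                              /* "permission denied" reaches the application */
}
static int verb_real(int arg) { return arg * 2; }   /* service real API: just executes */

/* Service interface API: grant or deny with cynara, then delegate to the real API. */
static int verb_interface(int arg) {
    int rc = sapi_cynara_check("http://tizen.org/privilege/messaging.read", NULL);
    return rc ? rc : verb_real(arg);
}
/* Stub: deserialise first, check second (cheap, since almost every call is granted). */
static int verb_stub(const uint8_t *msg, size_t len) {
    int32_t arg;
    if (len != sizeof arg) return -EINVAL;
    memcpy(&arg, msg, sizeof arg);
    return verb_interface(arg);
}
/* User-land API (proxy): same prototype as the real API; in SAPI the bytes cross a UDS. */
int verb(int arg) {
    int32_t wire = arg;
    return verb_stub((const uint8_t *)&wire, sizeof wire);
}
int sapi_demo(const char *clientid, int arg) {   /* one client session of a forked child */
    int rc = sapi_cynara_start(clientid, "user-5001", "session-1");
    if (rc == 0) rc = verb(arg);
    sapi_cynara_stop();
    return rc;
}
```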


Things to do

● Manage the privileges

● Terminate the proxy/stub generation
  – Allow plugins to handle complex types
  – Finish the link to the sapi lib

● Specify how APIs are implemented
  – Separate user libs and services
  – Separate user libs but only one service
  – Only one user lib and one service

● Specify how to integrate transparently into the OBS/GBS workflow

● Specify how to manage evolutions


What API to wrap?

● At the beginning of the SAPI concept, the core API was targeted

● Further studies about the WRT of Tizen 2 showed that more APIs have to be targeted

● The current proposal is to wrap any API that makes sense to:
  – Implement crosswalk
  – Map the Web APIs
  – Have a secured native API framework
  – Optionally: migrate other APIs


What is SAPI?

● SAPI is a process to mostly automatically wrap APIs and enforce the 3 behavioural aspects of service APIs

● A set of tools, a privilege/API database and a communication library (currently home made and using UDS, but it may change)

● It can become a kind of C foundation library for Tizen


What is wrong with SAPI?

● The process is not 100% automatic

● Performance is pointed out as a concern. Should the frontier between the user space and the system space always be crossed? SAPI isn't smart enough to guess, so it always crosses.

● Until fully implemented we don't know what all the traps and obstacles are

● Few man power

● It adds a small delay to long DBUS calls


What could be added?

● Tracking of dependencies
  – An analysis of the dependencies of the API should be added
  – This analysis would produce a database of the dependencies
  – This database should be used with the database of the API / PRIVILEGE to detect hidden privilege needs.

● Inclusion of resource management (murphy)
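The dependency analysis this slide asks for, as an added example that is not SAPI code: the API names, their declared privileges and the call graph between them are constructed, standing in for the API / PRIVILEGE database and the dependency database the analysis would produce. The result is the set of privileges an API needs through what it calls but does not declare itself.

```c
/* Added example, not SAPI project code: API names, declared privileges and the call
 * graph are constructed; they stand for the API / PRIVILEGE and dependency databases. */
#include <string.h>

enum { N_API = 5 };
static const char *api_name[N_API] = { "msg_list", "msg_read", "contact_name", "fmt_sender", "ui_show" };
/* API / PRIVILEGE database: the privilege each wrapped API declares (NULL = none). */
static const char *api_priv[N_API] = { "messaging.read", "messaging.read", "contact.read", NULL, NULL };
/* Dependency database, as the proposed analysis would produce it: dep[i][j] = 1 when API i calls API j. */
static const unsigned char dep[N_API][N_API] = {
    { 0, 1, 0, 1, 0 },   /* msg_list     -> msg_read, fmt_sender */
    { 0, 0, 0, 0, 0 },   /* msg_read     -> (leaf) */
    { 0, 0, 0, 0, 0 },   /* contact_name -> (leaf) */
    { 0, 0, 1, 0, 0 },   /* fmt_sender   -> contact_name */
    { 1, 0, 0, 1, 0 },   /* ui_show      -> msg_list, fmt_sender */
};

static int api_index(const char *name) {
    for (int i = 0; i < N_API; i++) if (!strcmp(api_name[i], name)) return i;
    return -1;
}

/* Depth-first walk of the call graph from API i, collecting each distinct privilege reached. */
static void collect(int i, unsigned char *seen, const char **privs, int *n) {
    if (seen[i]) return;
    seen[i] = 1;
    if (api_priv[i]) {
        int dup = 0;
        for (int k = 0; k < *n; k++) if (!strcmp(privs[k], api_priv[i])) dup = 1;
        if (!dup) privs[(*n)++] = api_priv[i];
    }
    for (int j = 0; j < N_API; j++) if (dep[i][j]) collect(j, seen, privs, n);
}

/* Privileges API `name` needs through its dependencies but does not declare itself: the hidden
 * privilege needs. Up to `max` names are written to `out`; returns their count, or -1 if unknown. */
int hidden_privileges(const char *name, const char **out, int max) {
    int i = api_index(name), n = 0, hidden = 0;
    unsigned char seen[N_API] = { 0 };
    const char *privs[N_API];
    if (i < 0) return -1;
    collect(i, seen, privs, &n);
    for (int k = 0; k < n; k++)
        if (!api_priv[i] || strcmp(privs[k], api_priv[i])) {
            if (out && hidden < max) out[hidden] = privs[k];
            hidden++;
        }
    return hidden;
}
```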


What to remember

● Transparency improves the flexibility of design
● Eases the migration process
● As fallout, the database of API / PRIVILEGE is known
● Reduces the amount of development in the short and long term
● On a high level, SAPI is the combination of a proxy with a firewall