Embedded Consumer Electronics: Security Considerations in the Use of High-Level Operating Systems


Upload: craig-heath

Post on 20-Jun-2015


DESCRIPTION

Consumer electronics systems are becoming increasingly connected, increasingly sophisticated and increasingly at risk from security threats. This presentation considers whether the use of high-level operating systems in consumer electronics can help address these risks.

TRANSCRIPT

Page 1: Embedded Consumer Electronics: Security Considerations in the Use of High-Level Operating Systems

Craig Heath, Chief Security Technologist

Symbian Foundation

Page 2: Is Security an Issue?

Connectivity means exposing an attack surface to the outside world

Trend to “apps with everything”

downloadable active content extends the market life of a consumer electronics device

provides additional revenue opportunities

but also provides additional attack surface

There will be attackers

hackers making a name for themselves

researchers proving a point

individuals cracking DRM for fun and profit

criminals attempting to defraud users and steal personal data


Page 3: Is a High-Level Operating System Good for Security?

Not necessarily – there are some downsides

Complete Symbian Platform and associated tools contain 40 million lines of code

Similar figures for other HLOSes (Linux, iOS, Windows CE)

Security assurance of so much code is effectively impossible

But it can bring significant benefits

Application Security Framework

nobody wants to repeat the PC malware explosion

Content Protection

to prevent copying and redistribution of commercial content

User Data Controls

users need easy-to-understand and enforceable privacy controls


Page 4: The Least-Privilege Principle Can Help

Requires a modular platform architecture rather than a monolithic one

Ensures that the majority of the code base is running with the minimum privileges necessary to perform each task

Security assurance can target only the highly privileged code

Minimises the risk posed by security vulnerabilities due to design or implementation errors

Allows tight sandboxing of third-party code while still enabling rich functionality


Page 5: Symbian Platform: Capability Architecture

Trusted Computing Base (TCB): kernel, installer, file server

full access to all APIs and files

Trusted Computing Environment (TCE)

servers with selected “system capabilities”

most third-party apps need only “user capabilities”

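Least privilege through capabilities, as an added example that is not Symbian platform code: a small C++ model of the architecture on pages 4 and 5. The capability names follow the Symbian platform's naming, but the Process, ContactsServer and installApp types are assumptions made for illustration. The model shows the three properties the slides rely on: a process's capability set is fixed when it is loaded and cannot be raised at run time; a TCE server checks the client's capabilities on every request rather than relying on its own; and the installer (itself in the TCB) clips an unsigned package to user capabilities, so a request for a system capability such as AllFiles is dropped rather than granted.

```cpp
#include <cstdint>
#include <string>

// Subset of platform capabilities as a bitmask. Capability names follow the
// Symbian platform; the surrounding types are an illustrative model, not the
// platform's own API.
enum Capability : uint32_t {
    CapNone            = 0,
    CapTCB             = 1u << 0,  // Trusted Computing Base: kernel, installer, file server
    CapAllFiles        = 1u << 1,  // system capability: read any file on the device
    CapDRM             = 1u << 2,  // system capability: access protected content
    CapNetworkServices = 1u << 3,  // user capability
    CapReadUserData    = 1u << 4,  // user capability
    CapWriteUserData   = 1u << 5,  // user capability
};

// Capabilities a user may grant to a third-party app at install time.
constexpr uint32_t kUserCapabilities =
    CapNetworkServices | CapReadUserData | CapWriteUserData;

// A loaded process. Its capability set is fixed from the executable at load
// time; there is deliberately no operation that adds capabilities afterwards.
struct Process {
    std::string name;
    uint32_t caps;
    bool has(uint32_t required) const { return (caps & required) == required; }
};

// A server in the Trusted Computing Environment. It holds system capabilities
// itself (it owns the contacts database), but it services a request only if the
// *client* holds the capabilities that request needs, checked on every request.
class ContactsServer {
public:
    enum Request { ReadContacts, WriteContacts, ExportContactsToNetwork };

    // Policy table: which client capabilities each request demands.
    static uint32_t required(Request r) {
        switch (r) {
            case ReadContacts:            return CapReadUserData;
            case WriteContacts:           return CapWriteUserData;
            case ExportContactsToNetwork: return CapReadUserData | CapNetworkServices;
        }
        return CapTCB;  // unknown request: fail closed by demanding the highest privilege
    }

    bool service(const Process& client, Request r) const {
        return client.has(required(r));
    }
};

// The installer is part of the TCB. It grants an app what it requested only if
// the package is platform-signed; an unsigned app is clipped to user capabilities,
// so a request for AllFiles or DRM from an untrusted package is dropped rather
// than honoured.
Process installApp(const std::string& name, uint32_t requested, bool platformSigned) {
    uint32_t granted = platformSigned ? requested : (requested & kUserCapabilities);
    return Process{name, granted};
}
```

The point of the per-request check in ContactsServer is that a bug in the server does not hand its AllFiles-class privilege to every client: the server's own capabilities decide what it can touch, the client's capabilities decide what it is allowed to ask for, and security review can concentrate on the small amount of code that holds TCB and system capabilities.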

Page 6: Over the Horizon: Privacy Labelling

Symbian platform has the notion of “user data”, and the ReadUserData and WriteUserData capabilities

doesn’t, however, identify which user data is intended to be shared and which to be kept private

Could borrow the concept of “sensitivity labels” from the classic MLS (Multi-Level Secure) Orange Book systems

principle is that the sensitivity label is indivisible from the data

Labels could be set in one application (e.g. the camera app) and then acted upon in another (e.g. a file sharing app)

should be preserved even when files are moved or copied

Useful (essential?) for interfacing to social networking services

but it currently isn’t implemented (“you can trust us” attitude?)

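The labelling scheme proposed on this page, as an added example that is not Symbian platform code (the slide itself says it is not implemented): a C++ model in which the sensitivity label is a field of the file object, so copy and move cannot separate label from data, and a sharing service decides on the label rather than on the path the data happens to have. LabelledFile, FileStore, ShareService and the sample paths are assumptions constructed for the example.

```cpp
#include <map>
#include <stdexcept>
#include <string>
#include <vector>

// Sensitivity label in the MLS sense: a total order, so a consumer of the data
// can be given a ceiling and refuse anything labelled above it.
enum class Sensitivity { Public = 0, Friends = 1, Private = 2 };

// The label is a field of the object, not a side table keyed by path, so no
// copy, move or rename can separate the two.
struct LabelledFile {
    std::string path;
    std::string bytes;   // constructed stand-in for the file content
    Sensitivity label;
};

class FileStore {
public:
    // The producing app (e.g. the camera) sets the label when it creates the file.
    void create(const std::string& path, const std::string& bytes, Sensitivity label) {
        files_[path] = LabelledFile{path, bytes, label};
    }
    // Copy and move carry the label with the data.
    void copy(const std::string& from, const std::string& to) {
        LabelledFile f = at(from);
        f.path = to;
        files_[to] = f;
    }
    void move(const std::string& from, const std::string& to) {
        copy(from, to);
        files_.erase(from);
    }
    bool exists(const std::string& path) const { return files_.count(path) != 0; }
    // at() throws std::out_of_range for an unknown path.
    const LabelledFile& at(const std::string& path) const { return files_.at(path); }

private:
    std::map<std::string, LabelledFile> files_;
};

// A consuming app (e.g. file sharing) decides on the label, not on the folder
// or file name the data currently has.
class ShareService {
public:
    explicit ShareService(Sensitivity ceiling) : ceiling_(ceiling) {}

    // Returns true if the file was "uploaded"; anything above the ceiling is refused.
    bool share(const FileStore& store, const std::string& path) {
        const LabelledFile& f = store.at(path);
        if (f.label > ceiling_) {
            refused_.push_back(path);
            return false;
        }
        uploaded_.push_back(path);
        return true;
    }
    const std::vector<std::string>& uploaded() const { return uploaded_; }
    const std::vector<std::string>& refused() const { return refused_; }

private:
    Sensitivity ceiling_;
    std::vector<std::string> uploaded_;
    std::vector<std::string> refused_;
};
```

The scenario on the slide maps directly onto this: the camera app calls create() with a Private label, the user later moves the photo into a shared folder, and a sharing app with a Public ceiling still refuses it because the label travelled with the file. What the model leaves out, and what a real implementation would have to settle, is who may lower a label: if any app holding WriteUserData can relabel, the label adds little over the existing capability.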
