Please examine our W3C position paper.
- OpenAjax device APIs security wiki page
- W3C access control reference
- Access Control for Cross-site Requests
- Android on security
- Nokia S60 & Security
- FF3 security & privacy
- Iphone security
- Flash security
Security isn’t boolean. It’s about identifying and mitigating the risks. Security in layers, MIDP and via browser plugin WebVM’s subsystems.
Old syntax
Sidenote: Not far off Y! Browser Plus JSON security syntax. Google’s protocol buffers looks attractive.
From webvm/security/policy.conf:
# BNF: simplified
# The <text> element is a little bit simplified here
#
# <syntax> ::= <ruleset> | <ruleset> <syntax>
# <string> ::= '"' <text> '"'
# <ruleset> ::= "ruleset" <string> "{" <body> "}"
# <body> ::= <priority> <display> <identities> <permissions> | <display> <identities> <permissions> | <domains> <permissions> | <domains> | ""
# <priority> ::= "priority" <string>
# <display> ::= "display" <string>
# <identities> ::= <identity> | <identity> <identities>
# <permissions> ::= <permission> | <permission> <permissions>
# <identity> ::= <domain> | <dn> | <midlet>
# <permission> ::= <grant> | <deny> | <prompt> | <default-allow> | <default>
# <domain> ::= "domain" <text>
# <dn> ::= "dn" <text>
# <midlet> ::= "midlet" <text> ";" <text> | "midlet" <text> ";" <text> ";" <text> | "midlet" <text> ";" <text> ";" <text> ";" <text>
# <grant> ::= "grant" <text> <text>
# <deny> ::= "deny" <text> <text>
# <prompt> ::= "prompt" <text> <text>
# <default-allow> ::= "default-allow" <text> <text>
# <default> ::= "default" <text> <text>
ruleset "restricted" {
priority "0"
display "Restricted sites"
domain ".*.evil.com/"
domain ".*"
deny "core:window.open"
prompt "jsx:bind"
}
ruleset "trusted" {
display "Trusted sites"
priority "2"
domain ".*.aplix.co.jp/.*" dn "Aplix Corp"
domain "http://.*.webvm.net"
midlet "Aplix Corporation Midlet Suite;net.webvm.location.LocationMIDlet;0.1;Location Midlet"
grant "core:window.open" domain "http://domain.com"
grant "midp:javax.location.CurrentLocation.read"
grant "midp:javax.pim.PimList.read"
prompt "midp:javax.pim.PimList.write"
prompt "jsx:bind"
}
MIDP security layer (JBlend?)
- midp: java.pim.ContactList.read
- midp: java.pim.ContactList.write
Other elements
- monitor (history, log)
- security dialog - populates policy database from a prompt
- policy configuration UI
- polling
- identity
- MIDP settings
UI considerations
The WebVM security system has to remember and track settings of controls. Controls will probably need some UUID.
Security dialog
For now we have the following different kinds of permissions:
- bind
- MIDP
- lib
If a specific security query has to be prompted because the security policy evaluated the query to prompt or default-allow, the user has basically the following 4 kinds of different options to the question if he wants to permit the operation:
- always (don’t ask again)
- yes, but ask again
- no, but ask again
- never (don’t ask again)
If a permission is being granted for ever (always), or denied for ever (never), this decision by the user has to be stored persistently.
However, if a permission is being granted only temporarily (which means ask again the next time), this information will only be stored within the data structures of the plugin being active.
Misc requirements, unsorted
Besides this, each module/lib might be shipped with its own default policy, then there is the plugins security policy (basically pass-through for the bind permissions), and for doing the policies persistently, we might want to store site-specific rulesets into separate files/objects.
For efficieny reasons, a query being evaluated should be cached by the permission manager.
bind
This check is already implemented.
lib
Just needs to be implemented due to the trusted subsystem distinguishing, soon.
MIDP
Needs to be checked from within JBlend backend.
“Pass-Through” & “Trusted Subsystem” model short example
It’s about making the distinction about how the APIs work.
Trusted subsystem question: Can Gmail use my addressbook?
In this case the addressbook is an API. Like “getcontacts();”
Pass through question: Can my addressbook use Gmail?
In this case the addressbook is a Web application using WebVM JS APIs like “getcontacts();” which in turn uses Gmail APIs with the data from the WebVM APIs.
“Pass-Through” & “Trusted Subsystem” model long example
The trusted subsystem model allows websites to access certain functionality from the platform but also control the security risk by only exposing that functionality in a particular way.
For example, suppose a web application wanted to know whether or not a user is at home, because it offers different services when the user is at home. If the website was offered complete access to the JSR179 API, then (if the website is compromised or spoofed) it would be able to track the user’s movements completely, which would be a big security risk.
With the trusted subsystem model, it would be possible to create a java library that used JSR179 but only provided a very simple API which indicated whether or not a user is at home. The java system is sandboxed, so it can guarantee that only the isAtHome() method can be called from the web application. Then the security policy can be configured so that the java library can access JSR179 APIs, but the web application itself cannot.
Another example is with JSR177. It will not be acceptable to give arbitrary web pages access to the JSR177 APDU API, but a library can be written that uses JSR177 APDU but only uses the API to get the IMSI of the SIM. It is then possible to grant web applications the permission to get the IMSI, but not permission to send any other kind of APDU to the SIM.
But, I still don’t understand “Pass-Through” Model,” particularly
“a transparent extension.” Would you explain it for a bit?
So, suppose you have a Location API (ie a WebVM module, consisting of a Java Library containing the LocationMIDlet class and a Javascript binding) published by Google, Inc (and the Java code is signed by Google).
A photo sharing website wishes to use this API so it can show you pictures that were taken near to your current location. Suppose the photo site is flickr.com.
The low-level permission needed to use the relevant JSR179 API is javax.microedition.location.Location, so in the WebVM configuration, this permission would be:
[1] midp:javax.microedition.location.Location
In the pass-through model, WebVM does not trust the java library, and so it isn’t interested in who wrote the library. If the photo site calls the WebVM API, and this in turn calls the JSR179 method, then WebVM wants to know if flickr.com has this permission [1] granted. This is what I meant when I described it as a “transparent extension” - ie the operations attempted by the Java library are really just considered to be actions of the invoking web page.
In the trusted subsystem model, the library itself could define new permissions; so the permission relating to accessing the “getLocation” API on Google’s library would be:
[2] jsx-lib:Google, Inc.;LocationMIDlet;getLocation
So now, WebVM separately must check two things:
(a) flickr.com has permission [2] granted, so it is entitled to call the library; (b) Google, Inc. has permission [1] granted, so the library is entitled to call the JSR179 API.
Security user interfaces
Look out for notes on Flickr on the screenshots.
FF extensions
IE privacy slider
[P3P was] just a distraction for shaking off the FTC regulators -anon
Facebook sliders?
Firefox 2
Used with addons and several other things:
Just allow:
Allow & block:
Firefox uses this hostperm.1 format:
# Permission File
# This is a generated file! Do not edit.
host cookie 1 yourlibrary.ca
host install 1 update.mozilla.org
host install 1 www.getfirebug.com
host firebug 2 www.google.com
host install 1 livehttpheaders.mozdev.org
host install 1 gears.google.com
host firebug 2 mail.google.com
host install 1 addons.mozilla.org
host popup 1 www.lenovoservicetraining.com
host image 2 msn.com
Firefox 3
hostperm.1 seems to be now in an sqlite format. 
Google gears
See gears.
Adobe Flash
Java certifications
Some docs:
Actual dialog:
