
Safe Execution Environment
Functional Description

The current release of Qtopia provides only a technical preview of the Safe Execution Environment.

The Safe Execution Environment (SXE) is designed to enable downloading, installing and running third-party native applications in Qtopia. It provides a level of security that addresses the risk of such an application compromising the operation of the device, or its data, so that these applications can be run with confidence.

Features

Safe Execution Policy Implementation

Currently the SXE application-level policies have been exercised in a development environment, and all Qtopia programs have been adapted to use SXE. A comprehensive set of security domains has been developed. The Package Manager is available to trial downloading and installing packages via HTTP.

Safe Execution is included as a technology preview for trial and research purposes only, and is disabled by default. It can be enabled for research purposes by passing the -sxe switch to the Qtopia configure command.

Application Level Policy

Application-level policy is implemented via a set of Domains, each associated with a set of request strings. Installed programs are allocated a Program ID, and the sxe.policy file records which Program IDs hold which Domains, and therefore which requests each program is allowed to issue.

This prevents a downloaded program that has not been granted the relevant Domain from, for example, requesting that a web page be loaded or an SMS be sent.

Qtopia's own applications, such as Messaging or Calendar, must also be controlled by SXE policy: a downloaded program may gain unauthorized access by exploiting a Qtopia program, so that program's own Domains must bound what it can be made to do.
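The Domain/Program ID model above can be made concrete with a small policy evaluator. This is an added example, not Qtopia code: the Domain names, the request strings (written in a QCop-like channel::message form) and the sxe.policy layout used here ('[<program id>]' header followed by one Domain per line) are all constructed for illustration and are not taken from the real Qtopia file format.

```python
"""Toy model of SXE application-level policy (added example, not Qtopia code).

Assumptions, not taken from the page: the Domain names, the request
strings and the sxe.policy layout below ('[<program id>]' header, then
one Domain name per line) are constructed for illustration only.
"""
from __future__ import annotations

# Assumed Domains: each grants a set of request strings.
DOMAINS: dict[str, set[str]] = {
    "base": {"QPE/System::raise()", "QPE/System::close()"},
    "pim": {
        "QPE/Application/datebook::newEvent()",
        "QPE/Application/addressbook::showContact(QString)",
    },
    "net": {"QPE/Application/webbrowser::openUrl(QString)"},
    "telephony": {"QPE/Application/qtmail::sendSMS(QString,QString)"},
}

# Constructed sxe.policy-style text. Program 0 stands for a built-in
# Qtopia application, 17 for a downloaded game, 23 for a downloaded PIM add-on.
SXE_POLICY = """\
# program id, then the Domains it holds
[0]
base
pim
net
telephony
[17]
base
[23]
base
pim
"""


def parse_policy(text: str) -> dict[int, set[str]]:
    """Map each Program ID to the set of Domains it has been granted."""
    policy: dict[int, set[str]] = {}
    current: int | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = int(line[1:-1])
            policy.setdefault(current, set())
        elif current is None:
            raise ValueError(f"Domain listed before any Program ID: {line!r}")
        elif line not in DOMAINS:
            # Refuse unknown Domains rather than silently ignoring them:
            # a typo in the policy file must not widen or confuse access.
            raise ValueError(f"unknown Domain {line!r} for program {current}")
        else:
            policy[current].add(line)
    return policy


def is_allowed(policy: dict[int, set[str]], program_id: int, request: str) -> bool:
    """Default deny: a request is permitted only if one of the program's
    Domains grants it. Unknown Program IDs hold no Domains and get nothing."""
    return any(request in DOMAINS[d] for d in policy.get(program_id, set()))


def check_requests(policy, program_id: int, requests: list[str]) -> dict[str, bool]:
    """Evaluate several requests for one program; handy for a quick audit."""
    return {r: is_allowed(policy, program_id, r) for r in requests}


if __name__ == "__main__":
    policy = parse_policy(SXE_POLICY)
    sms = "QPE/Application/qtmail::sendSMS(QString,QString)"
    url = "QPE/Application/webbrowser::openUrl(QString)"
    for pid in (0, 17, 23, 99):
        print(pid, check_requests(policy, pid, [sms, url, "QPE/System::raise()"]))
```

Two points carry over to any real implementation: the decision is made for the Program ID that actually issues the request, so a downloaded game (17) holding only `base` is refused the SMS request even though Messaging (0) could issue it; and the parser rejects unknown Domain names instead of skipping them, so a malformed policy file fails closed.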

Mandatory Access Control Rule-sets

Mandatory Access Control (MAC) policy can, for example, prevent a program from accessing the network or the modem device directly. The rule-sets are used to control a kernel facility (such as LIDS, from http://lids.org) that provides the access controls.

The policy rule-sets are maintained by scripts which the Qtopia system can call as appropriate. Example scripts are provided for the LIDS system.

Safe Execution Package Manager

Refer to the Package Manager spec for details of the SXE related features of the Package Manager.

The Safe Execution Package Manager provides a number of features required for download and installation of Qtopia 4 Safe Execution packages. These features are available in the Package Manager when SXE is enabled at compile time.

Sample Integration

An example integration of MAC rules, the SXE file-system and Qtopia is provided in the Virtual Target Environment tool, which is available as a VMPlayer image. Scripts to build modified versions of the kernel and of the image are also available.

Documentation

See the Design and API documentation for further details of the system.

Game Download

End-users may safely download and run games. Here "games" refers to restricted applications which do not require access to the full range of Qtopia features (such as networking and document access).

These applications will be restricted to access

Sand-boxing

Untrusted applications run under a sandbox MAC rule-set which inverts the usual model of "allow unless specifically denied" to "deny unless specifically allowed". A downloaded application can therefore reach only the system resources the rule-set explicitly grants it, rather than every resource that nobody thought to deny.

The sandbox restricts the application to a specific subset of the file-system for its read-write access.
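The difference between the two models, and the file-system subset restriction, is easiest to see side by side. The following is an added example, not Qtopia or LIDS code, and it also illustrates the MAC rule-set idea from the section above: the rule lists, the paths (/opt/Qtopia standing for a read-only cramfs image, a per-package writable directory under /home/sandbox) and the two-operation permission model are constructed for illustration, and real LIDS rule syntax is different.

```python
"""Default-deny sandbox path policy versus the usual default-allow model
(added example, not Qtopia or LIDS code).

The rule lists, the paths (/opt/Qtopia as a read-only cramfs image, a
per-package writable directory) and the two-operation permission model
are constructed for illustration; real LIDS rule syntax is different.
"""
from __future__ import annotations

import posixpath

READ, WRITE = "read", "write"

# Sandbox rule-set: everything not listed here is denied.
SANDBOX_ALLOW = [
    ("/opt/Qtopia", {READ}),                  # read-only system image (cramfs)
    ("/home/sandbox/pkg-17", {READ, WRITE}),  # the package's own writable area
    ("/tmp/sxe/17", {READ, WRITE}),
]

# The conventional alternative: a hand-written deny list. The modem's
# second serial device is deliberately missing to show the failure mode.
CONVENTIONAL_DENY = [
    ("/etc", {WRITE}),
    ("/dev/ttyS0", {READ, WRITE}),
    ("/home/sandbox/pkg-23", {READ, WRITE}),
]


def normalize(path: str) -> str:
    """Resolve '.', '..' and duplicate slashes before any prefix comparison,
    so '/home/sandbox/pkg-17/../pkg-23' is judged as '/home/sandbox/pkg-23'."""
    if not path.startswith("/"):
        raise ValueError(f"absolute path required: {path!r}")
    return posixpath.normpath(path)


def under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies inside it, matching on whole
    path components so '/home/sandbox/pkg-170' is not inside 'pkg-17'."""
    path, prefix = normalize(path), normalize(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def deny_unless_allowed(rules, path: str, op: str) -> bool:
    """Sandbox semantics: permitted only if some rule explicitly grants op."""
    return any(under(path, p) and op in perms for p, perms in rules)


def allow_unless_denied(deny_rules, path: str, op: str) -> bool:
    """Conventional semantics: permitted unless some rule explicitly denies op."""
    return not any(under(path, p) and op in perms for p, perms in deny_rules)


def compare(path: str, op: str) -> tuple[bool, bool]:
    """(sandbox decision, conventional decision) for the same access."""
    return (deny_unless_allowed(SANDBOX_ALLOW, path, op),
            allow_unless_denied(CONVENTIONAL_DENY, path, op))


if __name__ == "__main__":
    for path, op in [
        ("/home/sandbox/pkg-17/save.dat", WRITE),
        ("/opt/Qtopia/lib/libqtopia.so", READ),
        ("/opt/Qtopia/lib/libqtopia.so", WRITE),   # read-only image
        ("/dev/ttyS1", WRITE),                     # modem device nobody listed
        ("/home/sandbox/pkg-17/../pkg-23/data", READ),
        ("/home/sandbox/pkg-170/x", READ),
    ]:
        sandbox, conventional = compare(path, op)
        print(f"{op:5} {path:40} sandbox={sandbox!s:5} conventional={conventional}")
```

The /dev/ttyS1 case is the whole argument for inversion: the deny list never mentions it, so the conventional model lets the game open the modem, while the sandbox refuses because no rule grants it. The example also shows two checks any path-based rule matcher needs before prefix comparison: normalising `..` segments, and matching on whole components so a neighbouring directory with a longer name does not inherit the grant.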

This feature includes a complete integration of the SANDBOX rule into the 2.4-kernel-based file-system on the Greenphone. It also caters for read-only file-systems such as cramfs.

The sandbox implementation is provided as a set of kernel patches and file-system tools, which builders of an SXE Qtopia device must apply during integration.

Advanced Sample Integration

Priority 2

The integration is accomplished via a range of scripts as described in SXE system customization. Specific working examples of these scripts are provided with the VirtualTargetEnvironment, and for a few popular target device platforms. Generic script templates are provided so that system customization can be performed for other platforms.

These scripts are tested and proven working on the Greenphone.

Security Monitor

SxeMonitor is a Qtopia system process which monitors for breaches of SXE policy. The following action is taken upon detection of a policy breach:

The monitor receives its input through the system log facility, which reduces coupling with the qpe server. Errant applications are detected from posts to the log, which consist of LIDS messages and of messages from SXE at the Qt/Qtopia level. System SMS messages are used as part of the alert mechanism.
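The detection step described above, run over a few constructed log lines, as an added example that is not the SxeMonitor implementation. The LIDS line is modelled on the shape of LIDS violation reports and the `SXE: denied request ...` line is an assumed format for the Qt/Qtopia-level message; the response policy (alert on the first breach, flag a process for termination once a threshold is reached) is an illustrative choice for the example, not something the page specifies.

```python
"""Detecting SXE policy breaches from system-log lines (added example, not
the SxeMonitor implementation).

The log lines below are constructed. The LIDS message shape is modelled
on LIDS violation reports and the 'SXE: denied request ...' line is an
assumed format for the Qt/Qtopia-level message; the response policy
(alert on first breach, flag a process for termination after a threshold)
is an illustrative choice, not the page's.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed syslog excerpt: one sandboxed game (program 17, pid 812)
# probing the modem and trying to send an SMS, plus unrelated noise.
SAMPLE_LOG = """\
Jun  4 10:12:01 greenphone kernel: LIDS: mygame (dev 3:2 inode 4412) pid 812 ppid 1 uid/gid (500/500) on (null tty) : Attempt to open /dev/ttyS1 for writing
Jun  4 10:12:01 greenphone qpe: SXE: denied request QPE/Application/qtmail::sendSMS(QString,QString) from program 17 (pid 812)
Jun  4 10:12:02 greenphone qpe: qpe: application 'calendar' started
Jun  4 10:12:03 greenphone kernel: LIDS: mygame (dev 3:2 inode 4412) pid 812 ppid 1 uid/gid (500/500) on (null tty) : Attempt to open /etc/passwd for writing
Jun  4 10:12:05 greenphone qpe: SXE: denied request QPE/Application/webbrowser::openUrl(QString) from program 23 (pid 840)
"""

LIDS_RE = re.compile(
    r"LIDS: (?P<prog>\S+) \(dev \S+ inode \d+\) pid (?P<pid>\d+) .*?: (?P<what>Attempt to .*)$")
SXE_RE = re.compile(
    r"SXE: denied request (?P<req>\S+) from program (?P<progid>\d+) \(pid (?P<pid>\d+)\)")


@dataclass(frozen=True)
class Breach:
    source: str    # "lids" (kernel MAC) or "sxe" (application-level policy)
    pid: int
    program: str   # executable name for LIDS, Program ID for SXE
    detail: str


def parse_breach(line: str) -> Breach | None:
    """Return a Breach for a LIDS or SXE denial line, None for anything else."""
    m = LIDS_RE.search(line)
    if m:
        return Breach("lids", int(m["pid"]), m["prog"], m["what"])
    m = SXE_RE.search(line)
    if m:
        return Breach("sxe", int(m["pid"]), m["progid"], m["req"])
    return None


def breaches_by_pid(log: str) -> dict[int, list[Breach]]:
    """Group denial events by the offending process, preserving log order."""
    by_pid: dict[int, list[Breach]] = defaultdict(list)
    for line in log.splitlines():
        b = parse_breach(line)
        if b:
            by_pid[b.pid].append(b)
    return dict(by_pid)


def decide(log: str, kill_threshold: int = 2) -> list[tuple[int, str, str]]:
    """One decision per offending pid: (pid, action, alert text).
    Alert text is kept short on purpose so it could travel as a system SMS."""
    decisions = []
    for pid, events in sorted(breaches_by_pid(log).items()):
        first = events[0]
        action = "terminate" if len(events) >= kill_threshold else "alert"
        text = (f"SXE: {first.program} (pid {pid}) {len(events)} breach(es); "
                f"first: {first.detail}")
        decisions.append((pid, action, text))
    return decisions


if __name__ == "__main__":
    for pid, action, text in decide(SAMPLE_LOG):
        print(f"{action:9} {text}")
```

Both message sources are keyed on the process ID, which is what lets a monitor fed only by syslog correlate a kernel-level MAC denial with an application-level request denial from the same offender without talking to the qpe server directly.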

Constrained Resources and Privileges for Sand-boxed Applications Pt 1

Resources such as memory will be limited for sand-boxed applications.

System Hardening

To increase the resistance of those parts of the Qtopia device system that are exposed to untrusted downloaded applications, a number of specific security measures are implemented to provide protection in addition to the Safe Execution Environment sandbox.

In 4.2.2, bounds checking on QWS protocol messages is used to protect against simply crafted malformed requests sent over the QWS socket.

Note that System Hardening will be broadened in scope in later releases.


Copyright © 2007 Trolltech Trademarks
Qtopia 4.2.5