SXE - Requirements
Introduction
The Qtopia SXE must satisfy the following requirements:
- provide for selection and OTA installation of a range of packages including native binaries and themes
- maintain security and integrity of the Qtopia system, including user-data and access to any network or other services
- impose minimal impact on the end-user, including performance impact, while preserving maximum usability
- provide an acceptable level of assurance, for telephony applications, that the operation of the device, and in particular its behaviour towards the carrier network, cannot be compromised by a user knowingly downloading and installing software.
It is desirable to provide:
- improved performance, functionality, and security over other virtual machine or sand-boxing models.
- mechanisms to address a range of security risks such as denial of service, out-of-memory and UI spoofing.
Use-case
To define and circumscribe the security problem that the SXE system is intended to solve, the following use-case is presented:
A device end-user:
- browses for a package
- downloads the package
- installs it on the device.
The package may, without the user's knowledge, contain flawed or malicious software. After installation the user expects to run the program and obtain the package's promised functionality.

For telephony-enabled devices the network provider expects that the telephony software and service will not be compromised by malicious software knowingly installed by the user.
Acceptance Scenario
The integrity of the user's data and the Qtopia system itself must remain intact following the installation and execution of new device programs.
Counter-indications
If a package can be constructed for installation such that a program installed from it is able to perform any of the following actions, then the requirements above have not been met:
- append a line to the /etc/passwd file
- change the permission bits of the libc library file
- launch /opt/Qtopia/bin/qcop with LD_PRELOAD set to /root/mylibs/libc.so.1.0.1 such that this library is loaded
- without holding the Network profile, have the server execute the telephony commands that send an MMS
- without holding the AddressBook profile, successfully request the updateContact(QContact) service and thereby process address book data.
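The counter-indications read as acceptance tests, so the following probe script, an added example rather than Qtopia's own test code, attempts the three filesystem and loader actions and reports whether the sandbox blocked each. It is meant to be run as the installed package's program, inside the sandbox, on a test device or image, because the first probe really does append to its target. Assumptions: /lib/libc.so.6 as the libc path (the page names no path); the LD_PRELOAD probe checks only whether the variable set by the installed program survives into a program it launches, since proving that the library executed inside qcop needs a real library that leaves a side effect. The two qcop-service counter-indications (MMS and updateContact) need a running Qtopia server and are not covered.

```shell
#!/bin/sh
# SXE counter-indication probe (added example, not part of the Qtopia sources).
# Each probe attempts one action the requirements forbid and returns 0 when the
# action succeeded (requirement violated) or 1 when the sandbox blocked it.
# Targets are parameters defaulting to the paths named in the requirements;
# /lib/libc.so.6 is an assumed libc location.

# Counter-indication 1: append a line to the password file.
probe_passwd_append() {
    target=${1:-/etc/passwd}
    marker='sxeprobe:x:65534:65534:SXE probe:/:/bin/false'
    # Append, then re-read from this sandbox's view: a write that is reported
    # as successful but never lands is not a violation.
    if printf '%s\n' "$marker" 2>/dev/null >>"$target" &&
       grep -qF -- "$marker" "$target" 2>/dev/null; then
        return 0
    fi
    return 1
}

# Counter-indication 2: change the permission bits of the libc library.
# Toggles the world-write bit (which a libc never legitimately carries) and
# restores the original mode afterwards. Column 9 of `ls -ld` is that bit.
probe_libc_chmod() {
    target=${1:-/lib/libc.so.6}
    [ -e "$target" ] || return 1
    before=$(ls -ld "$target" | cut -c9)
    if [ "$before" = w ]; then
        flip=o-w; undo=o+w; want=-
    else
        flip=o+w; undo=o-w; want=w
    fi
    chmod "$flip" "$target" 2>/dev/null || return 1
    after=$(ls -ld "$target" | cut -c9)
    chmod "$undo" "$target" 2>/dev/null
    [ "$after" = "$want" ]
}

# Counter-indication 3: launch a program with LD_PRELOAD pointing at an
# attacker-controlled library. The precondition is that LD_PRELOAD survives
# into the launched program's environment; this checks exactly that with a
# throwaway child. A sandbox that scrubs LD_* on exec blocks it here.
probe_ld_preload() {
    lib=${1:-/root/mylibs/libc.so.1.0.1}
    seen=$(LD_PRELOAD="$lib" sh -c 'printf %s "${LD_PRELOAD-}"' 2>/dev/null)
    [ "$seen" = "$lib" ]
}

# report DESCRIPTION PROBE ARG: print one result line, return 1 on violation.
report() {
    if "$2" "$3"; then
        echo "FAIL (requirement violated): $1"
        return 1
    fi
    echo "PASS (blocked): $1"
    return 0
}

# Run every probe; the return value is the number of violated requirements.
run_probes() {
    passwd=${1:-/etc/passwd}
    libc=${2:-/lib/libc.so.6}
    lib=${3:-/root/mylibs/libc.so.1.0.1}
    n=0
    report "append a line to $passwd" probe_passwd_append "$passwd" || n=$((n+1))
    report "change permission bits of $libc" probe_libc_chmod "$libc" || n=$((n+1))
    report "LD_PRELOAD=$lib reaches a launched program" probe_ld_preload "$lib" || n=$((n+1))
    return "$n"
}

# Only runs the live probes when explicitly requested, e.g.
#   SXE_RUN_PROBES=1 sh sxe_probe.sh [passwd-path] [libc-path] [preload-lib]
if [ "${SXE_RUN_PROBES:-0}" = 1 ]; then
    run_probes "$@"
fi
```

Run from outside the sandbox as well (for instance from a root shell on the device), the same script should report every probe as a violation; the difference between the two runs is the sandbox's contribution. A result of PASS for the append probe should additionally be confirmed from outside the sandbox, since a copy-on-write view would let the probe see its own line without /etc/passwd itself having changed.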
Discussion of Benefits
- Native applications will often have better performance, through code optimization and access to hardware.
- Native sand-boxing allows tailoring the security policy to the file-systems and application stack which provides stronger security.
- Previous implementations of MIDP (v1.0) were not strong on security, and even in version 2 the security model is focused on network protocols, with limited ability to protect the file system.
- There are licensing issues with the Java approach.