[Qt-qml] FW: capabilities of qml.exe

shane.kearns at accenture.com shane.kearns at accenture.com
Mon Apr 12 10:25:10 CEST 2010


Can we get a comment from the QML developers?

________________________________
From: Campbell, Iain
Sent: 31 March 2010 09:29
To: Kearns, Shane; Aleksandar Sasha Babic
Cc: qt-qml at trolltech.com; s60 at trolltech.com
Subject: RE: capabilities of qml.exe


I think this is a really tricky case - and I don't think we can just say we restrict qml.exe to user capabilities then make people build their own. Particularly if, on the device, you might be able to launch any version of qml.exe with your own QML files provided, which would be an easy escalation of privilege attack.

It depends on other critical things:

1) what is the deployment solution for QML? Is it just SIS files (needed if you extend it with a native DLL, but not in other cases)? Or something else? I haven't seen a good (secure) deployment story yet.

2) How does CWRT handle this? They have the same problem. In general, the security-for-runtimes problem is a totally open issue on Symbian.

Cheers,

Iain
-----Original Message-----
From: Aleksandar Sasha Babic
Sent:  31-03-2010, 07:56
To: Kearns, Shane
Cc: qt-qml at trolltech.com; s60 at trolltech.com
Subject: Re: capabilities of qml.exe



Hi,

True, "All -TCB" is much more than is needed.
I myself also used "All -TCB", but we can get by with less.

br
Sasha

shane.kearns at accenture.com wrote:
qml.exe is compiled with "ALL-TCB" capabilities.
I think this is too much, for the following reasons:

1. attack surface
Any bugs in qml that can be exploited via a qml script will allow the hacker access to almost all of the system.
I don't think you'd install the qml player on linux as setuid root, or on windows with run as administrator.

It is dangerous to give so many capabilities to an application that can run arbitrary untrusted scripts.

2. ability to load plugins
Third party developers who are working with the SDK have access to only a limited set of capabilities.
See http://developer.symbian.org/wiki/index.php/Capabilities_(Symbian_Signed)

User capabilities are available to anyone
System capabilities require you to upload your DLL to a website and get a signed version back via email every time you make a change.
Unless you are a registered company with a publisher ID, in which case you can get a "developer certificate" that you can use for signing on your pc.
Restricted capabilities are only available to registered companies with publisher ID
Manufacturer capabilities require the developer to get special permission from Nokia (which is rarely given for DRM and TCB)

Therefore if qml.exe has more than the user set of capabilities it will be difficult for developers who download the SDK to test their plugin dlls.
Of course, when building qml.exe yourself, you can change the capabilities as needed.

3. requirements of underlying APIs

All Qt's APIs can be used with just the "user capabilities" set, with the exception of QProcess::kill() / QProcess::terminate() which require PowerMgmt

4. difference between exe and dll capabilities.

A process (exe) can load dlls with equal or greater capabilities to the process.
The process capabilities are not changed when loading dlls, and security checks are always done on a process.

So, capabilities of a general purpose DLL should be broad (so they can be used by many processes).
Capabilities of an EXE should be narrow (to limit the attack surface if it contains exploitable bugs).

Ideally, an EXE should have exactly the capabilities for the APIs it uses, and no more.
Ideally, a general purpose DLL should only have capabilities it is trusted with - higher capability DLLs should be reviewed more stringently. (in practice, this is only done for TCB and to a limited extent, DRM)
Ideally, plugins should have the same capabilities as the process that loads them (if there is only one process that should load a particular plugin).

5. Recommendation:

I recommend that qml.exe is built with the "user capabilities" set, to give benefit to the most developers.
Qml applications should be built with their own wrapper exe with the correct capabilities.
--