[Qt-qml] FW: capabilities of qml.exe
Matthias Ettrich
matthias.ettrich at nokia.com
Mon Apr 12 10:58:03 CEST 2010
For the time being the qml deployment solution is SIS files.
We will provide a tool to simplify package creation to the minimum possible.
The tool will also take care of creating a "stub" to replace qml.exe on the
device, with the correct capabilities.
Anything else would be a can of worms which we don't intend to open anytime
soon.
qml.exe is still very useful during the development process, both on the
desktop and on the device.
Matthias
On Monday 12 April 2010 10:25:10 ext shane.kearns at accenture.com wrote:
> Can we get a comment from the QML developers?
>
> ________________________________
> From: Campbell, Iain
> Sent: 31 March 2010 09:29
> To: Kearns, Shane; Aleksandar Sasha Babic
> Cc: qt-qml at trolltech.com; s60 at trolltech.com
> Subject: RE: capabilities of qml.exe
>
>
> I think this is a really tricky case - and I don't think we can just say we
> restrict qml.exe to user capabilities then make people build their own.
> Particularly if, on the device, you might be able to launch any version of
> qml.exe with your own QML files provided, which would be an easy
> escalation of privilege attack.
>
> It depends on other critical things:
>
> 1) what is the deployment solution for QML? Is it just SIS files (needed if
> you extend it with a native DLL, but not in other cases)? Or something
> else? I haven't seen a good (secure) deployment story yet.
>
> 2) How does CWRT handle this? They have the same problem. In general, the
> security-for-runtimes problem is a totally open issue on Symbian.
>
> Cheers,
>
> Iain
> -----Original Message-----
> From: Aleksandar Sasha Babic
> Sent: 31-03-2010, 07:56
> To: Kearns, Shane
> Cc: qt-qml at trolltech.com; s60 at trolltech.com
> Subject: Re: capabilities of qml.exe
>
>
>
> Hi,
>
> True, "All -TCB" is much more than is needed.
> I also myself did use "All -TCB" but we can get with less.
>
> br
> Sasha
>
> shane.kearns at accenture.com<mailto:shane.kearns at accenture.com> wrote:
> qml.exe is compiled with "ALL-TCB" capabilities.
> I think this is too much, for the following reasons:
>
> 1. attack surface
> any bugs in qml that can be exploited via a qml script will allow the
> hacker access to almost all of the system. I don't think you'd install the
> qml player on linux as setuid root, or on windows with run as
> administrator.
>
> It is dangerous to give so many capabilities to an application that can run
> arbitrary untrusted scripts.
>
> 2. ability to load plugins
> Third party developers who are working with the SDK have access to only a
> limited set of capabilities. See
> http://developer.symbian.org/wiki/index.php/Capabilities_(Symbian_Signed)
>
> User capabilities are available to anyone.
> System capabilities require you to upload your DLL to a website and get a
> signed version back via email every time you make a change. Unless you are
> a registered company with a publisher ID, in which case you can get a
> "developer certificate" that you can use for signing on your pc.
> Restricted capabilities are only available to registered companies with a
> publisher ID.
> Manufacturer capabilities require the developer to get special permission
> from Nokia (which is rarely given for DRM and TCB).
>
> Therefore if qml.exe has more than the user set of capabilities it will be
> difficult for developers who download the SDK to test their plugin dlls.
> Of course, when building qml.exe yourself, you can change the capabilities
> as needed.
>
> 3. requirements of underlying APIs
>
> All Qt's APIs can be used with just the "user capabilities" set, with the
> exception of QProcess::kill() / QProcess::terminate() which require
> PowerMgmt
>
> 4. difference between exe and dll capabilities.
>
> A process (exe) can load dlls with equal or greater capabilities to the
> process. The process capabilities are not changed when loading dlls, and
> security checks are always done on a process.
>
> So, capabilities of a general purpose DLL should be broad (so they can be
> used by many processes). Capabilities of an EXE should be narrow (to limit
> the attack surface if it contains exploitable bugs).
>
> Ideally, an EXE should have exactly the capabilities for the APIs it uses,
> and no more. Ideally, a general purpose DLL should only have capabilities
> it is trusted with - higher capability DLLs should be reviewed more
> stringently. (in practice, this is only done for TCB and to a limited
> extent, DRM) Ideally, plugins should have the same capabilities as the
> process that loads them (if there is only one process that should load a
> particular plugin)
>
> 5. Recommendation:
>
> I recommend that qml.exe is built with the "user capabilities" set, to give
> benefit to the most developers. Qml applications should be built with
> their own wrapper exe with the correct capabilities.
> _______________________________________________
> Qt-qml mailing list
> Qt-qml at trolltech.com
> http://lists.trolltech.com/mailman/listinfo/qt-qml
>
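As an added example that is not part of the original thread (it is not Qt's, Nokia's or Accenture's own build configuration): the qmake project fragment below shows what Shane's recommendation in point 5 looks like in practice, a per-application wrapper exe built with only the user capability set, next to the "ALL -TCB" setting the thread says qml.exe was built with. The project name, UID, file names and the main.cpp it refers to are assumptions; the six capability names listed are the Symbian Signed user-grantable set, which the thread refers to but does not enumerate.

```qmake
# Added example (hypothetical project, not from the thread): a wrapper exe
# for a single QML application, built with the "user" capability set only,
# contrasted with the ALL -TCB setting the thread describes for qml.exe.
TEMPLATE = app
TARGET = myqmlapp            # assumed project name
QT += declarative
SOURCES += main.cpp          # assumed: shows main.qml in a QDeclarativeView

symbian {
    TARGET.UID3 = 0xE1234567   # assumed unprotected (development-range) UID

    # Point 5 of the thread: the user capability set is available to any
    # developer who downloads the SDK, and point 3 says Qt's own APIs need
    # nothing more (only QProcess::kill()/terminate() need PowerMgmt).
    TARGET.CAPABILITY = LocalServices Location NetworkServices \
                        ReadUserData UserEnvironment WriteUserData

    # What the thread objects to for qml.exe: a process that runs arbitrary
    # QML scripts while holding every capability except TCB. Kept here,
    # commented out, only to show the contrast.
    # TARGET.CAPABILITY = ALL -TCB

    # Point 4 of the thread: a process may load a DLL whose capabilities are
    # equal to or greater than its own, so a general-purpose plugin DLL can
    # be broader than this exe. A plugin loaded only by this exe should be
    # built with exactly the same set as above, in its own .pro file.

    # Ship the QML files inside the SIS package next to the exe, so the
    # application does not depend on a system-wide qml.exe on the device.
    qmlfiles.sources = main.qml
    qmlfiles.path = .
    DEPLOYMENT += qmlfiles
}
```

With this layout the QML files are only ever executed by an exe that carries the capabilities this particular application needs, which is the point Shane and Iain make about an over-capable, general-purpose qml.exe being reachable with attacker-supplied QML.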