[Qt-qml] capabilities of qml.exe
Aleksandar Sasha Babic
ababic at trolltech.com
Wed Mar 31 08:56:09 CEST 2010
Hi,
True, "All -TCB" is much more than is needed.
I also myself did use "All -TCB" but we can get by with less.
br
Sasha
shane.kearns at accenture.com wrote:
>
> qml.exe is compiled with "ALL-TCB" capabilities.
>
> I think this is too much, for the following reasons:
>
> 1. attack surface
>
> any bugs in qml that can be exploited via a qml script will allow the
> hacker access to almost all of the system.
>
> I don't think you'd install the qml player on linux as setuid root, or
> on windows with run as administrator.
>
> It is dangerous to give so many capabilities to an application that
> can run arbitrary untrusted scripts.
>
> 2. ability to load plugins
>
> Third party developers who are working with the SDK have access to
> only a limited set of capabilities.
>
> See
> http://developer.symbian.org/wiki/index.php/Capabilities_(Symbian_Signed)
>
> User capabilities are available to anyone
>
> System capabilities require you to upload your DLL to a website and
> get a signed version back via email every time you make a change.
>
> Unless you are a registered company with a publisher ID, in which case
> you can get a "developer certificate" that you can use for signing on
> your pc.
>
> Restricted capabilities are only available to registered companies
> with publisher ID
>
> Manufacturer capabilities require the developer to get special
> permission from Nokia (which is rarely given for DRM and TCB)
>
> Therefore if qml.exe has more than the user set of capabilities it
> will be difficult for developers who download the SDK to test their
> plugin dlls.
>
> Of course, when building qml.exe yourself, you can change the
> capabilities as needed.
>
> 3. requirements of underlying APIs
>
> All Qt's APIs can be used with just the "user capabilities" set, with
> the exception of QProcess::kill() / QProcess::terminate() which
> require PowerMgmt.
>
> 4. difference between exe and dll capabilities.
>
> A process (exe) can load dlls with equal or greater capabilities to the
> process.
>
> The process capabilities are not changed when loading dlls, and
> security checks are always done on a process.
>
> So, capabilities of a general purpose DLL should be broad (so they can
> be used by many processes).
>
> Capabilities of an EXE should be narrow (to limit the attack surface
> if it contains exploitable bugs).
>
> Ideally, an EXE should have exactly the capabilities for the APIs it
> uses, and no more.
>
> Ideally, a general purpose DLL should only have capabilities it is
> trusted with - higher capability DLLs should be reviewed more
> stringently. (in practice, this is only done for TCB and to a limited
> extent, DRM)
>
> Ideally, plugins should have the same capabilities as the process that
> loads them (if there is only one process that should load a particular
> plugin).
>
> 5. Recommendation:
>
> I recommend that qml.exe is built with the "user capabilities" set, to
> give benefit to the most developers.
>
> Qml applications should be built with their own wrapper exe with the
> correct capabilities.
>
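The points above (the loader rule in 4, the signing tiers in 2, and the "exactly the capabilities for the APIs it uses" principle in 3 and 5) can be checked with a small model. The following is an added example written for this page; it is not code from the thread, from Qt or from Symbian. The capability names are real Symbian platform-security capabilities, but the tier grouping is a representative subset taken from the Symbian Signed scheme the post links to, and the API-to-capability table contains only the two exceptions the post names (assumption: every other Qt API is covered by the user set).

```python
from enum import Flag, auto
from functools import reduce
from operator import or_


class Cap(Flag):
    """Subset of Symbian platform-security capabilities, grouped by signing tier."""
    NONE = 0
    # User capabilities: any developer can self-sign these
    LOCAL_SERVICES = auto()
    LOCATION = auto()
    NETWORK_SERVICES = auto()
    READ_USER_DATA = auto()
    USER_ENVIRONMENT = auto()
    WRITE_USER_DATA = auto()
    # System capabilities: Symbian Signed upload, or a developer certificate
    POWER_MGMT = auto()
    READ_DEVICE_DATA = auto()
    WRITE_DEVICE_DATA = auto()
    TRUSTED_UI = auto()
    # Restricted capabilities: registered companies with a publisher ID only
    NETWORK_CONTROL = auto()
    DISK_ADMIN = auto()
    # Manufacturer capabilities: special permission from the manufacturer
    DRM = auto()
    TCB = auto()


def _union(*caps: Cap) -> Cap:
    return reduce(or_, caps, Cap.NONE)


USER = _union(Cap.LOCAL_SERVICES, Cap.LOCATION, Cap.NETWORK_SERVICES,
              Cap.READ_USER_DATA, Cap.USER_ENVIRONMENT, Cap.WRITE_USER_DATA)
SYSTEM = _union(Cap.POWER_MGMT, Cap.READ_DEVICE_DATA, Cap.WRITE_DEVICE_DATA, Cap.TRUSTED_UI)
RESTRICTED = _union(Cap.NETWORK_CONTROL, Cap.DISK_ADMIN)
MANUFACTURER = _union(Cap.DRM, Cap.TCB)
ALL = _union(USER, SYSTEM, RESTRICTED, MANUFACTURER)
# The "ALL -TCB" build that the thread argues against
ALL_MINUS_TCB = ALL & ~Cap.TCB


def signing_tier(caps: Cap) -> str:
    """Most demanding signing route a binary needs to hold `caps` (point 2)."""
    if caps & MANUFACTURER:
        return "manufacturer"
    if caps & RESTRICTED:
        return "restricted"
    if caps & SYSTEM:
        return "system"
    return "user"


def can_load(process_caps: Cap, dll_caps: Cap) -> bool:
    """Loader rule (point 4): the DLL must hold every capability the process holds."""
    return (process_caps & dll_caps) == process_caps


def load_plugin(process_caps: Cap, dll_caps: Cap) -> Cap:
    """Load a plugin and return the process capabilities afterwards.

    Process capabilities never change on load (point 4); the only outcome of a
    mismatch is that the load is refused.
    """
    if not can_load(process_caps, dll_caps):
        missing = process_caps & ~dll_caps
        raise PermissionError(f"plugin lacks {missing} held by the process")
    return process_caps


# Assumption: only the two exceptions named in the post need more than the user set.
_EXTRA_CAP_FOR_API = {
    "QProcess::kill": Cap.POWER_MGMT,
    "QProcess::terminate": Cap.POWER_MGMT,
}


def least_capabilities(apis_used) -> Cap:
    """Narrowest exe capability set for the APIs it calls (points 3 and 5)."""
    return _union(USER, *(_EXTRA_CAP_FOR_API.get(api, Cap.NONE) for api in apis_used))


if __name__ == "__main__":
    sdk_plugin = USER                      # what an SDK developer can self-sign
    print("ALL -TCB qml.exe loads user plugin:", can_load(ALL_MINUS_TCB, sdk_plugin))
    print("user-caps qml.exe loads user plugin:", can_load(USER, sdk_plugin))
    print("signing tier for ALL -TCB:", signing_tier(ALL_MINUS_TCB))
    print("caps for a QML player using QProcess::kill:", least_capabilities(["QProcess::kill"]))
```

Run as a script, the first check is the practical problem from point 2: a qml.exe built with "ALL -TCB" refuses any plugin DLL an SDK developer can sign, while a user-capability qml.exe accepts it. The reverse direction also holds in the model, as in point 4: a narrow exe may load a broad DLL, which is why general-purpose DLLs are built broad and exes narrow.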