1. DonHB's Avatar
    Primarily about the security model that POSIX embodies. It doesn't seem to fit the granularity required today.
    02-18-16 05:53 PM
  2. Richard Buckley's Avatar
    Primarily about the security model that POSIX embodies. It doesn't seem to fit the granularity required today.
    POSIX compliance does not enforce a security model. In any case since we are smartphones the security model has already departed from the normal user group policy model used in more traditional systems like desktop computers. Smartphones are generally organised around the concept of a single device user, and numerous applications that are nominally untrusted, but granted access to data or resources at some level of granularity. Since all smartphone OSs implement this similar security model, and all exhibit some degree of POSIX certification, it does not follow that POSIX in any way hinders the deployment of any security model.

    You have to remember that however complex the security model looks at the user level, at the OS level it boils down to a small set of privilege levels, often only two.

    LeapSTR100-2/10.3.2.2876
    02-18-16 07:40 PM
  3. DonHB's Avatar
    You have to remember that however complex the security model looks at the user level, at the OS level it boils down to a small set of privilege levels, often only two.
    This model is inadequate for today's needs and at the OS level should incorporate abstractions to enable security beyond what BB10 and Marshmallow provide. Both systems are insufficient in granularity of control. And increased granularity of control should be considered needed for any networked device not just smartphones.
    02-18-16 08:50 PM
  4. Richard Buckley's Avatar
    This model is inadequate for today's needs and at the OS level should incorporate abstractions to enable security beyond what BB10 and Marshmallow provide. Both systems are insufficient in granularity of control. And increased granularity of control should be considered needed for any networked device not just smartphones.
    Well, the small number of privilege levels is dominated by hardware constraints. x86 protected mode has 4 rings for example, 0-3. The Arm architecture is somewhat different, especially where hypervisor support is provided, but not really more numerous.

    However the point is the few privilege levels supported does not prevent OS from providing higher granularity by the time you get to user level operation. If you are really interested in this area you should do some research into how security is provided by the OS with the use of available hardware features. BBOS provided very good granularity at run time with much less hardware and OS support. The limit for granularity isn't the hardware, OS or POSIX, it is the ability of the user base to effectively use the number of configuration controls needed to support higher granularity.

    LeapSTR100-2/10.3.2.2876
    02-19-16 04:07 AM
  5. DonHB's Avatar
    Well, the small number of privilege levels is dominated by hardware constraints. x86 protected mode has 4 rings for example, 0-3. The Arm architecture is somewhat different, especially where hypervisor support is provided, but not really more numerous.
    When discussing the architecture and design of an OS you do not necessarily need to consider which CPU it will be running on until you actually build it. I am not aware of any commonly used OSes that actually implement gating of rings 1 and 2 in the IA86/64, primarily because most commercial OSes are descendants from *nix architecture which is a poor copy of Multics. Any experimental OS implementations using Rings 1 & 2 compromised performance. Similar to the arguments against the practicality of OSes with microkernels. Unlike protection rings hypervisor support is available in many CPUs including x86/64.

    However the point is the few privilege levels supported does not prevent OS from providing higher granularity by the time you get to user level operation.
    Actually, it should be implemented in the OS. The security and privacy abstractions that determine the security and privacy usage models (e.g. role-based access control) should be rethought which is what I was saying.
    Last edited by DonHB; 02-19-16 at 11:00 AM.
    02-19-16 10:46 AM
  6. Richard Buckley's Avatar
    When discussing the architecture and design of an OS you do not necessarily need to consider which CPU it will be running on until you actually build it. I am not aware of any commonly used OSes that actually implement gating of rings 1 and 2 in the IA86/64, primarily because most commercial OSes are descendants from *nix architecture which is a poor copy of Multics. Any experimental OS implementations using Rings 1 & 2 compromised performance. Similar to the arguments against the practicality of OSes with microkernels. Unlike protection rings hypervisor support is available in many CPUs including x86/64.


    Actually, it should be implemented in the OS. The security and privacy abstractions that determine the security and privacy usage models (e.g. role-based access control) should be rethought which is what I was saying.
    That is quite often because hardware security measures are implemented as a hierarchy, as in the x86 4 rings, but security matters are far more complex. If data access permissions were arranged in some order and you could only access those at level zero if you had access to level one, which could only be accessed if you had level two, etc they would not be very useful. Even in the traditional classification model of confidential, secret, top secret you will find that other access controls quickly complicate matters.

    But far from being held back by anything, QNX is very well positioned to provide the level of granularity desired. The kernel only passes messages according to access parameters. The processing is done in modules, conceptually one module for each grain. Of course it is up to whoever designs the final system to build what they need. A nuclear reactor doesn't need a set of access grains to segregate calendar from camera from mic from phone, etc. Building that security model into the OS would be bloat the OS doesn't need and would hold it back.

    LeapSTR100-2/10.3.2.2876
    02-19-16 04:19 PM
  7. grimlok's Avatar
    Ubuntu's phone OS has a Hub-like interface which looks real promising.

    Posted via CB10
    02-19-16 05:26 PM
  8. DonHB's Avatar
    Building that security model into the OS would be bloat the OS doesn't need and would hold it back.
    The issue is not just about how BB10 is unable to allow use of flash without also allowing use of the camera or BB10's inability to restrict access to certain records in contacts or calendars. It is about how commonly used OSes lack the appropriate abstractions to properly describe access control as it is needed today in all networked devices. It is unfortunate that BB10 is in this list because it has an architecture which is conducive to solving the problem.
    Last edited by DonHB; 02-21-16 at 10:53 PM.
    02-21-16 10:42 PM
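
An added illustration, not written by any poster in this thread, of two points argued above: a strictly ordered ring-style hierarchy cannot express "flash but not camera" alongside "camera but not flash", and a classification level alone does not decide access once compartments are involved. The resource names, app names and the `crypto` compartment are constructed for the example.

```python
from itertools import permutations

# Constructed data: resource names, app names and labels are assumptions.
RESOURCES = ("flash", "camera", "contacts", "calendar")
LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}

def hierarchy_can_express(policies):
    """True if one strict ordering of RESOURCES plus one level per app
    yields exactly each app's wanted set (ring-style: access at level n
    implies access to everything ranked below n)."""
    for order in permutations(RESOURCES):      # least -> most sensitive
        prefixes = [set(order[:n]) for n in range(len(order) + 1)]
        if all(set(wanted) in prefixes for wanted in policies.values()):
            return True
    return False

def grant_allows(policies, app, resource):
    """Per-resource grants: each app holds an independent set."""
    return resource in policies.get(app, ())

def dominates(subject, obj):
    """Classification plus compartments: the subject needs a level at
    least as high AND every compartment carried by the object."""
    s_level, s_comps = subject
    o_level, o_comps = obj
    return LEVELS[s_level] >= LEVELS[o_level] and set(o_comps) <= set(s_comps)

if __name__ == "__main__":
    nested = {"torch": {"flash"}, "scanner": {"flash", "camera"}}
    independent = {"torch": {"flash"}, "scanner": {"camera"}}
    # Nested grants fit a hierarchy; independent ones do not.
    print(hierarchy_can_express(nested))
    print(hierarchy_can_express(independent))
    # An explicit grant set expresses "flash without camera" directly.
    print(grant_allows(independent, "torch", "flash"),
          grant_allows(independent, "torch", "camera"))
    # A higher level without the compartment is still denied.
    print(dominates(("top secret", set()), ("secret", {"crypto"})))
```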