Content: Installed Software: Safe Execution Environment
Functional Description
The Safe Execution Environment provides a level of security to enable
downloading, installing and running third-party native applications; by
addressing the risk of compromising the operation of the device, or its data,
when running such applications.
The Safe Execution Environment for Qt Extended 4.3 Final only supports the
download and secure execution of games
Features
End-users may safely download and run games. Here games refers to restricted applications which do not require access to the full range of Qt Extended features (such as networking and document access).
These applications are restricted to
- write-only display access
- a specific location on the file-system
- play audio
Refer to the Package Manager spec for details of the SXE related features of the Package Manager.
Application Level Policy
A policy file can be used to regulate the communication between applications and the server that take place along Qt Extended IPC. The policy file consists of a set of domains, each of which consists of a set of request strings. There are currently 2 domains, untrusted and trusted.
Through application policy, requests can be allowed for applications in the trusted domain while denied for those in the untrusted domain.
OS Level Policy
Application level policy is supplemented by Operating System level policy provided by a number of scripts. These scripts are used specify the policy of a Mandatory Access Control implementation ( such as LIDS from http://www.lids.org). Mandatory Access Control can, for example, prevent a program accessing the network or modem device directly.
An example integration of MAC rules, SXE file-system and Qt Extended is provided as part of the Greenphone image. Scripts to build modified versions of the kernel, and the image are available. Generic script templates are also provided so that system customization can be performed for other platforms.
Untrusted applications run under a sandbox MAC rule set which inverts the usual system of allow, unless specifically denied to instead be deny, unless specifically allowed. This ensures that downloaded applications are not able to access any exploitable system resources.
The sandbox restricts the application to a specific subset of the file-system for its read-write access.
This feature includes a complete integration of the the SANDBOX rule into the 2.4 kernel based file-system on the Greenphone. It also caters for read-only filesystems such as cramfs.
The sandbox implementation is provided as a set of kernel patches and file-system tools, which builders of an SXE Qt Extended device must apply during integration.
SxeMonitor is a Qt Extended system process, which monitors breaches in SXE policy. The following action is taken upon detection of a policy breach:
- Alert dialog on application attempting unauthorized action
- Alert SMS on application attempting unauthorized action
- Downloaded application prevented from relaunching, ie disabled, after attempting unauthorized action. (Application can be re-enabled using Package Manager)
- All running instances of the downloaded application are terminated when attempting an unauthorized action.
- All downloaded applications are terminated and disabled if a brute force attack on binary keys is detected.
This feature is provided as part of the Touchscreen Phone Reference Design.
SXE adopts a two tier domain model, all applications must declare whether they belong into the trusted or untrusted domains. Application and OS level policy files have been developed so that untrusted applications will run under sandbox conditions while trusted applications are unrestricted.
All system applications are trusted while downloaded applications are may either be untrusted or trusted. (SXE may be configured so that downloaded applications must always declare themselves untrusted).
SXE only supports the running of games within the untrusted domain.
| Copyright © 2009 Nokia |
Trademarks |
Qt Extended 4.4.3 |
