Several members of the MeeGo security team were on hand at the 2010 MeeGo
conference to talk about what kinds of threats they will be trying to
address—and why—as well as a security framework to enable MeeGo
integrators and application developers to handle security tasks. MeeGo security architect Ryan Ware
of Intel looked at the what and the
why, while Elena Reshetova and Casey Schaufler of Nokia presented on the
Mobile Simplified Security Framework (MSSF). As might be guessed from the
presence of Schaufler, the Smack kernel security module plays a prominent
role in the access control portion of MSSF. This week, we'll cover Ware's
presentation and look at Reshetova and Schaufler's next week.
Ware started with a look back at 1990 by way of a justification of the need
for MeeGo security solutions. In 1990, Intel had 25MHz 386 processors, the
Simpsons were on TV, and there were all of 12 CERT security alerts for the
year. All of those alerts "fit on one slide easily" and contain some
amusing entries like "rumor of alleged attack" and
"security probes from Italy". He listed, again on one slide,
the conferences and other notable computer security news for the year.
Things have changed just a little bit since then.
Fast-forwarding to the present, there have been 4221 CVEs so far this year,
Intel has 3+GHz chips, and the Simpsons are still on TV. When looking at
the growth of malware, there is an inflection point in 1996, which is
probably associated with wider usage of the internet. "The internet
is a petri dish" where all kinds of malware can grow and change. If
you put a stock Windows XP system on the internet today without a firewall,
it will be infected before you can get the updates installed; it only takes
an average of four minutes before that happens, he said.
There is a huge financial incentive these days for those who write malware,
which has changed the landscape significantly. You can now get "malware as
a service" or rent botnets ($8-90/1000 bots "depending on
quantity", he said). In the pwn2own contest at CanSecWest, someone with
a working iPhone exploit was unwilling to release it for the $15,000 prize
as they believed they could get more elsewhere—and did, with rumors of a
There are also "spearphishing" efforts like Aurora that
and 30 other companies, including Intel, last year. It targeted specific
individual employees, sending them an email that looked it came from
someone they knew. When the PDF or JPG inside was opened, it appeared to
be an innocuous file of that type, but actually infected their machine with
a worm that looked for source code repositories. Once found, the contents
of those repositories were slowly—so that intrusion detection systems weren't
alerted—sent elsewhere. The Stuxnet worm/virus is another example of
this new kind of "persistent" threat.
With MeeGo, there are new usage models where desktop data is migrating to
mobile phones, which are much more easily lost, for example. People are
doing banking from their phones as well. When Ware asked how many in the
audience had used their phone for banking, he got quite a few hands;
"you're all screwed", he said. Those credentials are stored
somewhere in the phone for an attacker (or thief) to find. There are also
various efforts to publish your location or turn your phone into a credit
card, all of which have various dangers.
Because the number of Linux devices is growing quickly, it is becoming more
of a target. For reference, he said there are more than a billion
Windows-installed systems—some botnets have more than a million
bots—but the smartphone market is growing at a rate (35.5%/year) that
will go beyond that soon. At that rate, the expected sales of smartphones
in 2014 is 506 million. In addition, the smartphone market is getting less
fragmented and he sees iOS and Linux as likely to be the only players
before too long.
The focus on mobile Linux security is growing, he said. He noted the
recent Coverity study of the Android kernel that found 88 high-risk
defects and there were "some interesting things in there".
The report will not be available for a bit as Coverity gave Google 60 days
to fix the problems before the report will be released. Ware noted that
the study found that the defect rate for the code written for Android was
higher than for the rest of the kernel".
MSSF was originally developed for smartphones, but has been broadened to
support all of the MeeGo vertical markets (netbook, connected TV,
in-vehicle-infotainment (IVI), ...). At a high level, the goals for MSSF
are to provide protections for users of devices, the device itself, and for
new services that are envisioned for MeeGo devices.
For users, that includes protecting things like login credentials and
cookies, but also to try to prevent malicious software from being able to
do things like making expensive phone calls without the knowledge or consent of
the device owner. Protecting the device entails protecting the SIM lock
and ensuring that regulatory requirements (for things like radio frequency
emissions) are strictly adhered to. New services like mobile payment also
need protection, he said.
The MeeGo security team is doing things beyond just MSSF. It ensures that
the external facing MeeGo infrastructure is kept secure. That includes
things like source code repositories and open build service packages. The
team also ensures that MeeGo images are secure by not having insecure
defaults on network services, patching packages for security
vulnerabilities, and issuing MeeGo advisories.
MeeGo "can't be secure without you guys", he said. The team
could do static analysis and code reviews for 80 hours a week and still not
find everything. He asked that folks keep an eye out and point out any
flaws they find to firstname.lastname@example.org. There is also a new MeeGo-security-discussion
mailing list and weekly IRC meetings of the security team are planned in
the near future.
In answer to some audience questions, Ware said he was concerned about
security issues surrounding "cloud" applications, but hadn't looked at it
specifically yet. It is "something to look at in the
future". He also was not interested in talking about DRM solutions,
though some in the audience clearly were. He worked on DRM five years ago
and was glad to not be working on it any more. "I don't want to fix
someone's broken business model", he said. Others who need those
kinds of "solutions" will undoubtedly come up with them.
to post comments)