
A high-level view of the MeeGo security landscape

By Jake Edge
November 17, 2010

Several members of the MeeGo security team were on hand at the 2010 MeeGo conference to talk about what kinds of threats they will be trying to address—and why—as well as a security framework to enable MeeGo integrators and application developers to handle security tasks. MeeGo security architect Ryan Ware of Intel looked at the what and the why, while Elena Reshetova and Casey Schaufler of Nokia presented on the Mobile Simplified Security Framework (MSSF). As might be guessed from the presence of Schaufler, the Smack kernel security module plays a prominent role in the access control portion of MSSF. This week, we'll cover Ware's presentation and look at Reshetova and Schaufler's next week.

Ware started with a look back at 1990 by way of a justification of the need for MeeGo security solutions. In 1990, Intel had 25MHz 386 processors, the Simpsons were on TV, and there were all of 12 CERT security alerts for the year. All of those alerts "fit on one slide easily" and contain some amusing entries like "rumor of alleged attack" and "security probes from Italy". He listed, again on one slide, the conferences and other notable computer security news for the year. Things have changed just a little bit since then.

Fast-forwarding to the present, there have been 4221 CVEs so far this year, Intel has 3+GHz chips, and the Simpsons are still on TV. When looking at the growth of malware, there is an inflection point in 1996, which is probably associated with wider usage of the internet. "The internet is a petri dish" where all kinds of malware can grow and change. If you put a stock Windows XP system on the internet today without a firewall, it will be infected before you can get the updates installed; it only takes an average of four minutes before that happens, he said.

There is a huge financial incentive these days for those who write malware, which has changed the landscape significantly. You can now get "malware as a service" or rent botnets ($8-90/1000 bots "depending on quantity", he said). In the pwn2own contest at CanSecWest, someone with a working iPhone exploit was unwilling to release it for the $15,000 prize as they believed they could get more elsewhere—and did, with rumors of a six-figure sum.

There are also "spearphishing" efforts like Aurora that targeted Google and 30 other companies, including Intel, last year. It targeted specific individual employees, sending them an email that looked like it came from someone they knew. When the PDF or JPG inside was opened, it appeared to be an innocuous file of that type, but actually infected their machine with a worm that looked for source code repositories. Once found, the contents of those repositories were slowly—so that intrusion detection systems weren't alerted—sent elsewhere. The Stuxnet worm/virus is another example of this new kind of "persistent" threat.

With MeeGo, there are new usage models where desktop data is migrating to mobile phones, which are much more easily lost, for example. People are doing banking from their phones as well. When Ware asked how many in the audience had used their phone for banking, he got quite a few hands; "you're all screwed", he said. Those credentials are stored somewhere in the phone for an attacker (or thief) to find. There are also various efforts to publish your location or turn your phone into a credit card, all of which have various dangers.

Because the number of Linux devices is growing quickly, it is becoming more of a target. For reference, he said there are more than a billion Windows-installed systems—some botnets have more than a million bots—but the smartphone market is growing at a rate (35.5%/year) that will go beyond that soon. At that rate, the expected sales of smartphones in 2014 is 506 million. In addition, the smartphone market is getting less fragmented and he sees iOS and Linux as likely to be the only players before too long.

The focus on mobile Linux security is growing, he said. He noted the recent Coverity study of the Android kernel that found 88 high-risk defects and there were "some interesting things in there". The report will not be available for a bit as Coverity gave Google 60 days to fix the problems before the report will be released. Ware noted that the study found that the defect rate for the code written for Android was "significantly higher than for the rest of the kernel".

MSSF was originally developed for smartphones, but has been broadened to support all of the MeeGo vertical markets (netbook, connected TV, in-vehicle-infotainment (IVI), ...). At a high level, the goals for MSSF are to provide protections for users of devices, the device itself, and for new services that are envisioned for MeeGo devices.

For users, that includes protecting things like login credentials and cookies, but also trying to prevent malicious software from being able to do things like making expensive phone calls without the knowledge or consent of the device owner. Protecting the device entails protecting the SIM lock and ensuring that regulatory requirements (for things like radio frequency emissions) are strictly adhered to. New services like mobile payment also need protection, he said.

The MeeGo security team is doing things beyond just MSSF. It ensures that the external-facing MeeGo infrastructure is kept secure. That includes things like source code repositories and open build service packages. The team also ensures that MeeGo images are secure by not having insecure defaults on network services, patching packages for security vulnerabilities, and issuing MeeGo advisories.

MeeGo "can't be secure without you guys", he said. The team could do static analysis and code reviews for 80 hours a week and still not find everything. He asked that folks keep an eye out and point out any flaws they find to security@meego.com. There is also a new MeeGo-security-discussion mailing list and weekly IRC meetings of the security team are planned in the near future.

In answer to some audience questions, Ware said he was concerned about security issues surrounding "cloud" applications, but hadn't looked at it specifically yet. It is "something to look at in the future". He also was not interested in talking about DRM solutions, though some in the audience clearly were. He worked on DRM five years ago and was glad to not be working on it any more. "I don't want to fix someone's broken business model", he said. Others who need those kinds of "solutions" will undoubtedly come up with them.

Index entries for this article
Security: Distribution security
Conference: MeeGo Conference/2010



security for whom?

Posted Nov 18, 2010 14:09 UTC (Thu) by wingo (guest, #26929) [Link] (1 responses)

A link to the discussion of Maemo Platform Security back in February seems appropriate.

I haven't tracked the project since then, but things were not looking very good for the user at that time. It seemed to be more about the traditional "don't hack the device we just sold you" sort of security...

security for whom?

Posted Nov 23, 2010 2:42 UTC (Tue) by rrware (guest, #71420) [Link]

I understand why you might jump to that conclusion. However, keep in mind that we have a Developer mode where you can do whatever you want including using your own kernel. Aside from the aspect that I personally think anyone should be able to do whatever they want with their own hardware, it makes sense from a security perspective. Just look at the console market. Consoles that allowed alternative operating systems took much of the incentive out of hacking the security subsystem of those consoles.

Wot, no spell check?

Posted Nov 18, 2010 15:05 UTC (Thu) by tsr2 (subscriber, #4293) [Link] (1 responses)

"I don't wnat to fix someone's broken business model"

Wot, no spell check?

Posted Nov 18, 2010 15:08 UTC (Thu) by corbet (editor, #1) [Link]

When I was going over that article I just assumed he'd actually said it that way :)

Fixed. For future reference, we (still) prefer to receive typo reports via email; there's no need to clutter the comment stream forever with this kind of stuff.

A high-level view of the MeeGo security landscape

Posted Nov 18, 2010 16:54 UTC (Thu) by xav (guest, #18536) [Link] (1 responses)

> Protecting the device entails protecting the SIM lock and ensuring that regulatory requirements (for things like radio frequency emissions) are strictly adhered to.

Why do I think that this means protecting the device against its owner, instead of protecting the owner's data?

A high-level view of the MeeGo security landscape

Posted Nov 23, 2010 2:59 UTC (Tue) by rrware (guest, #71420) [Link]

I understand your concerns and why you might assume that. I would just point out that I did specifically talk about protecting user data and privacy. Yes, there are some ways we do have to protect the device because of regulatory requirements and I did point those out specifically as well. It is a reality of delivering a device to market that includes software controlled radios and modern battery technology.

A high-level view of the MeeGo security landscape

Posted Nov 18, 2010 19:34 UTC (Thu) by jimparis (guest, #38647) [Link] (2 responses)

> With MeeGo, there are new usage models where desktop data is migrating to mobile phones, which are much more easily lost, for example. People are doing banking from their phones as well. When Ware asked how many in the audience had used their phone for banking, he got quite a few hands; "you're all screwed", he said. Those credentials are stored somewhere in the phone for an attacker (or thief) to find.

Screwed? Unless I tell it to save passwords, I really doubt that Firefox on my phone is storing my bank login credentials. And any particular session cookie will expire pretty quickly. I don't think existing phone manufacturers have gotten this as wrong as they suggest.

> $8-90/1000 bots "depending on quantity"

I'm not quite sure how to parse that. Is it "between $8 and $90 per 1000 bots, depending on the total quantity"? Those numbers are strangely specific for covering such a large range. Or was "between $80 and $90" the intended interpretation, which could make sense if observed averages are within that small range.

A high-level view of the MeeGo security landscape

Posted Nov 19, 2010 11:50 UTC (Fri) by niner (subscriber, #26151) [Link]

Could be that you would simply get some extremely nice discounts for large quantities. Like paying $90 for 1000 bots vs. $8000 for 1000000 bots.

A high-level view of the MeeGo security landscape

Posted Nov 23, 2010 2:51 UTC (Tue) by rrware (guest, #71420) [Link]

> Screwed? Unless I tell it to save passwords, I really doubt that Firefox on my phone is storing my bank login credentials. And any particular session cookie will expire pretty quickly. I don't think existing phone manufacturers have gotten this as wrong as they suggest.

It was actually a joke to help wake people up after lunch. :-) I should have clarified that they were screwed because their phones were already rooted anyway. ;-)

> I'm not quite sure how to parse that. Is it "between $8 and $90 per 1000 bots, depending on the total quantity"? Those numbers are strangely specific for covering such a large range. Or was "between $80 and $90" the intended interpretation, which could make sense if observed averages are within that small range.

Strangely enough, it actually is $8-$90 per 1k. It is a large range and there are a number of reasons for it: quality of the botnet client, size of the botnet being leveraged, popularity of the botnet in the news and geographic location/prevalence.

Participate

Posted Nov 23, 2010 3:06 UTC (Tue) by rrware (guest, #71420) [Link]

First, for anyone interested, my slides are posted here: http://conference2010.meego.com/session/meego-security-wh...

I also appreciate some of the more critical comments. If you truly have concerns, as I also said in the talk, I will be starting weekly MeeGo Security Team Community meetings where anyone who wants to contribute can do so. Just subscribe to the MeeGo Security Discussion list since I'll be coordinating there.


Copyright © 2010, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds