Tizen's new access-control broker "Cynara"

By Nathan Willis
June 11, 2014

TDC 2014

Like all computing platforms that allow users to install arbitrary applications, the Tizen project has expended considerable effort designing its security framework. At the 2014 Tizen Developer Conference (TDC), Casey Schaufler and Tomasz Świerczek presented a talk on the latest iteration of Tizen's application-security design, which introduces a privilege-checking service called Cynara.

The fundamental problem that Tizen faces in application security, Schaufler said, is that privileges are specified (in documents like the W3C APIs that Tizen supports for app development) with respect to abstract services, such as "telephony," rather than with respect to system components, such as network devices. All security policies attempt to bridge this gap by writing set of rules and exceptions that map the abstracts onto specific devices and filesystem locations.

In Tizen 2.x, he explained, the system's security policy was written as a set of Smack rules that attempted to isolate individual applications from each other by creating a separate Smack domain for each installed application. Each app package includes a manifest file detailing the files and directories it creates, and the API privileges it requests. At install time, the system's package manager would read the manifest, create a domain for the new app, and assign a Smack label for that domain to each file and directory installed. It would also compute the new Smack rules that correspond to the new app's combination of privileges and its Smack domain, and add those rules to the system Smack policy.

The problem is that this level of granularity resulted in a huge policy database that was difficult to maintain. "It was almost as big as an SELinux policy," Schaufler said; "I had to go apologize to people at the Security Summit." The upcoming Tizen 3.0 changes things dramatically, however—starting with a simplified, three-domain policy model, which puts all installed apps at one basic privilege level, the "User" domain. It also defines a "Floor" domain for static system data that will not change and a "System" domain for basic system services. This model defines a well-known set of Smack rules (such as allowing all processes to access /tmp and /dev/null) that do not need to be appended to for every installed app.

The Tizen security team decided to revisit how the app privilege framework was implemented as well, so it held a "policy-off" face-to-face meeting at which representatives from Intel and Samsung offices each presented their ideas. When the two offices presented essentially the same design, they decided to move forward with it.

The centerpiece of the new plan is a policy "service" called Cynara. Each installed app is still assigned its own unique Smack label (to protect its private files and directories), but rather than creating a new set of Smack rules and exceptions for each privilege an app requests, Cynara creates a shorter record of the label and its privileges. The complicated mapping between the set of available privileges and the system's resources is created beforehand and is implemented in the Smack rule set, but does not grow for every new app.

When a running app requests access to a system component (for example, the current geolocation reading), the component sends a cynara_check() query to Cynara, including the app's Smack label, the user ID that the app is running as, and the name of the privilege the app is requesting. The Cynara service returns either ALLOW or DENY, based on whether the policy database indicates that the combination of Smack label and privilege are allowed. Other return values are also supported, the speakers said, such as "Ask the user," but the essence is that a straightforward yes-or-no question is answered.

Thus, the Cynara API is quite simple, but the real benefits come by maintaining the simpler database of allowed privileges. In performance testing, Świerczek said, the average response time was under 10ms, as opposed to more than 30ms for some of the alternative solutions they explored—such as PolKit. He also noted that PolKit performance suffers due to some design decisions, such as its use of D-Bus for communication and its use of JSON and XML to store the policy database. That database format meant that the entire policy had to be read and parsed for every call; Cynara, in contrast, stores its database in SQLite.

The two then described the current state of Cynara development and outlined a rough roadmap. The core privilege-checking library is operational, they said, but is not yet working as a full-fledged service. That milestone would likely be reached by the end of June, as would the utilities for updating the policy database. The essential tools necessary for deployment should be in place by the end of July, after which the team would work on adding an asynchronous privilege-checking API and a mechanism for adding extensions to the system's security policy.

There were several questions from the audience, many of which concerned how Tizen uses Smack labels. For example, one audience member asked whether there was a possibility that two apps could accidentally or maliciously get assigned the same Smack labels when installed—which would cause several security problems. Schaufler explained that apps do not choose or assign their own Smack labels; the package manager does. In the Tizen 2.2 release, the Smack label is created from the app's cryptographic signature, so it is guaranteed to be unique (barring collisions, of course).

Perhaps the most difficult aspect of the system to grasp in a 40-minute conference talk is how the Cynara approach to storing security privileges compares in real-world terms to the older Tizen approach of storing a longer, more convoluted set of Smack rules. Unfortunately, time makes it difficult to compare the approaches in detail, but the real-world test will have to wait for the deployment of actual apps—some of which, no doubt, will test the security framework in ways its creators have not yet contemplated. Cynara, however, promises a simpler way to keep track of privileges and access-control rules, so hopefully it will also make it simpler to catch—and fix—problems.

[The author would like to thank the Tizen Association for travel assistance to attend TDC 2014.]

Index entries for this article
Security	Tizen
Conference	Tizen Developer Conference/2014

Tizen's new access-control broker "Cynara"

Posted Jun 12, 2014 5:30 UTC (Thu) by dlang (guest, #313) [Link] (2 responses)

If you have a policy service running, why does the database format matter? the service should keep the policy parsed in ram shouldn't it?

Tizen's new access-control broker "Cynara"

Posted Jun 12, 2014 7:19 UTC (Thu) by smurf (subscriber, #17840) [Link] (1 responses)

polkit currently does not.

I do wonder why you'd need an entirely new daemon (and a new protocol of course) for that. IMHO it'd make more sense to teach polkit to keep a pre-analyzed ruleset in RAM (or in some sort of database). That would cut down the response time significantly.

Tizen's new access-control broker "Cynara"

Posted Jun 13, 2014 23:02 UTC (Fri) by smoogen (subscriber, #97) [Link]

Probably because its harder to read someone else's code than write your own :). Eventually someone finally writes a version other people can maybe sort of grok and you end up with a code base which grows. Until then its all write-only code :).

[Actually I expect it is the dbus and other non-Tizen frameworks which were the bigger turn-off.. ]

Tizen's new access-control broker "Cynara"

Posted Jun 12, 2014 6:40 UTC (Thu) by fandingo (guest, #67019) [Link]

They seem to have put a large emphasis on performance. I wonder why Cynara is not a LSM since they would improve performance even more. The model of using SMACK labels for identification, but a user space program for authorization seems less than ideal. It seems obvious to alter SMACK, so it works like they want.

Tizen's new access-control broker "Cynara"

Posted Jun 12, 2014 6:52 UTC (Thu) by helge.bahmann (subscriber, #56804) [Link] (2 responses)

"When a running app requests access to a system component (for example, the current geolocation reading), the component sends a cynara_check() query to Cynara, including the app's Smack label, the user ID that the app is running as, and the name of the privilege the app is requesting."

Isn't that almost exactly the model used by SELinux (map (user,subject,predicate,object) to allow/deny)?

Tizen's new access-control broker "Cynara"

Posted Jun 12, 2014 7:42 UTC (Thu) by peter-b (subscriber, #66996) [Link] (1 responses)

> Isn't that almost exactly the model used by SELinux (map (user,subject,predicate,object) to allow/deny)?

I believe so.

"Those who do not understand SELinux are doomed to reinvent it, badly" perhaps?

Tizen's new access-control broker "Cynara"

Posted Jun 12, 2014 8:47 UTC (Thu) by dgm (subscriber, #49227) [Link]

For a brief introduction to the differences between Smack and SELinux see http://lwn.net/Articles/244531/

Tizen's new access-control broker "Cynara"

Posted Jun 13, 2014 6:56 UTC (Fri) by aleXXX (subscriber, #2742) [Link]

30 ms sounds like an eternity...
10 ms is better, but still not that fast IMO.

Alex

Tizen's new access-control broker "Cynara"

Posted Jun 13, 2014 9:53 UTC (Fri) by Siosm (subscriber, #86882) [Link] (7 responses)

> In Tizen 2.x, he explained, the system's security policy was written as a set of Smack rules that attempted to isolate individual applications from each other by creating a separate Smack domain for each installed application.

So it used to look like SELinux/AppArmor...

> The complicated mapping between the set of available privileges and the system's resources is created beforehand and is implemented in the Smack rule set, but does not grow for every new app.

... and it still looks like SELinux categories (MCS) re-invented in SMACK.

> He also noted that PolKit performance suffers due to some design decisions, such as its use of D-Bus for communication and its use of JSON and XML to store the policy database. That database format meant that the entire policy had to be read and parsed for every call; Cynara, in contrast, stores its database in SQLite.

As far as I understand, polkit works with a daemon which is the entity making decisions based on the policy. Is this daemon really re-reading the entire policy for each access? This looks like a bug to fix (the policy should be kept in memory), not a complete design failure. DBus slowness is a known issue that kdbus should fix.

> Other return values are also supported, the speakers said, such as "Ask the user," but the essence is that a straightforward yes-or-no question is answered.

Asking the user to make security decisions isn't the solution. The results are worse than random choice and the user has been trained for far too long to automatically answer yes to any confirmation dialog. The Android application security model also relies on prompting the user at install time and it is a perfect example of the failure of such systems.

SELinux does it "right" here because an access is either allowed, or not. There is no "asking the user for permission". It sure isn't "user friendly" but it is good from a security point of view. Don't get me wrong, the SELinux model is not the solution for user applications (it is for system services and daemons however).

Security prompts "uselessness" has already been discussed elsewhere: http://www.superlectures.com/guadec2013/more-secure-with-...

Alternative models for secure and user-driven permission granting have already been suggested: http://research.microsoft.com/pubs/152495/user-driven-acc...

> The Cynara service returns either ALLOW or DENY, based on whether the policy database indicates that the combination of Smack label and privilege are allowed.

How does the Cynara service effectively grants an application access to a device? Is this access permanent? How is this enforced? This does not look like Mandatory Access Control anymore.

I'm really disappointed here as they could have created a clean model from the ground up as they had no legacy to work with but instead they re-invented the current prompt-ridden, user-unfriendly and broken design.

Tizen's new access-control broker "Cynara"

Posted Jun 13, 2014 18:09 UTC (Fri) by pwfxq (subscriber, #84695) [Link] (6 responses)

> Asking the user to make security decisions isn't the solution.

Asking the user: "Can this app rewrite the boot sector?" is not a question a standard user should be asked.

Asking the user: "Can this app access GPS/My Address Book/Send a Text/etc" is a question the user *should* be asked.

Tizen's new access-control broker "Cynara"

Posted Jun 16, 2014 14:56 UTC (Mon) by Siosm (subscriber, #86882) [Link] (5 responses)

Please read: http://research.microsoft.com/pubs/152495/user-driven-acc...

You'll then understand that this is NOT OK to ask:

> "Can this app access GPS/My Address Book/Send a Text/etc"

There are cases where the user should be prompted but those are extremely limited in scope (they mostly concern task automation).

Tizen's new access-control broker "Cynara"

Posted Jun 18, 2014 11:34 UTC (Wed) by robbe (guest, #16131) [Link] (4 responses)

I don't see how the cited paper changes anything, fundamentally. Instead of popping up "May this app access your precise location? Y/N" (iOS) or allowing it forever during install (Android) Rösner et al. propose embedding a special widget (button or similar) into the application where clicking it means agreement.

This is certainly a better UI, but we're still delegating access decisions to the user, with all the problems you mentioned upthreads.

Tizen's new access-control broker "Cynara"

Posted Jun 18, 2014 13:42 UTC (Wed) by Siosm (subscriber, #86882) [Link] (3 responses)

> Instead of popping up "May this app access your precise location? Y/N" (iOS) or allowing it forever during install (Android) Rösner et al. propose embedding a special widget (button or similar) into the application where clicking it means agreement.

You nailed it. There is no need to ask the user again to confirm an action because the action has already been triggered by the user and no one else.

> This is certainly a better UI, but we're still delegating access decisions to the user, with all the problems you mentioned upthreads.

What problems are you referring to ? And of course we're still delegating security decisions to the user but we do this implicitly, with no need for additional prompts because we are sure that only the user (and not the application) requested access.

Tizen's new access-control broker "Cynara"

Posted Jun 20, 2014 11:56 UTC (Fri) by smurf (subscriber, #17840) [Link] (2 responses)

> There is no need to ask the user again to confirm an action because
> the action has already been triggered by the user and no one else.

This assumes that the system is able to securely determine that, yes, this action has been initiated by the user. I do not believe that this assumption holds in any way.

The solution is rather simple -- you ask the first time, and offer an option to *remember* that decision.

SuperSU on Android gets that right.
The warning you see when you start a VPN connection does not.

Tizen's new access-control broker "Cynara"

Posted Jun 20, 2014 15:40 UTC (Fri) by Siosm (subscriber, #86882) [Link] (1 responses)

> This assumes that the system is able to securely determine that, yes, this action has been initiated by the user. I do not believe that this assumption holds in any way.

This is indeed part of the prerequisites, and this is something already ensured with Wayland/Weston (not with X, but Tizen supports Wayland). User input is managed by the compositor, cannot be forged, and is directed only to the corresponding window, thus it can be trusted.

Embedding trusted widgets inside another application can be done using Wayland subsurfaces (or another protocol extension if subsurfaces turns out not to be flexible enough).

Confining trusted widgets to ensure that they are not influenced in any way by another process can be done using SELinux (or maybe even AppArmor).

For a discussion regarding Wayland input security, see: http://mupuf.org/blog/2014/02/19/wayland-compositors-why-...

> The solution is rather simple -- you ask the first time, and offer an option to *remember* that decision.

This is unacceptable for two reasons:
* Asking once is already too much when you don't have to: you get horrible results as users *have already been trained to answer any confirmation dialog with yes all the time*. See http://research.microsoft.com/en-us/um/people/cormac/pape... for a complete analysis of the cost of some "security features" for users;
* There is no obvious way offered to the user to revert a *remembered* answer.

Tizen's new access-control broker "Cynara"

Posted Jun 20, 2014 21:20 UTC (Fri) by mathstuf (subscriber, #69389) [Link]

> Asking once is already too much when you don't have to: you get horrible results as users *have already been trained to answer any confirmation dialog with yes all the time*.

Have they done research with putting verbs on the buttons rather than Yes/No or OK/Cancel? I think putting verbs in the button text might help get the idea of the action across (I know I've clicked the wrong one before due to a double negative in the dialog text).