Firefox OS Security
Paul Theriault, Sept 2013

Firefox OS Components
• Gaia - User interface
• Gecko - Browser Runtime
• Gonk - underlying Linux OS, firmware etc
• Third-party Apps - HTML/JS/CSS Apps

Gaia
• Collection of web apps which run all UI
• https://github.com/mozilla-b2g/gaia

Gecko
• Web APIs
    navigator.telephony.dial('5551234')
    navigator.mozTCPSocket.open("www.mozilla.org", 80);
• Gaia Glue (see shell.js)
• Gonk Glue (communication with daemons etc)

Gonk
• Lower-level
• Linux operating system kernel and HAL (Hardware Abstraction Layer)
• Open-source libs: libusb, bluez ...
• Android libs: GPS, camera ...

Firefox OS Web Apps
• HTML, JavaScript, CSS
• Defined by location of manifest file
• Has to be installed
• Can be hosted remotely or in a local package

Challenge #1
Make the web trusted.

Permission Model
• Type: Web. Trust level: Untrusted. Controls:
    • Regular web security controls
• Type: Privileged. Trust level: Trusted. Controls:
    • Packaged, signed apps.
    • Reviewed & delivered from marketplace.
    • Default CSP policy applied
• Type: Certified. Trust level: Highly Trusted. Controls:
    • System apps which run the phone
    • Apps developed by Mozilla and/or partners
    • Can't be installed, must be created with build
    • Default CSP policy applied

Types vs Permissions
• Regular apps / Web Content: Geolocation, Fullscreen, Sensor API, Alarm API
• Privileged apps: Camera API, Alarm API, TCP Socket, Contacts API, Device Storage API, Browser API, WiFi Information API, MobileNetwork API
• Certified: Background services, WebSMS, WebTelephony, WebBluetooth, MobileConnection API, PowerManagementAPI, Push Notifications API, Settings API, Permissions API, FM Radio
• Full list

CSP
• Content Security Policy
• https://developer.mozilla.org/Apps/CSP
• No remote scripts (include them in your app)
• No dynamic script (onclick="", eval, Function(), etc)
• No remote styles

Web Activities
• Provides a mechanism for web apps to access restricted APIs, by asking other apps to get data on their behalf
• Also used for user-mediated inter-app communication
• Full list of activities

Challenge #2
Give users control, while protecting them.

Permission Checks
• Permission checks performed at first API use
• User has context of activity
• Can install the app without granting permissions
• Can change their mind later

Permission types
• Explicit permissions: Location, contacts, images, audio, video etc.
• Implicit permissions: TCPSocket, mobilenetwork, systemXHR, alarms etc.

Challenge #3
Protect apps from each other.

Web App Sandbox

System Architecture

Getting Started
• Getting started with apps
• http://buildingfirefoxos.com
• https://hacks.mozilla.org/
• Tablet Contribution Program

Questions
Security overview: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/Security/Security_model
Email: pauljt@mozilla.com
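
The three restrictions on the CSP slide (no remote scripts, no dynamic script, no remote styles) written as a check an app author could run over a package before submitting it. This is an added example, not code from the talk or from Mozilla; the function names, the rule labels and the cdn.example host are assumptions made for illustration.

```javascript
// Added example (not from the slides): flag markup that breaks the three
// restrictions on the CSP slide. Regex-based so it runs in plain Node with no
// DOM; it is a review aid, not a full HTML parser.
const REMOTE = /^(?:https?:)?\/\//i; // http://, https:// or protocol-relative

function attr(tag, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findCspViolations(html) {
  const findings = [];
  // Rule 1: scripts must ship inside the app package, as separate files.
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    const src = attr(m[1], 'src');
    if (src === null) {
      if (m[2].trim()) findings.push({ rule: 'inline-script', detail: m[2].trim() });
    } else if (REMOTE.test(src)) {
      findings.push({ rule: 'remote-script', detail: src });
    }
  }
  // Rule 2: no inline event handlers such as onclick="".
  for (const m of html.matchAll(/<[a-z][^>]*?\s(on[a-z]+)\s*=/gi)) {
    findings.push({ rule: 'inline-handler', detail: m[1] });
  }
  // Rule 3: no remote stylesheets.
  for (const m of html.matchAll(/<link\b[^>]*>/gi)) {
    const href = attr(m[0], 'href');
    if (/stylesheet/i.test(attr(m[0], 'rel') || '') && href && REMOTE.test(href)) {
      findings.push({ rule: 'remote-style', detail: href });
    }
  }
  return findings;
}

// Rule 2 also covers eval and Function() inside the packaged .js files.
function findDynamicCode(js) {
  return [...js.matchAll(/\b(eval|Function)\s*\(/g)].map((m) => m[1]);
}

// Constructed sample page; cdn.example is a placeholder host.
const samplePage = `<link rel="stylesheet" href="style/app.css">
<link rel="stylesheet" href="https://cdn.example/theme.css">
<script src="js/app.js"></script>
<script src="//cdn.example/lib.js"></script>
<script>init();</script>
<button onclick="dial()">Call</button>`;
console.log(findCspViolations(samplePage));
console.log(findDynamicCode('var f = new Function("return 1"); eval(x);'));
```

Findings are grouped by rule (scripts, then handlers, then stylesheets), not by position in the file.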