
SAPI

Service API

Secured API

July 10th, 2014, Tizen security F2F in Warsaw, jose.bollo@open.eurogiciel.org


The three different behaviours of the same API (C language)

● Depending on the execution context, the same C-language API has a different security behaviour:
– In the user land API, the call is delegated to a service that checks the privilege of the call
– In the service interface API, the call is checked against the client's security tags using cynara, which grants or denies it; if granted, the call is delegated to the core service
– In the service real API, the call is executed

[Diagram: the application (APPLI) in user space calls the user land API; the call reaches the service interface API, which queries cynara, and then the service real API in system space. All three expose the same prototype, int verb(int arg).]


Unity of the API

● There are benefits to offering a single API for the 3 behaviours:
– Develop only once
– Separate the concern of programming (functional) from the concern of security (organic)
– Allow flexibility in the implementation of the security


The example of crosswalk

● The implementation (in progress) of the Tizen Web API in crosswalk leaves the details of checking privileges to the APIs that it calls.

● The called API should return the error "permission denied" when a privilege is denied. The application (here crosswalk) has to deal with this kind of error.

[Diagram, the shared model of crosswalk: the render process (RP), extension process (EP) and browser process (BP); ExecuteJS; the W3C API and the Tizen API implemented as crosswalk extensions that call the underlying API.]


The example of crosswalk

[Diagram: two placements of the user space / system space boundary. Left: RP, EP and BP call a user API in user space, which reaches the interface API and the real API in system space. Right: RP, EP and BP call the interface API directly, with the interface API and the real API in system space.]

Flexibility in the implementation of the security


The example of composing API

[Diagram: two API stacks side by side, each with its user API in user space and its interface API and real API in system space. The blue API is using features of the white API.]

(Security analysis of Rice University)


The example of wearables

● The case of the wearables might be complicated because:
– applications could be distributed
– the web API may be absent because WRT is absent

● Example: consulting one's recent messages on a gear

[Diagram: the application (APPLI) on the gear calls an API proxy; the API stub on the phone receives the call and invokes the API.]

Flexibility in the implementation of the security: IT'S A NEED


The needs

● Simplicity of migrating the applications from Tizen 2 to Tizen 3
● Easy development process for native applications (including crosswalk)
● Open APIs common to all verticals of Tizen (see previous point)
● Flexibility of the design for flexibility of the implementations
● Allowing future evolutions


The Tizen 2 legacy

● WRT checks the privileges and then calls the APIs
● OSP checks the privileges and then calls the APIs
● A huge set of Smack rules was also enforcing in-system privileges at fine grain

[Diagram: WRT and OSP in user space, each doing its own privilege checks; the API and the security layer in system space.]


Tizen 3

● The privileged APIs are services
● Security is also a service

[Diagram: WRT (now CROSSWALK) and OSP (now NATIVE) in user space; the API and the security service (cynara) in system space.]


Example of migrating WRT to CROSSWALK

[Diagram, four steps, each comparing a Tizen 2 stack (left) with a Tizen 3 stack (right), user space above, system space below:
1. Left: WRT, then the API, then security. Right: CROSSWALK, then the API, then security provided by cynara.
2. As in step 1, with crosswalk drawn into the left stack: crosswalk takes the place of WRT while the API and the security layer are unchanged.
3. Left: CROSSWALK, then the API, then security. Right: CROSSWALK, then the API, then security provided by cynara. This is the current state.
4. Left: CROSSWALK calling a user API, with security. Right: CROSSWALK, the API and cynara, with the API split into APIinterface (checking with cynara) and APIreal.]


The idea of SAPI

[Diagram: an application (APPLI) calling one API, int verb(int arg), becomes the same API with 3 behaviours: the user API in user space, the interface API backed by cynara, and the real API in system space, each with the prototype int verb(int arg).]


The idea of SAPI

● Take the existing API of Tizen 2 and migrate it to the Tizen 3 security model using the presented decomposition into the 3 behaviours. Try to migrate it mechanically

● Define standard APIs based on Tizen 2, consistent with the Web APIs and secured. This will allow the development of native APIs in a controlled, secure way.

● Ideally the standard will fit the Web API; in other words, the needs of crosswalk & WRT

● Allow chaining for IoT and flexibility


Implementation of SAPI

[Diagram: the user API (user space, APPLI), the interface API (cynara) and the real API (system space), all with the prototype int verb(int arg); on the application side the user API is a proxy, on the service side a stub sits in front of the API.]

● Part of this model is an implementation of the well-known proxy/stub scheme of RMI/RPC


DBUS? The well known ORB/RMI?

● Technically it is possible to implement the model using DBUS only:
– User API: a DBUS method call
– Interface API: DBUS transparently checks the rights using cynara
– Real API: a DBUS object handling the method calls

● BUT
– Slow! Fat!
– Problems with callbacks and with multithreading
– Introduces a dependency on DBUS everywhere (temptation: even in places where it is not useful, because DBUS will check)
– DBUS has to be modified (development and maintenance, fork?)
– DBUS has to be configured (how?)


Our research work

● Taking the existing API in language C:
– discover the API
– create the user+proxy API
  ● proxy the calls & manage the connection to the service
– create the server+stub process
  ● manage clients (fork) & stub the calls & call the interface API
– create the interface API
  ● check the rights using cynara & call the real API
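The three behaviours of slide 2 and the proxy / stub / interface split described above, as an added example that is not the SAPI project's own code. It models all three layers of one API, int verb(int arg), in a single process: the Unix domain socket is replaced by an in-memory byte buffer handed to the stub together with the peer identity the service would have learnt from the connection, and cynara is replaced by a constructed in-memory policy table. The verb id, the wire format, the privilege name, the client labels and every function other than verb() are assumptions made for the example.

```c
/* Added example (not SAPI's code): the three behaviours of `int verb(int arg)`
 * in one process. The transport and the policy table are stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 3. Service real API (system space): the original function, unmodified. */
int real_verb(int arg) { return arg * 2; }

/* Stand-in for cynara: constructed table of which client label holds which privilege. */
struct policy { const char *client; const char *privilege; };
static const struct policy allowed[] = {
    { "User::App::calendar", "http://tizen.org/privilege/calendar.read" },
};
static int policy_allows(const char *client, const char *privilege) {
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(allowed[i].client, client) == 0 &&
            strcmp(allowed[i].privilege, privilege) == 0)
            return 1;
    return 0;                                   /* no matching rule: deny */
}

/* What the service learns about the peer from the connection itself (on a real
 * UDS the Smack label and uid), never from the payload the client controls. */
struct peer { const char *client; const char *user; const char *session; };

/* 2. Service interface API: check the privilege, then call the real API.
 * A denial is reported as -EACCES, the "permission denied" the caller must handle. */
int interface_verb(const struct peer *p, int arg) {
    if (!policy_allows(p->client, "http://tizen.org/privilege/calendar.read"))
        return -EACCES;
    return real_verb(arg);
}

/* Hypothetical wire format for verb: 4-byte verb id, 4-byte argument, little endian. */
enum { VERB_ID = 1, VERB_MSG_LEN = 8 };
static void put32(uint8_t *b, uint32_t v) {
    b[0] = (uint8_t)(v & 0xff);         b[1] = (uint8_t)((v >> 8) & 0xff);
    b[2] = (uint8_t)((v >> 16) & 0xff); b[3] = (uint8_t)((v >> 24) & 0xff);
}
static uint32_t get32(const uint8_t *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Stub (service side): validate and deserialise the untrusted message, then hand
 * the call to the interface API. This runs before any privilege check, so it
 * must reject malformed input on its own. */
int stub_dispatch(const struct peer *p, const uint8_t *msg, size_t len) {
    if (len != VERB_MSG_LEN) return -EINVAL;
    if (get32(msg) != VERB_ID) return -ENOSYS;
    return interface_verb(p, (int)get32(msg + 4));
}

/* Fake transport: records who "connected" and delivers buffers to the stub. */
static struct peer current_peer;
static int connected;
int sapi_connect_as(const char *client, const char *user, const char *session) {
    if (!client || !user || !session) return -EINVAL;
    current_peer.client = client; current_peer.user = user; current_peer.session = session;
    connected = 1;
    return 0;
}
static int send_and_wait(const uint8_t *msg, size_t len) {
    if (!connected) return -ENOTCONN;
    return stub_dispatch(&current_peer, msg, len);
}

/* 1. User land API (proxy): the same prototype as real_verb, linked into the
 * application; it only serialises the call and forwards it to the service. */
int verb(int arg) {
    uint8_t msg[VERB_MSG_LEN];
    put32(msg, VERB_ID);
    put32(msg + 4, (uint32_t)arg);
    return send_and_wait(msg, sizeof msg);
}

int main(void) {
    sapi_connect_as("User::App::calendar", "5001", "session-1");
    printf("calendar app: verb(21) = %d\n", verb(21));   /* 42 */
    sapi_connect_as("User::App::game", "5001", "session-1");
    printf("game app:     verb(21) = %d\n", verb(21));   /* -EACCES */
    return 0;
}
```

The application only ever sees verb(); whether the call crosses into system space and is checked is decided by which implementation it was linked against, which is exactly the flexibility the slides ask for. Results are non-negative on success here and negative errno values on failure, so the real API in this toy must not return negative numbers of its own.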


mechanical creation

[Diagram, the SAPI tools pipeline: *.h header files → gccxml → XML description → python scripts → proxy file, stub file and interface file. The API vs PRIVILEGE description is a second input to the python scripts.]


create the delivery

[Diagram: the proxy file is linked with the SAPI library to produce the user API. The stub file and the interface file are linked with the SAPI library, libffi and the real API to produce the service interface API.]


Generated system

[Diagram: the application (APPLI) in user space calls the proxy / user API; in system space the service is made of the stub, the interface API (querying cynara) and the real API.]

● Almost all calls are granted, so checking security after deserialisation isn't a drawback. The stub's deserialiser does, however, run on input from clients that have not yet passed any privilege check, so it has to validate that input on its own.


Current state

● Few resources on the subject (¼ of a person) but for a long time (4 months)

● Proxy/stub generation 90%
● Privilege vs API database 0%
● SAPI library 90%
● Privilege check 0%
● Low latency on ODROID (around 0.1 ms)


Current fallout

● Need to define cynara verbs that will integrate the common context (to be discussed). Reasons:
– forking a service for handling a specific client is an option to consider:
  ● protection of the service against malicious code
  ● allows integration of APIs having global variables (statics) without any rewrite
– the concept of "interface API" needs it
– could speed up the requests if in the protocol


Contextual cynara API (proposal)

    int sapi_cynara_start(const char *clientid,    /* the clientid of all checks */
                          const char *userid,      /* the userid of all checks */
                          const char *sessionid);  /* the default sessionid */

    int sapi_cynara_check(const char *privilege,   /* the privilege to check */
                          const char *sessionid);  /* the sessionid to check, or NULL for using the default */

    void sapi_cynara_stop(void);

The names of the verbs come from SAPI. They have to be changed.
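One way the proposed contextual API could behave, as an added example that is not the SAPI project's code. Because the service is forked per client, sapi_cynara_start() pins the client, user and default session once and every later check names only the privilege and, optionally, a session. cynara is replaced by a constructed in-memory policy table, and the per-session decision cache, the -EALREADY / -EINVAL error codes and the lookup counter are assumptions made to show why the session belongs in the context.

```c
/* Added example (not SAPI's code): a possible implementation of the proposed
 * contextual API over a constructed policy table standing in for cynara. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed policy: (client label, user id, privilege) tuples that are granted. */
struct rule { const char *client, *user, *privilege; };
static const struct rule rules[] = {
    { "User::App::calendar", "5001", "http://tizen.org/privilege/calendar.read" },
    { "User::App::calendar", "5001", "http://tizen.org/privilege/calendar.write" },
    { "User::App::messages", "5001", "http://tizen.org/privilege/messaging.read" },
};

/* The context: fixed for the life of this (forked, single-client) service. */
static struct { char *client, *user, *session; int started; } ctx;
static unsigned long policy_lookups;           /* how often the slow path ran */

/* Per-session decision cache. The session id is what lets a decision be reused
 * for the same client session without consulting the policy again; a real
 * cache must be invalidated when the policy changes, this toy never is. */
struct cached { char session[64]; char privilege[128]; int granted; };
static struct cached cache[16];
static size_t cache_n;

static char *dup_str(const char *s) {          /* strdup without relying on POSIX */
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

void sapi_cynara_stop(void) {
    free(ctx.client); free(ctx.user); free(ctx.session);
    memset(&ctx, 0, sizeof ctx);
    cache_n = 0;                               /* decisions belong to the old context */
}

int sapi_cynara_start(const char *clientid, const char *userid, const char *sessionid) {
    if (ctx.started) return -EALREADY;         /* one context per service process */
    if (!clientid || !userid || !sessionid) return -EINVAL;
    ctx.client = dup_str(clientid);
    ctx.user = dup_str(userid);
    ctx.session = dup_str(sessionid);
    if (!ctx.client || !ctx.user || !ctx.session) { sapi_cynara_stop(); return -ENOMEM; }
    ctx.started = 1;
    return 0;
}

static int policy_lookup(const char *privilege) {
    policy_lookups++;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (strcmp(rules[i].client, ctx.client) == 0 && strcmp(rules[i].user, ctx.user) == 0
            && strcmp(rules[i].privilege, privilege) == 0)
            return 1;
    return 0;                                  /* no rule: deny */
}

/* Returns 1 when granted, 0 when denied, a negative errno on misuse.
 * Callers must treat anything other than 1 as a denial (fail closed). */
int sapi_cynara_check(const char *privilege, const char *sessionid) {
    if (!ctx.started || !privilege) return -EINVAL;
    if (!sessionid) sessionid = ctx.session;   /* NULL selects the default session */
    if (strlen(sessionid) >= sizeof cache[0].session ||
        strlen(privilege) >= sizeof cache[0].privilege)
        return -ENAMETOOLONG;
    for (size_t i = 0; i < cache_n; i++)
        if (strcmp(cache[i].session, sessionid) == 0 && strcmp(cache[i].privilege, privilege) == 0)
            return cache[i].granted;
    int granted = policy_lookup(privilege);
    if (cache_n < sizeof cache / sizeof cache[0]) {
        strcpy(cache[cache_n].session, sessionid);
        strcpy(cache[cache_n].privilege, privilege);
        cache[cache_n].granted = granted;
        cache_n++;
    }
    return granted;
}

unsigned long sapi_cynara_policy_lookups(void) { return policy_lookups; }

int main(void) {
    sapi_cynara_start("User::App::calendar", "5001", "session-1");
    printf("calendar.read:  %d\n", sapi_cynara_check("http://tizen.org/privilege/calendar.read", NULL));
    printf("messaging.read: %d\n", sapi_cynara_check("http://tizen.org/privilege/messaging.read", NULL));
    sapi_cynara_stop();
    return 0;
}
```

An interface API generated by SAPI would call sapi_cynara_start() once with the identity learnt from the client connection, then wrap each real call in `if (sapi_cynara_check(privilege, NULL) != 1) return permission_denied;`, which is what makes the privilege-per-API database the only per-function input the generator needs.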


Things to do

● Manage the privileges
● Terminate the proxy/stub generation
– Allow plugins to handle complex types
– Finish the link to the sapi lib
● Specify how APIs are implemented:
– Separate user libs and services
– Separate user libs but only one service
– Only one user lib and one service
● Specify how to integrate transparently into the OBS/GBS workflow
● Specify how to manage evolutions


What API to wrap?

● At the beginning of the SAPI concept, the core API was targeted
● Further studies of the WRT of Tizen 2 showed that more APIs have to be targeted
● The current proposal is to wrap any API that makes sense to:
– implement crosswalk
– map the Web APIs
– have a secured native API framework
– optionally: migrate other APIs


What is SAPI?

● SAPI is a process to mostly automatically wrap APIs and enforce the 3 behavioural aspects of service APIs
● A set of tools, a privilege/API database and a communication library (currently home made and using UDS, Unix domain sockets, but it may change)
● It can become a kind of C foundation library for Tizen


What is wrong with SAPI?

● The process is not 100% automatic
● Performance has been pointed out. Should the frontier between the user space and the system space always be crossed? SAPI isn't smart enough to guess it and it always crosses.
● Until it is fully implemented we don't know what all the traps and obstacles are
● Few man power
● It adds a small delay to long DBUS calls


What could be added?

● Track dependencies
– An analysis of the dependencies of the APIs should be added
– This analysis would produce a database of the dependencies
– This database should be used together with the database of API / PRIVILEGE to detect hidden privilege needs
● Inclusion of resource management (murphy)


What to remember

● Transparency improves flexibility of design
● Eases the migration process
● As fallout, the database of API / PRIVILEGE is known
● Reduces the amount of development in the short and long term
● On a high level, SAPI is the combination of a proxy with a firewall