Project Summary

"In the old days we just had 0's,
   we had to pound them flat to get 1's..."
              -- Rodney Thayer, ÜberHaxxor

The mobile phone industry is expected to ship something on the order of 935 million phones in 2006, half of which will be so-called "Smart Phones." This number is expected to double in five years. Some of these phones will run Windows Mobile; some will run Symbian. But even if only 1% run some variety of Linux (a la MontaVista) or L4 (a la Qualcomm), that is still something like 20 million Linux devices shipping in 2011. That's quite a few Unix-based devices running around a wireless network.

Handset manufacturers, network operators and some corporate IT departments have fallen down on their responsibility to develop secure products in the past. But Basel II / Solvency II in Europe and Sarbanes-Oxley in the United States have raised awareness of IT security as a cross-cutting concern across an increasingly global business community.

The industry is looking for tools and techniques to limit the financial risk of exposure of corporate secrets or loss of assurance over the firm's financial control processes. In other words, corporations on both sides of the Atlantic are being asked by regulatory regimes to prove that their IT resources are resistant to assault from malicious attackers.

After being taken on a confusing ride on the "PKI express" in the late 1990s, IT consumers are interested in security again. But this time around they're looking at "global" technology solutions that create a "secure end-to-end experience." In the previous tech cycle, corporate IT departments gained extensive experience with VPNs, firewalls, PKIs, SSL, SSH, and basic key management. But the "Dot Com" era ended just as mobile device and web application security solutions were maturing.

Now that we find ourselves in something that looks like a recovery, it's time to start focusing on the harder problems of securing mobile applications.

Traditional Unix-like operating systems use the concept of the "user" as the basic subject for security policy decisions. An application's ability to access resources such as files and devices is based on the User ID it is running as. This was great for multi-user servers with tens, hundreds or thousands of concurrent users whose files must be protected from accidental (or malicious) access.

While user-mediated security enforcement for mobile applications is necessary, it is not sufficient to properly represent security policy for mobile devices, which traditionally have a single primary user.

The XeroBits project is an attempt to develop a toolkit for mobile device security. It is released under a BSD license with the hope that the more "corporate friendly" terms will encourage its adoption by handset manufacturers, network operators and enterprise customers.

"Yes," you ask, "but what is it?"

XeroBits includes primitives that may be used to establish the origin of bits of code. The kernel may then use this information in an access-control decision, mediating access to a file descriptor, network socket, device or even a CDSA-style key repository.

XeroBits contains tools and libraries for:

* Digitally signing executables and shared object libraries.
* Establishing an "appropriate" level of trust when shared object libraries from different protection domains are dynamically loaded into the same executable image.
* Generating and authenticating opaque tokens (think SASL here) that testify to the inclusion of an executable in a given protection domain. This provides non-kernel processes with the ability to make access control decisions based on a subject's protection domain.
* Generating and authenticating opaque tokens based on stack-based attestation (a la NGSCB/Palladium). This gives kernel and non-kernel processes the ability to make access control decisions based on the call graph that led to a kernel trap or IPC call.
* Remotely managing device security policy.
* Protection-domain-specific and application-specific secure out-of-process storage of shared secrets, secret keys and private keys.
* "Out of process" encryption, signing, decryption and verification using references to managed keys.
* Digital certificate life-cycle management. This relieves application programmers of the requirement to maintain certificate metadata.

Tags: cryptography, linux, policy, security

No code available to analyze: this project has no code locations registered on Open Hub, so no source code or commit history statistics can be computed for it.

License: BSD 4-clause (University of California-Specific)

* Permitted: place warranty, commercial use, modify, distribute
* Forbidden: hold liable, use trademarks
* Required: include copyright, include license

This project has no vulnerabilities reported against it.
