"In the old days we just had 0's,
we had to pound them flat to get 1's..."
-- Rodney Thayer, ÜberHaxxor
The mobile phone industry is expected to ship something on the order of 935 million phones in 2006, half of which will be so-called "Smart Phones." That number is expected to double in five years. Some of these phones will run Windows Mobile; some will run Symbian. But even if only 1% run some variety of Linux (a la MontaVista) or L4 (a la Qualcomm), that's still something like 20 million such devices shipping in 2011. That's quite a few Unix-based devices running around on wireless networks.
Handset manufacturers, network operators and some corporate IT departments have fallen down on their responsibility to develop secure products in the past. But Basel II / Solvency II in Europe and Sarbanes-Oxley in the United States have raised awareness of IT security as a cross-cutting concern across an increasingly global business community.
The industry is looking for tools and techniques to limit the financial risk of exposure of corporate secrets or loss of assurance over the firm's financial control processes. In other words, corporations on both sides of the Atlantic are being asked by regulatory regimes to prove that their IT resources are resistant to assault from malicious attackers.
After being taken on a confusing ride on the "PKI express" in the late 1990's, IT consumers are interested in security again. But this time around they're looking at "global" technology solutions that create a "secure end-to-end experience." In the previous tech-cycle, corporate IT departments gained extensive experience with VPNs, Firewalls, PKIs, SSL, SSH, and basic key management. But the "Dot Com" era ended just as mobile device and web application security solutions were maturing.
Now that we find ourselves in something that looks like a recovery, it's time to start focusing on the harder problems of securing mobile applications.
Traditional Unix-like operating systems use the concept of the "user" as the basic subject for security policy decisions. An application's ability to access resources such as files and devices is based on the User ID it is running as. This was great for multi-user servers with tens, hundreds or thousands of concurrent users whose files must be protected from accidental (or malicious) access.
While user-mediated security enforcement is necessary for mobile applications, it is not sufficient to represent security policy on mobile devices, which have traditionally had a single primary user. When every application runs as that one user, the user ID says nothing about which piece of code is acting on the user's behalf, and that is what a mobile access-control decision needs to know.
The XeroBits project is an attempt to develop a toolkit for mobile device security. It is released under a BSD license with the hope that the more "corporate friendly" terms will encourage its adoption by handset manufacturers, network operators and enterprise customers.
"Yes," you ask, "but what is it?"
XeroBits includes primitives that may be used to establish the origin of bits of code. The kernel may then use this information in an access-control decision, mediating access to a file descriptor, network socket, device or even a CDSA-style key repository.
XeroBits contains tools and libraries for:
* Digitally Signing Executables and shared object libraries
* Establishing an "appropriate" level of trust when shared object libraries from different protection domains are dynamically loaded into the same executable image.
* Generating and authenticating opaque tokens (think SASL here) that testify as to the inclusion of an executable in a given protection domain. This provides non-kernel processes with the ability to make access control decisions based on a subject's protection domain.
* Generating and authenticating opaque tokens based on stack-based attestation (a la NGSCB/Palladium). This gives kernel and non-kernel processes the ability to make access control decisions based on the call-graph that led to a kernel trap or IPC call.
* Remotely managing device security policy
* Protection domain specific and application specific secure out-of-process storage of shared secrets, secret keys and private keys.
* "Out of process" encryption, signing, decryption and verification using references to managed keys.
* Digital Certificate life-cycle management. This relieves application programmers of the requirement to maintain certificate meta-data.
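As an added illustration of the protection-domain tokens described above (this is not XeroBits code; the page does not describe the project's actual token format), here is how a trusted issuer could mint such a token for an executable and how an ordinary, non-kernel service could check it before handing out a resource. The sample executables, the domain names, the policy table, the issuer key and the clock readings are all constructed for the example; the token is an HMAC-SHA256 over a SHA-256 measurement of the executable image plus its domain and expiry, standing in for whatever primitive a real deployment would use.

```python
# Added illustration, not XeroBits code: an opaque "protection domain" token
# (in the SASL-token sense) minted by a trusted issuer and checked by a
# userland service before it grants access to a resource.
import base64
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output, appended to the payload inside the token

# Constructed sample binaries standing in for real executable images.
SAMPLE_EXECUTABLES = {
    "mailclient": b"\x7fELF" + b"mail client image (constructed)",
    "game": b"\x7fELF" + b"downloaded game image (constructed)",
}

# Hypothetical policy: which protection domains may touch which resources.
DOMAIN_POLICY = {
    "operator-trusted": {"keystore", "radio", "contacts"},
    "user-installed": {"contacts"},
}

# Key shared by the token issuer and the relying service. In a real system it
# would live in the out-of-process key store; here it is a constructed value.
ISSUER_KEY = b"constructed-32-byte-issuer-key!!"


def measure(executable: bytes) -> str:
    """Measurement of the code whose origin the token vouches for."""
    return hashlib.sha256(executable).hexdigest()


def issue_token(key: bytes, executable: bytes, domain: str, expires_at: int) -> str:
    """Mint an opaque token binding a code measurement to a domain until expiry."""
    if "|" in domain:
        raise ValueError("domain must not contain the field separator")
    payload = f"{measure(executable)}|{domain}|{expires_at}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def authenticate_token(key: bytes, token: str, executable: bytes, now: int):
    """Return the domain the token vouches for, or None if it must be refused."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or corrupted: reject before parsing anything
    try:
        digest, domain, expires_text = payload.decode().split("|")
        expires_at = int(expires_text)
    except ValueError:
        return None
    if expires_at <= now:
        return None
    # Bind the token to the code presenting it: a token minted for one binary
    # is useless when replayed by another.
    if not hmac.compare_digest(digest, measure(executable)):
        return None
    return domain


def authorize(key: bytes, token: str, executable: bytes, resource: str, now: int) -> bool:
    """Access-control decision a non-kernel service can make from the token alone."""
    domain = authenticate_token(key, token, executable, now)
    if domain is None:
        return False
    return resource in DOMAIN_POLICY.get(domain, set())


def demo() -> dict:
    """Exercise the happy path and the failure modes a verifier must handle."""
    now = 1_700_000_000  # constructed clock reading
    mail, game = SAMPLE_EXECUTABLES["mailclient"], SAMPLE_EXECUTABLES["game"]
    mail_tok = issue_token(ISSUER_KEY, mail, "operator-trusted", now + 3600)
    game_tok = issue_token(ISSUER_KEY, game, "user-installed", now + 3600)
    # Forgery attempt: edit the domain field without knowing the issuer key.
    raw = base64.urlsafe_b64decode(game_tok.encode())
    forged = base64.urlsafe_b64encode(raw.replace(b"user-installed", b"operator-trusted")).decode()
    return {
        "mail_keystore": authorize(ISSUER_KEY, mail_tok, mail, "keystore", now),
        "game_keystore": authorize(ISSUER_KEY, game_tok, game, "keystore", now),
        "game_contacts": authorize(ISSUER_KEY, game_tok, game, "contacts", now),
        "replayed_by_game": authorize(ISSUER_KEY, mail_tok, game, "keystore", now),
        "forged_domain": authorize(ISSUER_KEY, forged, game, "keystore", now),
        "expired": authorize(ISSUER_KEY, mail_tok, mail, "keystore", now + 7200),
        "garbage": authorize(ISSUER_KEY, "not-a-token", mail, "keystore", now),
    }


if __name__ == "__main__":
    print(demo())
```

The relying service never looks inside the token until the tag has verified, compares the tag and the measurement in constant time, and refuses a token whose measurement does not match the image that presented it. Those three checks are what make the token "opaque" in practice: the bearer learns nothing useful by tampering with it, and a token issued to one binary cannot be borrowed by another.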
These details are provided for information only. No information here is legal advice and should not be used as such.