Security, IPC and buses

The discussion has mixed systems which need to control hardware with those that merely read data. Irrespective of what security model MeeGo adopts, the best kind of security is an air gap. Systems that do not need to control hardware should not be electrically connected to that hardware or able to send software messages to it over a bus, period. We should not implement capabilities that are unsafe and then disallow them in a policy framework: we just shouldn't implement them in the first place.

From the IVI point of view, most applications will be consumers rather than producers of data, meaning that a pub-sub (server-client) model of communication is adequate. The advantage of pub-sub is that the speed of a bus protocol is less relevant. If simple displays can acquire the information they need from a database or XML log, they need not communicate with the producer at all. Note that *control* systems would still read from the sensor and its bus directly, via IPC, not from a log (where bad data might be injected by an attacker).

A logfile can be made more secure if writers calculate a hash that they publish, for example a Linux md5sum. Hash calculations are low-cost and can easily be included in IVI even if the regular MeeGo Security Framework does not incorporate them. The md5sum can be encrypted if need be. A logfile can also be protected by extended file attributes in SELinux.

User abstraction

Another point about IVI security has to do with multiple inputs and displays. Traditionally in Linux and Unix, we've had different users with different privileges. Extending this paradigm to the automotive case makes perfect sense, as the driver should be a more privileged user than backseat passengers. Example: while we may want to allow the backseat passengers to view the same navigation map as the driver, we may not want to allow them to change the destination of the trip and the associated routing information that the driver sees.

-- 
Alison Chaiken
(650) 279-5600 (cell)
http://www.exerciseforthereader.org/
Spend much time at the cutting edge and you're liable to get cut.

_______________________________________________
MeeGo-ivi mailing list
[email protected]
http://lists.meego.com/listinfo/meego-ivi
