Hi,
True, "All -TCB" is much more than is needed.
I also myself did use "All -TCB" but we can get with less.
br
Sasha
[email protected] wrote:
qml.exe is compiled with "ALL-TCB" capabilities.
I think this is too much, for the following reasons:
1. attack surface
any bugs in qml that can be exploited via a qml script will allow the
hacker access to almost all of the system.
I don't think you'd install the qml player on linux as setuid root, or
on windows with run as administrator.
It is dangerous to give so many capabilities to an application that
can run arbitrary untrusted scripts.
2. ability to load plugins
Third party developers who are working with the SDK have access to
only a limited set of capabilities.
See
http://developer.symbian.org/wiki/index.php/Capabilities_(Symbian_Signed)
User capabilities are available to anyone
System capabilities require you to upload your DLL to a website and
get a signed version back via email every time you make a change.
Unless you are a registered company with a publisher ID, in which case
you can get a "developer certificate" that you can use for signing on
your pc.
Restricted capabilities are only available to registered companies
with publisher ID
Manufacturer capabilities require the developer to get special
permission from Nokia (which is rarely given for DRM and TCB)
Therefore if qml.exe has more than the user set of capabilities it
will be difficult for developers who download the SDK to test their
plugin dlls.
Of course, when building qml.exe yourself, you can change the
capabilities as needed.
3. requirements of underlying APIs
All Qt's APIs can be used with just the "user capabilities" set, with
the exception of QProcess::kill() / QProcess::terminate() which
require PowerMgmt
4. difference between exe and dll capabilities.
A process (exe) can load dlls with equal or greater capabilities to the
process.
The process capabilities are not changed when loading dlls, and
security checks are always done on a process.
So, capabilities of a general purpose DLL should be broad (so they can
be used by many processes).
Capabilities of an EXE should be narrow (to limit the attack surface
if it contains exploitable bugs).
Ideally, an EXE should have exactly the capabilities for the APIs it
uses, and no more.
Ideally, a general purpose DLL should only have capabilities it is
trusted with - higher capability DLLs should be reviewed more
stringently. (in practice, this is only done for TCB and to a limited
extent, DRM)
Ideally, plugins should have the same capabilities as the process that
loads them (if there is only one process that should load a particular
plugin)
5. Recommendation:
I recommend that qml.exe is built with the "user capabilities" set, to
give benefit to the most developers.
Qml applications should be built with their own wrapper exe with the
correct capabilities.
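A small added model of the loader rule from point 4 and what it means for point 2 (this is constructed example code, not Qt or Symbian code; the capability-to-tier grouping follows the Symbian Signed categories, and the API-to-capability table is an assumption apart from the QProcess::kill / PowerMgmt entry the mail itself states).

```python
"""Toy model of the Symbian platform-security loader rule: a process may only
load a DLL whose capabilities are a superset of its own, and loading never
changes the process's capabilities. Constructed example, not Symbian/Qt code."""

from enum import IntEnum


class Tier(IntEnum):
    USER = 0          # available to anyone
    SYSTEM = 1        # upload-and-sign, or developer certificate
    RESTRICTED = 2    # registered companies with publisher ID
    MANUFACTURER = 3  # special permission from the manufacturer


# Symbian capability names grouped by Symbian Signed tier.
CAP_TIER = {
    **dict.fromkeys(["LocalServices", "Location", "NetworkServices",
                     "ReadUserData", "UserEnvironment", "WriteUserData"], Tier.USER),
    **dict.fromkeys(["PowerMgmt", "ProtServ", "ReadDeviceData", "SurroundingsDD",
                     "SwEvent", "TrustedUI", "WriteDeviceData"], Tier.SYSTEM),
    **dict.fromkeys(["CommDD", "DiskAdmin", "MultimediaDD", "NetworkControl"], Tier.RESTRICTED),
    **dict.fromkeys(["AllFiles", "DRM", "TCB"], Tier.MANUFACTURER),
}
USER_CAPS = frozenset(c for c, t in CAP_TIER.items() if t == Tier.USER)
ALL_MINUS_TCB = frozenset(CAP_TIER) - {"TCB"}

# Assumed API -> required capability table (QProcess::kill entry is from the mail).
API_CAPS = {"QProcess::kill": {"PowerMgmt"},
            "QNetworkAccessManager": {"NetworkServices"},
            "QFile (user data)": {"ReadUserData", "WriteUserData"}}


def loader_allows(process_caps, dll_caps):
    """Loader rule: the DLL must hold every capability the process holds."""
    return frozenset(dll_caps) >= frozenset(process_caps)


def caps_after_load(process_caps, dll_caps):
    """Security checks are per process, so a successful load leaves its caps unchanged."""
    if not loader_allows(process_caps, dll_caps):
        missing = ", ".join(sorted(set(process_caps) - set(dll_caps)))
        raise PermissionError("loader refuses DLL, missing: " + missing)
    return frozenset(process_caps)


def signing_tier(caps):
    """Highest Symbian Signed tier a binary carrying these capabilities needs."""
    return max((CAP_TIER[c] for c in caps), default=Tier.USER)


def least_privilege_caps(apis_used):
    """Exactly the capabilities needed for the APIs an EXE calls, and no more."""
    return frozenset().union(*(API_CAPS[a] for a in apis_used))
```

With qml.exe at "All -TCB", a plugin DLL built with only user capabilities fails `loader_allows`, and a loadable plugin would have to be signed at the manufacturer tier, which is the SDK-developer problem the mail describes.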
_______________________________________________
Qt-qml mailing list
[email protected]
http://lists.trolltech.com/mailman/listinfo/qt-qml