B2G security model (debian package management recommended) - help and advice needed

To: debian-devel@lists.debian.org
Subject: B2G security model (debian package management recommended) - help and advice needed
From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
Date: Thu, 22 Mar 2012 04:01:09 +0000
Message-id: <[🔎] CAPweEDyBf2xqzU=1h4R=RfKE3uiks22=-92KjiJHN4DQm91FGw@mail.gmail.com>
folks, hi,

please take a deep breath before reading.

i'm keenly aware of the view that many people hold of me in debian.
that i'm even bringing something to your attention and asking for your
help (not for me, personally) should therefore tell you a lot more
than needs to actually be said.

i'm presently coming up to nine hours of continuous non-stop typing
(just today) to deal with something on the B2G developer mailing
lists: the security model, and it's getting to the point where i'm i
serious need of some highly-technical (as well as social) assistance.

your patience greatly appreciated whilst i explain.

B2G is a new operating system where the Gecko web front-end doubles up
(triples up?) as the window manager as well as the applications
"runner".  they started from the android codebase, ripped out java,
ripped out webkit, dropped gecko in place using OpenGL _directly_
writing to the framebuffer, and then went, "ok, now we got the basics,
let's make this work".

as a concept, i find this both fascinating and exciting.  the
resources of the mozilla foundation with the non-profit-orientated
motivation to create an open alternative to google's android?
fantastic!

by the time they're done, there will be *another* FOSS operating
system out there - one with the potential to reach a hundred million
units or more, through mass-volume sales world-wide, via numerous
telephone companies.  applications could be developed by people that
could take off just as fast as any android or iphone application:
potentially millions of downloads per day if an app becomes highly
popular.

and the whole thing *won't* be tied to a particular vendor, or to a
profit-maximising company.  the mozilla foundation is a non-for-profit
organisation, so has the potential to take into consideration aspects
that are *not* over-ridden by profit maximisation (such as "increasing
revenue stream").

i have every confidence in the mozilla foundation to deliver the goods
on the U.I, on the apps example development, and much more besides.

what's of fundamental and deep concern to me is their ability to
comprehend the security implications of what they're doing.

and, you *know* me - it should come as absolutely no surprise to any
of you to learn that even the mozilla foundation is deploying
increasingly-hostile censorship measures to prevent me from
communicating with them.

ok, you can laugh now.  go on.  yeah, i know.  i did it again.

happy now? :)

but seriously: it should be reasonably clear as to why i've persisted
with this *despite* increasing resistance, and it should speak volumes
that i'm asking (requesting NOT demanding) - publicly - for people to
wander over and take (CONSIDER taking) a look at the security
discussion taking place.

why am i asking [requesting-not-demanding] that _you_ - debian
developers - get [CONSIDER getting] involved?  it's because the
application distribution model that i know best (that will also fulfil
the requirements) is... yep, debian.

why i am so deeply concerned about the discussion on the b2g-dev
mailing list has nothing to do with me, but has everything to do with
what the people in the mozilla foundation - those actively involved in
the b2g decision-making process - are recommending be used for
application distribution. it's SSL!

now, i know you know how debian package management works.  imagine if
someone on a debian list somewhere went "hey guys!  you know that
infrastructure you use to distribute debian packages?  i've got a
great idea for a replacement for the system you've been establishing
and refining for almost 20 years, it's called SSL!"

now that you've picked yourself up off the floor, either from shock or
from laughing so hard you couldn't stand upright, you may be wondering
if i've made some sort of hilarious techie joke.  i assure you i
haven't.

what _would_ be funny though would be if, after reading this, someone
who *really* knows how SSL well and truly works actually said "yes,
here's a workable technical solution which uses SSL and delivers the
goods, i did a complete paper on it, it easily scales to the numbers
you describe, but didn't mention it here on the debian lists ever
because they already have a fully-working solution, and i didn't wish
to make an ass of myself like you do on a regular basis, mr lkcl".

then i would be very very happy that the joke was entirely on me.

... but my instincts and experience with SSL (so far) and with the
debian package management system (so far), tell me otherwise (to
date).

the problem is: i've rather comprehensively fucked up relations
with... i think it's now about... ooo, getting on for 30+ people in
mozilla, who are getting so incensed that i'm quotes telling them what
to do quotes that in true terry pratchett style it's going beyond
annoying, gone out the other side and is bordering on becoming funny.

i think saying "i know there are many of you who wish i was dead so
that i'd stop typing" probably did it, this time.

anyway, enough of that: seriously, for those of you who feel some
semblance of duty and responsibility to free software in general, can
i please urge you to look this document over (should you so choose),
https://wiki.mozilla.org/Apps/Security
or to join the discussion on the dev-b2g mailing list (should you so choose).
https://groups.google.com/forum/#!forum/mozilla.dev.b2g

 my assessment of the situation so far is this (please feel free to
entirely ignore this):

* the required security is divided into four (thoroughly-interlinked) areas:
  1) secure application distribution [*1]
  2) app permissions enforcement (think: android's kernel-level
security model, SE/Linux etc).
  3) decisions on what permissions are *required* to be enforced
      (e.g. app can make phone calls,
       e.g. app can access GPS,
       e.g. app can legitimately access IMEI number etc.)
  4) "standard" web security (normally known as XSS in AJAX)
* the mozilla team is giving the impression that they can handle
comprehensively and extremely competently handle jobs 3 and 4.
* the mozilla team is giving the impression that they couldn't find a
solution for 1) or 2) with both hands if it was imprinted on *all* of
their backsides.
* the use of debian's package management and distribution system would
be a significant augmentation of what the B2G team is doing, as well
as comprehensively fulfilling the requirements
* the mozilla team's expertise in operating system security is...
severely limited.
* the mozilla team's expertise in SSL and in Gecko is second-to-none
* the mozilla team's expertise in SSL and in Gecko is bordering on
tunnel-vision.
* i'm not helping by repeating things - even patiently - even though
other people in the mozilla foundation keep repeating "what about SSL,
surely that will work?".

[*2]

even the name of the wiki pages chosen should give you a massive clue
- and should, if you have any security knowledge or expertise, be
ringing massive alarm bells.  all pages are named "App Security".
there *is* no top-level wiki page named "B2G Operating System
Security".

so the bottom line is: can someone, who has a clue and the patience,
please take a look at what they're doing, with a view to helping them
evaluate and develop a proper and comprehensive security model - one
that takes into account all 4 aspects?

i've done my best, but i know when i'm getting out of my depth, and
when it's time to ask for help.  i've done my best to document what i
believe the B2G team can benefit from the use of debian's package
distribution infrastructure, but they're not really taking it
on-board, for so many reasons it's hard to believe let alone describe
[*3]

thanks folks.  really.

anything i haven't thought of, please do email me.  just... give me a
day to recover from today's late night :)

/peace

l.

[*1] apps in B2G are actually javacript+HTML source code, but don't
let that fool you: those javascript apps, through extensions to the
functions available to the javascript namespace, have the power to
initiate phone calls or to push your details up to a company's web
site, entirely without your permission or even knowledge, if there
wasn't any security.
[*2] do you note how i go to some lengths to praise the expertise of
various teams for what they *can* do, so very very well?  it's
genuine.  just as genuine as the way that i go to the exact same
lengths to make it a joke or just plain state outright - honest, plain
and simple - when pointing out the *lack* of expertise in certain
areas.  as best i can.  many people - debian developers included -
ignore the former and focus on the latter.  oh well.  sorry.
[*3] just one example: i've encountered and listed _seven_ separate
and distinct reasons why the use of SSL as an application distribution
"security" measure does not fulfil the requirements, each of which
purely on their own should be sufficient to pull the plug on further
discussion of the use of SSL, yet i think there have been *nine*
people so far who have all gone "so what about this particular aspect
of SSL security, that'll help, right?"  it's... truly, truly
astounding.
Reply to:
Prev by Date: Re: debian/rules VS debian/copyright.
Next by Date: Re: mass bug filing against packages that don't remove alternatives
Previous by thread: Bug#664979: ITP: m2vrequantiser -- MPEG-2 streams requantization
Next by thread: Re: mass bug filing against packages that don't remove alternatives
Index(es):
- Date
- Thread