Moblin Security

Note: This technology is being actively worked on for the future. It is not yet part of the Moblin distribution or images.

The main goal for the security architecture is to enable Moblin as an "open but secure" device platform. This implies the user's ability to install any native application without compromising security. The tall order of this promise is met through multiple security mechanisms implemented in Moblin. Some of them will require support from hardware. In the absence of hardware-based security support, certain threats to the platform may remain unmitigated.

We will divide this project into the following categories/subprojects:

  1. Trusted or secure boot: Only needed if the device needs to support trusted applications/services (such as telephony, DRM)
  2. Application Sandboxing: These are the main objectives for this project:
    1. Make sure that a compromised application cannot cause damage to the rest of the platform. This means an attacker must not be able to use one vulnerable application as a springboard for attacking the rest of the device.
    2. Hide information / data associated with an application from the rest of the applications running on the platform.
    3. Restrict an application's access to only those parts of the system it needs in order to do its particular function.
  3. Access Control for critical services: This is typically needed in two cases:
    1. The device supports trusted services and needs to make sure that only a select few applications have access to them.
    2. Applications and services need to protect access to user privacy-sensitive data. For example, the GPS managing service should not provide current location information to every application on the platform. The content manager should protect access to all user data and allow access only to policy-specified applications.
       The user needs to have the ability to mediate this access control, where allowed.
  4. Package Isolation: To make sure that untrusted applications do not cause any damage at installation time, there needs to be packaging-level isolation. The packages corresponding to untrusted applications need to be isolated from all system and trusted application packages.
  5. Hardened software stack: In addition to employing the trusted boot and application isolation techniques, the Linux OS software stack needs tightening to minimize the attack vectors.
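A sketch of the two access-control cases listed under item 3 (a trusted service with a fixed allow-list that the user cannot override, and a privacy-sensitive service where policy may let the user mediate), written here as an added example; it is not Moblin code, and the policy structure, the service names (telephony, gps, content) and the application names are assumptions for illustration:

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Set

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"

@dataclass
class ServicePolicy:
    # Constructed policy model, not Moblin's format.
    trusted: bool                          # case 1: trusted service, allow-list only
    allowed_apps: Set[str] = field(default_factory=set)
    user_mediable: bool = False            # case 2: user may grant access where policy allows it

@dataclass
class AccessPolicy:
    services: Dict[str, ServicePolicy]
    audit: List[str] = field(default_factory=list)  # denials, for later review

    def check(self, app: str, service: str,
              ask_user: Callable[[str, str], bool]) -> Decision:
        policy = self.services.get(service)
        if policy is None:
            # Unknown service: default deny, so a new service is never exposed by accident.
            return self._deny(app, service, "unknown service")
        if app in policy.allowed_apps:
            return Decision.ALLOW
        if policy.trusted or not policy.user_mediable:
            # Trusted services and non-mediable data stay closed regardless of user choice.
            return self._deny(app, service, "not in policy")
        # Privacy-sensitive service where policy permits user mediation: ask, then decide.
        if ask_user(app, service):
            return Decision.ALLOW
        return self._deny(app, service, "user declined")

    def _deny(self, app: str, service: str, reason: str) -> Decision:
        self.audit.append(f"DENY app={app} service={service} reason={reason}")
        return Decision.DENY

def example_policy() -> AccessPolicy:
    # Assumed services: telephony is trusted (case 1); gps and content hold user data (case 2).
    return AccessPolicy({
        "telephony": ServicePolicy(trusted=True, allowed_apps={"dialer"}),
        "gps": ServicePolicy(trusted=False, allowed_apps={"maps"}, user_mediable=True),
        "content": ServicePolicy(trusted=False, allowed_apps={"gallery"}, user_mediable=False),
    })
```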

We will add more details on these subprojects soon.
