One of the systems security projects we’re working on in Oxford is webinos – a secure, cross-device web application environment. Webinos will provide a set of standard APIs so that developers who want to use particular device capabilities – such as location services, or media playback – don’t need to customise their mobile web app to work on every platform. This should help prevent the fragmentation of the web application market and is an opportunity to introduce a common security model for access control to device APIs. Webinos is aimed at mobile phones, cars, smart TVs and PCs, and will probably be implemented initially as a heavy-weight web browser plugin on Android and other platforms.
By a staggering coincidence, the Meego project has a similar idea and a similarly broad ranges of devices it intends to work on. However, Meego is aimed at native applications, and is built around the Qt framework. Meego is also a complete platform rather than a browser plugin, containing a Linux kernel. Meego requires that all applications are signed, and can enforce mandatory access controls through the SMACK Linux Security Module.
In terms of security, these two projects have some important differences. Meego can take advantage of all kinds of interesting trusted infrastructure concepts, including Trusted Execution Environments and Trusted Platform Modules, as it can instrument the operating system to support hardware security features. Meego can claim complete control of the whole platform, and mediate all attempts to run applications, checking that only those with trusted certificates are allowed (whitelisting). Webinos has neither of these luxuries. It can’t insist on a certain operating system (in fact, we would rather it didn’t) and can only control access to web applications, not other user-space programs. This greatly limits the number of security guarantees we can make, as our root of trust is the webinos software itself rather than an operating system kernel or tamper-proof hardware.
This raises an interesting question. If I am the developer of a system such as webinos, can I provide security to users – who may entrust my system with private and valuable data – without having full control of the complete software stack? Is the inclusion of a hardened operating system necessary for me to create a secure application? Is it reasonable for me to offload this concern to the user and the user’s system administrator (who are likely to be the same person?)
While it seems impractical for developers to ship an entire operating system environment with every application they create, isn’t this exactly what is happening with the rise of virtualization?