Hi Luke,

There's quite a bit of discussion and thought that has already gone into this topic, and we are currently in the process of turning all that thought into a specific proposal. You'll see that shortly, but in the meantime I'd like to keep this thread focused on the topic at hand. As I think you've probably noticed, discussions get significantly less productive as their scope creeps.

Thanks!
Lucas.
On Apr 10, 2012, at 7:18 PM, lkcl luke wrote:

> On Wed, Apr 11, 2012 at 12:21 AM, Lucas Adamski <ladam...@mozilla.com> wrote:
>
>> In the interests of time we may defer discussion of some of the lower
>> priority APIs (eg. webNFC) for now, or B2G-specific APIs that are
>> initially only intended to be exposed to certified apps.
>
> Lucas,
>
> there's a really rather fundamental security discussion that also
> needs to take place, rather urgently before anything's actually
> implemented, and certainly needs to take place to underpin the whole
> security concept in people's minds, and it's illustrated by a very
> simple question:
>
> what is actually going to enforce these permissions?
>
> i.e. what is actually going to say "yes" or "no"?
>
> also, remember, there's two different types of security models: ACLs
> and Capabilities. ACLs, the functionality is there - and potentially
> visible, but the software is simply denied access to it.
> Capabilities, the functionality is *removed* - there's not even a way
> to *get* to it, if the software is not permitted to use it.
>
> btw the answer has to be "the kernel" if you want B2G to be taken
> seriously. there's a very good reason why android has a kernel-based
> security model.
>
> userspace is just too easy to compromise. that's fine (ok, it isn't,
> but you know what i mean) to compromise security on firefox, because
> the threat isn't so serious. but compromising a userspace application
> with a buffer overflow, and then you can start making phone calls to
> 0898 numbers? that's _really_ serious.
>
> i'm sorry to have to keep on about this, but i haven't seen a single
> discussion which mentions "kernel". anywhere. everything's focussed
> on "B2G", and that has me deeply concerned for the viability of the
> project.
>
> l.
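The ACL-versus-capability distinction from the quoted message, modelled in-process as an added example that is not part of this thread; the `Telephony`, `AclGateway` and `grant_capabilities` names, the app ids and the permission table are all constructed.

```python
# Added illustration (not from the thread): the two enforcement styles
# Luke contrasts. ACL style: the privileged object is reachable by every
# app and a lookup says "yes" or "no". Capability style: an app is handed
# only the functions it was granted, so an ungranted API has no reference
# at all. All names and the policy table below are hypothetical.

PERMISSIONS = {"dialer": {"dial", "sms"}, "game": set()}   # constructed policy


class Telephony:
    """Privileged functionality; stands in for a phone-call API."""
    def __init__(self):
        self.log = []

    def dial(self, number):
        self.log.append(("dial", number))
        return "dialled"

    def sms(self, number, text):
        self.log.append(("sms", number))
        return "sent"


class AclGateway:
    """ACL style: functionality is present and reachable; a check denies."""
    def __init__(self, telephony, permissions):
        self.telephony = telephony
        self.permissions = permissions

    def invoke(self, app, api, *args):
        if api not in self.permissions.get(app, set()):
            raise PermissionError(f"{app} may not call {api}")
        return getattr(self.telephony, api)(*args)


def grant_capabilities(app, telephony, permissions):
    """Capability style: hand the app bound methods for granted APIs only."""
    return {api: getattr(telephony, api) for api in permissions.get(app, set())}


def run_app(app, permissions=PERMISSIONS):
    """Return what each style lets `app` do with the dial API."""
    telephony = Telephony()
    gateway = AclGateway(telephony, permissions)
    caps = grant_capabilities(app, telephony, permissions)
    try:
        acl_result = gateway.invoke(app, "dial", "+15550100")
    except PermissionError:
        acl_result = "denied"
    # Under capabilities there is no check to get past: the reference exists or not.
    cap_result = caps["dial"]("+15550100") if "dial" in caps else "unreachable"
    return {"acl": acl_result, "capability": cap_result, "reachable_apis": sorted(caps)}
```

In the ACL case the denied app still holds a reference to the gateway (and, through it, the telephony object), which is the reachability Luke's message is worried about; in the capability case the app's reachable set for an ungranted API is empty.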