[OLPC Security] Email-attached/IM-shared applications and worms
Mike C. Fletcher
mcfletch at vrplumber.com
Tue Jun 5 15:07:46 EDT 2007
The correlation document[1] has a number of sections describing threats
from email-attached executables. I don't see where we have explicitly
stated this restriction to provide protection, so here it is:
* document mount-points within an application's chroot must be
  no-execute-bit restricted
    o restricts installation of new software so that files stored
      by the application are not directly executable
        + user can download a package to install, but they
          cannot run it directly from email/web
    o it does not protect against corrupted "executable files"
      (e.g. scripted web-pages or macros embedded in office documents)
    o to be installed on a non-execute-bit restricted file-system
      (e.g. an application's r/o installation image) the software
      must be transferred to the file-system location by the
      installer service
    o installer service should be a *separate* activity from the
      activity which downloaded the package description
        + installer can be asked to open a given package/xo/rpm
          from the Journal
        + might be possible to launch the activity with the
          installer activity *iff* we support the general case
          of opening a file/journal from the Journal interface
          with a given, specified activity (not the original
          activity)
    o installer is where the capability restrictions are added to
      the executable
    o the executable cannot be directly launched from the activity
      without installation via the installer service first, and on
      doing so it becomes a separate activity *without* access to
      the introducing activity's resources
Have fun,
Mike
[1] http://wiki.laptop.org/go/Correlating_Bitfrost_and_Threats#Safest_Categories_for_Application_Installation
--
________________________________________________
Mike C. Fletcher
Designer, VR Plumber, Coder
http://www.vrplumber.com
http://blog.vrplumber.com
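The two rules in the message (nothing on the noexec document store may be launched directly, and only a separate installer step may move a package into an executable install tree) are small enough to show as a launcher-side check. The following is an added example, not OLPC or Bitfrost code; the mount table, the /home/olpc paths and the install_package behaviour are assumptions for illustration, and the real design would also verify the package before copying it.

```python
"""
Added example (not OLPC/Bitfrost code): resolve which mount a file lives on
from a /proc/mounts-style table, refuse to launch anything that sits on a
noexec document store, and route installation through a separate step that
copies the package into an executable install tree.  Mount table, paths and
the install policy are assumed for illustration, not the real XO layout.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed /proc/mounts excerpt (assumed layout, not taken from a real XO).
SAMPLE_MOUNTS = """\
/dev/mtdblock0 / jffs2 rw,noatime 0 0
tmpfs /home/olpc/Activities tmpfs ro,nosuid,nodev 0 0
tmpfs /home/olpc/.sugar/documents tmpfs rw,nosuid,nodev,noexec 0 0
"""


@dataclass(frozen=True)
class Mount:
    source: str
    target: str
    fstype: str
    options: FrozenSet[str]


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts-style lines; the kernel writes spaces in paths as \\040."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, target, fstype, opts = fields[:4]
        target = target.replace("\\040", " ")
        mounts.append(Mount(source, target, fstype, frozenset(opts.split(","))))
    return mounts


def mount_for(path: str, mounts: List[Mount]) -> Optional[Mount]:
    """Deepest mount point whose target is a path prefix of `path` (longest match)."""
    path = os.path.normpath(os.path.abspath(path))
    best = None
    for m in mounts:
        target = os.path.normpath(m.target)
        if path == target or path.startswith(target.rstrip("/") + "/"):
            if best is None or len(target) > len(os.path.normpath(best.target)):
                best = m
    return best


def is_noexec(path: str, mounts: List[Mount]) -> bool:
    m = mount_for(path, mounts)
    return m is not None and "noexec" in m.options


def launch_allowed(path: str, install_root: str, mounts: List[Mount]) -> Tuple[bool, str]:
    """Launcher-side check: only files inside the install tree may be exec'd
    directly, and only if that tree is not itself mounted noexec."""
    real = os.path.normpath(os.path.abspath(path))
    root = os.path.normpath(os.path.abspath(install_root))
    if not real.startswith(root + os.sep):
        return False, "not in the install tree; go through the installer"
    if is_noexec(real, mounts):
        return False, "install tree is mounted noexec"
    return True, "ok"


def install_package(package: str, install_root: str, mounts: List[Mount]) -> str:
    """Installer service's job (assumed policy): copy the package out of the
    document store into the install tree and set the execute bit there.
    Verification of the package and attaching capability restrictions would
    happen here as well; they are out of scope for this example."""
    if not os.path.isfile(package):
        raise ValueError("package is not a regular file")
    if is_noexec(install_root, mounts):
        raise ValueError("install tree is mounted noexec; nothing could run there")
    os.makedirs(install_root, exist_ok=True)
    dest = os.path.join(install_root, os.path.basename(package))
    shutil.copyfile(package, dest)
    os.chmod(dest, os.stat(dest).st_mode | stat.S_IXUSR)
    return dest


def demo() -> Tuple[bool, bool]:
    """Round trip in a temp dir with a constructed mount table standing in for
    /proc/mounts: launch from the document store is refused, launch after
    installation is allowed.  Returns (allowed_before, allowed_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "documents")
        acts = os.path.join(tmp, "Activities")
        os.makedirs(docs)
        mounts = parse_mounts(
            f"/dev/sda1 / ext4 rw 0 0\n"
            f"tmpfs {docs} tmpfs rw,nosuid,nodev,noexec 0 0\n"
            f"tmpfs {acts} tmpfs rw,nosuid,nodev 0 0\n"
        )
        pkg = os.path.join(docs, "Hello.xo")  # constructed stand-in for a download
        with open(pkg, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        before = launch_allowed(pkg, acts, mounts)[0]
        installed = install_package(pkg, acts, mounts)
        after = launch_allowed(installed, acts, mounts)[0]
        return before, after
```

The userland check mirrors what the kernel enforces for a noexec mount: execve() of a file on that mount fails. It does not stop `sh file` or `python file`, because there the interpreter is the thing being executed and the file is merely read, which is the same gap the message notes for scripted web pages and office macros.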