Re: [Execution and Security Model] Proposal from Samsung Electronics

On 27/02/13 00:36, Jonas Sicking wrote:
> That said, I still agree with what you are saying, we just have to be
> very explicit about who makes which decisions. In Firefox OS the
> runtime trusts a set of stores, and those stores decide which
> applications should get access to which privileged APIs. Likely we'll
> expand this so that Firefox OS trusts certain stores to only be able to
> hand out certain privileges.

On 26/02/13 12:38, John Lyle wrote:
> We discussed this issue internally within webinos.  We assume that the
> main value of an app store is in revocation rather than prevention*.
> E.g., it gives the app store the ability to remove a malicious app, not
> prevent it from being present on the app store in the first place.
>
> Unless the app store is charging developers a lot of money to submit an
> application, it won't be cost-effective to review each application for
> malicious behaviour. As a result, malware will definitely get through.
> That's not to dilute the app store's importance: it makes the impact of
> any malware much lower as it would hopefully be removed by the app store
> fairly quickly after complaints are received.  But it is only one of
> several measures.

I think both systems should be allowed by the specification and I do not
think that the specification should force a particular system. My
current idea is to have a chain of trust:
 - the runtime trusts some marketplaces;
 - the marketplace marks some applications as trusted.
If the user installs an application marked as trusted by the marketplace
and the marketplace is trusted, the application will have access to
privileged APIs.

I think the advantage of that system is that the marketplace can simply
decide how an application is marked trusted. It can be through reviews,
because the source is trusted, because the application has been
reviewed, because the developer paid for it, or whatever reason.
Trusting all applications could even be a solution.

Then, it is up to the runtime to decide if the marketplace is
trustworthy and should be allowed to install privileged applications.
(I wonder if the runtime SHOULD allow the user to mark a marketplace as
trusted?)

I think that this solution is dynamic and can produce competition and
innovation. In other words, marketplaces can be a real ecosystem.

--
Mounir

Received on Wednesday, 27 February 2013 22:01:31 UTC
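As an added illustration (not code from the thread or from any runtime discussed in it), here is a small model of the chain of trust proposed above, combined with the per-store privilege limits Jonas mentions and the revocation role John describes. The class names, store names, app id and privilege names are all constructed for the example.

```python
# Added example (not from the thread): the runtime trusts stores, each store
# marks apps trusted by its own policy, and only the intersection is granted.
from dataclasses import dataclass, field


@dataclass
class Marketplace:
    """A store: marks apps trusted however it likes, and can later revoke."""
    name: str
    trusted_apps: set = field(default_factory=set)
    revoked_apps: set = field(default_factory=set)

    def mark_trusted(self, app_id: str) -> None:
        self.trusted_apps.add(app_id)

    def revoke(self, app_id: str) -> None:
        # Revocation is the store's main lever once malware gets past review.
        self.revoked_apps.add(app_id)

    def vouches_for(self, app_id: str) -> bool:
        return app_id in self.trusted_apps and app_id not in self.revoked_apps


@dataclass
class Runtime:
    """The runtime decides which stores it trusts, and for which privileges."""
    trusted_stores: dict = field(default_factory=dict)  # store name -> privileges

    def trust_store(self, store: Marketplace, privileges) -> None:
        self.trusted_stores[store.name] = frozenset(privileges)

    def grant(self, store: Marketplace, app_id: str, requested) -> frozenset:
        """Privileges the app actually gets; every link of the chain must hold."""
        if store.name not in self.trusted_stores:
            return frozenset()          # runtime does not trust this store at all
        if not store.vouches_for(app_id):
            return frozenset()          # store never marked it trusted, or revoked it
        # A store can only hand out what the runtime allows that store to hand out.
        return frozenset(requested) & self.trusted_stores[store.name]


def demo() -> dict:
    """Constructed scenario: three stores vouch for the same app id."""
    official, indie, rogue = Marketplace("official"), Marketplace("indie"), Marketplace("rogue")
    for store in (official, indie, rogue):
        store.mark_trusted("app.dialer")
    rt = Runtime()
    rt.trust_store(official, {"telephony", "contacts", "camera"})
    rt.trust_store(indie, {"camera"})            # indie store is capped to camera only
    want = {"telephony", "camera"}
    before = rt.grant(official, "app.dialer", want)
    official.revoke("app.dialer")                # complaints come in; store pulls the app
    return {"official": before,
            "indie": rt.grant(indie, "app.dialer", want),
            "rogue": rt.grant(rogue, "app.dialer", want),
            "official_after_revoke": rt.grant(official, "app.dialer", want)}
```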