18 PLATFORM SECURITY CONCEPTS
Symbian OS has a micro-kernel that undertakes the role of the referencemonitor. The combination of the computer hardware, the security ker-nel, and other highly-privileged OS components together make up theTrusted Computing Base (TCB) – the portion of the system responsible forenforcing security restrictions.
2.1.2 Protection Mechanism Design Principles
According to [Saltzer and Schroeder 1975], there are eight design princi-ples that apply to protection mechanisms:1.
Economy of mechanism:
keep the design small and simple, enablingeasier veriﬁcation, such as line-by-line examination, of software thatimplements the protection mechanism. Symbian has adopted this byonly fully trusting a subset of Symbian OS (the TCB) which is smallenough to be effectively code-reviewed. The TCB is described indetail in Section 188.8.131.52.
decisions are basedon permission and, by default,software has no permission. The permissions to carry out particularservices can be called privileges – software built for Symbian OSby default has no privileges; procedures are in place to ensure thatprivileges can be granted to suitably trustworthy software. Theseprocedures, including ‘Symbian Signed‘, are described in Chapter 9.3.
access permission to a protected object mustalways be checked, and any temptation to cache decisions forperformance reasons must be examined skeptically. Symbian OSprovides this architecture in the client–server framework, describedin Chapter 5.4.
security should not depend on keeping the mech-anisms secret – such secrets are difﬁcult to keep, and forego thebeneﬁts of others reviewing the design. This principle was ﬁrst statedby Auguste Kerckhoffs . Symbian’s design is open – you’rereading about it!5.
Separation of privilege:
a protection mechanism that requires twokeys to unlock it is better than one requiring only one key. This isnot universally applicable, but there are cases where requiring twocompetent authorities to approve something is beneﬁcial. The abilityto require software to have more than one signature in order to begranted privileges is described in Chapter 8.6.
a program should operate with the smallest set of privilegesthatitrequirestodothejobforwhichithaspermission.Thisreduces the risk of damage through accident or error. This is similarto a military ‘need to know’ rule, which provides the best chance