[Meego-security-discussion] MeeGo Security Goals

Joseph Cihula joseph.cihula at intel.com
Thu Apr 14 15:37:19 PDT 2011 

 <casey.schaufler at ...> writes:

> 
> > ________________________________________
> > From: meego-security-discussion-bounces at ...
> [meego-security-discussion-bounces at ...] on behalf of ext
> Ryan Ware [ware at ...]
> > Sent: Wednesday, April 13, 2011 12:59 PM
> > To: meego-security-discussion at ...
> > Subject: [Meego-security-discussion] MeeGo Security Goals
> 
> > One of the things that has come up in some of the recent discussions is
> > what are we trying to do at a high-level.  I'd like to use a methodology
> > I've used in the past that will help put this together for everyone.  This
> > methodology uses high-level statements that define the security goals of
> > the project.  These goals themselves are not requirements but security
> > requirements should be able to trace themselves to one or more of the
> > security goals.
> > 
> > Additionally, along with security goals I would like to identify security
> > non-goals.  These non-goals are statements about things are security
> > solution specifically will not protect from.  These goals are not for 1.2
> > but are for the 1.3 - 1.4 timeline.
> > 
> 
> OK, you're about to see what happens when you turn an Orange Book
> Lawyer who also worked on POSIX drafts loose on a set of security
> requirements. You're going to see a whole bunch of stuff that you'll be
> tempted to respond with "use your common sense!". In the requirment
> specification process it is important to be unsensibly precise.
> 
> > Security Goals:
> > 
> > * MeeGo shall enable end-users to control which applications are allowed
> > to access their personal data.  (End-users should be able to protect their
> > privacy)
> 
> Change "control" to "restrict".
> 
> You don't want to require an application to use "personal data" in leiu of
> "system data". The system should not be required to allow the user to push
> information to an application. The system should provide ultimate control
> while allowing the user to designate personal data as inappropriate for use
> by particular applications.
> 
> Do we need to define what constitutes a MeeGo user? Consider the smart
> toaster. Are the darkness setting statistics personal data? Is the toaster
> required to provide a user interface by which the protection of this data can
> be specified?

I completely agree that a clear definition of 'user' will be needed.  And these
controls may also need to encompass the notion that data can be owned by more
than one entity, e.g. corporate data such as emails.

It would also be useful to further refine this goal to allow users to restrict
*how* applications can access/use personal data.

That said, while mechanisms to restrict this are certainly required, they are
mostly useful to the security knowledgeable.  Android has a user-granted
privilege/access model and it hasn't helped prevent most privacy attacks.  What
MeeGo really needs to do is to help the user to make the "right" choices (and
hey, if I knew exactly how to do that I could retire by now ;-) ).  This will be
the interesting discussion about privacy!

Joe

More information about the MeeGo-security-discussion mailing list