Security/SAPI

From Tizen Wiki


Warning: obsolete

SAPI is a historical concept. This page remains here for the record.

The face-to-face security meeting of Warsaw, July the 10th, stated that:

If the concept of transparency of Core API and Secured Core API remains, no automatic proxy/stub generation has to be made.

Link to the presentation of SAPI made on July 10th, 2014.

Obsolete content

Situation of Tizen 2.x

The native API of Tizen defines the C++ native API that developers must use.

These C++ projects rely on the lower-level C projects under platform/core/api/*, also known as CAPI.

This situation is summarized by the following figure:

[Figure: Security-fw-og.png]

Why it must change

From the security perspective, this model is not safe because the privilege checks are made in user space.

One of the solutions studied is the SAPI proposal that this page describes.

See also this presentation of the problem and its possible solutions.

The SAPI proposal

SAPI (Secure CAPI) proposes to call the CAPI through a proxy/stub implementation. The following figure summarizes the concept:

[Figure: Security-fw-ng.png]

The principles are as follows:

  • SAPI is almost like CAPI;
  • CAPI remains usable by services in the System space;
  • In the User space, linking to SAPI in place of CAPI must work;
  • The calls to SAPI are passed through fast IPC to the SAPI service by the proxy, which must be a lightweight process;
  • The SAPI service checks the calls, calling Cynara when needed to check the privileges;
  • The CAPI is then called for the implementation.

Advantages of the SAPI proposal

The advantages are numerous.

  • No need to rewrite existing applications, especially Native applications;
  • Unification (simplification) of the API across the applications;
  • Replacing CAPI by SAPI using LD_PRELOAD should work for debugging and testing;
  • Standardization of the security model through SAPI (see this discussion).

Automation of proxy/stub generation

We did some work on generating the proxy/stub automatically. From this early work, we think that more than 95% of the library can be treated that way.

Implementation of SAPI

Measures of the overhead

The details of the implementation remain to be written here.

First simple measure, June 26th 2014

Description

Using a UDS (Unix Domain Socket), the SAPI client runs the equivalent of the following C code.

/* Proxy stubs of the SAPI client: connect()/disconnect() open and close the
   UDS connection to the SAPI service; each msgN() sends one message and waits
   for the reply. Their IPC implementation is not shown on this page. */
void connect(void);
void disconnect(void);
int msg1(int x);                    /* plain call */
int msg2(int x, int fd);            /* call passing a file descriptor */
int msg3(int x, int (*cb)(int));    /* call passing a callback */

int f(int x) { return 1000 + x; }   /* callback f */
int g(int x) { return 2000 + x; }   /* callback g */

void test(int fd) {
  int i, a, b, c, d;
  connect();
  for (i = 1 ; i <= 3 ; i++) {
    a = msg1(2);        /* simple call */
    b = msg2(3, fd);    /* passing a file descriptor */
    c = msg3(4, f);     /* the callback f */
    d = msg3(5, g);     /* the callback g */
  }
  disconnect();
}

From this sample, we measure:

  • the time to connect and disconnect;
  • the time of the first call without callback (it loads much code into the caches);
  • the time of the first call using a callback (it initialises the FFI closure of the callback);
  • the other calls without callback, which represent the overhead of a typical simple call;
  • the other calls with callback, which represent the overhead of a typical call with callback.

The measures are made on 3 platforms (ODROID, VTC1010, Dell PC desktop) using the gettimeofday() system call.
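The proxy/stub principle described above (a user-space proxy sending each call over a Unix domain socket to a service that checks the privilege, then calls the plain C implementation) and the timing method of this measurement can be demonstrated together in one program. The following is an added example, not Tizen's SAPI code or its generated proxy/stub: the wire format (a fixed-size request and reply struct), the message ids, the client labels and the privilege name are constructed for the example; a socketpair stands in for the named UDS; the privilege decision is a fixed table standing in for the Cynara query; and the client's label is handed to the service when it is spawned, whereas a real service would derive the caller's identity from the socket itself. Each call is timed with gettimeofday(), separating the first call from the average of the following ones, as in the table of results.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>

/* Wire format of one SAPI request and reply over the socket (constructed for
   this example; the real SAPI proxy/stub format is not described on the page). */
enum { MSG_ADD = 1, MSG_PRIVILEGED = 2 };
struct sapi_req { int id; int arg; };
struct sapi_rep { int status; int result; }; /* 0 ok, -1 privilege denied, -2 unknown message */

/* "CAPI" side: plain C implementations, reachable only through the service. */
static int capi_add(int x) { return 1000 + x; }
static int capi_privileged(int x) { return 2000 + x; }

/* Stand-in for the Cynara query (hypothetical): a real service asks Cynara
   whether the client's label holds the privilege. Here it is a fixed table. */
static int privilege_granted(const char *client_label, const char *privilege) {
    return strcmp(client_label, "trusted-app") == 0 &&
           strcmp(privilege, "http://tizen.org/privilege/example") == 0;
}

/* Service side: receive one request, check it, dispatch to CAPI, reply. The
   loop ends when the client closes its end of the socket. */
static void sapi_service(int fd, const char *client_label) {
    struct sapi_req req;
    while (read(fd, &req, sizeof req) == (ssize_t)sizeof req) {
        struct sapi_rep rep = { 0, 0 };
        switch (req.id) {
        case MSG_ADD:
            rep.result = capi_add(req.arg);
            break;
        case MSG_PRIVILEGED:
            if (privilege_granted(client_label, "http://tizen.org/privilege/example"))
                rep.result = capi_privileged(req.arg);
            else
                rep.status = -1; /* checked in the service, not in the application */
            break;
        default:
            rep.status = -2;
            break;
        }
        if (write(fd, &rep, sizeof rep) != (ssize_t)sizeof rep) break;
    }
}

/* Proxy side: what the application links against in place of CAPI. */
static int sapi_call(int fd, int id, int arg, int *status) {
    struct sapi_req req = { id, arg };
    struct sapi_rep rep;
    if (write(fd, &req, sizeof req) != (ssize_t)sizeof req) { *status = -3; return 0; }
    if (read(fd, &rep, sizeof rep) != (ssize_t)sizeof rep) { *status = -3; return 0; }
    *status = rep.status;
    return rep.result;
}

struct sapi_result { int status; int result; double first_us; double avg_next_us; };

/* Spawn the service on a socketpair, issue `count` calls of message `id` and
   time each with gettimeofday(): first call apart, average of the others. */
struct sapi_result sapi_run(const char *client_label, int id, int arg, int count) {
    struct sapi_result r = { -3, 0, 0.0, 0.0 };
    int sv[2];
    if (count < 2 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return r;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return r; }
    if (pid == 0) { close(sv[0]); sapi_service(sv[1], client_label); _exit(0); }
    close(sv[1]);
    double total_next = 0.0;
    for (int i = 0; i < count; i++) {
        struct timeval t0, t1;
        gettimeofday(&t0, NULL);
        r.result = sapi_call(sv[0], id, arg, &r.status);
        gettimeofday(&t1, NULL);
        double us = (t1.tv_sec - t0.tv_sec) * 1e6 + (t1.tv_usec - t0.tv_usec);
        if (i == 0) r.first_us = us; else total_next += us;
    }
    r.avg_next_us = total_next / (count - 1);
    close(sv[0]);            /* EOF on the service side ends its loop */
    waitpid(pid, NULL, 0);
    return r;
}

int main(void) {
    struct sapi_result r = sapi_run("trusted-app", MSG_ADD, 2, 1000);
    printf("status=%d result=%d first=%.1f us, next avg=%.2f us\n",
           r.status, r.result, r.first_us, r.avg_next_us);
    return r.status == 0 ? 0 : 1;
}
```

The "first" and "next avg" figures correspond to the "first message" and "next messages" rows of the table below; absolute values depend on the machine and will not match the page's numbers. The point of the structure is that the application process never holds the privilege decision: a client labelled untrusted-app gets status -1 back for MSG_PRIVILEGED whatever it does on its side of the socket.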

Results

The results are given in milliseconds.

Platform characteristics:

Card      | ODROID U3 (reference)        | VTC1010 (reference)         | Dell
Processor | ARMv7 Processor rev 0 (v7l)  | Intel Atom E3827 @ 1.74GHz  | Intel Core i7-2600 @ 3.40GHz
Cores     | 4                            | 2                           | 8
BogoMIPS  | 2789                         | 3494                        | 6784

Measures in ms (avg / std / min / max):

Measure                    | ODROID U3                 | VTC1010                   | Dell
connection                 | 0.16 / 0.14 / 0.08 / 0.33 | 0.90 / 0.36 / 0.62 / 1.31 | 0.03 / 0.01 / 0.02 / 0.04
disconnection              | 0.32 / 0.01 / 0.31 / 0.32 | 0.40 / 0.30 / 0.06 / 0.58 | 0.01 / 0.00 / 0.01 / 0.01
first message (without CB) | 0.59 / 0.19 / 0.37 / 0.73 | 0.81 / 0.27 / 0.50 / 1.04 | 0.26 / 0.03 / 0.23 / 0.30
next messages without CB   | 0.10 / 0.05 / 0.07 / 0.25 | 0.23 / 0.09 / 0.16 / 0.44 | 0.06 / 0.03 / 0.02 / 0.10
first message with CB      | 0.80 / 0.09 / 0.73 / 0.90 | 1.47 / 0.14 / 1.35 / 1.63 | 0.38 / 0.04 / 0.34 / 0.41
next messages with CB      | 0.17 / 0.03 / 0.14 / 0.23 | 0.42 / 0.18 / 0.32 / 0.97 | 0.09 / 0.05 / 0.03 / 0.19

The relevant results to consider are the average times of the next messages without callback (shown in bold on the original page). The expected cost of integrating SAPI is about 0.1 ms on ODROID and 0.23 ms on VTC1010.

Service List

Here is the service list provided by Tizen: http://wiki.tizen.org/wiki/Service_List