[maemo-developers] Security Guidance for N800 OS development

From: Acadia Secure Networks acadiasecurenets at aol.com
Date: Mon Feb 19 17:59:25 EET 2007

All,

Has Nokia published any documentation on the subject of how to secure 
the N800 OS from attack from both a software developer perspective as 
well as an end user perspective?

I mention this because, as more Internet aware/dependent applications 
are developed for the N800 (it is an Internet tablet after all) the 
"attack surface" for the product will increase. I have asked previously 
about whether or not the N800 has a stateful firewall but so far the 
answer seems to be no.

To provide a context for the question of OS and application security, 
here is the URL to a www page at the SANS Institute Internet Storm 
Center www site whose purpose is to provide the viewer with a 
perspective on the time between attacks on various kinds of systems:

          http://isc.sans.org/survivaltime.html


The data used to collect this information is not country source or 
country destination specific thus it represents a reasonable proxy for 
what goes on every day on the Internet from wherever one makes a 
connection. The idea behind the output graph rendered by this www page 
is that, given that

    a) your Internet connected system WILL be attacked at the intervals
       indicated in the graph

then

    b) your system will eventually be successfully compromised unless
       you do something to prevent that from happening beforehand.

The "survival time" shown in the graph thus attempts to estimate the 
time interval between

    a) when you connect your system to the Internet
and
    b) when your system gets compromised by something, to be as shown
       in the graph for the kind of system or app you are using.

I realize that the 770/N800 OS is only a subset of what is possible to 
incorporate into a Linux distro and I am sure that the software and 
security engineers at Nokia carefully considered the pros and cons of 
different OS components/extensions from a security perspective before 
deciding whether or not to include them in the Nokia OS200X 
distribution. Having said that, as this community continues its 
excellent work to add functionality to the base system, this question 
of OS/stack/app hardening and attack surface minimization becomes a 
more important issue to consider. And this does not even consider 
vulnerabilities introduced by latent software defects (e.g. not 
safely/properly dealing with malformed input), which as this community 
knows only too well, can lead to openings for attack.

It would be interesting to know what, if anything, the Nokia development 
team has in its OS software product plan regarding further OS/TCP/IP 
stack/Application hardening. As more end users come to depend upon this 
device to perform sensitive tasks (e.g. online banking) then this issue 
will move to the forefront of concern for those users.

-- 

Best Regards,

John Holmblad


 
