[maemo-developers] Security Guidance for N800 OS development

From: Dave Cridland dave at cridland.net
Date: Mon Feb 19 18:23:15 EET 2007

On Mon Feb 19 15:59:25 2007, Acadia Secure Networks wrote:
> Has Nokia published any documentation on the subject of how to 
> secure the N800 OS from attack from both a software developer 
> perspective as well as an end user perspective?

Not that I know of, but I'm not clear what the point would be.

> I mention this because, as more Internet aware/dependent 
> applications are developed for the N800 (it is an Internet tablet 
> after all) the "attack surface" for the product will increase. I 
> have asked previously about whether or not the N800 has a stateful 
> firewall but so far the answer seems to be no.

... because it would be pointless. Anyone opening passive sockets on 
such a device really needs so much more than mere firewalling. In 
general, I've found firewalling on Linux to be a waste of time if the 
idea is to protect the machine itself, even if you do have passive 
sockets open. In principle, the layer of software doing the stateful 
inspection is essentially the same software doing the processing - 
packets arriving which are in the wrong state get discarded *anyway*.

> And this does not even consider vulnerabilities introduced by 
> latent software defects (e.g. not safely/properly dealing with 
> malformed input), which as this community knows only too well, can 
> lead to openings for attack.

Well, where's the input coming from? This is typically only a 
security problem with multiuser systems or open network services. 
Malicious payloads (like, say, email, web pages) can cause issues, 
but in general they're much less of a serious issue, and they're 
certainly no different to any other platform.

> It would be interesting to know what, if anything, the Nokia 
> development team has in its OS software product plan regarding 
> further OS/TCP/IP stack/Application hardening. As more end users 
> come to depend upon this device to perform sensitive tasks (e.g. 
> online banking) then this issue will move to the forefront of 
> concern for those users.

I'm just really not clear that this is as much of a big deal as you 
seem to think, and I can't see anything specific to Maemo which needs 
addressing. If anything, the 770/N800 are a lot more secure than the 
average Linux box, let alone the average computer.

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
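
Added example, not part of the original message: the reply above treats passive (listening) sockets as the thing that matters, so this Python script lists the LISTEN entries in Linux's /proc/net/tcp and flags those bound beyond loopback. The sample table is constructed, and the decoding assumes IPv4 and a little-endian host.

```python
import socket
import struct

TCP_LISTEN = 0x0A  # "st" value of a passive (listening) socket in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (little-endian host); not from a real device.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A01A8C0:C350 010200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1
"""

def decode_addr(field):
    """Turn 'HHHHHHHH:PPPP' into (dotted_quad, port).

    Assumption: the table was produced on a little-endian host, so the
    address word is byte-swapped relative to dotted-quad order.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def passive_sockets(table):
    """Return [(ip, port, exposed)] for each LISTEN row; exposed = not loopback-only."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or int(cols[3], 16) != TCP_LISTEN:
            continue  # blank line or a socket that is not listening
        ip, port = decode_addr(cols[1])
        found.append((ip, port, not ip.startswith("127.")))
    return found

def read_table(path="/proc/net/tcp"):
    """Read the live table, falling back to the constructed sample off Linux."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return SAMPLE

if __name__ == "__main__":
    for ip, port, exposed in passive_sockets(read_table()):
        scope = "bound beyond loopback" if exposed else "loopback only"
        print(f"{ip}:{port}  {scope}")
```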
