S3 review of MExE release 99
- Slides: 17

S3 review of MExE release 99 security
Tim Wright, Vodafone UK
3GPP SA3, ETSI SMG10
timothy.wright@vf.vodafone.co.uk
17/11/99 S3 and MExE

Contents
• MExE refresher course
• Specification history and S3/SMG10 involvement
• Break for clarification
• Issues raised by Colin Blanchard and self
• Questions and discussions

MExE refresher course
• Mobile Execution Environment
• A spec to create a standardised execution environment on mobile terminals, similar to PDAs such as Palm, Psion
• Classmark 1 is WAP
• Classmark 2 is Java, specifically the PersonalJava virtual machine

Execution domains
• Operator, manufacturer and third party execution domains
• Applications can only execute in a domain if authorised for that domain
• Broadly similar capabilities for each domain
• Untrusted domain

Domain authorisation
• Apps that can run in a domain must have a digital signature that can be verified by the terminal using valid certificates
• Certificates are verified with root public keys for each domain
• Operator and third party root keys can be on the SIM
• Untrusted apps are unsigned

Third party Administrator
• Third party roots may be installed by manufacturer and user (and operator)
• Operator may have no control over signing policy of a third party root controller
• Therefore, Operator may (but is not obliged to) elect to be Administrator and can then control which Third Party roots are valid (but cannot delete or revoke)
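
The domain authorisation and third party Administrator rules on the two slides above, sketched as an added example (not part of the original slides and not taken from the MExE specification). The certificate layout, the "rejected" outcome for a signature that fails to verify, and the tiny textbook-RSA keys are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def keypair(p, q):
    """Textbook RSA from two primes: constructed toy keys, far too small for real use."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return pow(sig, E, n) == digest(data, n)

def issue_cert(root, dev_n):
    """Hypothetical certificate: a developer's public modulus signed by a domain root."""
    return {"dev_n": dev_n, "sig": sign(root, str(dev_n).encode())}

def execution_domain(app, roots, enabled_third_party):
    """roots maps root_id -> (domain, root modulus). Returns the domain for the app."""
    if app.get("sig") is None:
        return "untrusted"                      # unsigned apps are untrusted
    cert = app["cert"]
    for root_id, (domain, n) in roots.items():
        if domain == "third_party" and root_id not in enabled_third_party:
            continue                            # root not marked valid by the Administrator
        if (verify(n, str(cert["dev_n"]).encode(), cert["sig"])
                and verify(cert["dev_n"], app["code"], app["sig"])):
            return domain
    return "rejected"                           # assumption: a bad signature never runs

def mersenne(k):
    return 2 ** k - 1                           # prime for k = 31, 61, 89, 107

# Constructed sample terminal: one operator root, one third party root, one developer.
OP_ROOT, TP_ROOT = keypair(mersenne(31), mersenne(61)), keypair(mersenne(61), mersenne(89))
DEV = keypair(mersenne(89), mersenne(107))
ROOTS = {"op": ("operator", OP_ROOT["n"]), "tp1": ("third_party", TP_ROOT["n"])}
CODE = b"constructed sample application"
APP = {"code": CODE, "sig": sign(DEV, CODE), "cert": issue_cert(TP_ROOT, DEV["n"])}

if __name__ == "__main__":
    print(execution_domain(APP, ROOTS, {"tp1"}))   # Administrator has enabled tp1
    print(execution_domain(APP, ROOTS, set()))     # Administrator has not enabled tp1
    print(execution_domain({"code": CODE, "sig": None}, ROOTS, {"tp1"}))
```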

User permission
• Apps cannot be installed without user permission
• Apps cannot carry out functions without user permission
• Three types of user permission
  – Single action
  – Session
  – Blanket

Specification history
• MExE begun within ETSI in January 1998
• Stage 1 approved in February (March?) 1998
• Release 98 stage 1 and 2 approved in July 1999
• Release 99 to be approved in December 1999

S3/SMG10 involvement
• Some review of specs since February
• Little real interaction until December 1998
• Productive MExE/SMG10 meeting in February 1999
• S3 took responsibility for MExE security in August 1999

Goal of this session
• MExE (and) WAP are powerful developments with enormous potential to change the way phones are used
• Security is a key issue
• MExE has worked hard on security and deserve credit
• Time, and last chance, for S3 to take corporate responsibility

Clarifications

Issues raised by CB
• Application could be downloaded that would:
  – Eavesdrop on user
  – Perform internal denial of service
  – Make bogus calls and so complicate law enforcement

Issues raised by CB
• User would have to give permission for installation
• Process of giving permission by user must be clear - can this be ensured?
• Above apps would have to be trusted
• Issue of whether third parties can be trusted

VF issues - Security table
• Security table is currently very complex
• Lists actions that can be performed by each domain and that are forbidden for each domain
• Status of actions not listed uncertain
• Suggest - security table lists forbidden actions only
• Would be clearer and more likely to be implemented

VF issues - external port access
• Difficult to manage permissions if don’t know what is attached to the port
• For example, location info in phone is forbidden to an app
• But it can be accessed via port if GPS attached to phone
• Have to rely on user/
• Warnings should be given

VF issues - untrusted applications
• Can access screen and keyboard without user permission
• Apps are long lived - Trojan horses
• App could listen to keyboard and pick up PINs
• Could interfere with UI and get user to perform actions they did not want

VF issues - untrusted applications
• But untrusted apps could be a popular market sector
• What can be done?
• Rules for precedence in screen access
• Session user permission?
• ?