Introduction

Mobile devices and their related technologies have developed significantly and changed a lot during the last decade. Over time the computing capabilities of these devices have increased rapidly and are now comparable to those of the personal computers that existed in the market five to eight years ago. The usability of these devices has also improved a great deal along with their computing power, and there has been a considerable change in the way mobile devices are deployed and the way people use them.
As a result, mobile devices have evolved from devices dedicated only to communication into general-purpose computing platforms. Their use is no longer limited to making calls and sending text messages; they are used to consume a wide range of services, e.g. browsing the web over GPRS or Wi-Fi, running software that can carry out business transactions, sending emails, and creating spreadsheets, presentations and word documents. These devices also host a variety of multimedia capabilities such as camera and imaging, music and jukebox, movie and video playback, and gaming. Mobile phones are therefore now sophisticated smartphones that provide services beyond basic telephony, such as supporting third-party applications. Some of these third-party applications may well be security-critical, such as mobile banking, online business, e-governance and other commercial applications; others may be untrusted, such as games that have been downloaded from the internet.
As the nature of the usage of these devices has changed, so have their security requirements. The security threats encountered on mobile devices are very different from those found in the PC world. The major threat comes from applications that are downloaded and executed on the mobile device. A malicious application can be downloaded by the user onto the device via GPRS or Wi-Fi, or may be received via Bluetooth from other mobile devices. Such applications might damage the user's personal data on the device, for example by deleting the address book and the messages in the inbox. They can also delete or overwrite sensitive operating system files, or send SMS messages or make voice calls to premium numbers without the consent of the user, incurring a huge economic cost to the user.
More and more applications are being developed by third-party developers for these powerful mobile devices and are easily available for download from the internet. However, the introduction of third-party applications on the mobile phone gives rise to some very critical security concerns, as these phones host a variety of trusted code and sensitive information that needs to be protected from third-party applications and untrusted code. There is no shortage of sensitive applications, such as banking applications for mobile phones, which are valuable targets for cyber criminals who discover and exploit any vulnerability that might exist on the platform. Cyber criminals have exploited many vulnerabilities of the Symbian platform to launch various kinds of worm attacks on devices that run the Symbian operating system. As Linux and Windows based smartphones grow in numbers, it is evident that they are an obvious target for malware. As a result of these developments, research in the field of mobile platform security has gained momentum as researchers try to counter the threats faced by the trusted applications running on these versatile devices and to alleviate the concerns of their users.
In order to counter the threats faced by mobile devices, various access control mechanisms are deployed to protect the services running on the device as well as the user's data stored on it. Discretionary access control is the predominant form of security mechanism on an overwhelming majority of mobile phones. While this type of access control mechanism is simple, past experience has shown that it is insufficient to meet the security needs of open platforms such as Linux and Windows based operating systems for mobile phones. As more and more vulnerabilities have been discovered in mobile phones, researchers in the field of mobile phone security have taken rigorous initiatives to counter these threats. As a result, research in this field is gathering momentum to keep up with the challenges arising from rapid advancements in mobile phone technology, including both software and hardware.
Recent research work has focused on leveraging the features of mandatory access control, which provides the foundation needed to build a secure environment where trusted and untrusted code co-exist on the platform in such a manner that the trusted code and sensitive data are protected from untrusted applications and unauthorized access.
The report is organized as follows. The introduction section gives a general overview of the existing access control models, including mandatory access control. The second section outlines the various implementations of mandatory access control mechanisms on PC and mobile platforms. The third section provides detailed information about SELinux, while the last section provides technical details about the process of porting SELinux to the Linux-based Openmoko mobile phone.

Access Control Systems

An access control system [1][2] determines the privileges that a user or a program has on the system and consequently determines the operations that they can perform. Access control systems regulate access to the resources of a system in order to ensure that the users of a computing platform and the processes running on it access these resources in a controlled and authorized manner. The access control system limits the actions of users and programs based on the permissions that have been assigned to them, in order to protect the system and its resources from being compromised and to counter threats originating from malicious users as well as malware applications.
An access control system encompasses two key concepts: an access control policy and an access control mechanism. An access control policy provides high-level guidelines about what type of access is allowed and how the access control decision is going to be made by the reference monitor. An access control mechanism consists of the combination of hardware and software components of the system that are used to implement the access control policy.
An important concept associated with access control mechanisms is that of a reference monitor [3]. The reference monitor intercepts and regulates the requests of users and applications to access various objects or resources in the system. It mediates each access request and decides whether to allow or deny access based on the security policy of the platform, which determines whether the user or the application is authorized to perform the requested action on the specified object.
Although access control mechanisms are vital for preserving the security of the computing platform, to be effective and to prevent the security of the system from being compromised they have to work in tandem with other security services of the platform such as authentication, auditing and administration. While the access control mechanism controls the actions that a user is allowed to perform, the authentication mechanism is responsible for identifying the user, usually with the help of a username and a password. The access control mechanism therefore assumes that the user has been successfully authenticated prior to enforcement of the access control by the reference monitor.
All user actions, whether allowed or denied by the reference monitor, are also examined by the auditing services of the platform, which log the relevant activity of the various users and applications running on the system.
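The following added example (not part of the original report) sketches the reference monitor described above in Python: the policies are pluggable functions, the monitor is the mechanism that mediates and audits every request, and the run shows why owner-based discretionary checks alone do not stop a downloaded application from deleting the address book. All names, labels and the rule table are constructed for illustration, and the domain/type rule format is an assumption about how a mandatory policy could be expressed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    name: str    # application making the request
    uid: str     # user it runs as (assumed already authenticated)
    domain: str  # label assigned by the platform, not by the user

@dataclass(frozen=True)
class Resource:
    name: str
    owner: str
    owner_perms: frozenset
    obj_type: str

def dac_policy(subj, obj, action):
    """Discretionary: any code running as the owner inherits the owner's rights."""
    return subj.uid == obj.owner and action in obj.owner_perms

# Constructed mandatory rules: (domain, object type) -> actions. Default is deny.
MAC_RULES = {
    ("contacts_app_t", "contacts_data_t"): {"read", "write", "delete"},
    ("game_t", "game_data_t"): {"read", "write"},
}

def mac_policy(subj, obj, action):
    return action in MAC_RULES.get((subj.domain, obj.obj_type), set())

class ReferenceMonitor:
    """Mechanism: mediates each request against all policies and audits the result."""
    def __init__(self, *policies):
        self.policies = policies
        self.audit_log = []

    def request(self, subj, obj, action):
        allowed = all(policy(subj, obj, action) for policy in self.policies)
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append((subj.name, action, obj.name, verdict))
        return allowed

def demo():
    book = Resource("address_book.db", "alice",
                    frozenset({"read", "write", "delete"}), "contacts_data_t")
    game = Subject("downloaded_game", "alice", "game_t")
    contacts = Subject("contacts", "alice", "contacts_app_t")
    dac_only = ReferenceMonitor(dac_policy)
    dac_mac = ReferenceMonitor(dac_policy, mac_policy)
    return {
        "dac_game_delete": dac_only.request(game, book, "delete"),
        "mac_game_delete": dac_mac.request(game, book, "delete"),
        "mac_contacts_delete": dac_mac.request(contacts, book, "delete"),
        "audit": dac_mac.audit_log,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both applications run as the same user, so the discretionary check cannot tell them apart; only the platform-assigned domain label separates the trusted contacts application from the downloaded game.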
Three types of access control policies are most commonly used in computing systems around the world:
Discretionary access control
Mandatory access control
Role based access control

Effective access control systems in today’s computing environments use a combination of these security policies. The following subsections provide a brief introduction to the aforementioned security policies.

References

  1. Access control: The neglected frontier. Sandhu, R. s.l. : Springer, 1996, Lecture Notes in Computer Science, pp. 219–227.
  2. Access control: Policies, models, and mechanisms. Samarati, P. and De Capitani di Vimercati, S. s.l. : Springer, 2001, Lecture Notes in Computer Science, pp. 137–196.
  3. Computer Security Technology Planning Study. Anderson, J.P. and others. s.l. : James P. Anderson and Co., Fort Washington, PA, 1972.
