
Archive for October, 2013


2013 October Week 3 Weekly Report

October 23rd, 2013 by dws5

There are a total of 18 build failures, and of those 18 failures, two failed due to missing build dependencies.

1. libva needs pvr-bin-mdfld-devel.
2. libzypp-bindings needs swig.

16 of them fail because of an rpmbuild issue.

1. privacy-popup-tizen2.2-armv7l: privacy-popup.xml is missing during cmake.
2. python-doc-tizen2.2-armv7l: python-doc.spec has unknown tag “Enhances: python=2.7.1”.
3. osp-common-service-tizen2.2-armv7l: FMsg_MessagingMessageTypes.h, FMsg_Types.h, FSys_RuntimeInfo.h, FSys_DeviceManager.h, and FSys_PowerManager.h missing during build.
4. osp-security-service-tizen2.2-armv7l: /usr/include/chromium/base/tuple.h:886:3: error: cannot convert ‘Tizen::Io::_IpcBuffer*’ to ‘Tizen::Base::ByteBuffer*’ in argument passing
5. osp-messaging-tizen2.2-armv7l: /home/abuild/rpmbuild/BUILD/osp-messaging-1.2.2.0/src/inc/FMsg_MessagingMessageTypes.h:64:1: error: ‘MessagingMsgStart’ was not declared in this scope

The other osp libraries do not manifest their errors.

2013 October Week 2 Weekly Report

October 15th, 2013 by dws5

Daniel and Minhong are having the same rpm build problem. Reported the issue to the Tizen people.

 

=== the following packages failed to build due to missing build dependencies (2) ===
libva:
nothing provides pvr-bin-mdfld-devel
libzypp-bindings:
nothing provides swig == 1.3.40

=== the following packages failed to build due to rpmbuild issue (16) ===
privacy-popup-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/privacy-popup-0.0.1-0/log
osp-security-service-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-security-service-1.2.2.0-1/log
osp-app-controls-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-app-controls-1.2.2.0-2/log
osp-content-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-content-1.2.2.0-0/log
osp-appfw-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-appfw-1.2.2.1-1/log
osp-web-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-web-1.2.2.0-2/log
osp-media-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-media-1.2.2.0-1/log
osp-common-service-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-common-service-1.2.2.0-1/log
osp-face-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-face-1.2.2.0-2/log
osp-nfc-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-nfc-1.2.2.0-2/log
osp-messaging-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-messaging-1.2.2.0-2/log
osp-ime-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-ime-1.2.2.0-1/log
osp-uifw-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-uifw-1.2.2.1-62/log
python-doc-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/python-doc-2.7-12/log
osp-image-core-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-image-core-1.2.2.0-1/log
osp-social-tizen2.2-armv7l: /home/daniel/GBS-ROOT/local/repos/tizen2.2/armv7l/logs/fail/osp-social-1.2.2.0-1/log

 

COMP527 Final Project Research Proposal: Tizen Framework Security Analysis

October 7th, 2013 by dws5

COMP 527 Final Project Research Proposal

Daniel Song and Min Hong Yun

Introduction

The primary focus of the Tizen Framework Security Analysis is to find security vulnerabilities in the Tizen platform using static taint analysis. Excessive dependence on the Android platform raised awareness among Samsung management, which led to the creation of their own platform, ‘Tizen’. However, the LiMo-based Tizen smartphone OS has embraced Bada’s Open Services Platform without careful inspection of the overall merged architecture. Our goal is to find anything that violates the Tizen security policy using static taint analysis.

Background

Tizen provides API-level access control so that applications operate safely. Any application using sensitive APIs that may lead to a privacy leak must declare its ‘privilege level’ in the manifest file. There are four levels of privilege: Public, Partner, Platform, and one more that is not disclosed. (Even though Samsung developers told us that there are four levels of privileges, only three of them are revealed in the developer document.)

  

Tizen API Call Graph

APIs regarded as Public can be used by all Tizen application developers. APIs regarded as Partner can only be used by developers registered as partners on the Tizen store. APIs regarded as Platform are used in system APIs for managing the Tizen platform. There are a total of 128 privileged APIs that can be invoked by a native application. The privileged APIs are part of the OSP (Bada’s Open Services Platform) library, which eventually calls the C API. The C API then calls libc, which eventually results in a system call. The API call graph is directional, and a layer cannot directly call the API beneath the one it calls: the OSP library cannot directly call libc, and the C API cannot call the OSP library.

Bad API Call Examples
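
The layering rule described above can be checked mechanically once every function in a call graph is assigned to a layer. The following is an added example, not code from the proposal or from the authors' analysis tool; the function names, the edge list, and the choice to allow same-layer calls are assumptions made for illustration.

```python
from collections import namedtuple

# Layer order as described in the text: OSP -> C API -> libc -> system call.
LAYERS = ["osp", "capi", "libc", "syscall"]
RANK = {name: depth for depth, name in enumerate(LAYERS)}

Violation = namedtuple("Violation", "caller callee kind")

def check_edge(caller_layer, callee_layer):
    """Return None for an allowed call, otherwise the kind of violation."""
    delta = RANK[callee_layer] - RANK[caller_layer]
    if delta in (0, 1):
        # Directly beneath is allowed; same-layer calls are allowed by assumption.
        return None
    return "skips-layer" if delta > 1 else "calls-upward"

def find_violations(layer_of, edges):
    """Check every (caller, callee) edge of a call graph against the layering."""
    found = []
    for caller, callee in edges:
        src, dst = layer_of.get(caller), layer_of.get(callee)
        if src is None or dst is None:
            # A function with no known layer cannot be judged; report it
            # rather than silently treating the edge as legal.
            found.append(Violation(caller, callee, "unclassified"))
            continue
        kind = check_edge(src, dst)
        if kind:
            found.append(Violation(caller, callee, kind))
    return found

# Constructed sample data: hypothetical function names, not real Tizen symbols.
LAYER_OF = {
    "OspContacts.Read": "osp", "OspFile.Write": "osp",
    "capi_contacts_get": "capi", "capi_file_write": "capi",
    "open": "libc", "write": "libc",
    "sys_open": "syscall", "sys_write": "syscall",
}
EDGES = [
    ("OspContacts.Read", "capi_contacts_get"),  # OSP -> C API: allowed
    ("capi_contacts_get", "open"),              # C API -> libc: allowed
    ("open", "sys_open"),                       # libc -> system call: allowed
    ("OspFile.Write", "write"),                 # OSP calls libc directly
    ("capi_file_write", "OspFile.Write"),       # C API calls the OSP library
    ("capi_file_write", "helper_unknown"),      # callee has no assigned layer
]

if __name__ == "__main__":
    for v in find_violations(LAYER_OF, EDGES):
        print(f"{v.kind}: {v.caller} -> {v.callee}")
```
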

Goal

Tizen allows both web-based applications and native applications, which makes it challenging to propose one big policy that can be applied to both. For this project, we will focus on native applications. We will first migrate the Tizen source code from the gcc compiler to the LLVM compiler to obtain LLVM bitcode. Then our static taint analysis tool for LLVM bitcode, developed by Jisheng Zhao, will be used to draw the whole API graph. Finally, the whole API graph will be analyzed to find any violation of the Tizen security policy.

Reference

[1] https://developer.tizen.org/