This document specifies a policy framework for device APIs.

Introduction

The policy framework described in this document is intended to be applicable both to widgets and web applications (web site access to Device APIs).

This security model is based on a clear separation between the definition of the general framework and the creation of specific trust and access policies. This allows the configured policies of a web runtime to be adapted to the needs of different stakeholders at any time during the lifecycle of a product. This includes, but is not limited to, the embedding and configuration of web runtimes at manufacture as well as post-sales installation of web runtimes.

As a general high-level objective, it should be noted that the security framework is intended to protect the device and its user from web applications that pose a security risk from unintentional but undetected implementation flaws as well as those that are malicious.

The intention is that the framework, at the most general level, allows a very wide range of policies to be represented (although manageability and interoperability concerns require there to be a certain level of similarity and compatibility in policy structure). However, the framework must permit fine-grained security policies to be represented as well as policies based on broad groupings of APIs and assignment of web applications to a small number of trust domains. For example, a fine-grained access policy is necessary to grant or deny access to individual APIs for individual web applications.

This framework is based on a very general model that governs both trust domain access by subjects to resources based on a hierarchy of trust policies, access policies and policy sets, where each policy consists of a number of rules. A subject corresponds to an entity that may attempt security-relevant actions and represents a single identity. This identity can describe either a widget resource or a website. Resources are associated with the API features and device capabilities used to access device features or services (e.g. the location module or PIM database) that are being protected. Subjects and resources are characterised by a number of defined subject attributes and resource attributes, respectively. A range of attributes is defined so that access policies can be expressed based on a widget resource signer's identity, or an individual widget resource identity, or the widget resource signature’s root certificate, or a website's URL. Therefore, the generality of this framework derives from the range of attributes that are supported, as well as the flexible structure of policies and policy sets in the security model.

The XACML Policy Profile for Device APIs specifies a profile of XACML 2.0 [[XACML20]] for the framework described in this document [[DAP-XACML-POLICY-PROFILE]].

Core Concepts

Trust Domains

Content properties such as content origin and signatures can be used to map to trust domains. Trust policies may be used to specify these mappings. For example, a policy can specify the set of origin URLs corresponding to a trust domain, or map a certificate associated with a widget signature to a trust domain. Trust domains may be assigned when content is installed or at run time. In the first case, the installer determines a trust domain from the trust engine and saves this securely to the installed content registry. When content is run, the runtime can retrieve the saved trust domain from the registry. In the second case, the runtime gets the trust domain directly from the trust engine when the content is run. In both cases, the runtime must maintain a reference to the trust domain associated with the content in such a way that the trust domain can be specified when requesting an access control decision.

Trust domains can be based on origin, signatures or be "Untrusted", to list three common cases.

Access control is a two step process. First the trust domain is determined, and then based on that trust domain the appropriate access control policy is used to make a policy decision.

Features

A feature is a set of one or more capabilities that in combination forms a logical construct that may require access control. (or shall we define a feature in terms of high level methods).

feature

A feature is the unit of expression of dependencies by web applications. (This definition needs clarification).

Feature dependencies are expressed as an IRI. It is the responsibility of the author of the feature in question to define the feature and any associated API, and to advertise the corresponding IRI. It is also possible, using standard IRI techniques, to create a family of IRIs so that the feature definition is "parameterised". It is up to the author of the feature definition to specify the valid usage and meaning of the associated IRIs in this case. For widgets, features are identified in the configuration document by the feature element's name attribute [[!WIDGETS]].

An example of a feature IRI would be: TBD

Need to define: what constitutes a feature, how/where features IRIs are defined, feature IRI examples. See BONDI A&S document, pages 31 and 32.

Capabilities

device capability

A device capability is a device resource or device functionality that may require access control.

Examples of device capabilities are the ability to read a local file, or to discover nearby Bluetooth devices, or to send an SMS message. Device capabilities may be defined in a way that is independent of the specific Device APIs that an application uses to access them. Although there are simple Device APIs that provide access only to a single Device Capability, there are also more complex APIs that expose multiple Device Capabilities; examples might include a camera API that provides the ability to geotag a photo with the current location, or a messaging API that provides the ability to access documents stored locally and attach them to outgoing messages. Therefore, enabling or disabling access to a specific Device Capability may not directly correspond to enabling or disabling access to a single Device API interface.

The paragraph above repeats material in the requirements document.

Framework Architecture

Layered Model

A web application uses a mechanism specified in this document to gain access to (or bind to) a JavaScript API by stating one or more features exposed by the JavaScript API. This access is given on a basis of the trust domain that has been assigned to the web application. The implementation of the API, in turn, makes use of one or more device capabilities, defined in terms of facilities that might be provided by APIs at the device, platform or OS level, but without reference to any particular API. Where a JavaScript API is defined within the this model, each function definition specifies which feature it implements, and which device capabilities it uses.

The mechanisms provided in this specification to bind to APIs, and to control access (both to the features and the device capabilities exposed by them) are generic, and are not themselves dependent on any particular set of JavaScript APIs. This model envisages that these controls apply, irrespective of whether the APIs in use are defined by DAP or any independent entity.

Trust Domain Control Layer

The trust domain control layer controls the assignment of the appropiate trust domain to the web application via the relevant trust policy. In general, trust policies will select one trust domain or another depending on the subject attributes and environment attributes that identify the web application.

JavaScript API Access Control Layer

The JavaScript API access control layer controls access to JavaScript APIs exposed by the web runtime. Each feature is identified uniquely by IRI, and this security layer mediates access to features on the basis of that ID.

Device Capability Access Control Layer

The device capability access control layer controls access to the underlying capabilities of the device when used from JavaScript APIs. These device capabilities themselves are identified so that it is possible to write security policies that control access to specific capabilities independently of the JavaScript APIs used to access them.

For both JavaScript API and device capability access control layers, access permissions are guaranteed or restricted on a basis of via access control policies. In general, access control policies will select the effect of a particular access request depending on the resources attributes captured when the request happened.

Considerations

This explicit separation of features and their dependent device capabilities addresses a number of significant requirements, as follows.

  • Extensibility is an intrinsic part of the security model. It is expected that APIs will be defined and implemented independently, and the nature of those APIs will not necessarily be known to the author of a security policy. Therefore, if a security policy author wishes to deny access to a specific device capability, then there must be a way of doing this that is independent of the JavaScript API being used.

  • The web runtime must only grant access to features that are advertised as being dependencies of the web application. The access control system must ensure that only requested features are accessible to the web application. This requires that the access control system is able to control access based on the ID of a Feature.

  • There will not be a direct 1-1 correspondence between JavaScript APIs and device capabilities. Although there will be simple JavaScript APIs that provide access only to a single device capability, it must be expected that there are also more complex APIs that expose multiple device capabilities; examples might include a camera API that provides the ability to geotag a photo with the current location, or a messaging API that provides the ability to access documents stored locally and attach them to outgoing messages. Therefore, enabling or disabling access to a specific device capability will not directly correspond to enabling or disabling access to a single JavaScript API.

  • Implementations of JavaScript APIs need not be as highly trusted as the web runtime. Authors of access policies may require the ability to control access to specific JavaScript APIs, or families of APIs, based on the identity of the API (and not just the device capabilities it exposes), according to the trustworthiness of the author of the API.

  • It must be possible to represent both trust and access policies portably. This implies that all identifiers used in a security policy (both for features and for device capabilities) must be portably defined, and not (for example) based on any platform-specific API names. This requires that the identifiers for device capabilities are defined in a platform-independent way.

Logical Model

On the one hand, the trust domain control system explained in this document, from a logical perspective, represents the system by which a web application that attempts to access device capabilities using JavaScript APIs, is assigned a trust or security domain. This trust domain will then be used in subsequent access requests, simplifying the whole process. On the other hand, the access control system, implementing a specific access control policy, has the sole effect of making and enforcing an access control decision in relation to each attempted access. (In order to make that decision the access control system may request interactive confirmation from the user, but this is invisible to the requesting web application.)

Both the trust and access control systems consist of a number of logically distinct elements. This logical breakdown and associated terminology is adopted from XACML [[XACML20]] and illustrated below.

graphical representation of the data flow

The specified functional components are as follows:

OMA DM reference missing?

Should we include this?: In the present phase, DAP does not define any specific external interface requirements for the PAP, although this may be in scope for later phases. The security policy itself is not defined by DAP, although a default policy may be recommended by DAP at a future stage.

The functionality required in each of these components is specified in terms of the following entities:

subject

the web application that requires access to JavaScript APIs. Examples of subjects are websites and widgets.

An entity that may attempt security-relevant actions and corresponds to a single "identity". (In practice, some web applications might have multiple identities – for example is a widget resource is signed by multiple signers – but for the purposes of this model, each access control query is considered to involve a single subject and hence a single identity.)

The website identity type applies to all operations occurring in the execution of a remotely-hosted document, whether this is the top-level document of the website or is associated with some child browsing context (such as an iframe).

subject attribute

Every subject is associated with a set of attributes. Subject attributes allow the identification of the web application that is attempting access to device capabilities using device APIs. The identified web application is then assigned a trust domain according to the appropriate trust policy. Subject attributes include specific attributes that represent the identity of the web application attempting access to a resource. Valid identity attributes include the widget identifier URI for widgets and the URL for websites; other identifiers may be supported. Subject attributes also include the credentials used to verify the authenticity and integrity of the subject, e.g. a TLS or code signing digital certificate. Other credentials may be supported.

All subject attributes are determined for the applicable application execution phases: widget-install, widget-instantiate.

resource

the resources that subjects may request access to. The device features or services (e.g. the location module or PIM database) are the actual resources that are being protected, but from the point of view of the security framework these resources are associated with the API Features and device capabilities used to access them.

The widget identity type applies to all operations associated with a widget resource, or occurring in the execution of a document belonging to a widget resource.

Operations occurring in the execution of a remotely hosted document that has been loaded by a widget (for example in an iframe) use a website identity.

resource attribute

Every resource is associated with a set of attributes. Resource attributes include an identifier. Other attributes may be associated with a resource, and these can include specific parameters that are specified as part of the request when attempting access. Resource attributes serve as input of access control policies.

The device features or services (e.g. the location module or PIM database) are the actual resources that are being protected, but from the point of view of the security framework these resources are associated with the API features and device capabilities used to access them.

environment attribute

The collection of device status and context attributes that may be relevant to the circumstances of a resource access attempt, but are not directly associated with either the subject or resource. For example, environment attributes can include terminal charging, network connection status, whether roaming. Environment attributes serve as input of access control policies.

Attributes of the environment capture contextual information relating to the device or other circumstances of the access attempt.

Application Execution Phases

The execution phase of a web application reflects the state of that application at the time an associated trust domain or access control query is made. The defined execution phases are listed below.

Execution Phases Table
Execution Phase Description
widget-install Applies to trust domain or access control queries made by a widget user agent during the processing of a widget resource as part of an installation or update operation.
widget-instantiate Applies to trust domain or access control queries made by a widget user agent during the instantiation of a widget.
website-bind Applies to access control queries made in response to a call to requestFeature() in the course of execution of a website
invoke Applies to access control queries made in response to invocation of a JavaScript API in the course of execution of a web application

Need to define "requestFeature()" ?

In BONDI, the requestFeature() API is itself a Feature. Websites have access to this API automatically and this is the sole means of expression of Feature dependencies by Websites.

Policy

Policy Structure

Both trust domain and access control policies share the same underlying structure. The policy in effect in any given context is logically expressed as a collection of specific access control rules. The rules are organised into groups, termed policies, and these in turn are organised into groups termed policy sets. This structuring serves a number of purposes:

rule

Simplistically, each rule is specified by defining a condition, which is a set of statements which must be satisfied in order for that particular rule to apply, and an effect which represents the rule's outcome – ie the trust domain for trust domain requests and whether that rule indicates that the access request should be permitted or not for access requests.

graphical representation of the XACML policy language model

Processing Rules

The following steps illustrate the logical processing required when trust and access control policies are used to determine the outcome of a particular access attempt:

Trust Processing Rules

  • The identity of the calling web application, subject, is known and is used to determine the subject attributes for that web application;

  • these subject attributes are embodied in the trust domain query which is evaluated in the context of the top-level trust policy set associated with the configured trust policy;

  • based on the subject attribute values presented in the trust domain query, the conditions associated with each rule and target can be evaluated, and the applicable rules, policies and trust policy sets can be determined;

  • as a result of the evaluation of the trust policy the effect of each applicable rule is determined;

  • based on the evaluated effect of each applicable rule, the relevant combining rules are used to determine the policies, policy sets and rules with precedence, which in turn determines the overall effect of evaluating the access control query. This effect is represented by the trust domain name that will be associated to the web application in successive device API and capability access requests.

We need to agree on what the output of a trust policy is: a string (=name of the trust domain?), how will this string be stored/managed?

From a logical perspective, a trust domain query can be evaluated when the necessary attribute values become available. For widgets, a trust domain query will be evaluated at installation time, when the subject attributes can be already determined.

Feature and Capability Processing Rules

  • When the application in question attempts an action (attempts to invoke a JavaScript API, say). This identifies the resource and all associated resource attributes.

  • the environment attributes are also captured;

  • the set of resource and environment attribute values captured is embodied in an access query which is evaluated in the context of the top-level access control policy set associated with the configured access control policy;

  • the access query also contains the name of the trust domain that has been assigned by the trust policy;

  • based on the trust domain name, resource and environment attribute values presented in the query, the conditions associated with each rule and target can be evaluated, and the applicable rules, access control policies and access control policy sets can be determined;

  • the effect of each applicable rule is determined;

  • based on the evaluated effect of each applicable rule, the relevant combining rules are used to determine the policies, policy sets and rules with precedence, which in turn determines the overall effect of evaluating the access control query;

  • if the effect requires the user to be prompted, this is done, and the results of the user’s decision are recorded where appropriate.

From a logical perspective, an access control query can be evaluated at any time between the point that the necessary attribute values become available and when the attempted operation is performed. In the case of a JavaScript API call for which arguments supplied to the call are designated resource attributes, the relevant attributes are only known once the API call has been made by the calling web application. However, in other cases the information may be known earlier. For example, if all feature requirements are stated in a widget configuration document, and none of the API access operations have conditions depending on API call parameters, then all access control queries may be evaluated fully at widget resource installation time.

Conformance

TBD

Acknowledgements

The editors would like to extend special thanks to Nokia, OMTP BONDI, and PhoneGap for their contributions.