7 Nokia Corporation - initial contribution. |
7 Nokia Corporation - initial contribution. |
8 Contributors: |
8 Contributors: |
9 --> |
9 --> |
10 <!DOCTYPE concept |
10 <!DOCTYPE concept |
11 PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd"> |
11 PUBLIC "-//OASIS//DTD DITA Concept//EN" "concept.dtd"> |
12 <concept id="GUID-3B6E25F7-C1A8-461F-97F7-421DB559BC98" xml:lang="en"><title>Process |
12 <concept id="GUID-3B6E25F7-C1A8-461F-97F7-421DB559BC98" xml:lang="en"><title>Process identification</title><prolog><metadata><keywords/></metadata></prolog><conbody> |
13 identification</title><prolog><metadata><keywords/></metadata></prolog><conbody> |
|
14 <p>Sometimes it is useful for security reasons to obtain more information |
13 <p>Sometimes it is useful for security reasons to obtain more information |
15 about server or application processes, and identify an application and even |
14 about server or application processes, and identify an application |
16 its vendor uniquely.</p> |
15 and even its vendor uniquely.</p> |
17 <ul> |
16 <ul> |
18 <li><p>To verify an application's identity, use <codeph><xref href="jar:GUID-35228542-8C95-4849-A73F-2B4F082F0C44.jar!/sdk/doc_source/reference/reference-cpp/Application_Architecture/RApaLsSessionClass.html" format="application/java-archive">RApaLsSession</xref></codeph> to retrieve the application's name and <i>Unique Identifier</i> UID, |
17 <li><p>To verify an application's identity, use <codeph><xref href="jar:GUID-35228542-8C95-4849-A73F-2B4F082F0C44.jar!/sdk/doc_source/reference/reference-cpp/Application_Architecture/RApaLsSessionClass.html" format="application/java-archive">RApaLsSession</xref></codeph> to retrieve the application's |
19 and compare them against known information.</p><p>For more information, |
18 name and <i>Unique Identifier</i> UID, and compare them against known |
20 see <xref href="GUID-EA05F9B6-52C7-4BD9-8B9A-4BA3456E70B5.dita">UID</xref>.</p> |
19 information.</p><p>For more information, see <xref href="GUID-EA05F9B6-52C7-4BD9-8B9A-4BA3456E70B5.dita">UID</xref>.</p> |
21 </li> |
20 </li> |
22 <li><p>Use the <codeph><xref href="jar:GUID-35228542-8C95-4849-A73F-2B4F082F0C44.jar!/sdk/doc_source/reference/reference-cpp/Application_Architecture/TApaTaskListClass.html" format="application/java-archive">TApaTaskList</xref></codeph> class |
21 <li><p>Use the <codeph><xref href="jar:GUID-35228542-8C95-4849-A73F-2B4F082F0C44.jar!/sdk/doc_source/reference/reference-cpp/Application_Architecture/TApaTaskListClass.html" format="application/java-archive">TApaTaskList</xref></codeph> class to get a list of currently |
23 to get a list of currently running applications.</p><p>In the platform |
22 running applications.</p><p>In the platform security architecture |
24 security architecture there are two different identifiers for applications: |
23 there are two different identifiers for applications: Secure Identifier |
25 Secure Identifier (SID) and Vendor Identifier (VID).</p></li> |
24 (SID) and Vendor Identifier (VID).</p></li> |
26 </ul> |
25 </ul> |
27 <p><b id="GUID-EEC50FC0-46D5-4ED7-AD95-67430D5EC652">Secure Identifier |
26 <p><b id="GUID-EEC50FC0-46D5-4ED7-AD95-67430D5EC652">Secure Identifier |
28 (SID)</b></p> |
27 (SID)</b></p> |
29 <p>Every executable has its own <i>Secure Identifier</i> (SID), which is |
28 <p>Every executable has its own <i>Secure Identifier</i> (SID), |
30 used to identify the running process launched from the executable. It can |
29 which is used to identify the running process launched from the executable. |
31 also be used to determine which private directory a process can access. SID |
30 It can also be used to determine which private directory a process |
32 is stored in the executable binary, so it has the same security as any executable |
31 can access. SID is stored in the executable binary, so it has the |
33 code. The SID value is not relevant for <codeph>dll</codeph>.</p> |
32 same security as any executable code. The SID value is not relevant |
34 <p>SID values are requested from the <xref href="http://www.symbiansigned.com" scope="external">Symbian |
33 for <codeph>dll</codeph>.</p> |
35 Signed</xref> web site. The <xref href="GUID-1293DE8C-E803-4ADF-9FA8-862519337331.dita">Software |
34 <p>SID values are requested from the <xref href="http://www.symbiansigned.com" scope="external">Symbian Signed</xref> web site. |
36 Installer</xref> ensures that no two applications have the same SID value |
35 The <xref href="GUID-1293DE8C-E803-4ADF-9FA8-862519337331.dita">Software |
37 on a particular target device.</p> |
36 Installer</xref> ensures that no two applications have the same SID |
38 <p>To retrieve the SID of a process, use the <codeph><xref href="jar:GUID-35228542-8C95-4849-A73F-2B4F082F0C44.jar!/sdk/doc_source/reference/reference-cpp/Kernel_Architecture_2/RProcessClass.html#%3a%3aRProcess%3a%3aSecureId%28%29const" format="application/java-archive">RProcess::SecureId()</xref></codeph> method . During inter process communication, use the <codeph><xref href="jar:GUID-35228542-8C95-4849-A73F-2B4F082F0C44.jar!/sdk/doc_source/reference/reference-cpp/Kernel_Architecture_2/TSecurityPolicyClass.html" format="application/java-archive">TSecurityPolicy</xref></codeph> class to specify a security policy consisting of both <xref href="GUID-6971B0A2-F79B-4E05-8AF3-BB1FC1932A22.dita">capability</xref> and |
37 value on a particular target device.</p> |
39 SID checks.</p> |
38 <p>To retrieve the SID of a process, use the <codeph><xref href="jar:GUID-35228542-8C95-4849-A73F-2B4F082F0C44.jar!/sdk/doc_source/reference/reference-cpp/Kernel_Architecture_2/RProcessClass.html#%3a%3aRProcess%3a%3aSecureId%28%29const" format="application/java-archive">RProcess::SecureId()</xref></codeph> method . During inter |
40 <p>For information on how to define the SID in the <codeph>mmp</codeph> file, |
39 process communication, use the <codeph><xref href="jar:GUID-35228542-8C95-4849-A73F-2B4F082F0C44.jar!/sdk/doc_source/reference/reference-cpp/Kernel_Architecture_2/TSecurityPolicyClass.html" format="application/java-archive">TSecurityPolicy</xref></codeph> class to specify a security |
41 see <codeph><xref href="GUID-A98F7AA2-A908-527E-9AEC-54DDD10A49C1.dita">secureid</xref></codeph>. |
40 policy consisting of both <xref href="GUID-6971B0A2-F79B-4E05-8AF3-BB1FC1932A22.dita">capability</xref> and SID checks.</p> |
42 If SID is not specified in the <codeph>mmp</codeph> file, the value of UID3 |
41 <p>For information on how to define the SID in the <codeph>mmp</codeph> file, see <codeph>secureid</codeph>. If SID is not specified in |
43 is used as the SID.</p> |
42 the <codeph>mmp</codeph> file, the value of UID3 is used as the SID.</p> |
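Review bot: the two sides of the "see secureid" sentence differ in markup, not only in line wrapping. The side numbered 40-43 wraps secureid in an xref to GUID-A98F7AA2-A908-527E-9AEC-54DDD10A49C1.dita, while the side numbered 41-42 leaves it as a bare codeph, so the reader is told to "see secureid" with no link to follow. If the link was dropped on purpose, state the reason in the change description; otherwise restore the xref so the mmp keyword reference stays reachable from the SID text. Separately, the stray space before the full stop in "method ." after RProcess::SecureId() is carried over unchanged on line 38 of both sides and could be fixed in the same pass.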
44 <p><b id="GUID-EEC50FC0-46D5-4ED7-AD95-67430D5EC654">Vendor Identifier |
43 <p><b id="GUID-EEC50FC0-46D5-4ED7-AD95-67430D5EC654">Vendor Identifier |
45 (VID)</b></p> |
44 (VID)</b></p> |
46 <p>In addition to SID, signed applications have a <i>Vendor Identifier</i> (VID) |
45 <p>In addition to SID, signed applications have a <i>Vendor Identifier</i> (VID) which can be used to identify the source of the application. |
47 which can be used to identify the source of the application. Applications |
46 Applications from one vendor usually share a common VID, but the vendor |
48 from one vendor usually share a common VID, but the vendor may have different |
47 may have different VIDs for different product families. VIDs can also |
49 VIDs for different product families. VIDs can also be used to group servers |
48 be used to group servers and clients into logical groups providing |
50 and clients into logical groups providing services to each other.</p> |
49 services to each other.</p> |
51 <p>Note that the VID cannot be reused for any other entity. For example, |
50 <p>Note that the VID cannot be reused for any other entity. For |
52 the Nokia VID (<codeph>0x101FB657</codeph>) is property of Nokia.</p> |
51 example, the Nokia VID (<codeph>0x101FB657</codeph>) is property of |
53 <p>For information on how to define the VID in the <codeph>mmp</codeph> file, |
52 Nokia.</p> |
54 see <codeph><xref href="GUID-535793F2-08F1-5B4E-AD32-783985C53124.dita">vendorid</xref></codeph>.</p> |
53 <p>For information on how to define the VID in the <codeph>mmp</codeph> file, see <codeph>vendorid</codeph>.</p> |
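Review bot: the "see vendorid" sentence loses its cross-reference between the two sides. The side numbered 53-54 wraps vendorid in an xref to GUID-535793F2-08F1-5B4E-AD32-783985C53124.dita, and the side numbered 53 keeps only the bare codeph. This is the same pattern as the secureid sentence earlier in the topic, so the two should be handled together: either restore both xrefs or record why both targets were removed. As it stands, the paragraph points readers to a definition of the mmp vendorid statement that they cannot navigate to.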
55 <section id="GUID-09668673-7926-453D-BD33-9894F5631C90"><title>Secure inter |
54 <section id="GUID-09668673-7926-453D-BD33-9894F5631C90"><title>Secure |
56 process communication</title> |
55 inter process communication</title> |
57 <p>Authentication can be done in different ways. The server can decide |
56 <p>Authentication can be done in different ways. The server can |
58 to request (or not to request) capabilities from the client. The client's |
57 decide to request (or not to request) capabilities from the client. |
59 options are more limited, the server is usually authenticated by name. The <codeph>ProtServ</codeph> <xref href="GUID-6971B0A2-F79B-4E05-8AF3-BB1FC1932A22.dita">capability</xref> allows |
58 The client's options are more limited, the server is usually authenticated |
60 the server to insert an "!" in front of its name, indicating that the server |
59 by name. The <codeph>ProtServ</codeph> <xref href="GUID-6971B0A2-F79B-4E05-8AF3-BB1FC1932A22.dita">capability</xref> allows the server to insert an "!" in front of its name, indicating |
61 can be trusted. Nameless servers are also possible, but no client can connect |
60 that the server can be trusted. Nameless servers are also possible, |
62 to them without a handle to the server. The server can also authenticate the |
61 but no client can connect to them without a handle to the server. |
63 client with SID and VID.</p> |
62 The server can also authenticate the client with SID and VID.</p> |
64 <p>Every server should define the following security policies:</p> |
63 <p>Every server should define the following security policies:</p> |
65 <ul> |
64 <ul> |
66 <li><p>Which capabilities are required by the calling application</p> |
65 <li><p>Which capabilities are required by the calling application</p> |
67 </li> |
66 </li> |
68 <li><p>Which SID and VID are required by the calling application</p> |
67 <li><p>Which SID and VID are required by the calling application</p> |
69 </li> |
68 </li> |
70 <li><p>What actions are possible or must be done with the information |
69 <li><p>What actions are possible or must be done with the |
71 provided:</p> |
70 information provided:</p> |
72 <ul> |
71 <ul> |
73 <li><p>Can input data be trusted?</p></li> |
72 <li><p>Can input data be trusted?</p></li> |
74 <li><p>Is user acceptance needed for this operation?</p></li> |
73 <li><p>Is user acceptance needed for this operation?</p> |
|
74 </li> |
75 <li><p>Can this server act as a proxy towards other components?</p> |
75 <li><p>Can this server act as a proxy towards other components?</p> |
76 </li> |
76 </li> |
77 </ul> |
77 </ul> |
78 </li> |
78 </li> |
79 </ul> |
79 </ul> |