xref: /src/doc/roadmaps/security

$NetBSD: security,v 1.1 2017/01/13 10:14:58 dholland Exp $

NetBSD Security Roadmap
=======================

This roadmap discusses security-related features.

The following elements, projects, and goals are considered strategic
priorities for the project:

 1. PaX aslr, mprotect, and segvguard are on by default now; this will
    be in 8.0.
 2. Transparent full-disk encryption (discussed in the storage roadmap)
 3. User-switching and secure attention key (see desktop roadmap)

The following elements, projects, and goals are not strategic
priorities but are still important undertakings worth doing:

 4. Security restriction framework for large/less trusted applications
 5. Interface for location, accelerometer, and similar sensitive services


Explanations
============


4. Security restriction framework for large/less trusted applications

Traditionally in Unix permissions go with the user logged in, and all
programs that are run execute with the credentials and permissions of
that user. (Except for setugid programs, which execute with additional
permissions.)

This makes sense for programs like cat(1) or grep(1) that work with
user data in the traditional shell environment. However, it is
unsatisfactory for large semi-trusted applications such as web
browsers, and entirely unsuitable for 3rd-party "apps" such as found
on phones, which routinely contain spyware.

We would like to have a permissions framework that works on a
per-application basis and allows imposing restrictions on what apps
may do, what data apps may read, and also supports policies like
"cannot talk on the network after reading user data".

Such a framework is entirely different from traditional Unix
permissions and requires careful thought and design. Prior art is
mostly not very good; e.g. Android's app permissions framework is both
not expressive enough to pose serious barriers to spyware, and too
complicated for typical users to cope with effectively. Meanwhile,
system-call-based restrictions like seccomp/seccomp-bpf in Linux are
messy and complicated and hard to use effectively. OpenBSD's "pledge"
has been widely criticized for a range of reasons. Most of these
models also do not provide for lying to apps that demand access you
don't want to give them.

dholland was working on this with some undergrads a while back and
there's a design that may be of some value, although the prototype
implementation was not a success.

 - As of January 2017 nobody is known to be working on this.
 - There is currently no clear timeframe or release target.
 - Contact dholland for further information.


5. Interface for location, accelerometer, and similar sensitive services

Currently in NetBSD we have no infrastructure for the "new" hardware
interfaces typically found in phones, like GPS location information,
accelerometer and orientation data, and so forth.

There is probably no need to invent new APIs for retrieving this data,
but we do need a sound underlying framework with security controls in
place, as many of these data sources provide information that is
either sensitive or can be used to derive sensitive information.

(Note also that it's been shown that location data can be derived from
monitoring battery level so that one's also sensitive.)

 - As of January 2017 nobody is known to be working on this.
 - There is currently no clear timeframe or release target.
 - Contact: ? (XXX)