7.1. Secure Agent

Intent

Minimize security risks by separating out security-critical code into a separate process from non-critical code.

AKA

Isolate Highly Trusted Code

7.1.1. Problem

7.1.1.1. Context

You are developing an application or service which includes functionality requiring high security privileges[] together with a similar or greater proportion of functionality which can run with lesser or no security privileges.

[] Using APIs which require capabilities granted by the device manufacturer or running in the kernel.

7.1.1.2. Summary
  • It is more difficult to find and fix security vulnerabilities in components which include both security-critical and other code ('economy of mechanism').

  • Developers of components which require high security privileges should minimize any liability they may be exposed to due to errors in design or implementation ('least privilege').

  • You wish to make it as easy as possible to create and distribute updates to your code.

  • When using any security privilege, but especially the device-manufacturer-approved capabilities, you are required to ensure that the privileges are not leaked and unauthorized software cannot use them.

7.1.1.3. Description

The most straightforward architecture for an application or service may be to structure it as a single Symbian OS process or device driver; however if some of its functions require device manufacturer capabilities such as TCB, AllFiles or DRM there are likely to be longer-term drawbacks in having the highly ...

Get Common Design Patterns for Symbian OS: The Foundations of Smartphone Software now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.