


Privileges and digital signing

In Brew MP, applications require privileges to access services and data through APIs. Digital signing is the mechanism that protects privileges: it guarantees that they cannot be undetectably changed after the application and its resource file (the .mif, which contains the privileges) have been signed. In other words, privileges are granted when the signature is issued. Before granting the requested privileges, the signing authority typically considers what privileges the code requires given its intended function, applying the principle of least privilege.

The principle of least privilege

Least privilege is a fundamental security principle specifying that entities (in this case the code intended to run on a device) are given only enough privilege or ability to accomplish their intended and advertised task or purpose, and no more. Applying this principle limits the potential damage to the consumer, the device, or the network if the application is malicious or is exploited by an attacker. Brew MP allows the principle to be applied by providing a fine-grained mechanism for granting privileges.

For example, a developer might submit a simple game application (e.g. bowling) and request privileges for address book or network access. The signing authority should, according to the principle of least privilege, reject such a submission, requiring that the developer either justify and demonstrate the need for such privileges or resubmit the application without the unnecessary privileges.

Constraining a certificate authority's privileges

In Brew MP, a device manufacturer can decide to constrain the privileges that a root certificate may confer by configuring the root certificate to only grant certain privileges. These constraints are managed in the root configuration.

Constraining a signing authority's privileges

A certificate authority can constrain the privileges a signing authority may confer. These constraints are included in the signing certificate that the certificate authority issues to the signing authority.

What privileges does the code receive?

For an application to be granted a privilege by Brew MP, the privilege must be:

  • Included in the MIF that has been digitally signed
  • Included in the signing certificate that is issued to the signing authority by the certificate authority
  • Authorized in the corresponding root certificate configuration by the device manufacturer

For both a root certificate configuration and a signing certificate, if no list or range of privileges is specified, the root or signing certificate is assumed to be capable of granting any privilege. This default is permissive: an unconstrained root configuration or signing certificate places no ceiling on what the certificates beneath it may confer, so a manufacturer or certificate authority that wants a limit must list the permitted privileges explicitly.

Privileges for extensions

Brew MP supports extensions: dynamic code that is not an application or a service and only executes when it is called by an application. The application's .mif specifies which code is an extension. When the extension is called and executes, it is granted only the privileges of the code from which it was called; it cannot carry privileges of its own beyond those of its caller.
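The following is an added example written for this page, not Brew MP's own loader or signing code, and it serves both the three-way grant rule above ("What privileges does the code receive?") and the extension rule in this section. It models the chain in Go: a signing authority signs the application code together with its MIF privilege list (so editing either after signing is detected), the signing certificate and root configuration each carry an optional privilege constraint where an absent list means "any privilege", and a privilege is granted only if all three agree. The privilege names, the byte layout used for the signed message, the use of Ed25519, and the `Grant`, `Demo` and `ExtensionPrivileges` helpers are all assumptions made for illustration; the real .mif encoding and certificate formats are not reproduced, and the page does not say whether a real device refuses to load a module whose MIF asks for more than the chain can confer, so this example simply grants the intersection.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
)

// Privilege is a named privilege. The names used below (network, addressbook,
// filesystem) are constructed for this example, not Brew MP identifiers.
type Privilege string

// PrivSet is a set of privileges. A nil PrivSet models "no list or range
// specified" in a root configuration or signing certificate, which the text
// says is treated as being able to grant any privilege.
type PrivSet map[Privilege]bool

// NewPrivSet builds an explicit (constrained) privilege set.
func NewPrivSet(ps ...Privilege) PrivSet {
	s := PrivSet{}
	for _, p := range ps {
		s[p] = true
	}
	return s
}

// Contains reports whether the set permits p. An unspecified (nil) set
// permits everything, which is the permissive default the text describes.
func (s PrivSet) Contains(p Privilege) bool {
	if s == nil {
		return true
	}
	return s[p]
}

// SigningCert models the certificate a CA issues to a signing authority:
// the authority's public key plus the privileges it is allowed to confer.
type SigningCert struct {
	Pub      ed25519.PublicKey
	MayGrant PrivSet // nil = unconstrained
}

// RootConfig models the device manufacturer's root certificate configuration.
type RootConfig struct {
	MayGrant PrivSet // nil = unconstrained
}

// SignedModule is application code plus its MIF privilege list and the
// signature the signing authority produced over both.
type SignedModule struct {
	Code          []byte
	MIFPrivileges []Privilege
	Signature     []byte
}

// encodeMIF is a hypothetical, deterministic serialization of the privilege
// list; it stands in for the real .mif format, which is not shown on the page.
func encodeMIF(privs []Privilege) []byte {
	sorted := append([]Privilege(nil), privs...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i] < sorted[j] })
	var out []byte
	for _, p := range sorted {
		out = append(out, []byte(p)...)
		out = append(out, 0)
	}
	return out
}

// signedBytes is the message the signature covers: code and MIF together,
// so a change to either one invalidates the signature.
func signedBytes(code []byte, privs []Privilege) []byte {
	msg := append([]byte("code:"), code...)
	msg = append(msg, []byte("mif:")...)
	return append(msg, encodeMIF(privs)...)
}

// Sign is what the signing authority does once it has decided the requested
// privileges are justified: it signs code and MIF as one unit.
func Sign(priv ed25519.PrivateKey, code []byte, privs []Privilege) SignedModule {
	return SignedModule{Code: code, MIFPrivileges: privs,
		Signature: ed25519.Sign(priv, signedBytes(code, privs))}
}

// Grant is the device-side decision. It rejects a module whose signature
// does not verify, then grants exactly those MIF privileges that the signing
// certificate and the root configuration both allow.
func Grant(m SignedModule, cert SigningCert, root RootConfig) ([]Privilege, error) {
	if !ed25519.Verify(cert.Pub, signedBytes(m.Code, m.MIFPrivileges), m.Signature) {
		return nil, fmt.Errorf("signature does not verify: code or MIF changed after signing")
	}
	var granted []Privilege
	for _, p := range m.MIFPrivileges {
		if cert.MayGrant.Contains(p) && root.MayGrant.Contains(p) {
			granted = append(granted, p)
		}
	}
	return granted, nil
}

// ExtensionPrivileges models the extension rule: an extension runs with the
// privileges of its caller and nothing else.
func ExtensionPrivileges(callerGranted []Privilege) []Privilege {
	return append([]Privilege(nil), callerGranted...)
}

// Demo runs a constructed scenario: the MIF asks for three privileges, the
// signing certificate may confer network and filesystem, the root
// configuration allows network and addressbook, so only network survives.
// It then edits the MIF after signing and returns the resulting error.
func Demo() ([]Privilege, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	cert := SigningCert{Pub: pub, MayGrant: NewPrivSet("network", "filesystem")}
	root := RootConfig{MayGrant: NewPrivSet("network", "addressbook")}
	game := Sign(priv, []byte("bowling game code"),
		[]Privilege{"network", "addressbook", "filesystem"})
	granted, err := Grant(game, cert, root)
	if err != nil {
		panic(err)
	}
	game.MIFPrivileges = append(game.MIFPrivileges, "camera") // tamper post-signing
	_, tamperErr := Grant(game, cert, root)
	return granted, tamperErr
}

func main() {
	granted, tamperErr := Demo()
	fmt.Println("granted:", granted)          // granted: [network]
	fmt.Println("extension:", ExtensionPrivileges(granted))
	fmt.Println("after MIF edit:", tamperErr) // signature does not verify
}
```

Each of the three layers removes something different in `Demo`: the root configuration blocks filesystem, the signing certificate blocks addressbook, and the signature check blocks the privilege added after signing. Setting `RootConfig{MayGrant: nil}` instead reproduces the "no list specified" default and lets the CA chain alone decide, which is the case to avoid on a device whose manufacturer wants a hard ceiling.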

Configuring privileges

Subsequent chapters provide a more detailed discussion on how to configure privileges in Brew MP devices and signing certificates.