[Ovmsdev] Command security

Mark Webb-Johnson mark at webb-johnson.net
Sun Mar 18 16:43:12 HKT 2018 

Steve,

Thanks for this. Very helpful at this critical stage.

In general, I think your criteria is correct:

> My assumption going in is that all someone should be able to do before
> enabling is to look at status that does not include sensitive info.


When not in secure mode, only very basic stuff should be usable. So, boot, enable, echo, exit, help, etc, are all ok. The ‘time status’ is fine, but no ‘time set’. etc.

The others should not be visible, imho. Metrics, Module, obdii; all should be secure mode only.

To answer your specific questions:

> 1. obdii, server and simcom appear to allow their full functionality,
> including starting and stopping operations, in non-secure mode.  That
> seems wrong.

The “simcom status”, “server v2 status”, “server v3 status” are fine, but the others should be secure only.

> 2. event, metrics and notify all allow tracing to be turned on or
> off.  Is that safe?

I think these should be secure only.

Metrics should probably be secure only as there is some private information shown there (such as ICCID, etc).

> 3. time allows setting the time in non-secure mode.  That may not be
> critical in this system, but could mess up timed activities.

The “time status” is fine, but “time set” is secure mode only.

> 4. Setting the vehicle module should require being enabled, no?

Yes. Secure mode only.

> 5. Is it OK to list the metrics in non-secure mode?  Is any of that
> information sensitive enough that it should be prevented?  (We don't
> have the option to show some metrics and not others at this point.)

No. Better not. Secure mode only.

> 6. The module command only allowed the subcommand 'factory' which did
> not allow any subcommand, so the right fix there is to just make the
> whole command require secure mode.  This observation exposed a bug in
> the code to construct the usage string, which I fixed.


Yes. Secure mode for the whole thing.

Regards, Mark

> On 18 Mar 2018, at 3:23 PM, Stephen Casner <casner at acm.org> wrote:
> 
> Mark asked me to check whether the 'secure' flag is set appropriately
> in the various command invocation contexts.  I began with the console
> command list where there are a number of questionable settings.  My
> assumption going in is that all someone should be able to do before
> enabling is to look at status that does not include sensitive info.
> However, there are several commands that do more.
> 
> All of these commands are at least partially enabled in non-secure
> mode:
> 
> OVMS > ?
> boot                 BOOT framework
> echo                 Test getchar
> enable               Enter secure mode
> event                EVENT framework
> exit                 End console session
> help                 Ask for help
> metrics              METRICS framework
> module               MODULE framework
> network              NETWORK framework
> notify               NOTIFICATION framework
> obdii                OBDII framework
> server               OVMS Server Connection framework
> simcom               SIMCOM framework
> time                 TIME framework
> vehicle              Vehicle framework
> 
> The harmless ones are 'boot', which just shows status, 'echo', 'exit'
> and 'help'.  Of course, 'enable' needs to be here to change state.
> But I have questions about all the others:
> 
> 1. obdii, server and simcom appear to allow their full functionality,
> including starting and stopping operations, in non-secure mode.  That
> seems wrong.
> 
> 2. event, metrics and notify all allow tracing to be turned on or
> off.  Is that safe?
> 
> 3. time allows setting the time in non-secure mode.  That may not be
> critical in this system, but could mess up timed activities.
> 
> 4. Setting the vehicle module should require being enabled, no?
> 
> 5. Is it OK to list the metrics in non-secure mode?  Is any of that
> information sensitive enough that it should be prevented?  (We don't
> have the option to show some metrics and not others at this point.)
> 
> 6. The module command only allowed the subcommand 'factory' which did
> not allow any subcommand, so the right fix there is to just make the
> whole command require secure mode.  This observation exposed a bug in
> the code to construct the usage string, which I fixed.
> 
> So, basically, the question is what do we want someone to be able to
> do in non-secure mode?
> 
>                                                        -- Steve
> _______________________________________________
> OvmsDev mailing list
> OvmsDev at lists.teslaclub.hk
> http://lists.teslaclub.hk/mailman/listinfo/ovmsdev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openvehicles.com/pipermail/ovmsdev/attachments/20180318/cc6e19b3/attachment.htm>

More information about the OvmsDev mailing list