Slashdot Mirror
One Laptop Per Child Security Spec Released
juwiley writes "The One Laptop Per Child project has released information about its advanced security platform called Bitfrost. Could children with a $100 laptop end up with a better security infrastructure than executives using $5000 laptops powered by Vista? 'What's deeply troubling — almost unbelievable — about [Unix style permissions] is that they've remained virtually the only real control mechanism that a user has over her personal documents today...In 1971, this might have been acceptable...We have set out to create a system that is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market.'"
If my OLPC applications are completely isolated, how am I going to implement this new idea I have for cross-application communication based on shared pipes among apps.
I'm thinking it would work well to implement such a feature so that the writing widget can talk to the chat widget and the spreadsheet widget. I was planning on calling it, Dynamic Communication Over Methods, or DCOM for short.
Now I'm bummed!
The Kai's Semi-Updated Website Thingy
I don't know if this is a good idea or an awesome idea.
There are two types of people in the world: those who divide people into two types and those who don't.
So, I bet that my cell phone has better security than a $5000 vista laptop, but you can do stuff on that laptop that you can't on my phone. (not sure what, but i'm sure there's something porn related)
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
"drastically more secure and provides drastically more usable security"
Drastic?
I'd be willing to work toward "acceptable" or "workable".
The problem with "drastic" is that it often envisions high frontier technologies when all that is needed is a really well thought out plan.
If the UNIX system worked well for nearly 40 years, and was fairly simple to implement, then another 40 years *might* be had with something equally simple.
"Rocky Rococo, at your cervix!"
What executive, or any human being do you know is using a $5000 laptop? Even the most hardcore geeks I know spend only up to about $2k for the best laptops.
Sounds like more slashdot FUD to me. It's amazing that even though slashbots rail against FUD when Microsoft does it, they exaggerate and lie with the best of them.
This example on the front page is more evidence of that.
At the moment every other OS has better security than Windows, what's new?
It would be nice (but completely unexpected) if the industry followed suit and built on some of those concepts. Perhaps the result would be improved security for everyone!
So, if someone tries to break the security, does Heimtdallr come out and kick their butts?
'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.
http://plan9.bell-labs.com/magic/man2html/2/fork
RFCNAMEG If set, the new process starts with a clean name space. A new name space must be built from a mount of an open file descriptor.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
This would indeed be a nice step forward in security if they manage to complete all their principles and goals. It would be nice to have a system that I can hand out to users (or famliy members) that is basically secure out of the box but with a little reading and changing of settings I can obtain full control over. The idea that it would be open is certainly a nice boost to credibility and would, if successful, push all security forward and not just their own.
I'll meet you at the intersection of "Should be" and "Reality"
The two links given in the summary give an overview of the goals of the security system; the actual details are at http://dev.laptop.org/git.do?p=security;a=blob;hb= HEAD;f=bitfrost.txt
The idea of putting every application into a virtual machine is a good one, but the truism is that security *is* a process, not a checkbox on a feature-list. There is (and always will be) an inverse relationship between security and usability - the more of one, the less of the other. Compartmentalising the applications in such a draconian fashion would appear to be heavily leaning towards the security side, and not the usability side of the argument.
The article talks about the picture-viewer not being able to access the web. What if I *want* the picture-viewer to access the web ?
I tihnk I take issue with 99% of applications not needing interaction. If that's true (and I doubt it to be honest), I think that's a failing of software today, not a goal to be strived for. Most of the apps I use daily require web/internet access. I think that's only going to increase over time.
Simon
Physicists get Hadrons!
So, this company is going to provide a bunch of children in developing companies with laptops that need to be connected to the internet on a weekly basis to authenticate it's cryptography in order to keep working. I know the article says they have long range wifi but im sure Brazil has quite a hell of a lot of land that you can't get internet access from. Oh, and talk about a tempting target for hackers. If I manage to take down your authentication site then I get to nuke how many thousands of computers?
Even XP will let you use the OS if you don't authenticate, you just aren't privy to updates.
This really is a good idea and hopefully others will follow suit. Applications simply are not all trustworthy and the assumption that they are is a huge failing of most modern OS's. I hope they get this right. There are a lot of pieces here no one has perfected. They need restrictions, proper services between applications and to them, granular levels of trust, or ACL profiles, means of easily and accurately assigning those trust levels, and a well crafted UI for programs that want to override their trust level. Best of luck to them.
More secure? Kind of... More usable? Ummm, no... From TFA it seems that they are securing apps by running each application in a separate VM sandbox. However, that's going to destroy usability because none of the apps will be able to talk to one another. Which sounds to me like TFA is just not digging in deep enough to what is really going on. Otherwise, they are going to be creating A LOT more work than they really need to...
Also, with such a hugely fundamental change to how applications function in the OS, what current software is going to work with it?
1, 2, 3, 4, 5... That's the combination on my luggage!
Unix security and file permissions aren't enough??? Say it ain't so, Joe!
Next we'll have dogs and cats living together.
-- "In order to have power, I must be taken seriously." -Mojo Jojo
Netware was also better in this respect whilst it was still in mainstream use, despite being more of a runtime system than a real OS.
I think it would be a lot easier to have a goal of putting one handcrankable desktop in every village. You could make something heavy, durable and difficult to steal. You may be able to set up a low bandwidth wireless connection so that isolated villages could communicate with the outside world (I'm thinking a low frequency radio signal with a lot of range, but low bandwidth). The BBC/UN/etc could broadcast news and other information on radio frequencies usually reserved for AM/FM radio. We are in such an information glut that we often forget that 2400 baud modems were useful in their day. We expect video, but text can still be very useful. The information technology needs of a Third World village are pretty limited and this would satisfy them. It would be very inexpensive and require little expertise to setup. If it failed, the consequences would be minimal. If it succeeded, then more elaborate steps could be taken.
The problem with the One Child Per Laptop is that it is too ambitous. The United States was quite capable of delivering one laptop per person trapped in New Orleans during Hurricane Katrina. Would that have solved their problem? No and that's in one of the most advanced countries in the world. If you give a laptop to a kid in Hati/Nigeria/Afghanistan, they are going to get it stolen. And that's just for the raw material of the laptop. Have you seen pictures of Chinese workers stripping old computers for their component materials? And there are countries a lot poorer than China. The idea of setting up reliable public wireless networks in the Third World is absurd. Talking someone with a non-technical university degree through a wireless setup for their house can quite frustrating. And we're supposed to believe that public wireless networks can be setup in the poorest cities in the world without a glitch? And for little money at that.
Why would we be concerned about security anyway? Wow, a poor kid just had his computer hacked and his homework was stolen. Does anyone think that any hacker would bother? It's much more likely that these laptops will be stolen and used for illegal purposes afterward. Unless they have terrible security, it won't be an issue.
Security is a lot like crypto: Designing your own system is a recipe for desaster. Security is hard, and aside from the conceptual stages, small failures in implementation can destroy the best concept.
So anyone coming up with a "new and improved" security concept is selling an untested solution. Because security is always tested in the field, never (at least never properly) in the lab.
And yes, Unix permissions are primitive. But they work, they are reliable and we know their shortcomings and limitations.
Assorted stuff I do sometimes: Lemuria.org
--"No lockdown. Though in their default settings, the laptop's security
systems may impose various prohibitions on the user's actions, there
must exist a way for these security systems to be disabled. When that is
the case, the machine will grant the user complete control."
That is the one of the key differences between Bitfrost and Microsoft
"trusted computing" schemes: you as owner of the box can get around it.
If it's good, then I'll probably see it in my Kubuntu in about a year and half (8.10 Irrepressible Iguana). See, this is what I like about free software. Borrow the good ideas from each other.
See subject line. They're hell-bent on locking you out of your
machine, the latest Vista antics are just the start, wait til
they become enforced in silicone.
(damn Slashdot, just copy linked pages like this one!)
Bitfrost is the OLPC security platform. A non-technical introduction to the security problems we're attempting to solve, and our goals and principles in doing so, follow on this page. They're taken from the complete Bitfrost specification, which we invite you to peruse and discuss on the public OLPC security mailing list.
Introduction and summary
In 1971, AT&T programmers Ken Thompson and Dennis Ritchie released the first version of UNIX. The operating system, which started in 1969 as an unpaid project called UNICS, got a name change and some official funding by Bell Labs when the programmers offered to add text processing support. Many of the big design ideas behind UNIX persist to this day: popular server operating systems like Linux, FreeBSD, and a host of others all share much of the basic UNIX design.
The 1971 version of UNIX supported the following security permissions on user files:
These permissions should look familiar, because they are very close to the same security permissions a user can set for her files today, in her operating system of choice. What's deeply troubling -- almost unbelievable -- about these permissions is that they've remained virtually the only real control mechanism that a user has over her personal documents today: a user can choose to protect her files from other people on the system, but has no control whatsoever over what her own programs are able to do with her files.
In 1971, this might have been acceptable: it was 20 years before the advent of the Web, and the threat model for most computer users was entirely different than the one that applies today. But how, then, is it a surprise that we can't stop viruses and malware now, when our defenses have remained largely unchanged from thirty-five years ago?
The crux of the problem lies in the assumption that any program executing on a system on the user's behalf should have the exact same abilities and permissions as any other program executing on behalf of the same user. 1971 was seven years before the first ever international packet-switched network came into existence. And the first wide-area network using TCP/IP, the communication suite used by the modern Internet, wasn't created until 1983, twelve years after Thompson and Ritchie designed the file permissions we're discussing. The bottom line is that in 1971, there was almost no conceivable way a program could "come to exist" on a computer except if the account owner -- the user -- physically transported it to a machine (for instance, on punched tape), or entered it there manually. And so the "all or nothing" security approach, where executing programs have full control over their owner's account, made quite a lot of sense: any code the user executed, she ipso facto trusted for all practical purposes.
Fast forward to today, and the situation couldn't be more different: the starkest contrast is perhaps the Web, where a user's web browser executes untrusted scripting code on just about every web page she visits! Browsers are growing increasingly complex sandboxing systems that try to restrict the abilities of such web scripts, but even the latest browser versions are still fixing bugs in their scripting engine implementations. And don't forget e-mail: anyone can send a user an executable program, and for many years the users' instinctive reaction was to open the attachment and run the program. Untrusted code is everywhere, and the only defense seems to be tedious user training and anti-virus software -- the latter assuming it's fully updated, and assuming the anti-virus makers have had time to deconstruct each latest virus and construct a defense for it.
Most technologies and approaches that constitute the Bitfr
People use to leave keys in their car all the time in the olden days.
-- www.globaltics.net
Political discussion for a new world
Ain't this the truth.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
No, that's not it. ACLs aren't unique to Unix.
http://en.wikipedia.org/wiki/Access_control_list
Anyone else?
From TFA
"Beyond cyberthreats, the XO laptop will have an anti-theft system designed to render stolen laptops useless. Each XO is assigned a "lease," secured by cryptography, that allows it to operate for a limited period of time. The laptop connects to the internet daily and checks in with a country-specific server to see if it's been reported stolen. If not, the lease is extended another few weeks."
Congratulations, you have destroyed this projects credibility, desirability and much of the good will that the open source community was providing.
I wonder this would rule out any interaction with the GPL v3?
Loop, twist and loop again.
What do they imagine they're getting for that? Yeah yeah, I know, it's the status symbol of being able to blow $5,000 on a bit of $600 hardware.
Deleted
It's not hard to do this. Several groups had systems this tight working back in the 1980s. For that matter, Multics had it right in the late 1960s. Linux has it now, in NSA SELinux.
It breaks existing applications, of course. The OLPC people have a huge advantage - they don't care about existing applications. They can say to application developers, "these are the security constraints - design to them." That's a huge win.
Somebody should have done this by now for phones and palmtops, but, unfortunately, those things started out so underpowered they barely had an operating system. So they have their own legacy problems.
Pity they're so badly set by default. Unix could do with allowing groups within groups. It would allow admins to add group permissions to a resource and then add user groups to the resource group. Its sort of possible using NIS, but then you're stuck with NIS. The simplicity of Unix permissions is handy, but you can have that same simplicity using Windows just by managing the acls properly.
Still, the fact that Unix permissions are still around, being used and adequate for most people is a testament to the concept.
Deleted
Who are Pentagram? Why is the XO logo written as the jolly roger sign? Silly, I know, but still pretty fucking weird.
Who would love this feature.
Deleted
It's the sandboxing. A program run by a given user doesn't automatically get the user's full permissions -- it only gets a small subset. For example, it can't open files from the user's home directory other than by calling a trusted system File Open dialog, which allows the user to select the file and returns an open file handle to the application (or in OLPC's case hardlinks the file into the chroot jail).
In terms of research projects, see the secure scripting language E and the proof of concept CapDesk.
Interestingly, in the commercial world it only seems to turn up in safe bytecode runtimes -- there's very little out there for native code. For an example of something similar in concept look at JNLP or ClickOnce deployers.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
"Manufacturing data includes two unique identifiers: SN, the serial number, and U#, the randomly-generated UUID."
"On first boot, a program is run that asks the child for their name, takes their picture, and in the background generates an ECC key pair. The key pair is initially not protected by a passphrase, and is then used to sign the child's name and picture. This information and the signature are the child's 'digital identity'. The laptop transmits the (SN, UUID, digital identity) tuple to the activation server. The mapping between a laptop and the user's identity is maintained by the country or regional authority for anti-theft purposes, but never reaches OLPC."
Remember kids, file sharing is illegal and there is a database full of mugshots for the RIAA to find you.
I've got two things to say.
1. Bring these security additions to public linux distributions.
2. Would you (and the rest of
\
Don't get me wrong I think the project is the best thing since Tim Berners Lee invented the WWW, however:
"The sole purpose of these keys will be to verify the integrity of bundled software and content."
Sounds a bit like DRM? What if the child gets bored and decides to install another Linux distribution?
"If the lease expires, the XO's internet connectivity is turned off, and shortly thereafter the whole computer becomes a brick."
Er nice...
My little Linux and tech blog
Sorry, I don't have mod points.
But, yes, I find ACLs *very* hard to manage. In general, RWX is easy to work with -- may need to create extra groups, but I can follow, document, and understand.
Just another "Cubible(sic) Joe" 2 17 3061
>> how am I going to implement this new idea I have for cross-application communication based on shared pipes among apps.
Actually, it's even worse than your funny (but accurate) comment suggests:
In the Unix model, applications are often built out of multiple cooperating processes, each of which is isolated into its own address space, with strong barriers between processes enforced by the MMU hardware. This makes each separate part more robust, more comprehensible, and more secure.
In contrast, when Bitfrost throws away the ability of programs to talk to other programs, it is intrinsically encouraging a monolithic approach to program design, which is a huge step backwards both for security and for complexity management.
Bitfrost is right to deny free access by programs to a user's filestore objects as an important part of its new security framework, but if the price for that is to disallow strong application factoring and partitioning into separate but communicating processes then the cure may be worse than the disease.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
One could reasonably posit that at some point, you're going to want to use the OLPC to teach children
computer programming.
That means that in order to execute any such programs on their OLPC, those programs are going to need to be
"signed" by an "authority" before they can be executed. That gets old fairly quickly, so an alternative
obvious policy is that any program that was compiled on *this* OLPC is "safe" for this OLPC. Right.
The problem with Trusted Computing world views is that computers are simply *appliances*, with some 3rd party
in control of what this "appliance" can do. The end result is that rather than having a *truly* computer-literate
population, we instead perpetuate the elite software priesthood. Imagine a world where only the "priesthood"
are granted programming licenses, with technology like Trusted Computing (and this OLPC stuff) used to
"enforce" such licensing schemes.
There are lots and lots and lots of situations where non-programmers have reasonable need to write programs
from time to time. Think scientists writing simulations, engineers, artists, etc, etc. The minute you
actually grant your "appliance" Turing Completeness, you've lost its Trusted Computing properties.
I see this as an unresolvable dicotomy.
Oh, my! I feel so... so... exposed!
So let's make the default umask "077" for all UNIX- and Linux-based systems. Would that help? To a great extent. Would it decrease usability? Sure. But if that 'swhat it takes to have some semblance of system security, so be it. It seems that work on file-level security has taken steps backwards since the "do everything via a browser" mentality began taking root in UNIX/Linux. That us brings automatic execution of programs based on some file's extension (the so-called "helper" applications). Yep, that proved to be such a winner in the DOS/Windows arena that we should all start doing it. What little cool feature of the web that makes something easier to do hasn't proven to have gaping security holes in it? Every so-called "advance" in usability seems to have a detrimental effect on system security. Always has and, I'd bet, always will. Usabililty and security are playing a zero-sum game. You can't seem to have more of one without less of the other. But I digress...
I don't know what the ultimate solution will be but I'm thinking that liberal use of "umask 077", RBAC (especially on root) and ACLs, and a default policy of "drop" on one's firewalls will go a long way in protecting system(s). All of those have been available on UNIX/Linux for quite a while. So much for permission bits being "virtually the only real control mechanism that a user has over her personal documents today".
The creator of this "BitFrost" cryptographic security scheme says:
Frankly, I kept having the same feeling as I read the Wired article. I think what it was that he was missing was "simplicity". Dongles for laptops in rural villages? Local license servers for villages that have no internet access? Jeebus!
CUR ALLOC 20195.....5804M
That is the one of the key differences between Bitfrost and Microsoft
"trusted computing" schemes: you as owner of the box can get around it.
Yes? But the article also says:
Beyond cyberthreats, the XO laptop will have an anti-theft system designed to render stolen laptops useless. Each XO is assigned a "lease," secured by cryptography, that allows it to operate for a limited period of time. The laptop connects to the internet daily and checks in with a country-specific server to see if it's been reported stolen. If not, the lease is extended another few weeks. If the lease expires, the XO's internet connectivity is turned off, and shortly thereafter the whole computer becomes a brick.
Surely this is only possible with a TCPA-style system? Otherwise the thief could just disable the check after stealing the machine. It sounds worse than Windows Genuine Advantage: that doesn't try to stop you installing another OS, and it won't kill your machine if you can't go online for some reason.
Shortly thereafter the whole computer becomes a brick.
>north
You're an immobile computer, remember?
Shortly thereafter the whole computer becomes a brick.
The article strongly implies that the OLPC will be defective by design, as RMS would say. A central authentication system that locks users out if they don't authenticate regularly, being used in an environment without reliable net access? Yeah, great idea. Can't see any problems with that. Does it also prevent users loading their own applications or custom kernels?
Would someone from the OLPC project care to comment on this? What precautions have been taken to ensure that users are still in control of their machines, and can easily work around all digital restrictions if they want to? How does a user recover a machine that has been "bricked" by failed authentication or a WGA-style glitch?
>north
You're an immobile computer, remember?
FTFA:
Beyond cyberthreats, the XO laptop will have an anti-theft system designed to render stolen laptops useless. Each XO is assigned a "lease," secured by cryptography, that allows it to operate for a limited period of time. The laptop connects to the internet daily and checks in with a country-specific server to see if it's been reported stolen. If not, the lease is extended another few weeks.
If the lease expires, the XO's internet connectivity is turned off, and shortly thereafter the whole computer becomes a brick. In the case of an area without internet connectivity, a local school can extend the lease from its own server by Wi-Fi or with a USB dongle.
I've been hearing that they were going to do this for a while, and I think it's a terrible idea that will kill a lot of the potential of this wonderful project. What happens if these kids go to another area for a month or two and want to take the thing with them? Tough, it's a brick. Not to mention if they want to keep it and take it out of area after they graduate.
There's also this deeply worrying gem:
Users can manually assign more power to a particular program through the security control panel, but even there, they are limited.
"You cannot request a set of permissions that let you do bad things," Krstic said.
So much for a computer that students will have complete control over, can take everything apart and put it back together, etc. For a project so focussed on empowering kids as users, these two parts of an otherwise promising security plan sound an awful lot like the computer having control over the user, not the other way around.
I hope I've got this wrong, I hope that we aren't actually introducing third world kids to the world of DRM and Treacherous Computing, where "their" machines do things they can't control, where they "lease", not own. If so, it's really too bad. Yet another missed opportunity...
No jokes, please
Hard links don't help in general with the unix security model since they share an inode (where the owner, group, and mode is located). Extra hard links are just extra directory entries.
The one exception is when the location of a file is stored in two seperate folders with different traverse settings (execute on directories) which can control access by ability-to-name.
But that's an all or nothing method, and you can't hardlink subdirectories so you end up linking files individually, which is a bad approach unless automated as part of a file management system.
SELinux _is_ a good solution, provided that developers or third parties care enough to develop robust profiles for applications, with nods to different roles a user might take on in day to day usage of that software, and tailoring access needs to that. Fedora is thankfully going down this path, and establishing some best practices.
In SELinux, who can do what is determined largely by (multiple, simultaneous) user roles, application roles, and allowed transitions between them. Application roles that act on behalf of users are how requested capabilities on objects are granted. You grant an application role (called context) the ability to do operations on types of objects. Thus you tag files with object types (which is only important for file activity; other important types of permissions for operations on non-file objects can be delineated).
I think what's holding that back is that Administrators suffer from the lack of good tools to manipulate the various security descriptors for objects and to do what-if analysis.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Wow, I read the whole FA. I must be new here.
Seriously, I agree with most their findings and strategies to mitigate the risks of theft, lost privacy, etc. I also find it noteworthy that the Mic and Cam both have a direct wired LED to indicate activation of said components, where the LED can not be turned on/off by software at all. Thus eavesdropping becomes evident. The spec is a nice read and most points Ivan makes are (from my standpoint) well thought through and sensible for the environment in which the XO is to be deployed.
What I object against though, is point 8.12 (P_X) of the spec. As I understand it, as long as you happen to be in possession of a "trusted" key to the machine (which will certainly be OLPC and the government of the child in posession of the XO) you may eavesdrop on any resource of the X window system as you see fit? Correct me if I am wrong, but AFAIK the X protocol was never designed with security in mind. So sending commands to another program might also impicitly mean the ability to check the state of that program.
Would any X expert please confirm or dismiss this, as I can't becase I'm no X expert myself.
Meme of the day: I browse "Disable Sigs: Checked". So should you.
If you read a little higher in the spec, it says the anti-theft system is implemented as a system daemon that not even root can kill (so apparently the kernel was modified for this to make that app special). Looks like it's entirely done in software, and the OLPC country managers have to even specifically ask that it be enabled for their laptops.
Xfce: Lighter than some, heavier than others. Just right.
This $5000 laptop that came preloaded with Windows Vista, still isn't as secure as those $100 laptops used by poor third world children.
Damn, now that Lunix is getting primed to lose it's security through obscurity, we will soon see the flood waters gush through the sieve of their security.
Quick! Somebody make another text editor!
Thanks for the info.
Given that, it doesn't sound bad. Restrictions aren't a problem as long as the user can turn them off.
>north
You're an immobile computer, remember?
FYI, "irregardless" is not generally considered correct or appropriate English. You may want to catch yourself when you start to say or write it, and consider replacing it with either "irrespective" or "regardless."
So, they implemented SELinux/grsecurity/RSBAC policy. As in, not the system, but a policy file.
Support my political activism on Patreon.
"Millions of XO laptops are expected to go into production late in 2007, with Thailand, Brazil, Uruguay and Rwanda, among others, signed up for the launch."
Didn't Thailand pull out of the project because they're trying to strike a deal with Microsoft? Are they back in now?
re: anti-theft system
I think it's a terrible idea that will kill a lot of the potential of this wonderful project.
The spec says this:
971 The OLPC project has received very strong requests from certain countries
972 considering joining the program to provide a powerful anti-theft service that
973 would act as a theft deterrent against most thieves.
974
975 We provide such a service for interested countries to enable on the laptops.
So it looks like the decision is a political one. It suggests to me, though, that it would be possible to get or purchase (or steal) one from a country that isn't as paranoid.
"You cannot request a set of permissions that let you do bad things," Krstic said.
So much for a computer that students will have complete control over.
I think that's incorrect, and I think the article might have gotten it wrong. The spec mentions that there are sets of permissions that will be denied at install time; however, it also claims that one of it's design goals is "no lockdown" and that "there must exist a way for these
211 security systems to be disabled." That's pretty clear to me. If program X asks to install itself with P_KILL_BOB AND P_KILL_ME, then it will be rejected from the installation. It needs to install itself with either P_KILL_BOB OR P_KILL_ME, but not both, because only one of us needs to die.
I think the article may have taken Krstic's comment out of context.
Ya know, maybe they could add "No Bricks" to their design goals... Just a thought.
As with any sufficiently strong security system, the weakest link I foresee will be the people. In this case, not the people who *use* the XO, but the people who control various points along the keychain: developer keys, activation keys, etc.
The people who hold these keys are plenty vulnerable to corruption, intimidation and good old-fashioned trickery. This doesn't invalidate the security model, but I'd be interested to know how they mean to preserve the integrity of the keychain in case of theft, misuse, disaster, going-out-of-business and aliens.
L
If you RTFA, they specifically designed the security model so that children could write their own apps which can do *anything*. But they set up some defaults (which can be overridden) to protect the system.
What they are aiming at is a way to set sensible limits per-program, at install time: So at install time, a package (they call it a bundle IIRC) has a list of specific rights that the program will need in order to do its job. If the bundle doesn't ask for a certain right at install time and tries to use it later (because, say, it was maliciously modified), it will be denied.
If an app *is* signed by OLPC, it can have any right that it specifically asks for at install time. Otherwise, there are some rules about what subsets of rights are allowable together (i.e. asking for certain rights will exclude certain others by default). But again, the whole thing can be overridden.
This is nothing like Trusted Computing or DRM. It's more like a wrapper around SELinux (I don't know if that's actually how they implemented it).
Programming is allowed. There is even a "view source" button on the keyboard!
Sharing programs (binary executables) with your friends is easy and encouraged. All programs are severely sandboxed by default, so there is no problem unless the attacker finds a bug in the CPU hardware. The sandboxing is really well thought out; an app bundle (install package) can request camera access or net access but not both. Apps never get more permissions than they requested at install time, excepting when an advanced child modifies the permissions.
Linux has a few features that make this possible. The first is of course SE Linux policy, which could be adjusted by the app installer. The second is CLONE_NEWNS with bind mounts, allowing app-specific views of the filesystem that simply lack any unneeded files.
The only mildly troublesome restriction is that kernel and firmware modifications require that the child request a laptop-specific developer key from OLPC. There is a 14-day waiting period intended to allow time for laptop theft to be reported; you can't get a developer key for a stolen laptop.
Our rfork() is called clone(), or unshare() if you don't need a new thread/process.
When you want a new namespace, you specify the CLONE_NEWNS flag. (root only, sorry, because of setuid concerns)
Once you have a new namespace, you can unmount things you don't need. You can do bind mounts, which let you graft directories onto other places. You can use a bind mount to make a read-only copy of something, then unmount the original... all without mucking up processes that aren't part of the same CLONE_NEWNS group. Portions of the filesystem tree can be shared as well, in case you really do want changes to appear to both sides of the CLONE_NEWNS. Access to things can be permanently given up within the CLONE_NEWNS group, making for a rather fine jail that generally beats jail(8) quite severely.
There are extra goodies for stuff like isolating the view of system time, the view of executing processes, etc.
You have an extremely valid point, which I didn't even think of in my original post. Given that almost any modern app - save a "Hello World" tutorial - is going to communicate on some level with other applications, this model may get very old quickly. Even in my simplistic Linux system, I'm running Firefox, which is communicating processes and threads with the Window Manager KDE, and the various sub-components of that.
It is too late to think about this now.
The Kai's Semi-Updated Website Thingy
Basically all UNIX-like systems support ACLs now.
The ACLs are usually almost like the ones Windows uses, with a few minor differences:
a. UNIX-like systems normally still use rwx.
b. Windows normally disables checking permissions on parent directories.
c. Windows does a funny sort of inheritance thing that kills performance. (thus the above speed hack)
The stuff OLPC is using is way more powerful though. An ACL on your own data file will not protect your data from being damaged by a trojan. The OLPC project uses mandatory access control (mostly a domain-type-role enforcement mechanism) to stop such problems.
TFA:
"Beyond cyberthreats, the XO laptop will have an anti-theft system designed to render stolen laptops useless. Each XO is assigned a "lease," secured by cryptography, that allows it to operate for a limited period of time. The laptop connects to the internet daily and checks in with a country-specific server to see if it's been reported stolen. If not, the lease is extended another few weeks.
If the lease expires, the XO's internet connectivity is turned off, and shortly thereafter the whole computer becomes a brick. In the case of an area without internet connectivity, a local school can extend the lease from its own server by Wi-Fi or with a USB dongle."
Wow. So someone else has the power to brick my machine remotely? I thought this was MY laptop? This sounds more like a loan than a gift. It sounds way to close to some DRM vendor's wet dream than a teaching tool.
The concept, called mandatory access control, goes back decades. It comes from the US military. It was originally based on the classified info system (SECRET, TOP SECRET, etc.) and was intended to stop insiders causing leaks. Insiders tend to make dumb security mistakes, and sometimes even sell secrets to the enemy. Mandatory access control stops that cold.
A few years back, the NSA wrote an implementation of this for Linux. It's called SE Linux. It's a bit modernized, supporting more than just the old military-style security levels.
Linux also has CLONE_NEWNS, which is based on features from an old research OS called Plan 9. That, combined with some neat tricks involving mount points, gives you something like chroot() with extra power.
Most of the code has been around for years. OLPC just integrated it nicely into the app installer and made the user experience tolerable.
If you edited your SE Linux policy, you'd be half-way there. The other part, jailing the apps, requires severe GNOME/KDE hacking.
The child can request a laptop-specific developer key.
The kernel and firmware can be upgraded via this key. (writing regular apps does not require the key)
There is a 14-day waiting period to give time for stolen laptops to be reported. Keys are obviously not provided for stolen laptops.
The GPLv3 merly requires that the key be provided upon request. I don't think 14 days would be disqualifying. In any case, neither the kernel nor the firmware are GPLv3.
In contrast, when Bitfrost throws away the ability of programs to talk to other programs, it is intrinsically encouraging a monolithic approach to program design
But a program and a process are not the same thing. If an OLPC app is structured as several processes, then they will all run in the same jail and will all be able to communicate with each other.
Also, it's not correct to say that Bitfrost doesn't allow programs to communicate at all. Obviously programs communicate with the X server. And the document mentions D-BUS, so programs are probably allowed to communicate that way.
Bitfrost isn't one single technology. It's the integration of several existing Linux technologies with a nice GUI, installer, set of keys, etc.
The neat jailing feature has been in Linux for years, though mostly unused. You can access it via either the clone() or unshare() system call. In combination with bind mounts and PID namespaces, you get the ability to jail quite effectively. To learn more:
man 2 clone
man 2 unshare
man 8 mount
SE Linux is of course the other major underlying ability, and then there's the new GUI and app installer to tie it all together in a usable way.
Beyond the up's and down's of the OLPC/Bitfrost approach. It seems very valid to suggest that it is time to look at the lower level of how system security is handled.
The rate that new networking systems are developed and distributed is alarmingly high and seemingly well past, or at least just in front of, our ability to secure these systems.
OS level security that accounts for the fact that the OS is connected to a virtually uncountable number of other(friendly or unfriendly) systems seems perfectly logical if not down right critical to the health and safety of what has quickly become a monstrously huge, and shared, system of computers and data.
I don't think the OLPC/Bitfrost system makes much sense for all of us, but t looks like a very solid way for a user who's needs aren't much past the capabilities of a smartphone or PDA (as nearly as i can tell thats just about all the OLPC really is, with a bigger screen).
I hope to see some other reworks of the main security model more tailored to the current, and supposed future, reality of where our systems are.
What if the OS consisted of Virtual systems, one that is local and one that is networked? The networked VirtualOS is jailed and unaware of any other OS's that are not likewize networked, and a LocalOS that is aware only of itself and the networked VirtualOS that it hosts. "Local" could access neteworked data by proxy, but the networked VirtualOS could never explicitly modify the LocalOS.
Does that make any kind of sense?
Yeah so there's my bit.
any thoughts ?
Support bacteria, the only culture most people have.
They used "she" in a reference to the original UNIX developers.
Let's see, which one is the woman? Ken, Dennis, or Brian?
Note: the names are not Kendra, Denise, and Brianna!
These guys are called "greybeards" even, because they have grey beards. Transvestite bearded ladies? Eeeew.
I'm reminded of the icky 9-11 statue showing 3 firefighters raising a US flag over the ruins of the World Trade Center. In reality, all were white. In the statue: black, hispanic, asian.
Your appositive is faulty. KDE ain't a window manager. KWin is though.
And your pedantry is stupid.
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
The strengh of linux is it's customizability, and there are already several distros specially customized for small memory foot prints, etc. Like Damn Small Linux (Debian variant specially tuned to provide a nice graphic desktop even on computers as old as 486 with 24MB ram. And if it can run on that piece of trash, surely it can run on the OLPC (even if it can't run all special extensions like the dual resolution e-ink screen).
I don't know why, but every time I read "Linux" on the web, it automatically means "RedHat", "with both KDE and GNOME installed".
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Try right-clicking 1000 files, it gets real old, real fast... ...and that's the real problem with GUIs. They're fine for personal productivity apps but useless for administrative work.
No sig today...
I'd rather hang on to x-y-z antivirus than have a secure
digital fortress where the guards tell _me_ what to do.
"when Bitfrost throws away the ability of programs to talk to other programs"
I read the whole article but I don't remember reading that anywhere.
I read some stuff about programs not being able to look at other program's files, but that's not the same thing at all.
I'm pretty sure OLPC uses IP, and that means sockets. If you've got sockets then you've got inter-process communication.
Unless you've got proof that OLPC doesn't have named pipes, etc. then I suspect you're pulling misinformation out of somwhere the sun don't shine.
No sig today...
if it's so secure how come the web browser doesn't display the URL a person is on? exposing them to phishing.
D@rkSh4d0wSep1roth1992, as a 1337 ScriptKiddie and Pwnz0rs of your box, can get around it and botnet it.
OR :
Sony, as owner of the disc for which you just bough a "Limited Listening License" and therefore, by extension, owner of anything you may try to play it on, can get around it and root-kit it.
OR :
The **AAs as owner of the government that they paid to create DMCA, can legally get around it, and spy everything they can just to gather enough evidence (a.k.a. false-positives) to sue your 5 ears old's communist pirate ass for copyright infringement.
OR :
FBI / CIA / NSA / Men-In-Blacks / NTAC / World conspiracy of black copters / a small girl called "Jenny", as owner of the divine right to protect justice and owner of a device used to brainwash microsoft programmers, can get around it using backdoors specially planted for that purpose and spy every information needed to chase you, guilty unless proven otherwise, god-hating, porno-terrorist. Think of the Children !
OR :
Software bugs, as true owner of your OS and hardware, don't need to get around it (they're already in the OS) and can fuck up your peripherals and drive the machine into spontaneous combustion, as you helplessly look at it with an astonished expression, discovering what actually the "Wow" factor meant for Vista.
OR
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
They switch that feature off until they get back.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
No one seems to be mentioning chflags, first appeared in 4.4BSD and they make it possible for a user to protect files from themselves, even from root. I haven't read the full Bitfrost specs yet but from the short wiki introduction it sounds like they're missing things that protect files from the processes run by the owner of the files. Chflags does this.
That seems pretty clear to me. Programs don't have access to the web, in other words they have no access to sockets. And that means no IPC, so programs have to be non-communicating and hence monolithic by default.
The article also says that all default security blocks can be overridden, but unless an application developer knows about the security system as well then the natural design for his app will be a monolithic one.
And to remove any further doubt, here are the lead architect's own words:
I teach about children and technology, so my statement is not strange, but I've always believed that young learners (if they're going to use digital technology at all, which is a different issue) should have the best. In the old days, you'd see a child with a 256 colour display trying to do something using cassette tapes to load programs while we whizzed away with the best stuff. It seemed strange to provde the developing mind with the most limited set of tools when a business exec who never did much with it anyway and the brightest and shiniest. Of course the child is seen as less valuable. My attitude is, and was before I started teaching about childrean and tech., that you give the best [insert variable] to the children to get the best children, and that the best children lead to the best adults. But we give the worst to children. (I've used best and worst for their vague sense of value without specifics to keep with the notion of the article). I don't know if the OLPC project is the best thing for children, though I've been following the topic for longer than this specific project's been around, but they might as well have the best possible security, since the world does such a poor job of keeping them safe in most other categories.
https://www.tandfonline.com/doi/full/10.1080/1369118X.2013.808365
I ated the purple berries.
Programs can communicate but the process should be supervised by the o/s. The very common "buffer overflow" security breach would be impossible when the o/s, in a separate and priveleged part of the machine brokers the exchanges and enforces strict definitions of requests, e.g. size, beginning address, ending address, appropriate authority, duration, initializations, etc. Most desktop systems run programs that have all of the same priveleges as the o/s. Put another way, these o/s's are simply very large user applications running bareback on the processor. It's no wonder that pc security is a joke.
Far be it from me to knock this before I've tried it, and that's not my intention anyway; but there's a reason why unix file permissions have lasted so long, and that is that they're actually quite good for the job they are supposed to do.
Sure, you could have finer grained, ACL-based permissions. But that would be over-complicated for most real-life situations, with the result that they would end up not being used properly -- and that might well make things more dangerous. The idea of dividing the world into "user", "group" and "others" each having separate permissions to read, write and execute (or not) is simple enough for non-security experts to understand, while working well enough most of the time. It's that x bit, and the fact that you have to turn it on by performing some deliberate action, that really makes the difference between unix-based and DOS-based systems.
If you want to limit a user or a process to a particular area of the filesystem and a subset of commands, there's always chroot.
Je fume. Tu fumes. Nous fûmes!
We all know that XP is insecure, but how many people would of NEVER installed updates unless automatic updates were turned on? How many bots are out there because people don't bother with simple anti-virus software
The people who are going to use this laptop are NOT even on the level of a Dumb American User (DAU). These are people who will use it for, at best, for e-mail. Any other applications that are installed would HAVE to work and not be corrupting the system. Lets face it, if you lived in a farm in South America for a few generations, its not like your going to acquire the security skills, overnight, to run XP on the web.
Though, my real issue is corruption though. Have they really developed a good system for keeping the signed keys from people who mean harm? What if the local country officials use this whole "lease" idea to threaten a local because he didn't vote right?
I'm certainly an amateur programmer at best, and haven't worked extensively in security, so I don't know if what I'm about to say makes sense. But if I understand this whole thing correctly, basically each program is given a set of things it's allowed to do and is denied access to everything that's not on this list. So, if interoperability is a problem, couldn't he just include an item such as "interaction with program/module X on Such-and-Such File" or something equally restrictive to be a possible item on this list?
Sorry if that made no sense whatsoever.
I like my women how I like my sugar.. granulated.
The problem is not software or hardware and how you protect it - it's the end user.
You make a choice here: either you enable self management of the system, which opens the potential for socially engineering a user into doing something they shouldn't, or you close the box tightly and thus incur an administration overhead (which would annul the low costs of any OLPC machine) and/or lose the flexibility. The latter may be feasible with OLPC if you made it fixed purpose (i.e. set loadset with no deviation), but that strikes me as defeating the whole concept.
Look at most trojans and virus infections: they rely on the user doing something stupid, and they do so - with gusto. We got a new admin girl and the first thing she did when she got her machine was complain she couldn't install 'her' programs on it. On inspection she would have made the box a botnet zombie as well as a spam relay, all because the programs were 'cute'.
The same is happening with children. There are plenty of sites luring children with games, whilst surreptitiously probing the box for vulnerabilities through which to install malware - or it's made to look like another game so that the child will install it. And thanks to the carelessness in coding most of the "official" kid games, plenty of parents have set the child up with admin rights because the games won't work otherwise. And those are the ones that had at least the idea of creating separate accounts - plenty of machines just go live as administrator with parents and children just using "the computer".
Go ahead, fix the computer, unless you fix/educate the users at the same time you're still losing the battle.
Insert
Generally, a nice idea - automated backups. However, the overall design (no passwords, etc.) seems to imply that this information will all be stored in the clear. That means the centralized repository can be regularly scanned by any party with access.
Maybe if they added functionality to allow for encrypted directories (or "drives", ala TrueCrypt), and ensured that any virtual-memory/swap-partition was always scrambled with a boot-specific randomized key...