Slashdot Mirror


One Laptop Per Child Security Spec Released

juwiley writes "The One Laptop Per Child project has released information about its advanced security platform called Bitfrost. Could children with a $100 laptop end up with a better security infrastructure than executives using $5000 laptops powered by Vista? 'What's deeply troubling — almost unbelievable — about [Unix style permissions] is that they've remained virtually the only real control mechanism that a user has over her personal documents today...In 1971, this might have been acceptable...We have set out to create a system that is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market.'"

3 of 253 comments

  1. It isn't about ACLs. by jhantin · Score: 4, Interesting

    It's the sandboxing. A program run by a given user doesn't automatically get the user's full permissions -- it only gets a small subset. For example, it can't open files from the user's home directory other than by calling a trusted system File Open dialog, which allows the user to select the file and returns an open file handle to the application (or in OLPC's case hardlinks the file into the chroot jail).

    In terms of research projects, see the secure scripting language E and the proof of concept CapDesk.

    Interestingly, in the commercial world it only seems to turn up in safe bytecode runtimes -- there's very little out there for native code. For an example of something similar in concept look at JNLP or ClickOnce deployers.

    --
    ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
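A toy model of the pattern jhantin describes, added here as an illustration (it is not OLPC code and not from this thread): a plain directory stands in for the chroot jail, and the only way the sandboxed app reaches a file in the user's home is through a trusted broker that hardlinks the user's choice into the jail. `SandboxedApp`, `FileOpenBroker` and `demo` are names I chose for the example.

```python
import os
import tempfile
from pathlib import Path

def inside(root: Path, path: Path) -> bool:
    """True if path lies under root (both must already be resolved)."""
    return root == path or root in path.parents

class SandboxedApp:
    """Untrusted program: every path it names is confined to its jail directory."""
    def __init__(self, jail: Path):
        self.jail = jail.resolve()

    def read(self, name: str) -> str:
        target = (self.jail / name).resolve()   # collapses '..' and symlinks
        if not inside(self.jail, target):
            raise PermissionError(f"{name!r} escapes the jail")
        return target.read_text()

class FileOpenBroker:
    """Trusted File Open dialog: the user picks a file from home, and only that
    file is made reachable inside the app's jail, via a hardlink."""
    def __init__(self, home: Path):
        self.home = home.resolve()

    def grant(self, app: SandboxedApp, user_choice: str) -> str:
        src = (self.home / user_choice).resolve()
        if not inside(self.home, src) or not src.is_file():
            raise PermissionError("dialog only offers regular files under home")
        os.link(src, app.jail / src.name)   # same inode, new name inside jail
        return src.name                     # the only path the app ever learns

def demo() -> dict:
    """Constructed scenario: app cannot reach home, then gets one granted file."""
    with tempfile.TemporaryDirectory() as tmp:
        home, jail = Path(tmp, "home"), Path(tmp, "jail")
        home.mkdir(); jail.mkdir()
        (home / "secret.txt").write_text("bank password")
        (home / "essay.txt").write_text("my homework")
        app, broker = SandboxedApp(jail), FileOpenBroker(home)
        out = {}
        try:
            app.read("../home/secret.txt")  # ambient authority: must fail
            out["escape"] = "allowed"
        except PermissionError:
            out["escape"] = "blocked"
        out["granted"] = app.read(broker.grant(app, "essay.txt"))
        out["jail_files"] = sorted(p.name for p in jail.iterdir())
        return out
```

The app never holds a path into home; after the grant the jail contains exactly one extra name, and the user's other files stay unreachable.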

  2. Origin/rationale for name by dewarrn1 · Score: 5, Interesting

    From the spec linked from the article, section 11:

    In Norse mythology, Bifrost is the bridge which keeps mortals, inhabitants of the realm of Midgard, from venturing into Asgard, the realm of the gods. In effect, Bifrost is a powerful security system designed to keep out unwanted intruders.

    This is not why the OLPC security platform's name is a play on the name of the mythical bridge, however. What's particularly interesting about Bifrost is a story that 12th century Icelandic historian and poet Snorri Sturluson tells in the first part of his poetics manual called the Prose Edda. Here is the relevant excerpt from the 1916 translation by Arthur Gilchrist Brodeur:

    Then said Gangleri: "What is the way to heaven from earth?"

    Then Harr answered, and laughed aloud: "Now, that is not wisely asked; has it not been told thee, that the gods made a bridge from earth, to heaven, called Bifrost? Thou must have seen it; it may be that ye call it rainbow.' It is of three colors, and very strong, and made with cunning and with more magic art than other works of craftsmanship. But strong as it is, yet must it be broken, when the sons of Muspell shall go forth harrying and ride it, and swim their horses over great rivers; thus they shall proceed."

    Then said Gangleri: "To my thinking the gods did not build the bridge honestly, seeing that it could be broken, and they able to make it as they would."

    Then Harr replied: "The gods are not deserving of reproof because of this work of skill: a good bridge is Bifrost, but nothing in this world is of such nature that it may be relied on when the sons of Muspell go a-harrying."

    This story is quite remarkable, as it amounts to a 13th century recognition of the idea that there's no such thing as a perfect security system.

  3. Re:One Treacherous computer per Child by kelnos · Score: 4, Interesting

    Are you just trolling?

    If you'll RTFA (yeah, I know, no one does that...), the system can be completely disabled if the user so wishes. The purpose of the PKI is not to force someone to only use certain software; it's to help ensure that security updates haven't been compromised before getting to the laptop.

    As for installing another Linux distribution, would that even be possible at present? I doubt any other distro would run properly on the OLPC's custom hardware without extensive modifications. Sure, you can argue "but they should have the freedom to break it if they want" -- and they do, as the article says. All this stuff can be disabled. Overwriting the OS should disable the anti-theft daemon, since the anti-theft system is implemented entirely in software.

    I think the anti-theft provisions that turn the laptop into a brick are a bit much, but the actual spec (which I'm sure you didn't read either, as you're misquoting it) notes that the lease period can be set to any value (chosen by the country manager who distributes the laptop). A lease period of 3 months is given as an example. And in extreme circumstances, a USB drive with credentials can be used to extend the lease period without needing access to the internet.

    At any rate, the spec mentions that the anti-theft system is only installed and enabled on the request of the country purchasing the laptops. So it's not like the OLPC group is forcing this on anyone. If the countries are spending the cash on these things, I think it's reasonable that they should be able to try to protect their investment.

    I have a decent number of reservations about the entire OLPC program, but c'mon, at least don't make up shit about it that isn't true.

    --
    Xfce: Lighter than some, heavier than others. Just right.