Slashdot Mirror

← Back to Stories (view on slashdot.org)

One Laptop Per Child Security Spec Released

Posted by ScuttleMonkey on from the no-school-like-the-old-school dept.

juwiley writes "The One Laptop Per Child project has released information about its advanced security platform called Bitfrost. Could children with a $100 laptop end up with a better security infrastructure than executives using $5000 laptops powered by Vista? 'What's deeply troubling — almost unbelievable — about [Unix style permissions] is that they've remained virtually the only real control mechanism that a user has over her personal documents today...In 1971, this might have been acceptable...We have set out to create a system that is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market.'"

9 of 253 comments (clear)

  1. Yes, better security... by TinBromide · · Score: 5, Funny

    So, I bet that my cell phone has better security than a $5000 vista laptop, but you can do stuff on that laptop that you can't on my phone. (not sure what, but i'm sure there's something porn related)

    --
    Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
  2. Re:$5000 laptop? Pulleeze!! by Whiney+Mac+Fanboy · · Score: 5, Informative

    What executive, or any human being do you know is using a $5000 laptop? Even the most hardcore geeks I know spend only up to about $2k for the best laptops.

    Hardcore geek != executive.

    You've obviously never met an executive, they don't have the slightest problem splashing out (from the company account) well upwards of $5000. They think they're worth it.

    --
    There are shills on slashdot. Apparently, I'm one of them.
  3. very sceptical by Tom · · Score: 5, Insightful

    Security is a lot like crypto: Designing your own system is a recipe for desaster. Security is hard, and aside from the conceptual stages, small failures in implementation can destroy the best concept.

    So anyone coming up with a "new and improved" security concept is selling an untested solution. Because security is always tested in the field, never (at least never properly) in the lab.

    And yes, Unix permissions are primitive. But they work, they are reliable and we know their shortcomings and limitations.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:very sceptical by swillden · · Score: 5, Insightful

      So anyone coming up with a "new and improved" security concept is selling an untested solution.

      True, but inapplicable in this case. For two reasons.

      1. There are no new concepts in the XO security model.
      2. The traditional security model (used by Unix and Windows) cannot work for the OLPC, so something different is required.

      How can we have a new security model, but no new security model concepts? What's new is that ideas which have been reserved for high-security systems are being applied to a system that large numbers of people will actually use.

      The core ideas are:

      • Sandboxing, aka Mandatory Access Controls. Not only have research systems built on this concept existed for years, but we also have a decade of practical experience with Java sandboxes, and several years of extensive experience with MAC on Linux (SELinux). Specialized high-security operating systems have employed MAC for decades.
      • Chroot jails. Most sysadmins who are serious about security run all Internet-facing applications in jails, to limit the damage that can be done if the app is exploited. The only difference here is that the concept is being applied to all apps.
      • Digital signatures as a way to authorize applications to break out of their constrained (sandboxed and jailed) environments.
      • Allowing users to authorize applications to break out of their constrained environments.
      • Security by default. The system is secure out of the box.

      The only innovation here is in the decision to apply these known security models/tools to all applications on the OLPC. There is some good thought that has gone into determining what kinds of restrictions can be placed on apps, and the bit about constraining the permissions that apps can request during installation (e.g. either network or file access, not both -- without digital signature or explicit user authorization) is clever, but there's nothing fundamentally new.

      But the issue is somewhat deeper than that, as well.

      It's important to realize that the traditional security model does not work for OLPC machines. Why? Because (1) they're specifically designed as computers whose software is highly mutable and (2) they're specifically designed to live as part of a network. The traditional model works great if you can thoroughly prove the integrity of the software on the system and then lock it down -- but you can't do that on machines that are constantly connected to others and always exchanging bits of code and data.

      You can try, of course. And we do. And we've seen just how well it works. Massive botnets of zombies is the result as is high-powered machines dedicating a significant portion of their processing power to defending themselves against malicious code -- and failing.

      The traditional model is fundamentally broken in the networked age, and the OLPC machines are not only networked, but designed to facilitate every user becoming an at least minimally-competent programmer and to encourage widespread, free sharing of user-developed code.

      New problems require new solutions. In this case, it appears that we already had all of the tools required available, they just weren't widely used.

      My prediction: The XO security model will be an outstanding success story. It'll have its problems, and it'll have to be tweaked in various ways, but the basic ideas are so good, and so fundamentally simple, that it will work very well. Application authors will be able to achieve what they want, and security will be generally quite good.

      I also think that the OLPC project is one of the most amazing stories in the history of computing. It's giving a bunch of brilliant people the opportunity to completely re-imagine computing, and they're doing it with a laser focus on the needs of the people who use the computers, rather than the needs of those who sell the computers and the software.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. The one major difference to MS "trusted" computing by gd23ka · · Score: 5, Insightful

    --"No lockdown. Though in their default settings, the laptop's security
      systems may impose various prohibitions on the user's actions, there
    must exist a way for these security systems to be disabled. When that is
    the case, the machine will grant the user complete control."

    That is the one of the key differences between Bitfrost and Microsoft
    "trusted computing" schemes: you as owner of the box can get around it.

  5. Re:chmod, chown, etc.? by pla · · Score: 5, Insightful

    I wonder if the author's used chmod, chown, etc.? What's the essential difference between Unix style permissions and other permission systems?

    Well, Windows uses the ACL system of permissions it stole from VMS. It actually does provide more control (that you don't need 99.9% of the time), such as multiple groups having different levels of permissions.

    Increasingly complex file-level security does come with one major drawback, however... I can look at a file under Linux and instantly tell (possibly with a quick check of the members of a single group) who has what access to it. Under Windows, good luck with that. XP actually has an advanced security tab, "Effective Permissions", solely for the purpose of testing what access a given user has to a file or directory. Short of that tool, some of the more complex possible configurations (which don't take any sort of unrealistically contrived setups to get, such as a combination of local and domain groups having both inherited and locally set permissions) would leave you feeling very uncomfortable guessing who has access to a given file. And of course, that tab only lets you check one user or group at a time, so it proves utterly useless in answering the simple question "Who can overwrite this file".

    In fairness, you could write a script to test every user and group against a given set of files and directories and generate a report off the output, but seriously, would anyone really consider that "better" than "0750, yup, that looks good"?

  6. Re:One Desktop per Village would be a better start by Goaway · · Score: 5, Insightful

    I can't help but notice that the people working on this "too ambitious" project are actually out there doing it, while you are... posting on Slashdot?

  7. It's worse than that, it prevents app partitioning by Morgaine · · Score: 5, Insightful

    >> how am I going to implement this new idea I have for cross-application communication based on shared pipes among apps.

    Actually, it's even worse than your funny (but accurate) comment suggests:

    In the Unix model, applications are often built out of multiple cooperating processes, each of which is isolated into its own address space, with strong barriers between processes enforced by the MMU hardware. This makes each separate part more robust, more comprehensible, and more secure.

    In contrast, when Bitfrost throws away the ability of programs to talk to other programs, it is intrinsically encouraging a monolithic approach to program design, which is a huge step backwards both for security and for complexity management.

    Bitfrost is right to deny free access by programs to a user's filestore objects as an important part of its new security framework, but if the price for that is to disallow strong application factoring and partitioning into separate but communicating processes then the cure may be worse than the disease.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  8. Origin/rationale for name by dewarrn1 · · Score: 5, Interesting
    From the spec linked from the article, section 11:

    1227 In Norse mythology, Bifrost is the bridge which keeps mortals, inhabitants of
    1228 the realm of Midgard, from venturing into Asgard, the realm of the gods. In
    1229 effect, Bifrost is a powerful security system designed to keep out unwanted
    1230 intruders.
    1231
    1232 This is not why the OLPC security platform's name is a play on the name of the
    1233 mythical bridge, however. What's particularly interesting about Bifrost is a
    1234 story that 12th century Icelandic historian and poet Snorri Sturluson tells in
    1235 the first part of his poetics manual called the Prose Edda. Here is the
    1236 relevant excerpt from the 1916 translation by Arthur Gilchrist Brodeur:
    1237
    1238 Then said Gangleri: "What is the way to heaven from earth?"
    1239
    1240 Then Harr answered, and laughed aloud: "Now, that is not wisely asked; has
    1241 it not been told thee, that the gods made a bridge from earth, to heaven,
    1242 called Bifrost? Thou must have seen it; it may be that ye call it rainbow.'
    1243 It is of three colors, and very strong, and made with cunning and with more
    1244 magic art than other works of craftsmanship. But strong as it is, yet must
    1245 it be broken, when the sons of Muspell shall go forth harrying and ride it,
    1246 and swim their horses over great rivers; thus they shall proceed."
    1247
    1248 Then said Gangleri: "To my thinking the gods did not build the bridge
    1249 honestly, seeing that it could be broken, and they able to make it as they
    1250 would."
    1251
    1252 Then Harr replied: "The gods are not deserving of reproof because of this
    1253 work of skill: a good bridge is Bifrost, but nothing in this world is of
    1254 such nature that it may be relied on when the sons of Muspell go
    1255 a-harrying."
    1256
    1257 This story is quite remarkable, as it amounts to a 13th century recognition of
    1258 the idea that there's no such thing as a perfect security system.