By Ryan Singel
Feb, 07, 2007
SAN FRANCISCO -- The One Laptop Per Child project, which proposes to
give every child in the developing world a computer of his own, dazzled
fans with the unveiling of its little green "$100 laptop" in November
2005. Now it's impressing hard-bitten security geeks with a plan to lock
down the hundreds of millions of educational machines against spyware
and computer intruders.
The laptop, officially called the XO, includes a swiveling LCD screen
that can switch between low-resolution color and higher-resolution
black-and-white. It also has a camera and microphone that enable clear
video calls, three USB ports, 128 MB of RAM, 512 MB of flash storage,
built-in Wi-Fi with extraordinary range, a long-lasting battery
rechargeable by a cord or car battery, and a custom, Linux-based
operating system that prefers tags to a traditional file system. Every
full-grown geek who sees the 7.5-inch screen asks how they can buy one.
Millions of XO laptops are expected to go into production late in 2007,
with Thailand, Brazil, Uruguay and Rwanda, among others, signed up for
the launch. If all goes according to plan, that will make the XO
laptop's operating system one of the more common platforms in the world.
And with kids as young as 6 as target users, hackers may already be
dreaming of taking computers from babies through rogue code.
But it should come as no surprise -- given how thoroughly the project
has rewritten the conventions of what a laptop should be -- that the
XO's security isn't built on firewalls and antivirus software.
Instead, the XO will premiere a security system that takes a radical
approach to computer protection. For starters, it does away with the
ubiquitous security prompts so familiar to users of Windows and
antivirus software, said Ivan Krstic, a young security guru on break
from Harvard who's in charge of security for the XO.
"How can you expect a 6-year-old to make a sensible decision when
40-year-olds can't?" Krstic asked in a session at the RSA Conference.
Those boxes simply train users to check "yes," he argued.
Krstic's system, known as the BitFrost platform, has only one user
prompt (turning on the camera) and imposes limits on every program's
powers. Under BitFrost, every program runs in its own virtual machine
with a limited set of permissions. Thus a picture viewer can't access
the web, so even if a hacker comes up with an exploit that lets him
control the program, he couldn't use it to grab all the photos on the
laptop and upload them to the internet.
"Applications can no longer run rampant," Krstic said. "Spyware becomes
very, very hard. It can't spy on the keyboard. You can only spy on how a
user uses their program."
Krstic contrasts this approach to Microsoft's Windows XP where every
program, including Solitaire, has the right to access the web, turn on
the video camera, open spreadsheets and send e-mail.
Programs downloaded to the computer have no permissions, unless that
software has been certified by a trusted authority. The certifier --
it's unclear who that will be -- will have the job of ensuring that no
program has enough access to the computer to do damage. Users can
manually assign more power to a particular program through the security
control panel, but even there, they are limited.
"You cannot request a set of permissions that let you do bad things,"
Krstic's objectives are to attack the problem of malware by removing the
economic incentive to attack, and to make security usable.
While the idea of limiting permissions program by program dates back as
far as 1959, according to Krstic, it's not been adopted widely because
it puts the burden on application writers to deal with security.
Other Linux/Unix-based systems -- including Apple's Mac OS -- run
programs with authority limited to a local user, but that's not enough,
said Krstic, because the program can still delete user files, even if it
can't touch the underlying system files.
Krstic's no fan of Microsoft's security, either -- despite Vista's
imposition of limited permissions on programs, and its isolation of
Internet Explorer in a virtual sandbox. "Vista's sandboxing is trying to
impale sandboxing on something broken," Krstic said.
Still, Krstic admits there's a drawback to his system: It limits
interactions between applications.
"This kind of model makes it more difficult for glue between
applications to be built," Krstic said. "But 99 percent don't need
The project plans to release a detailed description of the system on the
laptop.org site Wednesday.
Beyond cyberthreats, the XO laptop will have an anti-theft system
designed to render stolen laptops useless. Each XO is assigned a
"lease," secured by cryptography, that allows it to operate for a
limited period of time. The laptop connects to the internet daily and
checks in with a country-specific server to see if it's been reported
stolen. If not, the lease is extended another few weeks.
If the lease expires, the XO's internet connectivity is turned off, and
shortly thereafter the whole computer becomes a brick. In the case of an
area without internet connectivity, a local school can extend the lease
from its own server by Wi-Fi or with a USB dongle.
Despite the meticulous planning, Krstic admits he has one big concern as
the planned rollout nears.
"I fear there is something I missed," he said.
Subscribe to the InfoSec News RSS Feed