[ISN] High Security for $100 Laptop

From: InfoSec News (alerts@private)
Date: Wed Feb 07 2007 - 22:36:29 PST


By Ryan Singel
Feb, 07, 2007

SAN FRANCISCO -- The One Laptop Per Child project, which proposes to 
give every child in the developing world a computer of his own, dazzled 
fans with the unveiling of its little green "$100 laptop" in November 
2005. Now it's impressing hard-bitten security geeks with a plan to lock 
down the hundreds of millions of educational machines against spyware 
and computer intruders.

The laptop, officially called the XO, includes a swiveling LCD screen 
that can switch between low-resolution color and higher-resolution 
black-and-white. It also has a camera and microphone that enable clear 
video calls, three USB ports, 128 MB of RAM, 512 MB of flash storage, 
built-in Wi-Fi with extraordinary range, a long-lasting battery 
rechargeable by a cord or car battery, and a custom, Linux-based 
operating system that prefers tags to a traditional file system. Every 
full-grown geek who sees the 7.5-inch screen asks how they can buy one.

Millions of XO laptops are expected to go into production late in 2007, 
with Thailand, Brazil, Uruguay and Rwanda, among others, signed up for 
the launch. If all goes according to plan, that will make the XO 
laptop's operating system one of the more common platforms in the world. 
And with kids as young as 6 as target users, hackers may already be 
dreaming of taking computers from babies through rogue code.

But it should come as no surprise -- given how thoroughly the project 
has rewritten the conventions of what a laptop should be -- that the 
XO's security isn't built on firewalls and antivirus software.

Instead, the XO will premiere a security system that takes a radical 
approach to computer protection. For starters, it does away with the 
ubiquitous security prompts so familiar to users of Windows and 
antivirus software, said Ivan Krstic, a young security guru on break 
from Harvard who's in charge of security for the XO.

"How can you expect a 6-year-old to make a sensible decision when 
40-year-olds can't?" Krstic asked in a session at the RSA Conference. 
Those boxes simply train users to check "yes," he argued.

Krstic's system, known as the BitFrost platform, has only one user 
prompt (turning on the camera) and imposes limits on every program's 
powers. Under BitFrost, every program runs in its own virtual machine 
with a limited set of permissions. Thus a picture viewer can't access 
the web, so even if a hacker comes up with an exploit that lets him 
control the program, he couldn't use it to grab all the photos on the 
laptop and upload them to the internet.

"Applications can no longer run rampant," Krstic said. "Spyware becomes 
very, very hard. It can't spy on the keyboard. You can only spy on how a 
user uses their program."

Krstic contrasts this approach to Microsoft's Windows XP where every 
program, including Solitaire, has the right to access the web, turn on 
the video camera, open spreadsheets and send e-mail.

Programs downloaded to the computer have no permissions, unless that 
software has been certified by a trusted authority. The certifier -- 
it's unclear who that will be -- will have the job of ensuring that no 
program has enough access to the computer to do damage. Users can 
manually assign more power to a particular program through the security 
control panel, but even there, they are limited.

"You cannot request a set of permissions that let you do bad things," 
Krstic said.

Krstic's objectives are to attack the problem of malware by removing the 
economic incentive to attack, and to make security usable.

While the idea of limiting permissions program by program dates back as 
far as 1959, according to Krstic, it's not been adopted widely because 
it puts the burden on application writers to deal with security.

Other Linux/Unix-based systems -- including Apple's Mac OS -- run 
programs with authority limited to a local user, but that's not enough, 
said Krstic, because the program can still delete user files, even if it 
can't touch the underlying system files.

Krstic's no fan of Microsoft's security, either -- despite Vista's 
imposition of limited permissions on programs, and its isolation of 
Internet Explorer in a virtual sandbox. "Vista's sandboxing is trying to 
impale sandboxing on something broken," Krstic said.

Still, Krstic admits there's a drawback to his system: It limits 
interactions between applications.

"This kind of model makes it more difficult for glue between 
applications to be built," Krstic said. "But 99 percent don't need 

The project plans to release a detailed description of the system on the 
laptop.org site Wednesday.

Beyond cyberthreats, the XO laptop will have an anti-theft system 
designed to render stolen laptops useless. Each XO is assigned a 
"lease," secured by cryptography, that allows it to operate for a 
limited period of time. The laptop connects to the internet daily and 
checks in with a country-specific server to see if it's been reported 
stolen. If not, the lease is extended another few weeks.

If the lease expires, the XO's internet connectivity is turned off, and 
shortly thereafter the whole computer becomes a brick. In the case of an 
area without internet connectivity, a local school can extend the lease 
from its own server by Wi-Fi or with a USB dongle.

Despite the meticulous planning, Krstic admits he has one big concern as 
the planned rollout nears.

"I fear there is something I missed," he said.

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Wed Feb 07 2007 - 22:57:47 PST