Security: Difference between revisions

From OLPC
Jump to navigation Jump to search
mNo edit summary
m (Reverted edits by 200.89.84.90 (Talk) to last revision by Quozl)
 
(22 intermediate revisions by 5 users not shown)
Line 3: Line 3:
There are many ways that children involved in the OLPC effort might fail to benefit from their involvement. Some of these educational failures stem from security threats such as laptop theft, software interference, or socially malicious pranks. Therefore, we have created a [[Security#Threat Model|threat model]], a number of [[Security#Design|designs]], and several [[Security#Design|implementations]] that we think will help mitigate these threats. More information about these artifacts can be gleaned from other [[:Category:Security|pages on security]].
There are many ways that children involved in the OLPC effort might fail to benefit from their involvement. Some of these educational failures stem from security threats such as laptop theft, software interference, or socially malicious pranks. Therefore, we have created a [[Security#Threat Model|threat model]], a number of [[Security#Design|designs]], and several [[Security#Design|implementations]] that we think will help mitigate these threats. More information about these artifacts can be gleaned from other [[:Category:Security|pages on security]].


Unfortunately, providing truly dependable software is a '''challenging''' task at best. Fortunately, there are many ways that you can help out, both [[Developers|generically]] or [[Security#Contributions|particularly]]. Finally, if you are interested in speaking with [[security people]], know that they are readily available.
Unfortunately, providing truly dependable software is a '''challenging''' task at best. Fortunately, there are many ways that you can help out, both [[Developers|generically]] or [[Security#Contributions|particularly]]. Finally, if you are interested in speaking with [[Security credits#Active Contributors|security people]], know that they are readily available.


== Threat Model ==
== Threat Model ==
Line 9: Line 9:
The threat model for the OLPC XO running Sugar is discussed in the [[Bitfrost]] summary and in the [[OLPC Bitfrost|full specification]].
The threat model for the OLPC XO running Sugar is discussed in the [[Bitfrost]] summary and in the [[OLPC Bitfrost|full specification]].


NB: The ''authoritative'' version of this document is [http://dev.laptop.org/git?p=security;f=bitfrost.txt;hb=HEAD;a=blob bitfrost.txt].
NB: The ''authoritative'' version of this document is [http://dev.laptop.org/git/security/tree/bitfrost.txt bitfrost.txt].


== Design ==
== Design ==
Line 15: Line 15:
All software running on the XO could compromise the security goals of the XO users; however, only some of this software has been considered in light of the user's security goals and the Bitfrost threat model.
All software running on the XO could compromise the security goals of the XO users; however, only some of this software has been considered in light of the user's security goals and the Bitfrost threat model.


Some programs or classes of programs that have received particular scrutiny include:
Some programs, classes of programs, and features that have received particular scrutiny include:


; Activities
; Activities
: [[Rainbow]], [[Taste the Rainbow]], and [http://dev.laptop.org/git?p=security;f=rainbow.txt;hb=HEAD;a=blob; the Rainbow design spec] deal with implementation and design of the activity isolation model suggested by Bitfrost.
: [[Rainbow]] deals with implementation and design of the activity isolation model suggested by Bitfrost.


; [[Open Firmware]]
; [[Open Firmware]]
: [[Firmware security]] and [[Early boot]] discuss how we address the security considerations of the firmware-OS level.
: [[Firmware security]] and [[Early boot]] discuss how we address the security considerations of the firmware-OS level.

; [[Theft-deterrence protocol|Theft deterrence]]
: [[User:Mstone/Commentaries/Security_1]] examines the security requirements of the ''first-boot activation'', ''passive-kill'', and ''active-kill'' features. Elsewhere, the impact of [http://lists.laptop.org/pipermail/security/2008-June/000441.html signature delegation] on theft-deterrence goals and security is analyzed.

; Software update
: [[Software update]], [[Olpc-update]], [[OFW NAND FLASH Updater]], [[Nandblaster_for_XO-1]], [[Nandblaster_for_XO-1.5]] and others are programs for getting new software onto an XO.
: [[User:Mstone/Commentaries/Mass olpc-update]] discusses the interactions of [[olpc-update]] and the [[theft deterrence protocol]].


== Contributions ==
== Contributions ==
Line 38: Line 45:


; organizing other people
; organizing other people
: Many people are capable of improving the security of their software but they some critical resource like knowledge, motivation, or criticism. Be a matchmaker.
: Many people are capable of improving the security of their software but for the lack of some critical resource like knowledge, motivation, or criticism. Find and provide the missing piece.


; spreading the word
; spreading the word
: Many of our ideas on software security are transferable to other operating systems and environment -- particularly to other Unix-like machines. Help port our software to another platform so that others can benefit from it and can help us improve it on their own terms.
: Many of our ideas on software security are transferable to other operating systems and environments -- particularly to other Unix-like machines. Help port our ideas or software to another platform so that others can benefit from them and can help us improve them on their own terms.


== Procedures ==
== Procedures ==
Line 52: Line 59:


[[category:security]]
[[category:security]]
[[Category:Subsystems]]

Latest revision as of 14:02, 8 October 2010

Introduction

There are many ways that children involved in the OLPC effort might fail to benefit from their involvement. Some of these educational failures stem from security threats such as laptop theft, software interference, or socially malicious pranks. Therefore, we have created a threat model, a number of designs, and several implementations that we think will help mitigate these threats. More information about these artifacts can be gleaned from other pages on security.

Unfortunately, providing truly dependable software is a challenging task at best. Fortunately, there are many ways that you can help out, both generically or particularly. Finally, if you are interested in speaking with security people, know that they are readily available.

Threat Model

The threat model for the OLPC XO running Sugar is discussed in the Bitfrost summary and in the full specification.

NB: The authoritative version of this document is bitfrost.txt.

Design

All software running on the XO could compromise the security goals of the XO users; however, only some of this software has been considered in light of the user's security goals and the Bitfrost threat model.

Some programs, classes of programs, and features that have received particular scrutiny include:

Activities
Rainbow deals with implementation and design of the activity isolation model suggested by Bitfrost.
Open Firmware
Firmware security and Early boot discuss how we address the security considerations of the firmware-OS level.
Theft deterrence
User:Mstone/Commentaries/Security_1 examines the security requirements of the first-boot activation, passive-kill, and active-kill features. Elsewhere, the impact of signature delegation on theft-deterrence goals and security is analyzed.
Software update
Software update, Olpc-update, OFW NAND FLASH Updater, Nandblaster_for_XO-1, Nandblaster_for_XO-1.5 and others are programs for getting new software onto an XO.
User:Mstone/Commentaries/Mass olpc-update discusses the interactions of olpc-update and the theft deterrence protocol.

Contributions

You can contribute to the education received by hundreds of thousands of children this year by:

writing software
Review the documentation cited above, then bring your questions and patches to the security mailing list (subscribe).
refining the threat model and mitigation strategies
Did we miss an important threat (e.g. to privacy)? If so, please work with us to fix our model.
Alternately, if you have expertise in a related field like sociology (what notion of identity should our software reify?) or criminology (the who/what/where/why/how of stolen laptops), please improve our theories and recommended practices.
breaking assumptions
Software 'security' is proven under fire. Here's your opportunity to crank up the heat.
organizing other people
Many people are capable of improving the security of their software but for the lack of some critical resource like knowledge, motivation, or criticism. Find and provide the missing piece.
spreading the word
Many of our ideas on software security are transferable to other operating systems and environments -- particularly to other Unix-like machines. Help port our ideas or software to another platform so that others can benefit from them and can help us improve them on their own terms.

Procedures

Some day soon, we'll try to write up some simple procedures to ease the task of making the security contributions described above. Ping the security list (subscribe) if you want this up.

Thanks

Many people, both named and anonymous have contributed to the security of software available on the XO and hence to the quality and power of the education received by hundreds of thousands of kids this year. If you or your organization would like to be recognized for your contributions, please add your name and affiliation to the Security credits page along with a brief description of what you worked on.