Security
Introduction
There are many ways that children involved in the OLPC effort might fail to benefit from their involvement. Some of these educational failures stem from security threats such as laptop theft, software interference, or socially malicious pranks. Therefore, we have created a threat model, a number of designs, and several implementations that we think will help mitigate these threats. More information about these artifacts can be gleaned from other pages on security.
Unfortunately, providing truly dependable software is a challenging task at best. Fortunately, there are many ways that you can help out, both generically or particularly. Finally, if you are interested in speaking with security people, know that they are readily available.
Threat Model
The threat model for the OLPC XO running Sugar is discussed in the Bitfrost summary and in the full specification.
NB: The authoritative version of this document is bitfrost.txt.
Design
All software running on the XO could compromise the security goals of the XO users; however, only some of this software has been considered in light of the user's security goals and the Bitfrost threat model.
Some programs, classes of programs, and features that have received particular scrutiny include:
- Activities
- Rainbow deals with implementation and design of the activity isolation model suggested by Bitfrost.
- Open Firmware
- Firmware security and Early boot discuss how we address the security considerations of the firmware-OS level.
- Theft deterrence
- User:Mstone/Commentaries/Security_1 examines the security requirements of the first-boot activation, passive-kill, and active-kill features. Elsewhere, the impact of signature delegation on theft-deterrence goals and security is analyzed.
- Software update
- Software update, Olpc-update, OFW NAND FLASH Updater, Multicast_NAND_FLASH_Update and others are programs for getting new software onto an XO.
- User:Mstone/Commentaries/Mass olpc-update discusses the interactions of olpc-update and the theft deterrence protocol.
Contributions
You can contribute to the education received by hundreds of thousands of children this year by:
- writing software
- Review the documentation cited above, then bring your questions and patches to the security mailing list (subscribe).
- refining the threat model and mitigation strategies
- Did we miss an important threat (e.g. to privacy)? If so, please work with us to fix our model.
- Alternately, if you have expertise in a related field like sociology (what notion of identity should our software reify?) or criminology (the who/what/where/why/how of stolen laptops), please improve our theories and recommended practices.
- breaking assumptions
- Software 'security' is proven under fire. Here's your opportunity to crank up the heat.
- organizing other people
- Many people are capable of improving the security of their software but for the lack of some critical resource like knowledge, motivation, or criticism. Find and provide the missing piece.
- spreading the word
- Many of our ideas on software security are transferable to other operating systems and environments -- particularly to other Unix-like machines. Help port our ideas or software to another platform so that others can benefit from them and can help us improve them on their own terms.
Procedures
Some day soon, we'll try to write up some simple procedures to ease the task of making the security contributions described above. Ping the security list (subscribe) if you want this up.
Thanks
Many people, both named and anonymous have contributed to the security of software available on the XO and hence to the quality and power of the education received by hundreds of thousands of kids this year. If you or your organization would like to be recognized for your contributions, please add your name and affiliation to the Security credits page along with a brief description of what you worked on.