The One Laptop Per Child Security Model
July 20, 2007 by Richard Conlan
Paper: http://cups.cs.cmu.edu/soups/2007/proceedings/p132_krstic.pdf
There are a huge number of children in the world with little or no access to a quality education system. There are people working on building schools and creating infrastructure, but that is no reason not to try to get laptops out there now. The OLPC laptop is incredibly power efficient and has a pretty decent range of hardware functionality intended for just such a deployment.
Threat model:
- Software attacks on hardware (such as the harddrive)
- Attacks on OS integrity
- User data loss
- Privacy
These concerns are exacerbated by the fact that the laptops are intended to be open to hacking and exploration. To protect the system the OLPC project has implemented a security framework named Bitfrost.
Bitfrost design goals
- Prevent hardware damage
- Provide software recoverability without lockdown
- Provide strong, unobtrusive, out-of-the-box security (cannot assume reliable Internet access)
The basic idea behind Bitfrost is to impose container-based virtualization that effectively cordons off the software on the machine so that each app is effectively independent. The hardware includes a hardware latch that protects the BIOS from modification by the OS. Each container has a token bucket that limits how often it can write to the NAND flash (to combat the fact that flash memory dies after too many reads). There are hard-wired LEDs for the camera and microphone that authoritatively indicate when each device is on or off. The base OS is never exposed to the user without a special “developer key”; the typical user is granted only “copy-on-write” access. This ensures the child can still customize and experiment with the OS, but can revert to a known good state at any time.
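The per-container write limiter is easiest to understand as a token bucket: a container earns write tokens at a steady rate up to a fixed cap, and each flash page it writes spends one token, so a runaway program can burst briefly but cannot hammer the NAND indefinitely. The following is an added illustration written for this post, not Bitfrost's own code; the capacity, refill rate, page size and the simulated workload are all constructed values, and the fake clock exists only so the behaviour is reproducible.

```python
import time


class FakeClock:
    """Constructed clock for deterministic simulation (not part of OLPC code)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class WriteTokenBucket:
    """Token bucket that rate-limits one container's NAND flash writes.

    Hypothetical model of the Bitfrost idea: the bucket holds at most
    `capacity` tokens and refills at `refill_per_sec` tokens per second.
    A write is charged one token per flash page; if the bucket cannot
    cover it, the write is refused instead of reaching the flash.
    """

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.tokens = float(capacity)  # bucket starts full
        self.clock = clock
        self.last = clock()

    def _refill(self):
        now = self.clock()
        elapsed = now - self.last
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)

    def try_write(self, nbytes, page_size=4096):
        """Return True if a write of nbytes may proceed, charging one token per page."""
        self._refill()
        pages = -(-nbytes // page_size)  # ceiling division: partial pages count in full
        if pages <= self.tokens:
            self.tokens -= pages
            return True
        return False


def simulate_runaway_writer():
    """Constructed workload: a misbehaving app tries to write one page 15 times
    back to back, then 6 more times after waiting 5 seconds.

    Returns (allowed_in_burst, allowed_after_wait).
    """
    clock = FakeClock()
    bucket = WriteTokenBucket(capacity=10, refill_per_sec=1, clock=clock)

    burst = sum(1 for _ in range(15) if bucket.try_write(4096))
    clock.advance(5)  # 5 seconds at 1 token/s refills 5 tokens
    later = sum(1 for _ in range(6) if bucket.try_write(4096))
    return burst, later


if __name__ == "__main__":
    print(simulate_runaway_writer())  # (10, 5)
```

The write limit is enforced in the container, so a bug or a malicious program inside one Activity can at worst exhaust its own bucket; other containers keep their own budget and the flash as a whole sees a bounded write rate.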
Laptops ship from the factory “deactivated” and require an activation key, delivered out of band from the laptops themselves, for initial activation. This should help ensure that a laptop is not stolen on the way to its destination. Thereafter each laptop requires daily access to a “lease” server, or else it locks down until it is reactivated, which should help curtail individual laptop theft.
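The lease mechanism can be modelled as a time-limited credential that the laptop must renew: a lease names the laptop, carries an expiry, and is authenticated by the server, and the laptop treats a missing, tampered, mismatched or expired lease as a reason to lock. The code below is an added example for this post and is not Bitfrost's implementation; it uses an HMAC with a shared key as a stand-in for the server's signature, and the key, serial number, timestamps and 24-hour lifetime are constructed values.

```python
import hashlib
import hmac
import json

LEASE_LIFETIME_SECONDS = 24 * 3600  # "daily" renewal, as described above


def issue_lease(server_key, laptop_serial, issued_at, lifetime=LEASE_LIFETIME_SECONDS):
    """Lease server side: bind a serial number to an expiry and authenticate it.

    HMAC-SHA256 stands in for the real server signature (assumption).
    """
    payload = json.dumps(
        {"serial": laptop_serial, "exp": issued_at + lifetime}, sort_keys=True
    ).encode()
    tag = hmac.new(server_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def lease_state(server_key, lease, laptop_serial, now):
    """Laptop side: return "active" if the lease authorises this machine right now,
    otherwise "locked". Every failure path falls through to the locked state."""
    if lease is None:
        return "locked"                      # never activated / lease lost
    expected = hmac.new(server_key, lease["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lease["tag"]):
        return "locked"                      # tampered or forged lease
    data = json.loads(lease["payload"])
    if data.get("serial") != laptop_serial:
        return "locked"                      # lease copied from another laptop
    if now > data["exp"]:
        return "locked"                      # no renewal within the lease window
    return "active"


def walk_through():
    """Constructed timeline: activation, normal use, missed renewal, renewal."""
    key = b"constructed-server-key"
    serial = "XO-CONSTRUCTED-0001"
    t0 = 1_000_000

    lease = issue_lease(key, serial, issued_at=t0)
    states = [
        lease_state(key, lease, serial, t0 + 3600),                # next hour
        lease_state(key, lease, serial, t0 + LEASE_LIFETIME_SECONDS + 1),  # a day later, no contact
    ]
    renewed = issue_lease(key, serial, issued_at=t0 + LEASE_LIFETIME_SECONDS)
    states.append(lease_state(key, renewed, serial, t0 + LEASE_LIFETIME_SECONDS + 1))
    return states


if __name__ == "__main__":
    print(walk_through())  # ['active', 'locked', 'active']
```

The check deliberately rejects a lease issued for another serial, so copying a valid lease file from one laptop to a stolen one does not unlock it; and because expiry is part of the authenticated payload, extending the date without the server's key fails the tag comparison.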
If you’re interested in seeing the OLPC code: http://dev.laptop.org/
August 2nd, 2007 at 08:44
Wow. Please tell me that this is some kind of bizarre joke. This approach doesn’t have a prayer of working in the “first world,” let alone the third.