[OLPC Security] Public release: OLPC Bitfrost security platform specification

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Wed Feb 7 14:36:13 EST 2007


Yoshiki Ohshima wrote:
> engine shouldn't have too strong protection by default to allow some
> interesting stuff by children.  (The user seems to "install" such a
> Python code as a "program", and upon that installation, he seems to
> have a chance to modify the protection.  Is this right?)

Yes. A program can, at installation time, request the privileges it
needs. There are some permissions that aren't requestable, and some that
are mutually exclusive with others when requested. The way the system is
built, these requestable permissions should be enough for the vast
majority of software (though there are exceptions), while not allowing a
program to ask for a set of permissions that would allow it to do
something particularly malicious.

There are two modifiers to this mechanism: the user is able to manually
assign any privileges she wishes to any piece of installed software, and
software that's cryptographically signed by a trusted authority (e.g.
OLPC, the country, or a regional educational authority) is able to
request whichever permissions it needs to get its job done.

An environment such as EToys is a clear target to be signed by OLPC.
Even without a sig, a user who installs it could give it all the
permissions it needs. "No lockdown" is one of the key Bitfrost principles.

-- 
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D



More information about the Devel mailing list