[OLPC Security] Application bundles and delegation

Ivan Krstić krstic at solarsail.hcs.harvard.edu
Thu Feb 8 23:02:04 EST 2007


Hi Ping,

Ka-Ping Yee wrote:
> I felt very encouraged upon reading the Bitfrost specification today.
> Congratulations on what you've accomplished so far.  It makes me very
> glad to see the up-front acknowledgement, in your introduction, of the
> key problem in security -- the wholesale granting of authority that
> happens when applications "run as" users.  When I saw Simson's name
> and the O'Reilly book mentioned I was even more excited.

A lot of my ideas about security really clicked together when I first
read your SID paper many years ago. It's been a big inspiration for my
work on Bitfrost, so thank you -- shoulders of giants.

> Is there a specification of the
> application bundle system in more detail that I can read somewhere?

The Sugar guys have a work in progress spec here:

    http://wiki.laptop.org/go/Activity_bundles

It's not finalized, and still requires quite a bit of work. I think
they're planning to get around to it soon.

> Is there an API that the installer provides to distributed packages?

Not yet. In the pipeline for the next couple of months.

> Somewhat related to that, what are your thoughts on delegation
> between applications?  When a program launches another program or
> invokes a library routine to carry out a task, how are authorities
> transferred from one to the other?  Perhaps the more technical
> document will talk about this?

Yes, I'll cover this in the technical spec, but the short version is
that we don't sandbox by executable, but by application. This includes
all its libraries. Normally, a program can't launch other programs on
the system (except for other executables in its own bundle), simply
because it doesn't have sufficient privilege to see that they even
exist. I have ideas about addressing the problem of inter-application
glue being hard to write.

Cheers,

-- 
Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | GPG: 0x147C722D