[OLPC Security] Security for plugins

Serguei Makarov SMakarov at uts.utoronto.ca
Sun Mar 18 22:53:33 EDT 2007 

            One thing the Bitfrost specification fails to address, and
that no one in the mailing list has raised is security for plugins and
extensions to activities. Look:

            * Some activity writers will want to write their activity as a
simple base with extensible plugins, in order to keep the base size small
while allowing children looking for specialized functionality to receive
it in a non-clunky fashion. Extensions to Squeak (which does have its own
security system for plugins), Develop (which should in the end be
extensible to allow, e.g. C development or a visual interface builder),
and Draw (where there might be demand for various esoteric features) come
to mind as examples.
            * Furthermore, many of these extensions will be written not by
random strangers but by the activity authors themselves. An extension
written and signed by the activity author should install without hassling
the user about security. Thus, such extensions are simply 
            * On the other hand, an extension written by someone else
*should* hassle the user and *should* be subject to the same sort of
restrictions Bitfrost puts on activities, so that a badly or maliciously
written third-party plug in can't screw up the activity's reputation with
the security monitor and can't corrupt the activity's files.
            * Ergo, the Bitfrost implementation should include an
easy-to-use library that allows plugins to be written and installed in a
secure and easy-to-use manner. Because activities don't need to have the
system know about extensions, this can even be shipped later, either in a
system update or as a library that activity writers can drop in.

            Anyone with influence agree that this will be something worth
taking a look at later on?

            The thing is, this isn't at all urgent. All of the example
extensions that came to mind are very much non-essential (Bezier curve
editing? Develop plugins? What are we, training a new generation of
designers and programmers?), but there will undoubtedly come a time when
an activity writer wants to allow their activity to be extended. Firefox,
for instance, has an extension system that puts it ahead of the
competition, and it has many extensions useful not only for professionals.

           Giving people a secure and official way to offer extensibility
will minimise instances where an activity is compromised with malicious
third party code, which under Bitfrost would not be as dangerous, but
would undoubtedly be *very* annoying.

            Serhei Makarov

           PS. Thank you for suffering through this long post; I hadn't
the time to write a short one..





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.laptop.org/pipermail/security/attachments/20070318/b9535a3d/attachment.html

More information about the Security mailing list