One Laptop per Child security

James A. Donald jamesd at
Thu Feb 8 03:32:44 EST 2007

Steven M. Bellovin wrote:
 > The AV decision is more problematic.  While a good
 > security model can prevent system files from being
 > overwritten, most worms use purely user-level
 > abilities.  It would take a fairly radical OS design
 > to prevent a user-level worm from spreading.

It is a fairly radical OS design.  Programs do not
inherit the full authority of the user.  They cannot do
anything the user can do.

For many tasks, they have to call upon a small amount of
trusted code.  For example the normal way an editor
opens a file is that one gives the editor a file name,
and the editor, having full user authority to read or
change any file in the system, plays nice and opens and
changes *only* that file.   In this OS, instead the
editor asks trusted code for a file handle, and gets the
handle to a file chosen by the user, and can modify that
file and no other.

The nice thing about this OS architecture is that that
each executable is loaded and run in its own VM, instead
of having access to everything the user has access to.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list