One Laptop per Child security

Ivan Krstić krstic at
Thu Feb 8 21:17:46 EST 2007

[Perry -- this is a very interesting discussion, but please feel free to
tell us to bugger off to the OLPC security list if you find it too

Nicolas Williams wrote:
> It tends to make me think that if an
> application wants to do something that I've not enabled it to do ahead
> of time then it fails. 

If an application wants to do something for which _it_ didn't request
permission ahead of time, it fails. The difficulty is in creating the
permission set with the proper mutual exclusions, and in such a way that
it's very hard to request a permission set required to do something
malicious. At the same time, it has to be easy for most applications to
request the permissions they need to get their work done. I've tried to
strike a decent balance.

> I'm imagining BitFrost as something like OpenBSD's systrace facility + a
> small number of well-profiled apps.  If this is a good analogy, please
> confirm it.

Think high-level systrace, with each application providing the policy at
install time, and the user being able to amend it at any time.

> In a world where web-based applications are all the applications you
> need, this attitude towards the browser leaves BitFrost with a big hole
> in it.

Protecting the browser is not in the scope of _system_ security. I'm
working on it separately, and want to see how to make it better, but to
the system security platform, a browser is just another application. To
that end, if the entire application is compromised, Bitfrost provides
very strong assurances about what an attacker can('t) do to the rest of
the system.

> I think you have to think of each site as a separate application, and
> profile that, if I understood BitFrost correctly.

No, the platform is too low in the security stack to have any idea about
what tabs and sites are. It sees a process, or some number of processes,
which are the browser.

Ivan Krstić <krstic at> | GPG: 0x147C722D

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list