The $100 laptop designed for the children of the developing world poses one of today's most challenging sets of computer security problems. These laptops will be widely deployed to children who have no training in computer security, computer use or much of anything else, in some cases.
They will belong to the children, go home with children and be customised by the children. And the laptops will provide internet access using a new mesh network design that turns the laptops into wireless routers, allowing hundreds of children spread out across a village to share a single internet connection. (See Building the £50 laptop.)
Such a proposal would spell a security nightmare if these laptops were all running a stock copy of Windows, MacOS or even Linux. Hackers could steal a laptop, find a vulnerability and then write a worm to wirelessly hop from laptop to laptop, turning them all into the largest botnet that the world had ever seen.
Even worse, the One Laptop per Child project has enemies - from people who see $100 laptops as a waste of resources when many communities don't even have clean water, to fundamentalists who are ideologically opposed to educating children with secular materials. Such enemies would almost certainly be motivated to create a piece of software to wipe the laptop's operating system and turn it into a $100 brick.
Although botnets and bricks are a persistent fear of the laptop development team, the team is incorporating security measures into the design that are aimed at preventing both disasters from unfolding. Other security measures should reduce the incentives for thieves to steal the laptops, for parents to sell their children's laptops and even for kids to change their ‘From’ address and get their classmates in trouble.
The $100 laptop, officially called the XO-1 or Children's Machine, is a marvel of engineering, but it isn't a laptop that most adults would want to use. The laptop's keyboard is a small plastic membrane stretched over a circuit board: it's resistant to water, and there are no moving parts, and it's definitely designed for children, not adults. The screen has a low-resolution colour mode and a high-resolution black-and-white mode, in which it looks almost as good as paper but it's the size of a paperback book. The computer's CPU runs standard x86 instructions, but it's slow - only a few hundred megahertz. The machine has just 128MB of RAM, 512MB of main flash memory, 1MB of BIOS flash and no hard drive. There are also three USB ports, a Secure Digital slot, a microphone and a camera.
BIOS, to boot
The BIOS flash is the laptop's primary defence against becoming a brick. As long as the BIOS is intact, the laptop can always boot from an external drive and have its operating system reinstalled. The BIOS also protects itself: It lives in write-protected memory that can be written only when the computer first boots. The BIOS will allow itself to be overwritten only with a new BIOS that is signed with four different digital signatures, the keys for which will be kept in a bank vault.
The XO laptop's operating system is a stripped-down version of Red Hat's Fedora Core Linux running a new user interface environment called Sugar. The goal of Sugar is to allow students to both read and create all kinds of documents, to collaborate wirelessly, and even to write and share programs with one another. Yet Sugar also has to protect a student's work from malicious code and allow students to easily recover from mistakes.
Sugar accomplishes this magic through the use of lightweight virtual machines. Each program that a student might want to run (or write) operates in its own virtual machine that's isolated from the rest of the computer. The application has access to three directories - one for temporary files, one for configuration information and one for data. This gives a game a reasonable place to store its high-score file. The rest of the computer's file system is invisible.
Of course, there are many kinds of data that should be shared between applications - like photographs, movies and word processor files. Sugar stores such documents in a special set of directories managed by an application called the Journal. The Journal automatically indexes its information by media type, contents and the date that it was created or modified. The idea is to free children from having to be file clerks - something that even adults don't do particularly well. (Ever see the desktop of a Windows or Mac computer littered with several hundred icons?)
When students wish to work with an image or on an essay, they'll pick the data inside the Journal. The Journal will then open the file and hand a reference to the opened file to the activity. An application can also instruct the Journal to ask the user to choose an object - for example, to specify a photo that might be included in a word processor document. Once again, the Journal returns to the application a reference to the opened file - the application never gets to run the open system call itself. This prevents a variety of attacks that are endemic on PCs today - for example, the malicious screen saver that surreptitiously opens and edits the contents of your word processing files.
Despite its strengths, the XO's radical hardware design opens up the potential for some new kinds of attacks - attacks that need to be prevented before the laptop can be deployed.
Consider the XO's flash storage. Unlike conventional RAM or hard drives, flash memory is limited as to the total number of times that it can be erased and rewritten. A malicious program could try to break the XO's flash by repeatedly rewriting the contents of one or more files until that lifetime has been exhausted. To prevent this kind of attack, every running activity on the computer is given a quota for how many sectors it can erase and rewrite per minute. Activities that use up their quota get slowed down and eventually suspended until their quota is replenished.
Another potential attack is made possible through the XO's microphone and video camera. A hostile program could turn these on and use them to eavesdrop on a child - or that child's family. Such attacks have already happened in the United States, with literal spyware turning on desktop webcams and transmitting the images to nefarious voyeurs. The XO's designers have addressed this potential problem with two bright LEDs mounted next to the videocamera: One LED turns on whenever the microphone is energized, the other alerts that the videocamera is in use.
Theft is a serious problem in many of the countries where the laptop is sure to be deployed. Although the XO's child-size keyboard, tiny screen and bright green colour should hopefully be theft deterrents, One Laptop Per Child has also designed an antitheft system that the countries purchasing the laptop can choose to enable and operate.
The antitheft system works a lot like Microsoft's Windows Update or the Activation feature that's built into Windows Vista. Each laptop has a unique serial number that's assigned when the laptop is created. Every day the laptop tries to make a connection over the internet to a centralised server run by the customer (that is, by the country or education system, or whoever bought the laptops). Once the connection is made, the XO reports on its health and checks for updates. If updates are available, they are automatically downloaded, checked for a valid digital signature and then installed.
Laptops that are reported stolen are given a special update that causes the laptop to disable itself until it is returned to the school where its owner is registered - and from where the original theft report was filed. If the laptop is never returned, it will never work again. If the laptop is returned, it can be reactivated. Laptops can also be configured to automatically disable themselves if they haven't been able to reach the update server for a predetermined period of time - say, one or two weeks.
One area where the laptop's security approach will be very different from Microsoft's, however, is identity management. The current plan is for each laptop to create its own digital certificate when it’s activated by its student owner. That certificate might contain the student's first name, photograph and other information - but it won't be digitally signed by the school, the ministry of education or anyone else. So these certificates could be used to sign chat and email messages (so that students can't forge messages from one another), but they won't work as the basis of a national electronic identity system.
If these security measures seem familiar, they should: many of them have been taken from other systems currently in the field or being tested in the lab. But the XO is the first system that puts them all together, and the first example of a computer maker trading compatibility with legacy applications in favour of strong security. If the XO is successful, my guess is that many computer users might be interested in making a similar trade for themselves. Expect to see these ideas showing up not just in Linux, but on MacOS and even Windows in coming years.
Simson Garfinkel, CISSP, is researching computer forensics and human thought at Harvard University. Send feedback to firstname.lastname@example.org.