Securing 100 Million Laptops

The one laptop per child project will create largest-ever computing monoculture

If the plan is perfectly executed, Nicholas Negropontes One Laptop Per Child project will deploy 100 million laptops in the first year. In one fell swoop, the nonprofit organization will create the largest computing monoculture in history.

Wary of the security risks associated with a computing monoculture—millions of machines with hardware and software of identical design—OLPC officials are seeking help from the worlds best hackers to review the full specifications of the $100 laptops security model.

"This is an enormous challenge for us," said Ivan Krstic´, director of the security and information platform efforts for the OLPC project, in Cambridge, Mass. "Security for these machines is hands down the hardest thing Ive ever worked on."

Krstic´ has spent a large portion of 2006 slipping into security conferences around the world, schmoozing with hackers, and trying to recruit computer security experts to look at the design and threat model and provide useful feedback.

"We want hackers to get in touch, look at the documentation, play with the machine and try to break into it. We run the risk of getting parts of this wrong, and thats not something we can afford," Krstic´ said in an interview with eWeek.

A former director of research at the Medical Informatics Laboratory at Zagreb Childrens Hospital, in Croatia, Krstic´ said he is well aware of the dangers of the monoculture. "If this succeeds, well have created the largest monoculture in the computer industry. To answer whether thats scary or not is a nontrivial question. The security implications are deeply frightening," he said.

The overall design goals already have been released to the OLPCs security panel for review, and Krstic´ plans to publicly release the specs to generate feedback from the open-source community.

Krstic´s team has already pinned down the security policy and threat model for the BIOS, the built-in software that runs when the machine is turned on. The machine, named the 2B1, will feature a completely secure BIOS solution that allows fully automatic upgrades without user intervention and fully protects against phishing and automated worm attacks, he said.

"Many of these kids will have never seen a computer before; they wont have a clue about computer security. That means that a lot of mechanisms in computers today just wont work for them," Krstic´ said, stressing that everything on the laptop will be open by design and will not rely on passwords for authentication.

"One of the main goals is to provide unobtrusive security," Krstic´ added. "Were doing security in a way that doesnt depend on the user reading or responding to a prompt on the screen."

The key design goal, Krstic´ explained, is to avoid irreversible damage to the machines. The laptops will force applications to run in a "walled garden" that isolates files from certain sensitive locations like the kernel. Even if the computer is damaged, the security model calls for a trivial reinstall of the operating system to put the machine back into full functionality.

Despite the security fears, Krstic´ is optimistic OLPC has a few aces up its sleeve. "We dont have backward compatibility on our list of concerns. Thats a huge advantage," he said. Without having to worry about existing applications, Krstic´ said OLPC can actually define the security policy for every piece of software built for the machine.

"We can tell people, If youre developing software, this is the policy," Krstic´ said. "We dont have to worry about thousands of apps that will retroactively break. It gives us an enormous level of control."

Still, there are crucial security decisions that are still up in the air. For example, the group is still brainstorming about whether to include automatic updates by default. Krstic´ is leaning toward implementing automatic updates, but, ideally, if the security model holds up, he expects 2B1 to have a level of isolation between the operating system, applications and user data that will reduce the need to issue lots and lots of updates.

"If we discover vulnerabilities, the security model must hold up enough that even a machine that is unpatched wont be easily exploitable. This gives us a bit of diversity to avoid the monoculture trap," Krstic´ said.

The issue of automatic updates, he said, remains "tricky" because of the difficulty in making strong assumptions about connectivity. The $100 laptops will feature built-in wireless mesh networking—allowing each laptop to connect to other laptops and work as a wireless mesh router when it is powered down—but the absence of strong connectivity to pull down updates could be awkward.

"The focus of my work is to make sure that dependence on updates is as minimal as possible," Krstic´ added.

Dave Aitel, an open-source advocate and vulnerability researcher at Immunity, in Miami, said fears of an OLPC monoculture presenting a major security risk may be a bit overblown. "Who wants to [hack] these children anyway? These laptops are not [Microsofts] Windows 95, and, in many ways, theyre more advanced than [Windows] Vista," Aitel said in an interview.

"Its a monoculture of hard targets," Aitel said, noting that the laptops will use a modern implementation of Linux hardened with ASLR (Address Space Layout Randomization) to handle code-scrambling diversity and Exec Shield, a security patch that flags data memory as nonexecutable and program memory as nonwritable.

Walter Bender, president of software and content at OLPC, said the foundations long-term goal expressly encourages computing diversity and argued that the "monoculture" tab might be a bit strong.

"Were designing this machine as an open platform with the expectation that its going to evolve," Bender said in an interview. "Even though were launching a monoculture, experience has shown that these open platforms evolve and change. Theres no reason to think this wont happen with these machines.

"We dont expect that a monoculture in the strict sense, where were controlling everything, will last very long," Bender added.

Bender insists that the overall goal of the OLPC foundation is to encourage diversity. "In the short term, were trying to launch something," he said. "Were a nonprofit, educational organization; were not a laptop manufacturer. Were developing an ecosystem that people can expand and bring to kids. Its anything but a monoculture."

The OLPC foundation, which traces its roots to Massachusetts Institute of Technology, is sponsored by a roster of big-name companies, including Advanced Micro Devices, eBay, Google, News Corp., Nortel Networks and Red Hat.

Getting down with OLPCs 2B1

What is it?

* The 2B1 is a Linux-based notebook with a 500MHz processor, 128MB of DRAM (dynamic RAM) and 500MB of flash memory. It does not have a hard disk but will have four USB ports.

Whos making them?

* Quanta Computer, of Taipei, Taiwan, has been chosen as the original design manufacturer. The preliminary schedule calls for the units to be ready for shipment by the end of 2006 or early 2007. Manufacturing will begin when 5 million to 10 million machines have been ordered and paid for in advance.

Who will use them?

* The laptops will be sold to governments and issued to children by schools on a basis of one laptop per child. Initial discussions have been held with Argentina, Brazil, China, Egypt, India, Nigeria and Thailand.

Source: OLPC Foundation