Bitfrost (OLPC) solved the desktop security problem
I've run into a very interesting presentation from Ivan Krstić (via Risque Management) who, as director of security architecture for the One Laptop per Child (OLPC) project, designed a new code execution platform—Bitfrost—to avoid the security issues that plague the desktop systems in use today. Bitfrost uses capabilities to restrict what each program can do, irrespective of the user account it runs under. You may be familiar with the concept from SELinux, GRsecurity or AppArmour, or, more recently, Caja.
By designing Bitfrost, OLPC did something remarkable: it gave up compatibility (with other platforms) in exchange for a secure execution environment. It's a decision so unusual that it must be applauded. So it's no wonder that Ivan resigned in March of 2008 after OLPC had appeared to have changed focus and Windows XP on its laptops became a reality. Judging from the status page, it appears that Bitfrost is not complete yet, so I wonder how it will progress now that Ivan is not with OLPC any more.
The presentation is full of interesting observations that I fully agree with. For example, the main point:
We have failed as an industry, and modern desktop security is completely broken as a result.
And this statement:
Key symptom: desktop security relies on the user to make informed, sensible choices... About things they don’t at all understand.
And this one:
So we weasel off responsibility to the user, stick our head in the sand, and pretend this was the right thing to do. But the user knows as much about computer security as they do about gravitational waves, closed strings and D-branes.
Please go and read the presentation for yourself so that I don't have to quote it here in its entirety. (What's a D-brane?)
Backward compatibility, by the way, is the main reason why everything is so insecure today. We made these very bad choices years ago, when the circumstances were vastly different, yet we are refusing to put things right today. It is a genuine challenge, even if you put the interests of various industries aside. If you were to come out with a perfectly secure operating system today people wouldn't jump to use it only because it's secure. Only Apple could have pulled that off, by doing things right in Mac OS X, but they wasted that opportunity.
The really sad fact is that the next opportunity to fix things is passing us by at this very moment. The whole world is moving to the Web, where desktop applications don't matter, but, instead of doing things right, we are just moving from one insecure platform to another.
I've come to the conclusion that people (e.g. developers) must be forced to do the right thing by not allowing them to do the wrong thing. The low adoption of the Java security model is a perfect example of this. Java has had a very good capabilities-based security model since version 1.2 (released in 1998), but hardly anyone is using it today. Why? Because it's optional.
