Meredith L. Patterson
University of Iowa
Len Sassaman
Katholieke Universiteit Leuven
David Chaum
Katholieke Universiteit Leuven
Due to concerns about theft, the XO design team has taken measures to render the laptop a less attractive target for illicit resale. Most components are soldered directly to the motherboard, to discourage parting out the machines. The XO also implements a software and firmware security platform, dubbed Bitfrost, aimed at preventing theft, damage from malicious software, compromise of user privacy, and compromise by software which harms other network users (e.g. botnets or spam relays) [11]. Although these are noble goals, many of Bitfrost’s provisions present much more dramatic risks to XO users than those the policy is intended to deter.
In this paper, we analyze the technical weaknesses of the Bitfrost security policy; enumerate the dangers which Bitfrost not only fails to prevent, but indeed actively encourages; and discuss the sociological ramifications of the human-computer interaction model which Bitfrost is poised to unleash on an unsuspecting user-base.
Bitfrost also establishes a five-point software threat model, intended to encompass the categories of “ ‘bad things’ that software could do.” It comprises:
These are quite reasonable threats to consider, and Bitfrost shows much promise in protecting its users from unauthorized abuses (intentional or accidental) from misbehavior of software applications.
The Bitfrost specification includes a lengthy list of hardware/firmware, kernel-space, and user-space policies and chroot environments intended to prevent malicious software from accomplishing any of the above goals. The OLPC XO is designed such that it cannot be activated without complying with these policies, thus discouraging attempts to divert XOs away from the supply chain and onto the black market (a goal stated in section 3 of the specification). These measures will be costly and inconvenient to subvert.
However, many of Bitfrost’s policies introduce more problems than they solve. We will examine several of these policies in detail, identifying areas where Bitfrost generates a scenario which diverges considerably from the rosy picture which its principles and goals paint.
Were Bitfrost still merely a proposal, this would not be such a cause for concern. However, 1000 XOs have already been deployed in Mongolia [17], and 8000 in Uruguay, with another 90,000 to be deployed in the next several months [12]. A de facto standard has thus been defined, in the form of the source code of the release builds of the operating system. Although the source code is publicly available, this alone does not constitute a standards specification. A true specification provides implementors with reference guidelines to use to verify the correctness of the implementation, and to ensure interoperability.1 The lack of a formal specification bespeaks poor management practices, and leads us to question the quality of the implementation--if there is no standard, how is the platform to be tested?
In the remainder of this section, we discuss policies as they are described in the available documentation.
As the very first step of this process, the XO asks for the child’s name and takes a digital photograph2 of the child. It also generates an ECC keypair (without a passphrase; the key size is unspecified) and signs the name and photograph with this key. The resulting 8-tuple forms the child’s digital identity. It is immediately transmitted to the activation server (which serves as the primary backup server) and the country’s central backup server.
Thus, the child is immediately linkable, by name and appearance, to the laptop he or she has been issued--and, more importantly, to a long-lived keypair which is now no longer under his or her sole control. We question the need for such invasive measures. The specification provides no rationale for storing the name and photograph, but presumably it is so that if a stolen laptop is recovered, its owner can strongly identify herself. Other biometric factors, e.g. voiceprints, might be a less privacy-invasive but equivalently strong means of satisfying this goal.
The P_DOCUMENT_BACKUP policy also allows any server advertising itself as a “backup service” to trigger automatic incremental backups of an XO’s data. Although these backups are encrypted to the user’s ECC key, this provides negligible protection against a skilled third party. Any individual who gains access to the key store (via “black-bag cryptanalysis” or “aluminum-briefcase cryptanalysis”) can set up a backup service as a honeypot and compromise the private data of any XO in the “neighborhood”.
The P_IDENT policy states that “all digital peer interactions or communication (e-mails, instant messages, and so forth) can be cryptographically signed to maintain integrity even as they’re routed through potentially malicious peers on the mesh.” Since the policy does not state the conditions under which traffic will or will not be signed, and the “unobtrusive security” goal emphasizes that “strong unobtrusive security” will occur “behind the scenes” unless it impacts usability--not privacy--we must assume that all outgoing traffic will be signed by default when possible. Since IP, TCP and UDP provide no mechanism for signing, this operation presumably takes place at the application layer, through overt message signing as described, or by signing the message body and embedding the signature in a header--the From request-header of HTTP [7] is an obvious candidate.
Signing, whether at the message or packet level, implies non-repudiability of all signed messages or packets. Ergo, it is impossible for XO users to use any form of anonymous communication with confidence.
The P_IDENT policy is thus a threat to many forms of speech which have been shielded by anonymity in the past: political speech, “whistleblowing” against corporate or governmental abuses of power, and religious speech, to name a few. (Granted, in the West, schoolchildren are not often in a position to expose corporate or governmental malfeasance--but in the Third World, corruption is often far more overt due to the belief of those in power that no one can do anything about it. The XO has great potential to empower the common citizen, but not if citizens cannot speak without fear of repercussion. In nations where it is not uncommon for schoolchildren to be drafted as soldiers, it is certainly possible for children to become whistleblowers.) The United Nations Universal Declaration of Human Rights protects not only the freedom of expression, but the right to privacy for member states’ citizens [8]. Given that the OLPC project transacts with the national governments of UN member states, much more attention should have been paid to the security policy’s effects on protected speech.
This policy additionally limits the utility of the XO by making it an unsuitable platform for networked voting systems in elections that require secret ballots. Nevertheless, S.T.I.R.M.E., an electronic voting project for the XO platform, is being developed [23]. If it is used beyond its current scope of classroom and open source project elections, S.T.I.R.M.E. could place users at risk or compromise election integrity due to the implications of the P_IDENT policy.
Leases can be renewed manually by means of a USB drive manually delivered to a school’s activation server, but we question the utility of this approach in the event of natural disasters. Many of the target XO deployment locations are in remote, difficult-to-access areas which could be cut off from travel by earthquakes, floods or other catastrophes. If a school unexpectedly loses its Internet access for a long enough time, all its attached XOs will automatically deactivate, leaving students out of contact even after connectivity is restored (e.g., by repairing a broken satellite dish). This is at best inconvenient, and at worst, a serious hazard if people have come to rely on XOs as a primary means for long-distance communication.
More relevant from a security and privacy perspective, however, this policy is rife with potential for abuse. Combined with the anti-anonymity features of P_IDENT, P_THEFT is an extremely effective way of silencing specific individuals. Signed messages are linked to the XO they came from, so a government need only flag that XO as “stolen” in the anti-theft database in order to shut it off permanently. A country can also shut off all its XOs in one fell swoop by flagging them all, or simply shutting off the anti-theft server and waiting for all the leases to expire.
According to the legal doctrine of chilling effects, an activity, e.g. criticizing a corrupt regime, “is chilled if people are deterred from participating in that activity”, whether through punishment or merely the threat thereof [20]. Bitfrost’s design may not intend to facilitate surveillance on children, but as we have shown, it certainly does so. Combined with the powers the P_THEFT policy provides, it is easy to envision a scenario where a child blogs or e-mails a document which the government wants to quash, it is traced back to the child, and the child’s XO is suddenly reported “stolen” and deactivated. Fear of a similar punishment would certainly chill controversial speech on the part of other XO users.
The XO’s target audience is children between the ages of 6 and 12 [16]. In Piaget’s theory of cognitive development [19], this corresponds to the concrete operational stage, when children acquire logical reasoning abilities and use them to form automatic working models of the world, or schemas. Erikson’s theory of psychosocial development associates this age group with the psychosocial crisis of “industry vs. inferiority,” wherein children are eager to learn but afraid of failure and punishment [6]. This is a pivotal stage of emotional growth, and the schemas children form during this timeframe persist for years. Traumatic events--particularly ones indirectly connected to a cause, such as being punished for “unapproved” speech by having one’s laptop suddenly deactivate seemingly on its own--may have dramatic and long-lived negative effects on a child’s view of the world and her place in it [4]. Even seemingly innocuous events can have an insidious effect on schema formation; children who grow up learning that handing over their identity to a remote authority is the “price” of Internet access may internalize giving up their right to privacy as a commonplace, expected event.4
Elliot Turiel’s domain theory distinguishes between moral values, which are universalizable beliefs founded in concepts of justice, rights, and welfare; and social conventions, context-dependent standards of behavior tied to the social system [22]. Bitfrost’s policies enforce a set of social conventions starkly at odds with those of the broader Internet. On the Bitfrost Internet, children may learn to view controversial speech as dangerous due to the risk of punishment, rather than a fact of life. This puts them at risk of failing to develop an autonomous sense of social responsibility, since the imposed social convention makes it difficult for children to identify the moral values which underpin responsible Internet citizenship [24]; given the conditioning they are subject to, they may come to advocate censorship and anti-anonymity policies which negatively affect the rest of the world, as well.
The Internet’s predecessor, DARPAnet, was designed to be robust in the event of physical damage, providing flexible re-routing if a previous path becomes unusable. This architecture has given rise to John Gilmore’s famous remark, “The Internet perceives censorship as damage and routes around it.” However, if the P_IDENT policy extends to signing of all traffic, or if the P_DOCUMENT_BACKUP policy extends to archiving students’ browsing histories (which can then be examined for “forbidden” content), this is no longer an option--a child’s Internet access can simply be cut off at the source. This is a profoundly depersonalizing act, and one which threatens a child’s sense of individuality and personal agency [14]. People have a right to expect that what they read, write and create, their correspondence and recreation, are a matter of personal choice. Subjecting children to constant surveillance damages their ability to establish personal boundaries and identify as an individual within a society; and yet the Bitfrost model opens the door to precisely that.
Further research into the impact the XO local network and Internet interaction has upon the users of these systems will be needed once live deployments can be studied.
As there has been much work on privacy-preserving systems in recent years, it is our intuition that most, if not all, of the problematic aspects of Bitfrost can be eliminated by refining the specification to consider the dangers we have highlighted in this paper, while also considering the existing threat models. It would be ideal if we were able to work from a static specification, but we intend to experiment with replacement primitives for existing components in the draft spec to achieve the same security properties while eliminating the threats that the current methods introduce.
The work of Len Sassaman and David Chaum was supported in part by the Concerted Research Action (GOA) Ambiorics 2005/11 of the Flemish Government, by the IBBT (Flemish Government) and by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy). Additional support was provided by the EU within the PRIME Project under contract IST-2002-507591.
This document was generated using the LaTeX2HTML translator Version 2002-2-1 (1.71)
Copyright © 1993, 1994, 1995, 1996,
Nikos Drakos,
Computer Based Learning Unit, University of Leeds.
Copyright © 1997, 1998, 1999,
Ross Moore,
Mathematics Department, Macquarie University, Sydney.
The command line arguments were:
latex2html -split 0 -show_section_numbers -local_icons -no_navigation olpc.tex
The translation was initiated by Meredith L. Patterson on 2008-03-19