Bitfrost

from Wikipedia, the free encyclopedia

Bitfrost is the security platform of the $100 laptop for children in developing countries. The first public specification was published in February 2007.

Bitfrost architecture

The Bitfrost architecture was largely developed by Ivan Krstic, a participant in the One Laptop per Child project until 2008 who has worked for Apple since May 11, 2009. By its author's own account, it draws on concepts already known from the specialist literature; the novelty lies in combining these previously separate concepts into a working overall system. This combination of security concepts is intended to provide a level of computer security that has never been achieved before.

The concept is currently only partially implemented in the XO laptop and is therefore still subject to changes.

Passwords

According to the Bitfrost concept, no passwords need to be entered to access the computer or its content. Experience shows that typical users choose insecure passwords that an attacker can easily guess, and a password system is in any case unusable for small children who may not yet be able to read.

The aim is to reduce security prompts to a minimum: the system itself assesses the danger in the background and decides where necessary, following a single coherent concept. In the exceptional cases where the user must decide, the dialogues are to be worded understandably and reduced to a simple yes/no choice, so as to relieve the user as far as possible.

Individualization of the laptop

So that children can use it, the laptop is individualized for a specific person. Before it is handed over to the student, on the laptop's first start, a digital picture of the student is taken with the built-in video camera and the supervisor enters the student's first and last name. In addition, a digital key is generated for the student that ties the student to the MAC address of the notebook.

On every restart, the student's picture and first and last name are displayed during the boot process together with a note that this person is the authorized user. This customization is firmly integrated into the operating system and can only be reversed with a digital signature from a specially authorized person. Likewise, a complete reinstallation of the operating system that overwrites the personal data is only possible after that digital signature has been provided.

Theft protection

Every laptop checks its status against a server at set intervals. If a laptop is reported stolen, it is recorded as stolen in a database. If a check reveals that the laptop is stolen, it switches off and can no longer be activated; only an authorized person can lift this block.

Whether and how often such a loss report is checked can be determined by the respective country of deployment at its own discretion. A check is recommended every one to three months.

The laptops are designed for a service life of up to five years. At the end of these five years, the anti-theft device is switched off and a possible block is deleted from the system.
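The check-in cycle described in this section, as an added example that is not part of the article or of the Bitfrost code: a server keeps the loss-report database and answers each check-in with a signed status record; the laptop applies only responses whose signature verifies, locks when the server reports it stolen, and stops enforcing the block once the five-year service life has elapsed. The serial number, dates, the 60-day interval and the HMAC-SHA256 "signature" are constructed stand-ins (Bitfrost uses real digital signatures); the behaviour when a check is overdue but the server is unreachable is not specified on the page and is left out.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed server key. HMAC-SHA256 stands in for the server's digital
# signature so the example runs with the standard library only (assumption).
SERVER_KEY = b"constructed-theft-server-key"
SERVICE_LIFE = timedelta(days=5 * 365)       # five-year service life from the page
RECOMMENDED_INTERVAL = timedelta(days=60)    # inside the page's one-to-three-month range


# ---- server side -----------------------------------------------------------

def report_stolen(database, serial):
    """Record a loss report for one laptop."""
    database[serial] = "stolen"


def clear_stolen(database, serial):
    """An authorized person lifts the block; nobody else can."""
    database[serial] = "active"


def _signed(record, key):
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def status_response(database, serial, today, key=SERVER_KEY):
    """Answer a laptop's check-in with a signed status record."""
    record = {"serial": serial,
              "status": database.get(serial, "active"),
              "issued": today.isoformat()}
    return record, _signed(record, key)


# ---- laptop side -----------------------------------------------------------

def response_valid(record, signature, key=SERVER_KEY):
    """Accept a response only if it is unmodified and from the server key."""
    return hmac.compare_digest(_signed(record, key), signature)


def anti_theft_active(activation_date, today):
    """Anti-theft is switched off at the end of the service life."""
    return today < activation_date + SERVICE_LIFE


def check_due(last_check, today, interval=RECOMMENDED_INTERVAL):
    """True when the country-chosen interval has passed since the last check."""
    return last_check is None or today - last_check >= interval


def check_in(state, record, signature, today):
    """Apply a server response to the local state; forged responses are ignored."""
    if not response_valid(record, signature) or record["serial"] != state["serial"]:
        return state
    return dict(state, last_check=today, blocked=(record["status"] == "stolen"))


def boot_decision(state, today):
    """Return "run" or "locked" for this boot."""
    if not anti_theft_active(state["activation_date"], today):
        return "run"        # any block is deleted once the service life is over
    if state["blocked"]:
        return "locked"     # switched off; cannot be activated again
    return "run"


if __name__ == "__main__":
    db = {}
    laptop = {"serial": "XO-CONSTRUCTED-0001", "activation_date": date(2008, 1, 1),
              "last_check": None, "blocked": False}
    rec, sig = status_response(db, laptop["serial"], date(2008, 1, 1))
    laptop = check_in(laptop, rec, sig, date(2008, 1, 1))
    print(boot_decision(laptop, date(2008, 1, 1)))      # run
    report_stolen(db, laptop["serial"])
    rec, sig = status_response(db, laptop["serial"], date(2008, 3, 15))
    laptop = check_in(laptop, rec, sig, date(2008, 3, 15))
    print(boot_decision(laptop, date(2008, 3, 15)))     # locked
```

The `__main__` section walks one laptop through activation, a loss report and the resulting lock; a response whose status field has been altered after signing fails `response_valid` and leaves the laptop's state unchanged.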

Rights management

During installation, the rights a program requires, such as read and write access or access to the printer or video camera, are registered with the operating system. As a rule, the program registers the required rights automatically during installation. If necessary, the user can later extend or restrict the rights of an individual program via a special menu in the operating system.

A sandbox is set up automatically for the installed program. In this shielded environment the running program can no longer damage the operating system, or only to a limited extent, and it has no uncontrolled access to the operating system through which it could secretly grant itself access and usage rights.

By default, the system prohibits certain combinations of access, for example access to the video camera together with access to the Internet, in order to protect the user's privacy. In exceptional cases software may nevertheless register such problematic combinations automatically, but the program and its rights registration must then be digitally signed by an authorized body to prevent misuse.
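A small rights-registration checker for the rules in this section, added here as an example; it is not code from the article or from the Bitfrost implementation. An activity declares the rights it wants in a manifest; ordinary rights are registered automatically, a manifest containing the default-forbidden camera-plus-Internet pair is honoured only if the whole manifest carries a valid signature from the authorized body, and a later change from the rights menu is re-checked so the pair cannot be assembled piecewise. The manifest format, the permission names, the rule that an unsigned request loses both members of a forbidden pair, and the HMAC-SHA256 stand-in for the digital signature are all assumptions made for this example.

```python
import hashlib
import hmac
import json

# The one default-forbidden combination named on the page: camera + Internet.
# Further pairs could be added; every entry is treated the same way.
FORBIDDEN_COMBINATIONS = (frozenset({"camera", "network"}),)

# Constructed key of the "authorized body". HMAC-SHA256 stands in for a real
# digital signature so the example needs only the standard library (assumption).
AUTHORITY_KEY = b"constructed-authority-signing-key"


def canonical_bytes(manifest):
    """Serialise the manifest deterministically so its signature is stable."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key=AUTHORITY_KEY):
    """Authority side: sign an activity's rights registration."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def signature_valid(manifest, signature, key=AUTHORITY_KEY):
    """Laptop side: accept the signature only for the manifest exactly as given."""
    if not signature:
        return False
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def forbidden_subsets(permissions):
    """Every default-forbidden combination fully contained in `permissions`."""
    have = frozenset(permissions)
    return [combo for combo in FORBIDDEN_COMBINATIONS if combo <= have]


def evaluate_manifest(manifest, signature=None):
    """Decide which requested rights an activity receives at install time.

    Returns (granted, denied, reason). A request with a forbidden combination
    is honoured only under a valid authority signature; an unsigned request
    loses every member of each forbidden combination (example policy).
    """
    requested = set(manifest["permissions"])
    bad = forbidden_subsets(requested)
    if not bad:
        return requested, set(), "registered automatically"
    if signature_valid(manifest, signature):
        return requested, set(), "forbidden combination allowed by valid signature"
    denied = set().union(*bad)
    return requested - denied, denied, "forbidden combination withheld (no valid signature)"


def adjust_rights(granted, add=(), remove=(), signed=False):
    """Apply a later change from the rights menu, re-checking the combination rule."""
    new_set = (set(granted) | set(add)) - set(remove)
    if forbidden_subsets(new_set) and not signed:
        raise PermissionError("combination requires a signed rights registration")
    return new_set


# Constructed sample manifests for two activities.
PAINT = {"name": "Paint", "permissions": ["storage", "camera"]}
VIDEO_CHAT = {"name": "VideoChat", "permissions": ["camera", "microphone", "network"]}

if __name__ == "__main__":
    print(evaluate_manifest(PAINT))
    print(evaluate_manifest(VIDEO_CHAT))                             # camera+network withheld
    print(evaluate_manifest(VIDEO_CHAT, sign_manifest(VIDEO_CHAT)))  # all granted
```

Because the signature covers the canonical form of the whole manifest, editing the permission list after signing invalidates it, so a program cannot reuse a signature issued for a narrower registration.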

System modifications

The user can customize the laptop's operating system, a special version of Fedora Linux with the new Sugar user interface.

Corrupted applications, or even Trojans, that try to manipulate the operating system have only limited access to its files: each running program is "packed" into its own virtual machine and therefore has no unrestricted access to the files of GNU/Linux. At runtime an application is allocated only limited system resources, such as computing capacity and main memory, so that a corrupted application cannot "freeze" the computer. When the malicious program terminates, its virtual machine is deleted as well.

To protect against willful or accidental destruction of the software by the user, a copy of the operating system and the software package is stored as an emergency system in a non-modifiable memory area. A user can modify this background copy of the system and the BIOS only with a developer key, which is valid for a single machine only.

This emergency system can be activated on every restart of the XO laptop by pressing a certain key combination during the boot process. The existing Linux operating system with its software package is then replaced by the intact emergency system. The user information and other adjustments are already integrated into the emergency system, and the personal data are stored on a separate storage partition and therefore cannot be lost. The reinstallation takes about two to three minutes, after which the newly installed software starts.

If the automatic emergency procedure fails, new software or a copy of the emergency system can be imported from a USB stick. Such an external emergency system is searched for automatically during the boot process. If one is found, the emergency procedure starts again and the emergency system on the USB stick is copied to the laptop. Before that, however, the external emergency system must prove its integrity, and thus its freedom from viruses, by means of a digital signature.
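The two-stage recovery described in the preceding paragraphs, modelled in memory as an added example (not code from the article or from the XO firmware): the protected background copy is used if its digest still matches the value recorded when it was written; otherwise an image found on a USB stick is copied in, but only after its signature verifies; the user-data partition is never touched. The byte strings are constructed stand-ins for disk images, the digest-based intactness check of the background copy and the refresh of that copy from a verified USB image are assumptions, and HMAC-SHA256 stands in for the digital signature of the authorized body.

```python
import hashlib
import hmac

# Constructed key of the body that signs recovery images (HMAC stand-in for a
# digital signature; assumption made for this example).
IMAGE_SIGNING_KEY = b"constructed-image-signing-key"


def sign_image(image, key=IMAGE_SIGNING_KEY):
    """Signer side: produce the signature shipped alongside a USB image."""
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def image_signature_valid(image, signature, key=IMAGE_SIGNING_KEY):
    """Laptop side: a USB image is trusted only with a valid signature."""
    return bool(signature) and hmac.compare_digest(sign_image(image, key), signature)


class Laptop:
    """Minimal model of the XO's storage areas.

    system:    the writable operating-system area the user may damage
    user_data: the separate partition that a restore never touches
    emergency: the protected background copy, with the digest recorded when
               it was written so corruption of the copy itself is detectable
    """

    def __init__(self, system, user_data, emergency_image):
        self.system = system
        self.user_data = user_data
        self.emergency = emergency_image
        self.emergency_digest = hashlib.sha256(emergency_image).hexdigest()

    def emergency_intact(self):
        return hashlib.sha256(self.emergency).hexdigest() == self.emergency_digest

    def restore(self, usb_stick=None):
        """Run the emergency procedure triggered at boot.

        Returns "internal" or "usb" for the source used, or None when no
        trusted image was available. User data is left alone in every case.
        """
        if self.emergency_intact():
            self.system = self.emergency
            return "internal"
        if usb_stick is not None:
            image, signature = usb_stick
            if image_signature_valid(image, signature):
                self.system = image
                # Assumption: a verified external image also refreshes the
                # damaged background copy so the next restore can be internal.
                self.emergency = image
                self.emergency_digest = hashlib.sha256(image).hexdigest()
                return "usb"
        return None


if __name__ == "__main__":
    good = b"constructed-os-image-v1"
    xo = Laptop(system=b"damaged", user_data=b"child's files", emergency_image=good)
    print(xo.restore())                                   # internal
    xo.emergency = b"also damaged"
    xo.system = b"damaged again"
    print(xo.restore((b"constructed-os-image-v2", "0" * 64)))   # None: bad signature
    stick = (b"constructed-os-image-v2", sign_image(b"constructed-os-image-v2"))
    print(xo.restore(stick), xo.user_data)                # usb b"child's files"
```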

Microphone and camera

The camera and the microphone are hard-wired to status LEDs so that the user always knows whether they are active. Software cannot override this.

Data backup

Data loss is to be prevented by automatically backing up the user's own data whenever the laptop contacts a server. The backup is mainly to take place over WLAN, automatically in the background. If data is lost on the user's laptop, it is to be written back to the laptop when WiFi contact with the backup server is next made.

The WLAN transmission takes place over an eavesdropping-resistant WLAN link. For data-protection reasons, encrypting personal data on the server is being considered.

Others

The name "Bitfrost" is an allusion to Bifröst, in Norse mythology the bridge between the world of mortals and the land of the gods. The bridge was built to be extremely sturdy, yet in the end it will break; the name is thus an early acknowledgement of the idea that there is no such thing as a perfect security system.

For this reason, its developer Ivan Krstic called on the entire open-source community to examine the concept for possible weaknesses and, if necessary, report them via the official mailing list. Several published conceptual vulnerabilities were ignored; the official specification has not changed since the first draft was published.
