I was listening to a fascinating presentation (video) by Ivan Krstić, the director of security architecture of the One Laptop Per Child (OLPC) project. What struck me most was the extent to which virtualization is being used. Unless you have been living under a rock, you know that virtualization is a 'hot' area now. But this must be one of the few attempts to use it to provide desktop security (incidentally, anti-virus tools routinely use virtual machine containers). The Bitfrost security model involves running each application in its own virtual machine container. As the Wikipedia entry explains,
Every program, when first installed, requests certain bundles of rights, for instance "accessing the camera", or "accessing the Internet". The system keeps track of these rights, and the program is later executed in an environment which makes only the requested resources available. This is implemented by a fully-fledged, container-based virtual machine.
By default, the system denies certain combinations of rights; for instance, a program would not be granted both the right to access the camera and to access the internet. Anybody can write and distribute programs that request allowable right combinations. Programs that require normally unapproved right combinations need a cryptographic signature by some authority. The laptop's user can use the built-in security panel to grant additional rights to any application.
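The rights model quoted above (a manifest of requested rights, default-denied combinations, an authority signature to unlock them, and a user panel that can grant more) is easy to express as a small policy evaluator. The following Python is an added illustration, not Bitfrost's or OLPC's code: the right names, the denied combinations and the HMAC "authority signature" are all constructed for the example, and a real system would verify a public-key signature rather than share a secret with every laptop.

```python
import hashlib
import hmac

# Rights a program can ask for in its manifest. The names are constructed for
# this example; they are not Bitfrost's actual protection names.
KNOWN_RIGHTS = frozenset({"camera", "microphone", "internet", "documents", "audio"})

# Combinations the system refuses by default (the text's example is camera + internet).
DENIED_COMBINATIONS = (
    frozenset({"camera", "internet"}),
    frozenset({"microphone", "internet"}),
)

# Stand-in for the signing authority's key. Constructed for the example; a real
# deployment would check a public-key signature, not a shared HMAC secret.
AUTHORITY_KEY = b"example-authority-key"


class PolicyError(Exception):
    """Raised when a manifest asks for rights the default policy will not grant."""


def canonical_manifest(name, rights):
    """Bytes the authority signs: program name plus its sorted right names."""
    return (name + "|" + ",".join(sorted(rights))).encode()


def sign_manifest(name, rights):
    """Authority-side helper producing the signature a privileged manifest carries."""
    return hmac.new(AUTHORITY_KEY, canonical_manifest(name, rights), hashlib.sha256).hexdigest()


def signature_valid(name, rights, signature):
    """Constant-time check that `signature` covers exactly this name and right set."""
    if signature is None:
        return False
    return hmac.compare_digest(sign_manifest(name, rights), signature)


def denied_combinations(rights):
    """Return every default-denied combination fully contained in `rights`."""
    return [combo for combo in DENIED_COMBINATIONS if combo <= rights]


def refusal_reason(name, requested, signature=None):
    """None if the manifest is installable as-is, otherwise why the policy refuses it."""
    requested = frozenset(requested)
    unknown = requested - KNOWN_RIGHTS
    if unknown:
        return f"{name}: unknown rights {sorted(unknown)}"
    conflicts = denied_combinations(requested)
    if conflicts and not signature_valid(name, requested, signature):
        return f"{name}: combination {sorted(conflicts[0])} needs an authority signature"
    return None


class RightsRegistry:
    """Tracks, per installed program, the rights its container will expose."""

    def __init__(self):
        self._granted = {}

    def install(self, name, requested, signature=None):
        reason = refusal_reason(name, requested, signature)
        if reason:
            raise PolicyError(reason)
        self._granted[name] = frozenset(requested)
        return self._granted[name]

    def user_grant(self, name, right):
        """Security-panel action: the user adds one right to an installed program."""
        if right not in KNOWN_RIGHTS:
            raise PolicyError(f"unknown right {right!r}")
        if name not in self._granted:
            raise PolicyError(f"{name} is not installed")
        self._granted[name] = self._granted[name] | {right}
        return self._granted[name]

    def container_rights(self, name):
        """Rights the container exposes when the program is executed."""
        return self._granted[name]


if __name__ == "__main__":
    reg = RightsRegistry()
    print(sorted(reg.install("paint", {"camera", "documents"})))
    print(refusal_reason("video-chat", {"camera", "internet"}))
    sig = sign_manifest("video-chat", {"camera", "internet"})
    print(sorted(reg.install("video-chat", {"camera", "internet"}, signature=sig)))
    print(sorted(reg.user_grant("paint", "internet")))
```

Two design points carry over from the text: the signature binds the program name and the exact right set, so a signature issued for one manifest cannot be reused to unlock a different combination, and the user panel deliberately bypasses the default-denied list, since the owner is the final authority over their own laptop; the registry makes that grant explicit and auditable rather than silent.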
Running each application inside a virtual machine is a scary idea, especially given the hardware configuration of the OLPC laptop. Krstić explained that the Linux VServer kernel patch had been extended to do OLPC-specific tasks. Perhaps the most fascinating piece of information that I learnt from the whole talk was the low overhead associated with such Linux VServer virtual machines. Quote from Krstić's presentation:
"The interesting thing about this, by the way, is you know people are terrified of how are you going to do virtualization with a 466 MHz CPU. Turns out with Linux VServer that the overhead you pay is 32 K per task struct, but there is 0% measurable CPU overhead with up to 65,000 virtual machines running."
I have mixed feelings about this approach. Having done virtualization-related work for the last two years, I find this approach fascinating; but it could also start a disturbing trend of people opting for this approach instead of trying to solve security problems at a more fundamental level. But I have to admit that the clever copy-on-write approach of VServer just blew me away. As Krstić said after explaining the low overhead associated with the virtual machines, "I will let that sink in for about two seconds."