|
Palladium: Friend or Foe? |
|
Dateline: Toronto, ON, August 2002 Perhaps you have heard the whispers about
Palladium. So what is Palladium? Well, the answer lies in your
background. If you are a scientist then Palladium
(symbol: Pd, atomic number: 46) is a silvery white metal used in the making of
the Blackhawk helicopters. Dentists know
Pd as excellent crown material. If you live
for RPGs (role playing games), then Belisarius the Paladin surely knows
Palladium. If you are a poetry lover,
you may recognize it as the name of a poem by Matthew Arnold (1822-1888). If you are into Greek mythology or
architecture, you know the Palladium as a temple to Pallas, the Greek goddess
of wisdom. You can see excellent examples of Palladium architecture in
Palladium is an extension of the effort from
the TCPA (see TCPA: Who Can You Trust?), an alliance formed to
develop a trustworthy computer. Stung by
criticism of its current security, Microsoft is pinning its hopes for a truly
trustworthy operating system on Palladium. Palladium provides a computing platform where
you can’t tamper with the applications, and where these applications can communicate
securely with the vendor. The obvious application is digital rights management
(DRM). Let’s say you’re the one person who
buys Disney’s The Country Bears on
DVD. You will decrypt the DVD and run it
on a Palladium platform, but you can’t copy it (not that you would want to copy
it). So your neighbours must buy their
own copy! Music moguls also can sell you music downloads
that you can’t swap or copy. They can
sell you CDs that you only can play, say, three times, or only on your
birthday. The music industry might allow
you to lend (or not) your copy of some digital music to a friend, but your
backup copy isn’t playable until your friend gives you the original copy back. All sorts of new marketing possibilities abound.
A new industry could arise to rent software rather than sell it; and should you
stop paying the rent, then not only does the software stop working but so may
the files you created. The very data on
your hard drive ceases to be yours because it could self-destruct at any time.
You may end up paying rent to use your own data! Building upon the TCPA hardware, Microsoft plans
to incorporate Palladium in future versions of Windows. Microsoft has been working on Palladium’s
Trusted Operating Root Architecture (TORA) since around 1997 and Microsoft holds
or has filed patents for some of it. Microsoft has a vision that functionality now
built on top of bank cards will move into software once they can make the
applications tamper-resistant. In a
future where you pay for books that you read, and music you listen to, at the
rate of so many pennies per page or per minute, this is a requirement. Should this business model not work out, and
there are good arguments why it won’t, there clearly is a competitive issue for
a number of on-line payment systems, and there may be spill over effects for consumers. If, in ten years time, it’s inconvenient to
shop on-line with a credit card without using a Palladium platform, then this
could move a lot of people over to the platform. Essentially, Palladium defends effectively
against two classes of attacks: (1) Remote network-mounted attacks (for example, buffer overflows and other programming flaws, or malicious mobile code), because when someone installs some malicious code in one part of the system, it still can’t effectively subvert the policy of another part of the system.
(2) Local software-based attacks, including things like using a debugger to try to read a program’s internal state while it’s executing or to try to subvert its policy. Thus, Palladium probably can guarantee that you can’t write or download any software and nobody else can write or upload any software to you that would compromise the policy of software running locally, which is making use of Palladium trust features.
Microsoft could make Palladium secure against
almost all software attacks—barring development of a nub with a matching
signature, which statistically is improbable—and most hardware attacks. Hardware compromise likely will require substantial
modifications to the PC and will not break the security of unmodified PCs. The desire to bring all genres of entertainment
within their empire also motivates Microsoft.
But they also stand to win big should Palladium become widespread, as
they could use it to cut down dramatically on software piracy. With Palladium, Microsoft could tie each PC
to its individual licensed copy of Office, and with TCPA they can tie each
motherboard to its individual licensed copy of Windows. Palladium is distinct from TCPA and has
technical differences from TCPA. It has
some architectural points in common with TCPA, including, most significantly,
the use of “trusted hardware” within a PC to establish a root of trust. Both TCPA and Palladium require modifications
to existing PC hardware architecture in order to work. In addition, they both require modifications
to software in order to use trust features. Both are intended to run existing
untrusted software without any modifications. The initial version of Palladium will require changes
to five parts of the PC’s hardware. It will require changes to the CPU, the
chipset (on the motherboard), the input devices (for example, a keyboard), and
the video output devices (for example, a graphics processor). In addition, you
must add a new component: a tamper-resistant secure cryptographic co-processor
(SCP). Palladium centers around a security kernel—the nub—that
executes at the highest-privilege level of the processor. The processor hardware protects the nub
against all software attack and, when compromised, invalidates its digital certificates. A compromised nub will continue to run but can’t
assert its identity in a trusted fashion. Windows runs in parallel with the nub and all
security processes pass through Windows to the nub. Therefore, Windows security
(and its associated security problems) potentially becomes irrelevant. Most commercial, third-party software,
including drivers, will come to rely on this infrastructure. Palladium’s changes to the CPU allow Palladium to
place the CPU into a new mode where it restricts certain areas of memory via a
technique called “code curtaining” to an ultra-privileged piece of code called
the “nub” or Trusted Operating Root (TOR).
The nub is a kind of trusted memory manager, which runs with more
privilege than the operating system kernel.
The nub also manages access to the SCP. The SCP is an 8-bit tamper-resistant cryptographic
smartcard that contains unique keys, including public key pairs for 2048-bit
RSA and symmetric keys for AES in CBC mode. These keys are unique to every machine
and the SCP will not reveal them to anything outside the SCP’s security
perimeter. It contains a variety of
cryptographic functionality, including SHA-1, RSA, AES, and other cipher
implementations, a small amount of memory, and a monotone counter. When you want to start a Palladium PC in
trusted mode, the system hardware performs what’s called an “authenticated
boot”, where the software places the system in a known state and loads the nub. Palladium’s authenticated boot is simpler than
TCPA’s version, because it takes only a single hash. Palladium does not attempt to measure the
hardware, BIOS, boot loader, and OS kernel, or at least not within the SCP. The SCP takes a SHA-1 hash of the just loaded nub,
and the platform configuration register (PCR) stores unalterably the 160-bit
hash, and it remains there for as long as the system continues to operate in trusted
mode. Then, the operating system kernel can boot, but the key to the trust in
the system is the authentication of the nub. As long as the system is up, the
SCP knows exactly the currently running nub.
Because of the way the CPU works, it is not possible for any other
software to modify the nub or its memory or subvert the nub’s policies. The nub is in some sense in charge of the
system at a low level, but it doesn’t usually do things that other software
would notice unless asked. The nub interfaces with other software on the
system by means of trusted agents (or TAs). The TAs can implement sophisticated
policies and authentication methods, whereas the nub and SCP just implement
fairly simple primitives. TAs will have the
capability to communicate with user-space programs. Other people can write their own nubs that
can support different kinds of TAs or even do without TAs entirely. Hardware protects one TA from another and
from the rest of the system. Even PCI DMA (Direct Memory Access) can’t read
or write memory that Palladium has reserved for a nub’s or TA’s use (including
the nub’s or TA’s code). This memory is completely inaccessible except indirectly
through API calls. The hardware vendor has modified the chipset on the
motherboard to enforce this restriction. The SCP provides a feature called “sealed
storage” by means of two API calls: SEAL and UNSEAL. The Microsoft nub provides
wrappers around these calls. When a TA
running on a system in trusted mode wants to use sealed storage, it can call
the APIs implemented in the nub. Microsoft will achieve sealed storage by means
of encryption (sealing) or decryption (unsealing) with a symmetric cipher (for
example, AES in CBC mode). When the SCP has data to seal, it will have two
arguments: the data itself and a 160-bit “nub identifier,” which is the SHA-1
hash of some nub and so uniquely identifies that nub. The SCP performs sealing by pre-pending the nub
identifier to the data for sealing, and then encrypting the result with a unique
private key. The SCP keeps the key,
which is a unique identifier for the machine that performed the sealing
operation. To prevent replay attacks and to protect
privacy, the SCP actually also adds a random nonce to the data for sealing before
encryption and discards the nonce upon decryption. The nonce feature prevents
someone from creating an application that records the output from sealing an
empty string and then using the result as a persistent unique identifier for
your machine. A program that tried this
would find that, because of the random nonce, the result from sealing a given
string is wildly different, and the sealing operation reveals no useful information
about the identity of the machine. After encryption, the SCP returns the encrypted
result as the return value of the SEAL operation. When the SCP has encrypted data to UNSEAL, it
internally attempts to decrypt the encrypted data using its platform-specific
key. This means that, when a different machine originally sealed the encrypted
data, the UNSEAL operation will unconditionally fail. You can’t take a sealed file and transfer it
to another machine and unseal it there; because you cannot extract the platform-specific
key used for encryption and decryption from the SCP, you only can UNSEAL data
on the same machine that originally sealed it. If the decryption is successful, the SCP
performs a second check: it examines the nub identifier residing within the
decrypted data. The nub identifier was
specified at the time the data was originally sealed, and indicates the nub allowed
to receive the decrypted data. If the
nub identifier for the decrypted data is identical to the nub identifier
currently stored in the PCR (which is the SHA-1 hash of the currently-running
nub on the machine at the moment UNSEAL was called), the UNSEAL is successful
and the decrypted data is returned to the calling nub. However, should the nub identifier not match
the contents of the PCR, the SCP concludes that the nub currently running is
not entitled to receive this data, and discards it. Thus, sealing is specific to a physical
machine and also specific to a nub. A different machine or nub cannot decrypt data
sealed on one machine for a particular nub.
An application that trusts a particular nub (and is running under that
nub) can seal important secret data and then store the resulting sealed data
safely on an untrusted hard drive, or even send it over a network. Should you reboot the machine with a debugging
program, there is no problem, so you can debug the software that created the
encrypted file. However, since you aren’t
running the correct nub, the debugger will work, but the UNSEAL call won’t. The
SCP will receive the UNSEAL call, examine the PCR, and conclude that the
currently-running nub cannot receive the sealed data. Your applications only can decrypt sealed
data when they are running under the same machine and under the same software
environment that originally sealed that data. This is unquestionably clever. When you are running under a trusted nub,
your applications can use the SCP to decrypt and process data, but you can’t
run software that subverts a TA’s policy (because the nub will not permit you
to subvert the policy). When you are not
running under a trusted nub, you can run software that subverts a TA’s policy (because
the nub can’t prevent it), but your applications can no longer decrypt any
sealed data, because the SCP won’t be willing to perform the decryption. The default with sealed storage is that any
sealed data is unusable when migrated to a new system. In principle, nub and kernel are independent,
so a non-Microsoft kernel could run on a Microsoft nub, or vice versa. Patent and copyright issues might prevent
this from being done in practice, but it is apparently technically possible
within the design of Palladium. Microsoft swears Palladium is for security
purposes. The question is: Security for
whom? How will this stop the “I just inadvertently
e-mailed you a virus” problem? You would like to stop worrying about viruses,
but Palladium will offer no help. Viruses
exploit the way software applications, such as Microsoft Office and Outlook, use
scripting. Spam might annoy you, but
that won’t get fixed either. Microsoft
implies that by filtering out all unsigned messages the problem goes away, but
the spammers will just buy compliant PCs.
You’re better off using your existing mail client to filter out mail
from people you don’t know and putting it in a folder you scan quickly once a
day. You might worry about privacy, but
Palladium won’t fix that; since almost all privacy violations result from the
abuse of authorized access, often obtained by coercing consent. How does this stop your personal information
being sucked from your PC using cookies? It won’t.
Solving these particular problems is not Palladium’s real purpose, which
is to increase Microsoft’s market share.
Palladium is a marketing concept sold as the solution to a problem, but
it won’t really help you secure your machine. There is no attempt to stop people from booting
whatever code they currently use or may write in the future. In addition, specially-adapted software can
potentially use the hardware trust features, regardless of what operating
system is running. It is possible to imagine that you could create a Palladium-hardware-aware
version of Linux that could make full use of Palladium’s hardware features to
achieve trust comparable to the Windows implementation. Microsoft only is writing an implementation for
Windows. Although the SCP is tamper-resistant, likely a
skilled attacker with physical access to the inside of a Palladium PC could
compromise it or subvert its policies in some way. You could replace the system RAM with special
RAM to allow the read or modification of its contents by an external
circuit. So it is possible that an
attacker with physical access still can compromise the system, even though the
SCP is tamper-resistant, partly because other components (for example, RAM) are
less robust against modification. Seen in these terms, Palladium does not so much
provide security for the user as for the PC vendor, the software supplier, and
the content industry. It does not add
value for the user, but destroy it. It will
constrain what you can do with your PC so application and service vendors can
extract more money from you. This is the
classic definition of an exploitative cartel: an industry agreement that
changes the terms of trade so as to diminish consumer surplus. Software companies also can make it harder for
you to switch to a competitor’s product.
Microsoft would like to make it more expensive for people to switch away
from their products (such as Office) to rival products (such as OpenOffice or
StarOffice). Then, they can charge more
for upgrades without making their users jump ship. For example, Word could encrypt all your
documents using keys that only Microsoft products could access; this would mean
that you could only read them using Microsoft products, not with any competing word
processor. So much for Linux and Open Source, but it goes
even further than that. So much for competitors
like Apple and the Macintosh. As well, Microsoft
will use Palladium as a means of killing off the LAMP (Linux/Apache/MySQL/PHP)
camp. Their public relations shills will
make you forget all about the numerous security advisories for Windows, IIS,
SQL Server and ASP. Stop me if you have heard this one before. Microsoft forms a union to work on software
(substitute OS/2 for TCPA). Microsoft
decides to continue to support alliance initiative, but starts work on its own
software (substitute Windows Advanced Server for Palladium). Microsoft co-opts market and develops a
virtual monopoly. If that doesn’t make you sit up and take
notice, then consider a recent update for the Windows Media Player that caused
controversy by insisting that users agree to future anti-piracy measures, which
may include measures that delete pirated content found on your computer. Also, since Windows 2000, Microsoft has been
working on certifying all device drivers; should you try to load an unsigned
driver, XP will complain. Although it’s attracting a lot of attention,
Microsoft has been very vague about the technical details of the Palladium
secure computing initiative. Ironically,
Microsoft says they will reveal Palladium’s source code, which is little more than
a nod and a wink toward the Open Source movement. Nobody at Microsoft is saying anything about
giving the ownership of that source code away or of allowing anyone to change
it. But based on past history, you
should know what will occur. In late
March, Microsoft published a document outlining how third-party developers can use
Common Internet File Sharing (CIFS), a Microsoft protocol that specifies how
Windows PCs share files with servers. Although
publishing the document should have made it easier to write software incorporating
CIFS, it contained a crucial restriction that prohibits using information in
the document to build software governed by the General Public License
(GPL). Some believe that any licence
connected to Palladium will have a similar tone. Enterprises looking at implementing trusted computing
systems have to know who manages the trust and—since the whole purpose of the
exercise is to deny any form of access to the untrustworthy user, program or
data—how the trust mechanism works. Do
you trust Microsoft? That is the nub of
the matter. Not me, that’s for sure. Should you really trust Microsoft, which has
been found guilty in the highest court in the Microsoft exposed its motivation for Palladium
when, on filing a core patent for the technology, it used the term Digital Rights
Management Operating System. Far from
providing authenticity, integrity and privacy of data, Microsoft actually wants
to police copyright laws. All auditors need to analyze the impact of
Palladium on their organization and formulate a strategy to deal with it. You’ll definitely need to develop an
implementation plan to ensure a smooth and orderly transition within your
organization. No doubt Microsoft will
bundle Palladium with new must-have features so that the package as a whole
appears to add value in the short term, but the long-term economic, social and
legal implications require serious thought.
Palladium’s potential impact is enormous. So educate yourself and others. You can find more information about Palladium
at: I Told You So (http://www.pbs.org/cringely/pulpit/pulpit20020627.html) Microsoft says: Trust Me (http://techupdate.zdnet.co.uk/story/0,,t481-s2118653,00.html) Microsoft security initiative could face
backlash (http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2872703,00.html) Palladium Details (http://www.activewin.com/articles/2002/pd.shtml) TCPA / Palladium Frequently Asked Questions (http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html) Who trusts Microsoft's Palladium? Not me (http://zdnet.com.com/2100-1107-939817.html) Why we can’t trust Microsoft’s ‘trustworthy’ OS
(http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2873168,00.html) Abridged version of a commentary published in EDPACS by Auerbach Publications 2002. |