PDA Logo.gif (6595 bytes)

Palladium: Friend or Foe?

home

our services

about Peter Davis+Assoc.

contact

security/audit info

Privacy Test

Security & Audit Tools

CyberScribblings

Windows NT Server IIS

Windows 95

Cookies

Java, JavaScript and ActiveX

Intrusion Detection Systems

Security Industry Shakeout

Securing Groupware

Client/Server Audit: One Bite At A Time

Configuring Cisco Denial of Service Security Features - Part 1

Configuring Cisco Denial of Service Security Features - Part 2

Configuring Cisco Lock-and-Key

Configuring Cisco Reflexive Access Lists

Dysfunctional Controls: Useless, Impractical, Inefficient and Poorly-Designed

TCPA: Who Can You Trust?

When Getting the Audit Done Is the Only Thing

Palladium: Friend or Foe?

Commentary: Quis Custodiet Ipsos Custodes?

Data Management: Data Destruction and Preservation

Security & Audit Products
 
Top Ten Security Links 
 
Security & Audit Checklists
 
Computer & Security
Glossary
 
Security & Audit Bibliography 
 
Search Page

legal info

privacy info

Dateline: Toronto, ON, August 2002

Perhaps you have heard the whispers about Palladium.  So what is Palladium?  Well, the answer lies in your background.  If you are a scientist then Palladium (symbol: Pd, atomic number: 46) is a silvery white metal used in the making of the Blackhawk helicopters.  Dentists know Pd as excellent crown material.  If you live for RPGs (role playing games), then Belisarius the Paladin surely knows Palladium.  If you are a poetry lover, you may recognize it as the name of a poem by Matthew Arnold (1822-1888).  If you are into Greek mythology or architecture, you know the Palladium as a temple to Pallas, the Greek goddess of wisdom. You can see excellent examples of Palladium architecture in Vicenza, Italia.  Alas, if you are a computer geek, then Palladium is an alchemists dream to turn silicon into gold for Microsoft and friends.

Palladium is an extension of the effort from the TCPA (see TCPA: Who Can You Trust?), an alliance formed to develop a trustworthy computer.  Stung by criticism of its current security, Microsoft is pinning its hopes for a truly trustworthy operating system on Palladium.

Palladium provides a computing platform where you can’t tamper with the applications, and where these applications can communicate securely with the vendor. The obvious application is digital rights management (DRM).  Let’s say you’re the one person who buys Disney’s The Country Bears on DVD.  You will decrypt the DVD and run it on a Palladium platform, but you can’t copy it (not that you would want to copy it).  So your neighbours must buy their own copy!

Music moguls also can sell you music downloads that you can’t swap or copy.  They can sell you CDs that you only can play, say, three times, or only on your birthday.  The music industry might allow you to lend (or not) your copy of some digital music to a friend, but your backup copy isn’t playable until your friend gives you the original copy back.

All sorts of new marketing possibilities abound. A new industry could arise to rent software rather than sell it; and should you stop paying the rent, then not only does the software stop working but so may the files you created.  The very data on your hard drive ceases to be yours because it could self-destruct at any time. You may end up paying rent to use your own data!

Building upon the TCPA hardware, Microsoft plans to incorporate Palladium in future versions of Windows.  Microsoft has been working on Palladium’s Trusted Operating Root Architecture (TORA) since around 1997 and Microsoft holds or has filed patents for some of it. 

Microsoft has a vision that functionality now built on top of bank cards will move into software once they can make the applications tamper-resistant.  In a future where you pay for books that you read, and music you listen to, at the rate of so many pennies per page or per minute, this is a requirement.  Should this business model not work out, and there are good arguments why it won’t, there clearly is a competitive issue for a number of on-line payment systems, and there may be spill over effects for consumers.  If, in ten years time, it’s inconvenient to shop on-line with a credit card without using a Palladium platform, then this could move a lot of people over to the platform.

Essentially, Palladium defends effectively against two classes of attacks:

(1)   Remote network-mounted attacks (for example, buffer overflows and other programming flaws, or malicious mobile code), because when someone installs some malicious code in one part of the system, it still can’t effectively subvert the policy of another part of the system.

 

(2)   Local software-based attacks, including things like using a debugger to try to read a program’s internal state while it’s executing or to try to subvert its policy.  Thus, Palladium probably can guarantee that you can’t write or download any software and nobody else can write or upload any software to you that would compromise the policy of software running locally, which is making use of Palladium trust features.

 

Microsoft could make Palladium secure against almost all software attacks—barring development of a nub with a matching signature, which statistically is improbable—and most hardware attacks.  Hardware compromise likely will require substantial modifications to the PC and will not break the security of unmodified PCs.

The desire to bring all genres of entertainment within their empire also motivates Microsoft.  But they also stand to win big should Palladium become widespread, as they could use it to cut down dramatically on software piracy.  With Palladium, Microsoft could tie each PC to its individual licensed copy of Office, and with TCPA they can tie each motherboard to its individual licensed copy of Windows.

Palladium is distinct from TCPA and has technical differences from TCPA.  It has some architectural points in common with TCPA, including, most significantly, the use of “trusted hardware” within a PC to establish a root of trust.  Both TCPA and Palladium require modifications to existing PC hardware architecture in order to work.  In addition, they both require modifications to software in order to use trust features. Both are intended to run existing untrusted software without any modifications.

The initial version of Palladium will require changes to five parts of the PC’s hardware. It will require changes to the CPU, the chipset (on the motherboard), the input devices (for example, a keyboard), and the video output devices (for example, a graphics processor). In addition, you must add a new component: a tamper-resistant secure cryptographic co-processor (SCP).

Palladium centers around a security kernel—the nub—that executes at the highest-privilege level of the processor.  The processor hardware protects the nub against all software attack and, when compromised, invalidates its digital certificates.  A compromised nub will continue to run but can’t assert its identity in a trusted fashion.

Windows runs in parallel with the nub and all security processes pass through Windows to the nub. Therefore, Windows security (and its associated security problems) potentially becomes irrelevant.  Most commercial, third-party software, including drivers, will come to rely on this infrastructure.

Palladium’s changes to the CPU allow Palladium to place the CPU into a new mode where it restricts certain areas of memory via a technique called “code curtaining” to an ultra-privileged piece of code called the “nub” or Trusted Operating Root (TOR).  The nub is a kind of trusted memory manager, which runs with more privilege than the operating system kernel.  The nub also manages access to the SCP.

The SCP is an 8-bit tamper-resistant cryptographic smartcard that contains unique keys, including public key pairs for 2048-bit RSA and symmetric keys for AES in CBC mode. These keys are unique to every machine and the SCP will not reveal them to anything outside the SCP’s security perimeter.  It contains a variety of cryptographic functionality, including SHA-1, RSA, AES, and other cipher implementations, a small amount of memory, and a monotone counter.

When you want to start a Palladium PC in trusted mode, the system hardware performs what’s called an “authenticated boot”, where the software places the system in a known state and loads the nub.  Palladium’s authenticated boot is simpler than TCPA’s version, because it takes only a single hash.  Palladium does not attempt to measure the hardware, BIOS, boot loader, and OS kernel, or at least not within the SCP.

The SCP takes a SHA-1 hash of the just loaded nub, and the platform configuration register (PCR) stores unalterably the 160-bit hash, and it remains there for as long as the system continues to operate in trusted mode. Then, the operating system kernel can boot, but the key to the trust in the system is the authentication of the nub. As long as the system is up, the SCP knows exactly the currently running nub.  Because of the way the CPU works, it is not possible for any other software to modify the nub or its memory or subvert the nub’s policies.  The nub is in some sense in charge of the system at a low level, but it doesn’t usually do things that other software would notice unless asked.

The nub interfaces with other software on the system by means of trusted agents (or TAs). The TAs can implement sophisticated policies and authentication methods, whereas the nub and SCP just implement fairly simple primitives.  TAs will have the capability to communicate with user-space programs.  Other people can write their own nubs that can support different kinds of TAs or even do without TAs entirely.  Hardware protects one TA from another and from the rest of the system.

Even PCI DMA (Direct Memory Access) can’t read or write memory that Palladium has reserved for a nub’s or TA’s use (including the nub’s or TA’s code). This memory is completely inaccessible except indirectly through API calls. The hardware vendor has modified the chipset on the motherboard to enforce this restriction.

The SCP provides a feature called “sealed storage” by means of two API calls: SEAL and UNSEAL. The Microsoft nub provides wrappers around these calls.  When a TA running on a system in trusted mode wants to use sealed storage, it can call the APIs implemented in the nub.

Microsoft will achieve sealed storage by means of encryption (sealing) or decryption (unsealing) with a symmetric cipher (for example, AES in CBC mode). When the SCP has data to seal, it will have two arguments: the data itself and a 160-bit “nub identifier,” which is the SHA-1 hash of some nub and so uniquely identifies that nub.

The SCP performs sealing by pre-pending the nub identifier to the data for sealing, and then encrypting the result with a unique private key.  The SCP keeps the key, which is a unique identifier for the machine that performed the sealing operation.

To prevent replay attacks and to protect privacy, the SCP actually also adds a random nonce to the data for sealing before encryption and discards the nonce upon decryption. The nonce feature prevents someone from creating an application that records the output from sealing an empty string and then using the result as a persistent unique identifier for your machine.  A program that tried this would find that, because of the random nonce, the result from sealing a given string is wildly different, and the sealing operation reveals no useful information about the identity of the machine.

After encryption, the SCP returns the encrypted result as the return value of the SEAL operation.

When the SCP has encrypted data to UNSEAL, it internally attempts to decrypt the encrypted data using its platform-specific key. This means that, when a different machine originally sealed the encrypted data, the UNSEAL operation will unconditionally fail.  You can’t take a sealed file and transfer it to another machine and unseal it there; because you cannot extract the platform-specific key used for encryption and decryption from the SCP, you only can UNSEAL data on the same machine that originally sealed it.

If the decryption is successful, the SCP performs a second check: it examines the nub identifier residing within the decrypted data.  The nub identifier was specified at the time the data was originally sealed, and indicates the nub allowed to receive the decrypted data.  If the nub identifier for the decrypted data is identical to the nub identifier currently stored in the PCR (which is the SHA-1 hash of the currently-running nub on the machine at the moment UNSEAL was called), the UNSEAL is successful and the decrypted data is returned to the calling nub.  However, should the nub identifier not match the contents of the PCR, the SCP concludes that the nub currently running is not entitled to receive this data, and discards it.  Thus, sealing is specific to a physical machine and also specific to a nub.

A different machine or nub cannot decrypt data sealed on one machine for a particular nub.  An application that trusts a particular nub (and is running under that nub) can seal important secret data and then store the resulting sealed data safely on an untrusted hard drive, or even send it over a network.

Should you reboot the machine with a debugging program, there is no problem, so you can debug the software that created the encrypted file.  However, since you aren’t running the correct nub, the debugger will work, but the UNSEAL call won’t. The SCP will receive the UNSEAL call, examine the PCR, and conclude that the currently-running nub cannot receive the sealed data.  Your applications only can decrypt sealed data when they are running under the same machine and under the same software environment that originally sealed that data.

This is unquestionably clever.  When you are running under a trusted nub, your applications can use the SCP to decrypt and process data, but you can’t run software that subverts a TA’s policy (because the nub will not permit you to subvert the policy).  When you are not running under a trusted nub, you can run software that subverts a TA’s policy (because the nub can’t prevent it), but your applications can no longer decrypt any sealed data, because the SCP won’t be willing to perform the decryption.  The default with sealed storage is that any sealed data is unusable when migrated to a new system.

In principle, nub and kernel are independent, so a non-Microsoft kernel could run on a Microsoft nub, or vice versa.  Patent and copyright issues might prevent this from being done in practice, but it is apparently technically possible within the design of Palladium.

Microsoft swears Palladium is for security purposes.  The question is: Security for whom?  How will this stop the “I just inadvertently e-mailed you a virus” problem? You would like to stop worrying about viruses, but Palladium will offer no help.  Viruses exploit the way software applications, such as Microsoft Office and Outlook, use scripting.  Spam might annoy you, but that won’t get fixed either.  Microsoft implies that by filtering out all unsigned messages the problem goes away, but the spammers will just buy compliant PCs.  You’re better off using your existing mail client to filter out mail from people you don’t know and putting it in a folder you scan quickly once a day.  You might worry about privacy, but Palladium won’t fix that; since almost all privacy violations result from the abuse of authorized access, often obtained by coercing consent.  How does this stop your personal information being sucked from your PC using cookies?  It won’t.  Solving these particular problems is not Palladium’s real purpose, which is to increase Microsoft’s market share.  Palladium is a marketing concept sold as the solution to a problem, but it won’t really help you secure your machine.

There is no attempt to stop people from booting whatever code they currently use or may write in the future.  In addition, specially-adapted software can potentially use the hardware trust features, regardless of what operating system is running. It is possible to imagine that you could create a Palladium-hardware-aware version of Linux that could make full use of Palladium’s hardware features to achieve trust comparable to the Windows implementation.  Microsoft only is writing an implementation for Windows.

Although the SCP is tamper-resistant, likely a skilled attacker with physical access to the inside of a Palladium PC could compromise it or subvert its policies in some way.  You could replace the system RAM with special RAM to allow the read or modification of its contents by an external circuit.  So it is possible that an attacker with physical access still can compromise the system, even though the SCP is tamper-resistant, partly because other components (for example, RAM) are less robust against modification.

Seen in these terms, Palladium does not so much provide security for the user as for the PC vendor, the software supplier, and the content industry.  It does not add value for the user, but destroy it.  It will constrain what you can do with your PC so application and service vendors can extract more money from you.  This is the classic definition of an exploitative cartel: an industry agreement that changes the terms of trade so as to diminish consumer surplus.

Software companies also can make it harder for you to switch to a competitor’s product.  Microsoft would like to make it more expensive for people to switch away from their products (such as Office) to rival products (such as OpenOffice or StarOffice).  Then, they can charge more for upgrades without making their users jump ship.  For example, Word could encrypt all your documents using keys that only Microsoft products could access; this would mean that you could only read them using Microsoft products, not with any competing word processor.

So much for Linux and Open Source, but it goes even further than that.  So much for competitors like Apple and the Macintosh.  As well, Microsoft will use Palladium as a means of killing off the LAMP (Linux/Apache/MySQL/PHP) camp.  Their public relations shills will make you forget all about the numerous security advisories for Windows, IIS, SQL Server and ASP.

Stop me if you have heard this one before.  Microsoft forms a union to work on software (substitute OS/2 for TCPA).  Microsoft decides to continue to support alliance initiative, but starts work on its own software (substitute Windows Advanced Server for Palladium).  Microsoft co-opts market and develops a virtual monopoly.

If that doesn’t make you sit up and take notice, then consider a recent update for the Windows Media Player that caused controversy by insisting that users agree to future anti-piracy measures, which may include measures that delete pirated content found on your computer.  Also, since Windows 2000, Microsoft has been working on certifying all device drivers; should you try to load an unsigned driver, XP will complain.

Although it’s attracting a lot of attention, Microsoft has been very vague about the technical details of the Palladium secure computing initiative.  Ironically, Microsoft says they will reveal Palladium’s source code, which is little more than a nod and a wink toward the Open Source movement.  Nobody at Microsoft is saying anything about giving the ownership of that source code away or of allowing anyone to change it.  But based on past history, you should know what will occur.  In late March, Microsoft published a document outlining how third-party developers can use Common Internet File Sharing (CIFS), a Microsoft protocol that specifies how Windows PCs share files with servers.  Although publishing the document should have made it easier to write software incorporating CIFS, it contained a crucial restriction that prohibits using information in the document to build software governed by the General Public License (GPL).  Some believe that any licence connected to Palladium will have a similar tone.

Enterprises looking at implementing trusted computing systems have to know who manages the trust and—since the whole purpose of the exercise is to deny any form of access to the untrustworthy user, program or data—how the trust mechanism works.  Do you trust Microsoft?  That is the nub of the matter.  Not me, that’s for sure.  Should you really trust Microsoft, which has been found guilty in the highest court in the U.S. of breaking laws in a way that might have harmed consumers, to build a trusted platform for you?

Microsoft exposed its motivation for Palladium when, on filing a core patent for the technology, it used the term Digital Rights Management Operating System.  Far from providing authenticity, integrity and privacy of data, Microsoft actually wants to police copyright laws.

All auditors need to analyze the impact of Palladium on their organization and formulate a strategy to deal with it.  You’ll definitely need to develop an implementation plan to ensure a smooth and orderly transition within your organization.  No doubt Microsoft will bundle Palladium with new must-have features so that the package as a whole appears to add value in the short term, but the long-term economic, social and legal implications require serious thought.  Palladium’s potential impact is enormous.  So educate yourself and others.  You can find more information about Palladium at:

I Told You So (http://www.pbs.org/cringely/pulpit/pulpit20020627.html)

Microsoft says: Trust Me (http://techupdate.zdnet.co.uk/story/0,,t481-s2118653,00.html)

Microsoft security initiative could face backlash (http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2872703,00.html)

Palladium Details (http://www.activewin.com/articles/2002/pd.shtml)

TCPA / Palladium Frequently Asked Questions (http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html)

Who trusts Microsoft's Palladium? Not me (http://zdnet.com.com/2100-1107-939817.html)

Why we can’t trust Microsoft’s ‘trustworthy’ OS (http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2873168,00.html)

Abridged version of a commentary published in EDPACS by Auerbach Publications 2002.

Tell a friend about this page!
Their Name:
Their Email:
Your Name:
Your Email: