Questions for a Lecture on Microsoft's Palladium? 612

An anonymous reader asks: "Microsoft is going to be giving a lecture on Palladium for my Computer and Network Security class at MIT this Thursday. We're told that it's going to be the most technically detailed lecture publicly given to date, and that we should be armed with questions as a result. Any suggestions from the Slashdot crowd? What technical details have you been dying to know about Palladium?" It would be interesting to hear back from someone who is planning on attending this. For those who wish they were, but can't for one reason or another, what would you have asked by proxy?
  • by The Importance of ( 529734 ) on Tuesday October 15, 2002 @08:56PM (#4458098) Homepage
    Read this [yale.edu] for some good info.
  • by Entropy_ah ( 19070 ) on Tuesday October 15, 2002 @09:33PM (#4458345) Homepage Journal
    Therefore, this infringes upon my right to the "pursuit of happiness", as ordained by the constitution.

    I'm not sure if you were joking or not, but that phrase is from the declaration of independence, not the constitution
  • by Yankovic ( 97540 ) on Tuesday October 15, 2002 @09:35PM (#4458357)
    The answer is yes. I don't know exactly where you have gathered this, but it's completely wrong. Here's a link to an interview with the group product manager for Palladium with the answer:

    DIDW [didw.com]

    And the relevant quote (with important part bolded):
    DIDW: So flexibility is a big goal, with nothing traceable locked in and no specific required PKI structure it must be part of?

    Juarez: The architecture is designed to be an open platform and open environment. As an ISV or service provider you can build anything you want on top of this platform and offer up a value proposition with consumers, or with other businesses. It can do all kinds of interesting things. But there's nothing in the system that says, for example, that if you run something in one of these vaults that you've got to have the code signed, or you have to have things authenticated. It's a very basic, open environment and we're not trying to build any elements of it that are going to require verification or the participation of anything other than the ISV and the person who is using the services want to have happen.
  • by brw215 ( 601732 ) on Tuesday October 15, 2002 @09:46PM (#4458417) Homepage
    Look at this article [salon.com] on salon.com. A direct quote:
    The strongest part of Palladium will be its ability to determine whether a given software application should run on a machine. The system will be shipped with these functions turned off, but "we actually think it's likely that users will say, 'I'm only going to run code that's been signed,'" Biddle says. By "signed," Biddle means that the application has been cryptographically tagged by a "signing authority." The Palladium system would run the code only if the user has approved that specific authority.
  • by SiliconEntity ( 448450 ) on Tuesday October 15, 2002 @09:50PM (#4458441)
    How can user written software run on a 'trusted' system?

    It's obvious, if you're familiar with the Palladium information that has been released. All software, whoever writes it, will be able to make use of Palladium features via a new API.

    What are the Palladium features? Your software will be able to create a "virtual vault" that other software can't see into (an encrypted disk file locked to a hash of your software). You can have a "trusted agent" that runs in a secure memory area which is immune to being inspected or changed using debuggers, virtualizers, etc. You can get the OS to securely report a hash of your software to third parties, cryptographically signed by a key which is locked in the Palladium hardware.

    The sense in which these features entitle your software to be called "trusted" is beyond the scope of this reply.

    I strongly suggest that the OP read the Palladium docs that are available to familiarize himself with the system before he goes to this lecture.
  • Re:Engineering holes (Score:3, Informative)

    by SiliconEntity ( 448450 ) on Tuesday October 15, 2002 @10:18PM (#4458639)
    what do you do when someone exploits a buffer overrun or a backdoor--or a macro in Word 95--to run arbitrary code, and disable all Palladium features

    Palladium has a concept called "curtained memory". It is immune to being touched by ordinary code, you have to be in a new CPU mode which is being defined as part of the Palladium spec (some observers call it "ring -1"). Most buffer overruns and similar bugs will not escalate your privileges high enough to touch the Palladium secure area, even if you can get into (normal) kernel mode.

    My understanding is that you'd have to find a bug in the OS kernel software component that runs in the curtained area, which Microsoft calls the "nub" or "Trusted Operating Root". They intend to publish this relatively small software component for review in the hopes that it can be made bug free. If so then bugs in other parts of the software will not defeat Palladium security.
  • by Anonymous Coward on Tuesday October 15, 2002 @10:44PM (#4458774)
    I assume that this [mit.edu] is the seminar that is being referred to.
  • Re:Reasons (Score:2, Informative)

    by PerryMason ( 535019 ) on Tuesday October 15, 2002 @10:48PM (#4458789)
    I can think of one very obvious reason, ie Microsoft see the internet as a competitor to the multiplex. They figure that if they can get a stranglehold on the online distribution of multimedia, when the time comes that you can pay-per-view a movie from the internet at DVD quality, they will have the reins on both what can be viewed from the viewers end and what can be distributed from the distribution end (you want a DRM certificate? Beg biatch!).

    To me it looks a lot like MS is trying to 'AOL' the whole multimedia side of the net. You will only be able to view what they consider appropriate/profitable.
  • by SiliconEntity ( 448450 ) on Tuesday October 15, 2002 @11:24PM (#4459017)
    This still leaves mostly the same question, if my machine is offline. Of course, that really could be a question in and of itself.. how does the system function with a non-networked computer?

    If your system is offline or un-networked, you can still use the Palladium "virtual vault" and "curtained memory". This would allow your software to create a crypto key and store some data encrypted with it, such that no other software would be able to read that data. Not even the owner of the computer could get to that data except under the rules that your software enforced. He couldn't virtualize it, he couldn't emulate it, he couldn't use a debugger or patch the software.

    The reason he can't virtualize your software or run it on an emulation layer is that the data is encrypted with a key that is locked in the crypto chip. The emulator doesn't have that key and so it can't decrypt the data. The reason he can't use a debugger is because (part of) your software runs in the special memory region which is off limits to debuggers. And the reason he can't patch your software (on the disk, say) is because that changes the software hash, which the crypto chip checks when it goes to decrypt the data, to see if it matches what it was when the data was encrypted. Changing the software changes the hash; changing the hash keeps you from getting at the data.

    He could still get at the data if he used some hardware hacks, like dual-ported ram or exotic techniques to extract data from the secure crypto chip. These are probably outside of the expertise of the average hacker, though.

    So what does "trusted" mean here? It means that your software can manage data and behave in a predictable manner, enforcing specified rules for manipulating the data.
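The "virtual vault" described in the two SiliconEntity comments above (an encrypted store locked to a hash of the requesting software, with the key held in the crypto chip) can be modelled in a few dozen lines. The following is an added illustration, not code from the thread, from Microsoft or from any Palladium document. It assumes a chip holding a root secret that never leaves it, derives a per-software sealing key from that secret plus the software's hash, and authenticates each sealed blob so a mismatched key is detected rather than producing garbage; the application images and secret are constructed stand-ins, and the HMAC-based stream cipher is a stdlib-only substitute for whatever a real chip would use.

```python
"""Toy model of hash-bound sealed storage (added example, not Palladium's own design)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def measure(code: bytes) -> bytes:
    """Hash of the software image: the identity the chip binds secrets to."""
    return hashlib.sha256(code).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stdlib stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class SecureChip:
    """Simulated crypto chip. Its root secret is never returned by any method."""

    def __init__(self) -> None:
        self._root = os.urandom(32)  # unique per chip; an emulator would not have it

    def _seal_key(self, code_hash: bytes) -> bytes:
        # Per-software key: changing either the chip or the code hash changes the key.
        return hmac.new(self._root, b"seal:" + code_hash, hashlib.sha256).digest()

    def seal(self, code_hash: bytes, plaintext: bytes) -> bytes:
        key = self._seal_key(code_hash)
        nonce = os.urandom(NONCE_LEN)
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def unseal(self, code_hash: bytes, blob: bytes) -> bytes:
        key = self._seal_key(code_hash)
        nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Wrong software hash or wrong chip: the derived key differs, so the tag fails.
            raise PermissionError("requesting software does not match the sealing software")
        return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def run_demo() -> dict:
    """Seal a secret under one application image and try to unseal it three ways."""
    chip = SecureChip()
    app = b"application image v1"            # constructed stand-in for the program on disk
    patched = app + b" (one byte changed)"   # the same program after an on-disk patch
    secret = b"per-user secret material"     # constructed data the app wants to protect

    blob = chip.seal(measure(app), secret)
    results = {"original": chip.unseal(measure(app), blob) == secret}

    try:                                     # patched binary: different hash, different key
        chip.unseal(measure(patched), blob)
        results["patched"] = "unsealed"
    except PermissionError:
        results["patched"] = "denied"

    try:                                     # emulator: same hash, but a different root secret
        SecureChip().unseal(measure(app), blob)
        results["emulator"] = "unsealed"
    except PermissionError:
        results["emulator"] = "denied"
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two design points matter here. The sealing key is derived from both the root secret and the code hash, which is what makes the "patch the binary" and "run it in an emulator" cases fail in the same way. And the blob carries an authentication tag, so a mismatch is reported as a refusal rather than as silently corrupted plaintext, which is the behaviour a caller can act on. Attestation (the chip signing a hash for a remote party) is a separate mechanism and is not modelled.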
  • Re:Secure Palladium? (Score:2, Informative)

    by LordLucless ( 582312 ) on Wednesday October 16, 2002 @02:17AM (#4459737)
    Regarding mod-chipping

    I believe that Palladium is coming in two stages. First stage has a Fritz chip on the mobo that handles security. If you can intercept data on the bus between the fritz and the rest of the machine, you can get the advantage of being declared secure by the fritz, without actually having your machine sanitized.

    However, later on they plan on integrating fritz into the cpu. This would make mod-chipping next to impossible. The only way to be able to do that, I'd guess, is to reverse engineer the methods they have for authenticating a computer's trusted status.
  • by tlambert ( 566799 ) on Wednesday October 16, 2002 @03:22AM (#4459952)
    What "optional" means to you is that you have the option of not running DRM.

    Exercising this option is functionally equivalent to exercising the option to not have access to any digital content whatsoever.

    So it's "optional" as in "breathing", not "optional" as in "comes with a sunroof".

    -- Terry
  • Palladium confusion (Score:2, Informative)

    by MongoMike ( 557889 ) on Wednesday October 16, 2002 @04:28AM (#4460140)
    One might think everyone here was brainwashed. If you're attending this lecture, you're advised to read the appropriate FAQs first. From what I've seen, the general /. crowd isn't ready to go to this talk. :)

    One such FAQ was: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/PallFAQ2.asp [microsoft.com]

    Few important notes:

    • Palladium can be turned on/off at will.
    • Palladium runs on top of the OS.
    • Palladium enables better privacy. You can keep personal information from leaking from your machine, even when running untrusted programs on your machine.
    • DRM is something that can be built *on* Palladium. DRM is a possible outcome of Palladium. Is that reason to hate/protest Palladium? By analogy, the DMCA is right to disallow software which can enable copyright infringement, despite what that software can also be used for.
    • Palladium is designed to prevent against subversion tactics from software. It makes no guarantees against physical compromise of the local machine.
    Overall, I think the biggest problem with Palladium is the potential it has to hurt other OSs. If media companies decide to use it because of its security, it'll mean that they'll be developing exclusively for Windows, and not Linux. Unfortunately, I can't really see how one might develop an open source version of Palladium. :|