Re: Palladium: technical limits and implications
Adam Back writes:
I have one gap in the picture:
In a previous message in this Peter Biddle said:
In Palladium, SW can actually know that it is running on a given platform and not being lied to by software. [...] (Pd can always be lied to by HW - we move the problem to HW, but we can't make it go away completely).
Obviously no application can reliably know anything if the OS is hostile. Any application can be meddled with arbitrarily by the OS. In fact every bit of the app can be changed so that it does something entirely different. So in this sense it is meaningless to speak of an app that can't be lied to by the OS. What Palladium can do, though, is arrange that the app can't get at previously sealed data if the OS has meddled with it. The sealing is done by hardware based on the app's hash. So if the OS has changed the app per the above, it won't be able to get at old sealed data. And of course remote attestation will not work either, if the app has been meddled with. This means that an app can start running, attest to its "clean" status to a remote server, download some data from that server, and seal it. Then at a later time, IF the app is able to unseal that data, then it is true that the app has not been meddled with and is not running on virtualized hardware. That is how I understand these sorts of claims.
some definitions: hw layer -- SCP which I think provides crypto key store, crypto co-processor for sealing, remote attesation ring 0 -- new layer which controls memory management unit and secured code compartments supervisor mode -- normal supervisor mode, which can now only read user space, but not trusted agents running in code compartments user mode -- legacy user level apps under complete control of supervisor mode and some ASCII art: +---------------+------------+ | trusted-agent | user mode | | space | app space | | (code +------------+ | compartment) | supervisor | | | mode | +---------------+------------+ | ring-0 / Memory mgmt unit | +----------------------------+ | hardware / SCP key manager | +----------------------------+ each layer below can decide policy and information disclosure through APIs to the layer above. The implications of which are: - the SCP can implement sealing with data separation against ring-0 (ring-0 can't bypass sealing data separation) - ring-0 can read all superviser, user, and trusted agent space, but - ring-0 and MMU can compartmentalize trusted agents so they can't tamper with each other, and - ring-0 and MMU can exclude supervisor mode from trusted agent space and ring-0 space; supervisor mode is itself just another compartmentalized trusted-agent level space. Therefore ring-0 can restrict what supervisor mode (where the normal OS is located) can do. whereas the normal protected CPU architecture is just: +------------+ | user mode | | app space | +------------+ | supervisor | | mode | +------------+ - from these assumptions it appears an OS could be implemented so that all OS calls pass through ring-0 APIs and mediation to get to supervisor mode OS. In this case the OS could observe system calls the trusted agent makes, but not in general read, debug, modify virtualize or modify trusted-agent code. The non-virtualization presumes encrypted trusted-agent code, which Peter said is not done, so this can't be how it works. I would be interested to hear what model takes for Palladium mapping the interactions and restrictions between Trusted Agents, user space, OS kernel, TOR to the hardware. We need this kind of detail to reason about limits of the Palladium and make distinctions between what is possible with Palladium implementation choices vs what other types of OSes could be built from the hardware features. One idea I think would be interest is as follows: - the TOR (which lives in ring-0) _could_ be used together with the OS to force all trusted-agent in-flows and out-flows (network traffic) to go through code under supervisor mode control. I don't think this is likely in the current design; but this change would be an improvement: - it would at least allow user audit and control of in-flows and out-flows; - the user could block suspicious phone-home information out-flows, - the user could read out-flows and demand un-encrypted documented formats, or if encrypted, encrypted with keys the supervisor mode gets copies of. - similarly in-flow control is interesting, because with no in-flows a trusted agent could be more liberally allowed to make out-flows (if it has no input knowledge, and is in a code compartment, and the user gave it no sensitive it doesn't know anything to leak.) (Even with encrypted code, or public code which could not otherwise be audited actively in the sense of debugging it's actual operation to see what it does in practice in your machine given your data and circumstances rather than looking at static code and third party certifications to try to deduce that. Not all apps may be unencrypted (a TOR and SCP could clearly be built to support this feature). So on anonymous comments about OS control:
Obviously no application can reliably know anything if the OS is hostile. Any application can be meddled with arbitrarily by the OS.
I'm not sure if anonymous is just generalising when he says the app can't in any circumstances know anything if the OS is hostile, but I think it could potentially know things if the OS is hostile. As I described with the control and layer I think the palladium hardware uses. It seems possible to build some of separations and exclude the OS from certain types of application. It depends what you include in the OS; if the OS includes the TOR, then no. But it was stated that the TOR is somewhat independent from the OS. You could mix and match and use an MS Palladium TOR with linux potentially (though perhaps not in practice, it would have to be designed to allow it). It also depends on how the OS, trusted agents and supervisor mode is mapped to the hardware.
What Palladium can do, though, is arrange that the app can't get at previously sealed data if the OS has meddled with it. The sealing is done by hardware based on the app's hash. So if the OS has changed the app per the above, it won't be able to get at old sealed data.
Peter seemed to claim these kinds of assurance. Sealing doesn't prevent application virtualization, it just prevents the sealed data being shared between non-virtualized instances of the apps and virtualized instances. So I was wondering how Peter could simultaneously claim that encryption was not used and that "SW can known that it is running on a given platform."
And of course remote attestation will not work either, if the app has been meddled with.
Remote attestation, which is not itself general -- just a remote dongle thing -- if not tied to remote dongle controlled sealing which is necessary for the main application function could be nopped out. So in the general case it seems that remote attestation is also effectively virtualizable, modifiable and debuggable by first nopping out remote attestation checks. (This is not strictly virtualizable as the remote dongle call nopping modification makes it no longer the same application, but as I said unless this is necessary for the application it doesn't otherwise change it's behavior, so it's effectively virtualizable). Adam
AARG!Anonymous wrote:
Adam Back writes:
I have one gap in the picture:
In a previous message in this Peter Biddle said:
In Palladium, SW can actually know that it is running on a given platform and not being lied to by software. [...] (Pd can always be lied to by HW - we move the problem to HW, but we can't make it go away completely).
Obviously no application can reliably know anything if the OS is hostile. Any application can be meddled with arbitrarily by the OS. In fact every bit of the app can be changed so that it does something entirely different. So in this sense it is meaningless to speak of an app that can't be lied to by the OS.
What Palladium can do, though, is arrange that the app can't get at previously sealed data if the OS has meddled with it. The sealing is done by hardware based on the app's hash. So if the OS has changed the app per the above, it won't be able to get at old sealed data.
I don't buy this: how does Palladium know what an app is without the OS' help? Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ Available for contract work. "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
On Mon, Aug 12, 2002 at 01:52:39PM +0100, Ben Laurie wrote:
AARG!Anonymous wrote:
[...] What Palladium can do, though, is arrange that the app can't get at previously sealed data if the OS has meddled with it. The sealing is done by hardware based on the app's hash. So if the OS has changed the app per the above, it won't be able to get at old sealed data.
I don't buy this: how does Palladium know what an app is without the OS' help?
Here's a slightly updated version of the diagram I posted earlier: +---------------+------------+ | trusted-agent | user mode | | space | app space | | (code +------------+ | compartment) | supervisor | | | mode / OS | +---------------+------------+ | ring -1 / TOR | +----------------------------+ | hardware / SCP key manager | +----------------------------+ Integrity Metrics in a given level are computed by the level below. The TOR starts Trusted Agents, the Trusted Agents are outside the OS control. Therefore a remote application based on remote attestation can know about the integrity of the trusted-agent, and TOR. ring -1/TOR is computed by SCP/hardware; Trusted Agent is computed by TOR; The parallel stack to the right: OS is computed by TOR; Application is computed OS. So for general applications you still have to trust the OS, but the OS could itself have it's integrity measured by the TOR. Of course given the rate of OS exploits especially in Microsoft products, it seems likley that the aspect of the OS that checks integrity of loaded applications could itself be tampered with using a remote exploit. Probably the latter problem is the reason Microsoft introduced ring -1 in palladium (it seems to be missing in TCPA). Adam -- http://www.cypherspace.org/adam/ --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
participants (3)
-
AARG! Anonymous
-
Adam Back
-
Ben Laurie