Re: Ross's TCPA paper
Seth Schoen writes:
The Palladium security model and features are different from Unix, but you can imagine by rough analogy a Unix implementation on a system with protected memory. Every process can have its own virtual memory space, read and write files, interact with the user, etc. But normally a program can't read another program's memory without the other program's permission.
The analogy starts to break down, though: in Unix a process running as the superuser or code running in kernel mode may be able to ignore memory protection and monitor or control an arbitrary process. In Palladium, if a system is started in a trusted mode, not even the OS kernel will have access to all system resources.
Wouldn't it be more accurate to say that a "trusted" OS will not peek at system resources that it is not supposed to? After all, since the OS loads the application, it has full power to molest that application in any way. Any embedded keys or certs in the app could be changed by the OS. There is no way for an application to protect itself against the OS. And there is no need; a trusted OS by definition does not interfere with the application's use of confidential data. It does not allow other applications to get access to that data. And it provides no back doors for "root" or the system owner or device drivers to get access to the application data, either. At http://vitanuova.loyalty.org/2002-07-03.html you provide more information about your meeting with Microsoft. It's an interesting writeup, but the part about the system somehow protecting the app from the OS can't be right. Apps don't have that kind of structural integrity. A chip in the system cannot protect them from an OS virtualizing that chip. What the chip does do is to let *remote* applications verify that the OS is running in trusted mode. But local apps can never achieve that degree of certainty, they are at the mercy of the OS which can twiddle their bits at will and make them "believe" anything it wants. Of course a "trusted" OS would never behave in such an uncouth manner.
That limitation doesn't stop you from writing your own application software or scripts.
Absolutely. The fantasies which have been floating here of filters preventing people from typing virus-triggering command lines are utterly absurd. What are people trying to prove by raising such nonsensical propositions? Palladium needs no such capability.
Interestingly, Palladium and TCPA both allow you to modify any part of the software installed on your system (though not your hardware). The worst thing which can happen to you as a result is that the system will know that it is no longer "trusted", or will otherwise be able to recognize or take account of the changes you made. In principle, there's nothing wrong with running "untrusted"; particular applications or services which relied on a trusted feature, including sealed storage (see below), may fail to operate.
Right, and you can boot untrusted OS's as well. Recently there was discussion here of HP making a trusted form of Linux that would work with the TCPA hardware. So you will have options in both the closed source and open source worlds to boot trusted OS's, or you can boot untrusted ones, like old versions of Windows. The user will have more choice, not less.
Palladium and TCPA both allow an application to make use of hardware-based encryption and decryption in a scheme called "sealed storage" which uses a hash of the running system's software as part of the key. One result of this is that, if you change relevant parts of the software, the hardware will no longer be able to perform the decryption step. To oversimplify slightly, you could imagine that the hardware uses the currently-running OS kernel's hash as part of this key. Then, if you change the kernel in any way (which you're permitted to do), applications running under it will find that they're no longer able to decrypt "sealed" files which were created under the original kernel. Rebooting with the original kernel will restore the ability to decrypt, because the hash will again match the original kernel's hash.
Yes, your web page goes into somewhat more detail about how this would work. This way a program can run under a secure OS and store sensitive data on the disk, such that booting into another OS will then make it impossible to decrypt that data. Some concerns have been raised here about upgrades. Did Microsoft discuss how that was planned to work, migrating from one version of a secure OS to another? Presumably they have different hashes, but it is necessary for the new one to be able to unseal data sealed by the old one. One obvious solution would be for the new OS to present a cert to the chip which basically said that its OS hash should be treated as an "alias" of the older OS's hash. So the chip would unseal using the old OS hash even when the new OS was running, based on the fact that this cert was signed by the TCPA trusted root key. This seems to put more power than we would like into a single trusted key, though. It would be interesting to hear what Microsoft has in mind along these lines.
(I've been reading TCPA specs and recently met with some Microsoft Palladium team members. But I'm still learning about both systems and may well have made some mistakes in my description.)
If you've read the TCPA specs you're way ahead of most of the commentators here. You have undoubtedly noted how little connection there is between the flights of fancy and speculation which have appeared recently and the actual functionality of the TCPA system.
-- On 5 Jul 2002 at 14:45, AARG! Anonymous wrote:
Right, and you can boot untrusted OS's as well. Recently there was discussion here of HP making a trusted form of Linux that would work with the TCPA hardware. So you will have options in both the closed source and open source worlds to boot trusted OS's, or you can boot untrusted ones, like old versions of Windows. The user will have more choice, not less.
Yes he will, but the big expansion of choice is for the the seller of content and software, who will have more choices as to how he can cripple what he sells you. For example he can sell you music that will only play on a particular music player on your particular machine. But that is not enough to give the content industry what it wants, for someone can still break it on one machine, perhaps by intercepting the bitstream to the the DA, and having broken it on one machine, can run it on all machines all over the internet. Break once, run everywhere. Microsoft has also been talking out of both sides of its mouth, by saying that this will also protect against break once, run everywhere. The only way that this can protect against break-once-run-everywhere is to reduce user choice, to make it mandatory that the user can only run government trusted software, and to reduce seller choice, prohibit sellers from providing unacceptable software, such as napster like software. --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG XQJ33SB0W84Cm4Mw0+3lnN4nsUtaB4B6cIa1dP/2 2s67UXEL+Y5FHrr52MYArwzRuptDlBNVQIJOj/n/8
On Fri, 5 Jul 2002, AARG!Anonymous wrote: < ... />
Right, and you can boot untrusted OS's as well. Recently there was discussion here of HP making a trusted form of Linux that would work with the TCPA hardware. So you will have options in both the closed source and open source worlds to boot trusted OS's, or you can boot untrusted ones, like old versions of Windows. The user will have more choice, not less.
< ... /> Nonsense. Let us remember what Palladium is: Palladium is a system designed to enable a few large corporations and governments to run source secret, indeed, well-encrypted, code on home user's machines in such a way that the home user cannot see, modify, or control the running code. The Orwellian, strictly Animal Farmish, claim runs: "Why it is all just perfectly OK, because anyone can run source secret, well encrypted, code in an uncontrolled manner on anyone's machine at will! We are all equal, it is just that some, that is, We the Englobulators, will in practice get to run source secret, well-encrypted, code on hundreds of millions of users' machines while you, you will never run such code on anybody else's machine except at a hobbyists' fair, precisely to demonstrate we are all equal.". There are other advantages to Palladium: No free kernel will ever freely boot on a Palladium machine. And there is more. If Palladium is instituted: Microsoft will support the most vicious interpretation of the DMCA and press for passage of the SSSCA, in order that the first crack does not prove to the world that Palladium cannot prevent all copyright infringement. Microsoft will be able to say "See, it is these GNU/BSD/XFree/Sendmail/Apache/CLISP folk who are causing all this dreadful copyright infringement. Why owning a non-Palladium machine should be declared, no, not illegal, we are not monsters after all, but probative evidence that the owner is an infringer, and more, a general infringer and a member of the Copyright Infringement Conspiracy. Why some of them even write such code as the well known, and in CIC circles, widely used, tool of infringement called 'cp'. Senator, I know you will be as shocked as I was when I learned what 'cp' stands for. It stands for 'copy'. And I do not mean safe Englobulator-Certified Fair Use Copying, such as is provided by the Triple X Box, which, for a reasonable license fee, allows up to six copy-protected copies to be made before settling of accounts and re-certification of the Box over the net. No, I mean, raw, completely promiscuous copying of any file on the machine, as many times as the infringer wishes. Without record, without payment to the artist, without restraint. Senator, I prefer to call cp 'The Boston Strangler', because that is exactly what it is. And every single non-Palladium operating system in the world comes with cp already loaded, loaded and running.". oo--JS. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
http://www.eeye.com/html/Research/Advisories/AD20020710.html This vulnerability can be exploited by the Outlook user simply selecting a "malicious" email, the opening of an attachment is not required. ... [NAI] have released a patch for the latest versions of the PGP Outlook plug-in to protect systems from this flaw. Users can download the patch from: http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp ============================= By TED BRIDIS, Associated Press Writer WASHINGTON (AP) - The world's most popular software for scrambling sensitive e-mails suffers from a programming flaw that could allow hackers to attack a user's computer and, in some circumstances, unscramble messages. The software, called Pretty Good Privacy, or PGP, is the de facto standard for encrypting e-mails and is widely used by corporate and government offices, including some FBI ( news - web sites) agents and U.S. intelligence agencies. The scrambling technology is so powerful that until 1999 the federal government sought to restrict its sale out of fears that criminals, terrorists and foreign nations might use it. The new vulnerability, discovered weeks ago by researchers at eEye Digital Security Inc., does not exploit any weakness in the complex encrypting formulas used to scramble messages into gibberish. Instead, hackers are able to attack a programming flaw in an important piece of companion software, called a plug-in, that helps users of Microsoft Corp.'s Outlook e-mail program encrypt messages with a few mouse clicks. Outlook itself has emerged as the world's standard for e-mail software, with tens of millions of users inside many of the world's largest corporations and government offices. Smaller numbers use the Outlook plug-in to scramble their most sensitive messages so that only the recipient can read them. "It's not the number of people using PGP but the fact that they're using it because they're trying to safeguard their data," said Marc Maiffret, the eEye executive and researcher who discovered the problem. "Whatever the percentage is, it's very important data." Maiffret said there was no evidence anyone had successfully attacked users of the encryption software with this technique. He said the programming flaw was "not totally obvious," even to trained researchers examining the software blueprints. Network Associates Inc. of Santa Clara, Calif., which until February distributed both commercial and free versions of PGP, made available on its Web site a free download to fix the software. The company announced earlier it was suspending new sales of the software, which hasn't been profitable, but moved within weeks to repair the problem in existing versions. The company's shares fell 50 cents to $17.70 in Tuesday trading on the New York Stock Exchange ( news - web sites). Free versions of PGP are widely available on the World Wide Web. The flaw allows a hacker to send a specially coded e-mail - which would appear as a blank message followed by an error warning - and effectively seize control of the victim's computer. The hacker could then install spy software to record keystrokes, steal financial records or copy a person's secret unlocking keys to unscramble their sensitive e-mails. Other protective technology, such as corporate firewalls, could make this more difficult. "You can do whatever you want - execute code, read e-mails, install a backdoor, steal their keys. You could intercept all that stuff," Maiffret said. Experts said the convenience of the plug-ins for popular e-mail programs broadened the risk from this latest threat, since encryption software is famously cumbersome to use without them. Even the creator of PGP, Philip Zimmermann, relies on such a plug-in, although Zimmermann uses one that works with Eudora e-mail software and does not suffer the same vulnerability as Outlook's. A plug-in for Microsoft's Outlook Express - a scaled-down version of Outlook - is not affected by the flaw. Maiffret said his company immediately deactivated the vulnerable software on all its computers, which can be done with nine mouse-clicks using Outlook, until it could apply the repairs from Network Associates. The decision improved security but "makes it kind of a pain" to send encrypted e-mails, he said. Zimmermann, in an interview, said PGP software is used "quite extensively" by U.S. agencies, based on sales when he formerly worked at Network Associates. He also said use of the vulnerable companion plug-in was widespread. Zimmermann declined to specify which U.S. agencies might be at risk, but other experts have described trading scrambled e-mails using PGP and Outlook with employees at the FBI, the Energy Department and even the super-secret National Security Agency. In theory, only nonclassified U.S. information would be at risk from this flaw. Agencies impose strict rules against transmitting any classified messages - encrypted or not - over the Internet, using the government's own secret networks instead. "The only time the government would use PGP is when it's dealing with sensitive but unclassified information and has a reasonable degree of assurance that both parties have PGP," said Mark Rasch, a former U.S. prosecutor and expert on computer security. "It's hardly used on a routine basis." __ On the Net: eEye Digital Security: http://www.eeye.com/ Network Associates: http://www.nai.com/ MIT's PGP site: http://web.mit.edu/network/pgp.html --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
participants (4)
-
AARG! Anonymous
-
jamesd@echeque.com
-
Jay Sulzberger
-
John S. Denker