Adam Back writes:

some definitions:

hw layer -- SCP which I think provides crypto key store, crypto co-processor for sealing, remote attesation

ring 0 -- new layer which controls memory management unit and secured code compartments

supervisor mode -- normal supervisor mode, which can now only read user space, but not trusted agents running in code compartments

user mode -- legacy user level apps under complete control of supervisor mode

and some ASCII art:

+---------------+------------+ | trusted-agent | user mode | | space | app space | | (code +------------+ | compartment) | supervisor | | | mode | +---------------+------------+ | ring-0 / Memory mgmt unit | +----------------------------+ | hardware / SCP key manager | +----------------------------+

each layer below can decide policy and information disclosure through APIs to the layer above.

I don't think this is right, as Peter said that the Palladium stuff could load many days after boot. So I don't think the "ring-0" mode underlies normal supervisor mode as you have shown it. Instead I think they are relatively orthogonal. I'm not sure how to draw it, but I would envision the TOR as a device driver which controls two devices: the trusted execution space, which is some special memory (on the cpu?), and the SCP, the crypto processor. Let us suppose that there is a special instruction to load a block of code into the trusted execution space and give it a new process ID. At the same time this causes the SCP to hash it so that it can attest to it later. Let us also suppose that the ring-0 mode is used only when running code out of the trusted execution space (TE space). What is special about ring-0? Two things: first, it can see the code in the TE space so that it can execute it. And second, it doesn't trap into supervisor mode for things like debugger single-stepping. I'm not familiar with the details of the Pentium family but on most CPUs the debugger single-steps things by setting a flag and returning into the code. The code executes one instruction and then automatically traps into supervisor mode, which hands off to the debugger. This process must be suppressed in ring-0 mode, and likewise for any other features which can force a ring-0 process to trap involuntarily into supervisor mode, which exposes the registers and such. The TOR would then manage the various processes running in the TE space, and their interactions with ordinary code, and possibly the interactions of both with the SCP. I'm not sure if the TOR runs in ring-0 mode and in the TE space; probably it does, as the SCP can attest to it, and we wouldn't want non-Palladium processes to debug it. So really the whole TOR/SCP/TE-space/trusted-agents stuff is relatively orthogonal to the rest of windows. It's almost like you had a fully functional 2nd CPU in there that you could load code into and have it run; that CPU's memory is the TE space, its mode is the ring-0, it has access to the SCP, and it runs the TOR and trusted agents. But Palladium has to use the regular CPU for this so they firewall it off with the ring-0 mode which locks it into this restrictive mode. That's just a guess, probably wrong in many details, but consistent with what I understand so far. Mostly I am hoping to encourage Peter to come forward and correct our misconceptions.

The implications of which are:

- the SCP can implement sealing with data separation against ring-0 (ring-0 can't bypass sealing data separation)

I have this as well; loading a user agent into TE space creates the hash "fingerprint" which will be used for sealing and attestation; other ring-0 agents will have their own fingerprints and won't be able to unseal what this agent does. The SCP compares fingerprints at unseal time to what it was at seal time and (optionally) won't unseal if they don't match. (This is one of multiple sealing options.)

- ring-0 can read all superviser, user, and trusted agent space, but

I don't think so; not necessary in my model, would require significant re-architecting of Windows which won't happen, and inconsistent with the claim that Palladium can load days after boot.

- ring-0 and MMU can compartmentalize trusted agents so they can't tamper with each other, and

Must be true. Some questions: how big is the TE space? How many agents can live there at once? Do they swap in/out? Does data go there, or just code?

- ring-0 and MMU can exclude supervisor mode from trusted agent space and ring-0 space; supervisor mode is itself just another compartmentalized trusted-agent level space. Therefore ring-0 can restrict what supervisor mode (where the normal OS is located) can do.

But ring-0 cannot make arbitrary restrictions on sup. mode. Remember they can't afford to re-architect either the entire CPU nor the entire OS for this. The simplest is that in ring-0 mode you disable certain functions that could trap you into supervisor mode thereby losing control of the CPU, and this ring-0 mode gains you access to the TE space.

whereas the normal protected CPU architecture is just:

+------------+ | user mode | | app space | +------------+ | supervisor | | mode | +------------+

I'm not much of artist but I would put the new stuff off to the side of this in its own tower. Ring-0 mode at the bottom, running the TOR which is shown above it, which manages the user agents which would be on top. The SCP is further off to the side, perhaps managed by the TOR.

- from these assumptions it appears an OS could be implemented so that all OS calls pass through ring-0 APIs and mediation to get to supervisor mode OS. In this case the OS could observe system calls the trusted agent makes, but not in general read, debug, modify virtualize or modify trusted-agent code. The non-virtualization presumes encrypted trusted-agent code, which Peter said is not done, so this can't be how it works.

I'm not sure what you mean by the OS observing system calls. By definition, system calls go into the OS. So I don't think that will ever stop happening. But it does mean that when a ring-0 trusted agent makes a system call, we change to normal supervisor mode which makes the trusted space invisible. The point we are dancing around is this. How does it protect the data, along the whole path from the remote machine, through where it is processed locally, until it is sealed on the local disk? It seems that it must be in the clear for a while on the local machine. Where is that - in regular memory, or TE space? It's not that big a deal to be unable to read TE *code*. From what Peter says, that is typically not encrypted on the disk. So the code is no secret. What we must be unable to read are the data being handled by this code: the registers, the contents of memory that are sensitive. And by the registers I include the PC, since that would leak information about the data. We can't single-step it, we can't put breakpoints into it, we can't change it while it is running.

I would be interested to hear what model takes for Palladium mapping the interactions and restrictions between Trusted Agents, user space, OS kernel, TOR to the hardware. We need this kind of detail to reason about limits of the Palladium and make distinctions between what is possible with Palladium implementation choices vs what other types of OSes could be built from the hardware features.

I am curious about this from the technical perspective. I think this is one of the most interesting developments in many years on the security front. But frankly I don't think it will do them much good to tell you and most other cypherpunks about it, because whatever they say, you and others will twist it and lie if necessary a la Lucky to turn it into some horrible perversion. Even if the design were totally benign, that doesn't mean Microsoft/Intel couldn't change it someday, right? They could put a machine gun into every PC aimed at the user, and a camera over his head. That's the level of reasoning in Lucky's Defcon presentation, except that he says that they've already done it. I applaud Peter's patience but pity him for his naive belief that he is engaging in a good faith exchange where he will get a fair hearing.

One idea I think would be interest is as follows:

- the TOR (which lives in ring-0) _could_ be used together with the OS to force all trusted-agent in-flows and out-flows (network traffic) to go through code under supervisor mode control.

I think this is pretty likely, but with the data encrypted by the time the supervisor mode sees it.

I don't think this is likely in the current design; but this change would be an improvement:

- it would at least allow user audit and control of in-flows and out-flows;

If the data is in the clear, it would undermine the security guarantees! Look at my online poker game - if the dealer can tap into the data going out, he will learn what everyone else's hands are. Look at the anonymous network - an eavesdropper can learn where all the data is and how it is flowing. The data must not be made available in the clear anywhere the user can get at it, to provide the proper security.

- the user could block suspicious phone-home information out-flows,

Well, he *does* know at least the address the data is going to. There's no way to hide that (short of anonymous message forwarding).

- the user could read out-flows and demand un-encrypted documented formats, or if encrypted, encrypted with keys the supervisor mode gets copies of.

There are some applications which will still work if all the users can *see* all of the data, but just not modify it. Maybe my digital cash example would fall into that category. You can see how much you're spending, but you can't manipulate your wallet. But there are many others, such as those above, where being able to hide even information disclosure from network participants adds tremendous power. You remember the Eternity network, how one concept had files being shared across multiple nodes such that no one knew which files were on his own computer. That was crucially important for non-repudiation and censorship-resistance. This was done with cryptography, but the point is the same: hiding information from network participants can greatly increase security. With TCPA/Palladium you can get some of the same security properties with much simpler ode (with admittedly lower levels of security until hardware improves). Skipping down...

...

And of course remote attestation will not work either, if the app has been meddled with.

Remote attestation, which is not itself general -- just a remote dongle thing -- if not tied to remote dongle controlled sealing which is necessary for the main application function could be nopped out.

I am assuming that you are attesting to the remote system, and you only can control your local one. You want to get something from the remote, and it will only give it if you are running "clean" on real hardware. So you can't virtualize and still attest, since ultimately you don't have a TPM endorsement key (or Palladium equivalent) with a nice TPME endorsement certificate issued on it. Of course if you have control of the server machine, you can ignore attestation. But that just says that the operator of the remote machine can choose for himself which apps to run. He can run an app that checks remote client integrity or he can run one which doesn't care.

So in the general case it seems that remote attestation is also effectively virtualizable, modifiable and debuggable by first nopping out remote attestation checks. (This is not strictly virtualizable as the remote dongle call nopping modification makes it no longer the same application, but as I said unless this is necessary for the application it doesn't otherwise change it's behavior, so it's effectively virtualizable).

I'm not sure I follow this, but it sounds like you are talking about manipulating the server machine doing the checks, while in most cases you can only manipulate the client machine making the request.