Dell to Add Security Chip to PCs
Steven M. Bellovin
smb at cs.columbia.edu
Fri Feb 4 10:30:59 PST 2005
In message <42031E13.4040205 at doxpara.com>, Dan Kaminsky writes:
>
>>>Uh, you *really* have no idea how much the black hat community is
>>>looking forward to TCPA. For example, Office is going to have core
>>>components running inside a protected environment totally immune to
>>>antivirus.
>>>
>>>
>>
>>How? TCPA is only a cryptographic device, and some BIOS code, nothing
>>else. Does the coming of TCPA chips eliminate the bugs, buffer overflows,
>>stack overflows, or any other way to execute arbitrary code? If yes, isn't
>>that a wonderful thing? Obviously it doesn't (eliminate bugs and so on).
>>
>>
>>
>TCPA eliminates external checks and balances, such as antivirus. As the
>user, I'm not trusted to audit operations within a TCPA-established
>sandbox. Antivirus is essentially a user system auditing tool, and
>TCPA-based systems have these big black boxes AV isn't allowed to analyze.
>
>Imagine a sandbox that parses input code signed to an API-derivable
>public key. Imagine an exploit encrypted to that. Can AV decrypt the
>payload and prevent execution? No, of course not. Only the TCPA
>sandbox can. But since AV can't get inside of the TCPA sandbox,
>whatever content is "protected" in there is quite conspicuously unprotected.
>
>It's a little like having a serial killer in San Quentin. You feel
>really safe until you realize...uh, he's your cellmate.
>
>I don't know how clear I can say this, your threat model is broken, and
>the bad guys can't stop laughing about it.
>
I have no idea whether or not the bad guys are laughing about it, but
if they are, I agree with them -- I'm very afriad that this chip will
make matters worse, not better. With one exception -- preventing the
theft of very sensitive user-owned private keys -- I don't think that
the TCPA chip is solving the right problems. *Maybe* it will solve the
problems of a future operating system architecture; on today's systems,
it doesn't help, and probably makes matters worse.
TCPA is a way to raise the walls between programs executing in
different protection spaces. So far, so good. Now -- tell me the last
time you saw an OS flaw that directly exploited flaws in conventional
memory protection or process isolation? They're *very* rare.
The problems we see are code bugs and architectural failures. A buffer
overflow in a Web browser still compromises the browser; if the
now-evil browser is capable of writing files, registry entries, etc.,
the user's machine is still capable of being turned into a spam engine,
etc. Sure, in some new OS there might be restrictions on what such an
application can do, but you can implement those restrictions with
today's hardware. Again, the problem is in the OS architecture, not in
the limitations of its hardware isolation.
I can certainly imagine an operating system that does a much better job
of isolating processes. (In fact, I've worked on such things; if
you're interested, see my papers on sub-operating systems and separate
IP addresses per process group.) But I don't see that TCPA chips add
much over today's memory management architectures. Furthermore, as Dan
points out, it may make things worse -- the safety of the OS depends on
the userland/kernel interface, which in turn is heavily dependent on
the complexity of the privileged kernel modules. If you put too much
complex code in your kernel -- and from the talks I've heard this is
exactly what Microsoft is planning -- it's not going to help the
situation at all. Indeed, as Dan points out, it may make matters worse.
Microsoft's current secure coding initiative is a good idea, and from
what I've seen they're doing a good job of it. In 5 years, I wouldn't
be at all surprised if the rate of simple bugs -- the buffer overflows,
format string errors, race conditions, etc. -- was much lower in
Windows and Office than in competing open source products. (I would
add that this gain has come at a *very* high monetary cost -- training,
code reviews, etc., aren't cheap.) The remaining danger -- and it's a
big one -- is the architecture flaws, where ease of use and
functionality often lead to danger. Getting this right -- getting it
easy to use *and* secure -- is the real challenge. Nor are competing
products immune; the drive to make KDE and Gnome (and for that matter
MacOS X) as easy to use (well, easier to use) than Windows is likely to
lead to the same downward security sprial.
I'm ranting, and this is going off-topic. My bottom line: does this
chip solve real problems that aren't solvable with today's technology?
Other than protecting keys -- and, of course, DRM -- I'm very far from
convinced of it. "The fault, dear Brutus, is not in our stars but in
ourselves."
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
More information about the cypherpunks-legacy
mailing list