PCs that incorporate Palladium, Microsoft's design for a trusted computer, would provide a wide variety of desireable security features. But the consequences of realizing Palladium, whether intentional or not, threaten the viability and future of Open Source software.
In 1997, Peter Biddle was part of a Microsoft skunkworks project to find ways to convince Hollywood to let DVDs play on personal computers. The entertainment industry was worried that DVD on the PC would somehow invite, or even abet, a tide of PC-enabled video piracy. Microsoft wanted to assuage that fear. To counter concerns, Biddle and his team of researchers came up with the idea of creating cryptographically protected areas in Windows — “virtual vaults,” they called them — where DVDs could be decrypted and played, but could not be viewed, unencrypted, or copied by other applications.
Although the scope of the initial project was limited, as research progressed Microsoft began to realize that its work could address a lot more than just DVD copying. Within a few years, the relatively minor effort grew to the point where its designs sought to fundamentally change the way PCs are built. Biddle’s virtual vaults would now store digital certificates that could control everything — operating systems, applications, media, and even documents — on Microsoft computers. Hollywood’s fears would be allayed because the system would prevent unauthorized duplication of music and DVDs. But more than that, Microsoft would now have a mechanism for better controlling what software would be trusted to run on personal computers.
In 1999, Microsoft, Intel, and three computer vendors signed up for what would become known as the Trusted Computing Platform Alliance — a multi-vendor effort to define a hardware profile for secure systems. Within a couple of years, the TCPA had released its first hardware specification — a design just now appearing in PC systems as part of Intel’s LeGrande processor architecture.
But Microsoft has started to diverge from the TCPA effort. In a story leaked to Newsweek this spring, Microsoft revealed plans to develop its own hardware and software specifications called Palladium (for a brief description of the Palladium architecture, see “Microsoft’s Scheme for Safeguards”). Though no code or detailed hardware specifications are expected before 2004, Microsoft says that Palladium and TCPA should be considered entirely separate. “If nothing in TCPA changes,” says Microsoft Product Unit Manager for Palladium Peter Biddle, “then nothing in TCPA and Palladium would be shared.”
Microsoft’s Scheme for Safeguards
Microsoft has not released a lot of specific details about how Palladium will work, but in essence, the company says its trusted computing initiative will be composed of the following hardware and software components.
- The Security Support Component (SSC). The SSC is an encryption module that would be soldered to the motherboard. Similar to the core of a smart card, the SSC is where the computer’s cryptographic key pairs would be stored. It would also be used to encrypt or decrypt data for applications running in Palladium.
- A modified CPU. Palladium specifies changes to the CPU’s memory controller so that it can create secured areas, called “vaults,” in memory that can be used only by authorized applications. The controller also must be modified so that it can perform an operation called “authorized boot,” which loads the Nexus (described below).
- A modified graphics card. Changes would be made to graphics cards so that whatever they displayed for one application could be made unviewable to others.
- A secure keyboard and mouse. Some device — possibly a USB dongle sitting between the computer port and the peripheral — would encrypt keystrokes and mouse movements to prevent them from being recorded.
- The Nexus. Microsoft refers to the Nexus as a “mini operating system kernel,” but this piece of software is, in fact, a scheduler shy of being a bona fide OS. When you want to turn on Palladium, you load the Nexus (by the way, it used to be called the Trusted Operating Root, or TOR), which provides a software interface to the Security Support Component. Microsoft says that it will publish the 40 or so APIs to its Nexus, which will contain software patents, and that others will be able to create their own nexuses. However, Microsoft is not saying whether or not a GPL’d Nexus will be possible, or even legal, under the terms of the GPL.
- Notarized Computing Agents. Notarized Computing Agents (NCAs) are programs or parts of programs that interface with the Nexus to consume security-related services.
According to backers of TCPA, the real question is whether Microsoft wants to work with the approximately 200 other backers of TCPA or not. Jim Ward, a PC Security Architect with IBM and a member of the TCPA steering committee, says that there is no reason why Palladium could not be built on top of the TCPA architecture. “I guess the big question is do they chose to pursue an open industry standard format for building those products, or do they go their own way,” he says.
However, security expert Bruce Schneier believes that Palladium, and not TCPA, will become the more important standard. “I expect TCPA to become irrelevant, since Microsoft is a monopoly player in the OS market,” he says.
The security features of Palladium are not inconsiderable. Microsoft claims that it will be able to reduce everything from viruses to spam to privacy breaches because users will be able to require cryptographic certification before they run applications or open documents on their system. At face value those features sound valuable: spammers wouldn’t be able to hide behind spoofed email addresses, and you could require that software be certified by a trusted authority before it would run on your Palladium system.
But who would actually perform this certification? This is one of the great unknowns of Palladium. Microsoft says that anyone — Verisign, the Free Software Foundation, Disney — could conceivably become a certificate authority. However, this ambiguity has raised a great deal of concern in the Open Source community, where developers worry that their software might be certified right out of existence. While Microsoft promises that Palladium will not stop any software from running, it looks like Palladium will make it more difficult for users to run non-commercial software or modified software within trusted environments.
Bruce Schneier says that Palladium should give Linux users cause for concern. “If Microsoft gets to decide what’s trustworthy,” he says, “it’s unlikely that anything that’s a serious competitor to their market share will get that moniker.”
One Key to Rule Them All
At the center of the Palladium architecture, which Microsoft, by the way, considers to be a work in progress and at least two years away from public release, is a unique set of private/public cryptographic keys that someone — Microsoft is unsure exactly who, but would most likely be chip or system vendors — will issue for each and every Palladium computer system. These keys will reside within a hardware module called the Security Support Component (SSC), and will provide the cornerstone of trusted computing as envisioned by Microsoft.
And, according to Open Source advocates, those same keys will undermine personal computing as we know it today.
“Everything in Palladium and TCPA is about who controls the keys and what keys are trusted by whom,” says Linux kernel developer Alan Cox. Cox says that by having these cryptographic keys assigned by a third party, users will be giving up control of their machines.
Cox and others are most worried about losing the ability to modify applications that are running in Palladium’s trusted space, and worse, they fear that computer companies will be able to add software, modify the system, remotely alter digital content, and even install monitoring software on your system without you being able to stop it — possibly without you even realizing that it’s happening. With TCPA and Palladium, says Cox, “In effect, you are a tenant renting your computer hardware.” (The sidebar, “Digital Rights Management, Palladium-style” explains how Palladium or TCPA might limit how software and data are used.)
Digital Rights Management, Palladium-style
Computers that incorporate Palladium or TCPA could provide a wide variety of security features, from preventing piracy of digital media to protecting personal or corporate information. Here are some examples of what might be possible.
Prevent Media Piracy
Palladium and TCPA would divide computers into two classes: trusted and everything else. A legitimate outlet of digital media might limit access to trusted computers, where the media could be “assigned” to the machine and the machine would preclude copying or redistribution. Here’s one possible scenario.
- Laura wants to download a music CD.
- The site that offers the CD verifies that Laura’s computer can be trusted.
- After Laura pays for the music, she downloads the CD. Parts of the music are keyed specifically to her computer, potentially encrypted, so that only her computer can decrypt and play back the music.
In a world without TCPA or Palladium, “bits is bits,” and all data is equal: once an asset — a picture, a document, a movie — is reduced to a digital form, any application that can transfer data transfers all assets equally well. Hence, encryption has to be used to protect confidential information. However, encryption isn’t a perfect solution: it can be hacked, or a malicious, but privileged party can distribute data after decrypting it.
As an example of how Palladium or TCPA might protect data, let’s say you’re the president of a small company, and you want to share financial results with your employees. The computers in your office are trusted (since each one has been certified by your company). Here is how you might share information confidently and confidentially.
- Create the spreadsheet with a trusted application and mark the file “Company Confidential.” By policy, “Company Confidential” prohibits the data from being opened on any computer not registered to your company.
- Attach the spreadsheet to an email message, which by the way, should be created in another trusted application. Mark the email as “Company Confidential,” too.
- Send the email to your employees.
Your employees can read the email and open the spreadsheet, but their trusted systems prevent them from using that data for any purpose that you did not authorize to begin with. What about printing? You could prohibit that, too.
Prevent Software Piracy
Though Microsoft says it doesn’t expect Palladium to have a major impact on software piracy, it is theoretically possible for software vendors to use the system to prevent unauthorized software copying. Here’s how it might work.
- A user, let’s call him Larry, purchases or downloads a software package — Microsoft Word, for example — comprised of two components: an installer, and an encrypted file containing the application. A third component, the decryption program for Microsoft Word, is not provided, but must be obtained during product registration.
- Running the installer, Larry is directed to the Microsoft registration site.
- Larry’s machine sends its unique public key to the Microsoft registration site.
- The registration site uses Larry’s public key to encrypt the Microsoft Word decryption program, and sends it to him. Because Larry’s key is unique to his machine, the decryption program will not run on any other machine.
- Within a secure (and unviewable) Palladium environment, Larry’s machine decrypts the decryption program, which in turn decrypts the copy of Word he purchased.
- Larry’s machine runs Word as a Palladium-protected process, preventing anyone and any other process from seeing or copying the decrypted code.
Security: App by App
Microsoft’s Biddle says that it is theoretically possible that hardware vendors could create systems with changeable keys, and he points out that Palladium will be an optional, not mandatory, feature that users can enable at will. And Linux, Windows, and applications he says, will run with or without Palladium.
“The platform can run any piece of software,” says Biddle. “Then it’s up to every application vendor to decide, ‘Do I trust this hardware and this software?’” He adds, “It basically brings the security model down to a per-application security model, as opposed to a per-system model.”
The plan to create this kind of application-level security presents some interesting opportunities for large organizations looking to control what applications can and cannot run on their networks, but it raises questions about how open source applications will interoperate in the Palladium model. Will Microsoft mail servers decide that they do not “trust” Mozilla mail clients? And what about modifying open source apps? Even if one version of the Apache Web server were certified as trusted, it would lose this trusted certification the instant it was modified.
So much for one of the major benefits of Open Source: the ability to fix your own code.
That Microsoft has long harbored an animus toward the GPL is no secret. Microsoft has long called Open Source an “intellectual property destroyer,” and in June 2001, Microsoft Chairman Bill Gates was quoted in C/Net, saying that the GPL, “makes it impossible for a commercial company to use any of that work, or build on any of that work.”
But many Free Software advocates see Palladium as a direct attack on the GPL. They wonder if it will even be possible to create a Palladium environment without violating the GPL, which may or may not require a GPL’d Nexus. Microsoft’s Biddle says he’s not sure about the ramifications for the GPL, but the Free Software Foundation’s Executive Director Bradley Kuhn says that creating such an environment is “possible,” though “surely not trivial.” Kuhn continues, “We are looking for ways to address this problem in GPL version 3, but this is a terribly difficult problem to solve under copyright law.”
Bruce Schneier thinks that the threat to the GPL and Open Source may be a simpler matter. He believes that once Palladium becomes prevalent in the market, most users will buy off-the-shelf systems with a pre-configured Palladium configuration approved by companies like Microsoft and Disney. “Software that those companies like — that is, software that doesn’t exercise things like fair-use in copyright — will be approved by that configuration. Everything else won’t [be approved].” Technically-adept users will be able to configure their machines to run open source software, he says, but the average user may not be so lucky.
It’s unclear whether these potential Open Source problems are intentional or merely collateral consequences. Alan Barr, a former Microsoft employee who was peripherally involved in Biddle’s DVD project, says that while Microsoft sees Palladium more as a way of placating Hollywood than attacking Open Source, he imagines the implications for Open Source have also been considered. “Is there some devious person inside Microsoft thinking, ‘Let’s use this to destroy Linux?’ Sure,” he says.
Clearly Palladium offers some very tangible benefits to Microsoft. Palladium grants Microsoft control over what goes on with the Windows operating system. Right now, the more third party software you install on Windows, the more likely you are to encounter a corrupt DLL or Windows Registry entry. In theory, Microsoft would be able to avoid that kind of DLL nastiness by placing application-specific DLLs or Registry entries into Palladium-protected spaces. The implication is that, without proper certification, no third party application could modify DLLs or the Registry. Kernel drivers could be run in a similar manner to prevent the all-too-common occurrence of a bad printer driver crashing the entire machine. Reducing all of these reliability problems with Windows has the very tangible benefit of cutting down on the company’s technical support costs.
But Adam Barr says that his ex-employer has yet another reason for wanting Palladium to succeed. According to him, Microsoft needed a strong Digital Rights Management (DRM) system to keep Hollywood’s content — music and DVDs — available on the PC platform. Barr expects that some consortium will eventually be set up to issue and manage digital rights certificates for Palladium systems.
Microsoft needs to walk a fine line in this regard. According to Gartner Dataquest Analyst Martin Reynolds, the greatest challenge Palladium faces is the possibility that, under pressure from Hollywood, Microsoft will enable some sort of overly-onerous DRM system that would spark a consumer revolt. “If it stops CDs from running, you’ll have approximately 1.5 million hackers trying to break it, and hack it they will,” says Reynolds, who predicts that by 2008, 80 percent of new PCs will incorporate Palladium technology. If Palladium were cracked, says Reynolds, it would seriously undermine its credibility as a trusted platform.
Microsoft could take a lesson from Intel here. Alan Cox compares Palladium and TCPA to Intel’s controversial 1999 Pentium III serial number initiative, when the chip-maker included hard-wired serial numbers in its chips that could be retrieved without a user’s knowledge. Intel claimed that the serial numbers were included to help secure e-commerce transactions, but Intel’s security mechanism was quickly cracked, and privacy advocates were outraged. “The Pentium III serial number was much less intrusive, but upset a lot of people. TCPA and all the things that can be done with it could upset a lot more people,” says Cox.
Cox says that the amount of danger represented by Palladium really depends on the chip makers, and whether or not they give users the authority to set their own keys.
“If they implement the ability to set the keys in the processors, they can solve some of the real trust problems in a very productive way. If they use hard-coded master keys, then it may be time to buy Apple shares.”
Worried that Palladium will be used against him, one Open Source advocate launched his own pre-emptive patent offensive.
When cypherpunk Lucky Green (a moniker) heard Microsoft’s Peter Biddle, speaking at last summer’s Usenix Security Symposium, say that Palladium could not be used to enforce software licensing, he didn’t buy it. So in an effort to cut Microsoft off at the pass, he went out and filed three patent applications, describing techniques for using Palladium to enforce software licensing, right after the conference.
Green says that while he has no intention of ever implementing any of these techniques, he will enforce his patents to prevent others from doing the same.
Robert McMillan is Editor at Large for Linux Magazine. He can be reached at firstname.lastname@example.org.