
Palladium operating system

The neutrality of this article is disputed.

Palladium was Microsoft's codename for their new "trusted computing" architecture. In 2003, Microsoft reacted to the negative publicity surrounding the Palladium operating system by dropping the name "Palladium". They now refer to it as the "next-generation secure computing base" (NGSCB).

Under Palladium, the Microsoft operating system, working with a secure cryptoprocessor embedded in the PC, will create a new class of applications which have special powers and protections and which run side by side with ordinary code. The stated aim is to fix the problems of current computer insecurity, and to create new kinds of distributed applications, where each component can know and trust the operation of other parts of the system, even when they are running on remote computers.

Opponents characterise it as an attempt to control the market for computer hardware and software, thus entrenching and extending Microsoft's existing desktop computer operating system and software monopoly. Opponents have also characterised it as an attempt to leverage this monopoly into a monopoly over Digital Rights Management, and hence effective control over the content delivery industry. They further fear that the Palladium platform will eventually control all aspects of computer operation, including web browsing and E-mail.

Microsoft has patent protection on several concepts relating to their "Digital Rights Management Operating System", although it is not clear at this point which of them will be part of Palladium when it is finally fielded.

A sidenote: the Palladium initiative is supposedly named after the Palladium, a legendary statue in ancient Troy; according to the legend, the city was safe as long as the statue was. Legend also tells us that Troy fell to a Trojan horse attack.

Table of contents
1 Functionality of TCPA/NGSCB
2 Criticism
3 Virus Cure?
4 External links

Functionality of TCPA/NGSCB

Based on current information, NGSCB (Palladium) would work in the following ways:

  1. At any time after booting, the user chooses to enable NGSCB, which will let him run "trusted" applications.
  2. The Windows OS loads the NGSCB micro-kernel, called the Nexus, into a region of memory that is only accessible in a new processor mode. Simultaneously, the NGSCB Security Support Component (SSC) takes and records a hash of the Nexus.
  3. An NGSCB "trusted" module, called a Nexus Computing Agent or NCA, loads into the special curtained memory region. The SSC takes a hash of the software as it loads.
  4. The NCA can make calls into the Nexus to make use of NGSCB functionality. This includes sealing (encrypting) data with the aid of the SSC, which can optionally lock the data to the hash of the NCA, making it impossible for other software to decrypt the data.
  5. The NCA can also use the "attestation" feature of NGSCB to get the SSC to sign a message that reports on the NCA's hash, which the Nexus then sends to a remote system. This allows the remote system to be convinced of the identity of the software running locally.
  6. The keyboard and display device can also be opened as secure channels by the NCA, allowing I/O to occur without other software being able to snoop on the data being displayed or typed.
  7. The combination of these features allows distributed applications to exchange and store data via secure channels such that no entity other than these software programs can examine or change the data. This inherently supports DRM as well as a wide range of other security-based applications.
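Steps 2 to 5 above (measurement, sealing to the NCA's hash, and attestation), modelled as an added Python illustration that is not Microsoft's design or code. The class and function names are invented here; HMAC-SHA256 with a key also provisioned to the remote verifier stands in for the SSC's signing key, and an HMAC counter keystream stands in for a real cipher.

```python
import hashlib
import hmac
import secrets

# Toy model of NGSCB steps 2-5; added illustration, not Microsoft's code.
# HMAC-SHA256 stands in both for the SSC signature and for a block cipher.

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key: bytes, data: bytes) -> bytes:
    # keystream block i = HMAC(key, i); XOR both encrypts and decrypts
    ks = b"".join(_mac(key, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class SSC:  # Security Support Component: holds secrets no software can read
    def __init__(self, attestation_key: bytes):
        self._root = secrets.token_bytes(32)  # never leaves the chip
        self._ak = attestation_key            # also provisioned to the verifier
        self.log = []                         # hashes of code loaded so far

    def measure(self, code: bytes) -> str:    # steps 2 and 3
        self.log.append(hashlib.sha256(code).hexdigest())
        return self.log[-1]

    def _seal_key(self, nca_hash: str) -> bytes:
        # derived from the root secret AND the calling NCA's hash (step 4)
        return _mac(self._root, b"seal:" + nca_hash.encode())

    def seal(self, nca_hash: str, data: bytes) -> bytes:
        key = self._seal_key(nca_hash)
        ct = _xor_stream(key, data)
        return ct + _mac(key, ct)             # encrypt-then-MAC

    def unseal(self, nca_hash: str, blob: bytes):
        key, (ct, tag) = self._seal_key(nca_hash), (blob[:-32], blob[-32:])
        if not hmac.compare_digest(tag, _mac(key, ct)):
            return None                       # other NCA, or tampered blob
        return _xor_stream(key, ct)

    def attest(self, nca_hash: str, nonce: bytes) -> tuple:
        # step 5: signed report of the NCA's hash; the nonce defeats replay
        return nca_hash, nonce, _mac(self._ak, nca_hash.encode() + b"|" + nonce)

def verify_attestation(ak: bytes, expected: str, nonce: bytes, quote: tuple) -> bool:
    nca_hash, q_nonce, sig = quote            # the remote system's check
    return (q_nonce == nonce and nca_hash == expected and
            hmac.compare_digest(sig, _mac(ak, nca_hash.encode() + b"|" + q_nonce)))
```

A blob sealed by one NCA cannot be unsealed under a different hash, and a quote only verifies for the nonce the remote side chose.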

Based on earlier information, it was thought at one time that TCPA and NGSCB would work in the following ways:

  1. The actual PC hardware would require that the Operating System being loaded has been signed, so that Operating Systems that would ignore the below aspects of TCPA/NGSCB couldn't be loaded, as no signing authority would sign them.
  2. Once loaded, the Operating System would refuse to run any program that wasn't signed, so that any program that would ignore Digital Rights Management, is malicious (such as a virus), or has been infected with a virus (its signature would become invalid) would be unable to run.
  3. The Operating System would also look for various infringing content on a computer (based on a central blacklist) and delete it if found.
  4. Individual programs could encrypt data files produced by that program so that other programs (including that same program on a different computer) could not access it.
  5. Various files could be marked as uncopiable by the creators of those files, and this would be enforced by the operating system.
  6. The networking capabilities of the Operating System would refuse to connect to or accept connections from any computer that was not running a signed TCPA Operating System.

Criticism

If the above (obsolete, mistaken) functionality of TCPA/NGSCB were in the final product, it would have the following drawbacks:

  1. Everyone would have to buy a signed Operating System, and Open Source would become a thing of the past. The current business model of Microsoft would make this a huge advantage for them, and can be seen as an incentive for the creation of NGSCB.
  2. Everyone would have to buy signed programs, with no Open Source alternative again.
  3. Only "trusted" NGSCB hardware could be used to execute the signed software. This would greatly reduce the number of competitors in the processor and motherboard markets.
  4. File blacklists have an enormous potential for abuse. The blacklisting may start off perfectly innocently, such as the blacklisting of pirate software and/or paedophilia, but then content damaging to various groups that could fund expensive lawyers (for example Scientology) would be banned as well. Then governments would start blacklisting content damaging to them - imagine if NGSCB had been around when Nixon was president and the Watergate evidence, stored on an NGSCB computer, had been blacklisted and deleted...
  5. The current free competition within the software industry would be a thing of the past, as programs could not load each other's files due to the encryption the saving program can put on files created. One software company would gain dominance over a particular industry and it would be impossible to dislodge them.
  6. Those who attempt to circumvent the security restrictions of NGSCB could be sued under the Digital Millennium Copyright Act.
  7. Uncopiable files are just as abusable as blacklists. Organised crime groups, dishonest politicians and dishonest corporations could mark files containing evidence of their wrongdoing as uncopiable, making the activities of whistleblowers impossible. Supposedly there will be a 'back door' so that law enforcement can get at these files, but it is hard to see how a back door can exist without the secret of how to use it getting out and rendering the Digital Rights Management part of NGSCB useless. This may make any creator of a signed Operating System guilty of perverting the course of justice (their Operating Systems impede the apprehension of criminals).
  8. Requiring a NGSCB computer on both ends of any network connection would mean that an NGSCB computer would be unable to access a large portion of the internet. This may work to the advantage of the anti-NGSCB people, as it would seriously slow down the spread of NGSCB computers.

Currently, Microsoft is asking users to trust that it will not engage in the above abuses. However, given some of Microsoft's past abuses of its power, some of which have been proved in court, this request for trust is viewed by some as completely farcical.

Virus Cure?

On August 28, 2003, Microsoft made an announcement saying that NGSCB was needed to combat the threat of future viruses like SoBig.F.

Simon Conant, a 'security expert' (quoted verbatim from the source article, the UK Metro) working for Microsoft said 'We need to go back to the drawing board with a brand new architecture for the PC'.

This argument has several flaws in it:

  1. SoBig.F only affects Microsoft operating systems, and even then only those who use Outlook or Outlook Express as their mail program. A mail program which either has no scripting language at all or has a scripting language which is too secure to be exploited is completely immune to the virus. Therefore using a non-Microsoft operating system and/or a mail program with no Outlook-style flaws is a perfectly adequate defense against mail viruses.
  2. NGSCB's main contribution is to provide "trusted" programs immunity to attack from other programs, including viruses. Programs can still be infected, however, and script viruses that run from emails would still run.
  3. Even if a way can be found to stop malicious scripts inside signed programs as well on an NGSCB system, it is complete overkill to introduce NGSCB when a simple change to a non-Microsoft OS and/or mail program would be sufficient, especially given all the disadvantages of NGSCB.

Microsoft is not presently making strong claims that NGSCB would solve the virus problem. In their Technical FAQ linked from the Microsoft NGSCB page, they say, "Since the nexus and NCAs do not interfere with the operation of any program running in the regular Windows environment, everything, including the native operating system and viruses, runs there as it does today. Therefore, users are still going to need antivirus monitoring and detection software in Windows".

The FAQ goes on to describe the contribution of NGSCB against viruses in more modest terms: "However, the NGSCB architecture does provide features that can be used by an antivirus program to help guarantee that it has not been corrupted. The antivirus software can be grounded in such a way that it can bootstrap itself into a protected execution state, something it cannot do today."

A conspiracy theorist view on this is that Microsoft have deliberately left the flaws in Outlook/Outlook Express so that an email virus can cripple a computer and Microsoft can then announce NGSCB as the saviour. Certainly there is no valid reason for an incoming email to have access to a client's address book (the primary way the email viruses spread).

External links