Palladium operating system

The neutrality of this article is disputed.

Palladium was Microsoft's codename for their new "trusted computing" architecture. In 2003, Microsoft reacted to the negative publicity surrounding the Palladium operating system by dropping the name "Palladium". They now refer to it as the "next-generation secure computing base" (NGSCB).

Under Palladium, the Microsoft operating system, working with a secure cryptoprocessor embedded in the PC, will create a new class of applications which have special powers and protections and which run side by side with ordinary code. The stated aim is to fix the problems of current computer insecurity, and to create new kinds of distributed applications, where each component can know and trust the operation of other parts of the system, even when they are running on remote computers.

Opponents characterise it as an attempt to control the market for computer hardware and software, thus entrenching and extending Microsoft's existing desktop computer operating system and software monopoly. Opponents have also characterised it as an attempt to leverage this monopoly into a monopoly over Digital Rights Management, and hence effective control over the content delivery industry. They further fear that the Palladium platform will eventually control all aspects of computer operation, including web browsing and E-mail.

Microsoft has patent protection on several concepts relating to their "Digital Rights Management Operating System", although it is not clear at this point which of them will be part of Palladium when it is finally fielded.

A sidenote: the Palladium initiative is supposedly named after the Palladium, a legendary statue in ancient Troy. Supposedly, while the statue was safe, so was the city. Legend tells us that Troy fell to a Trojan horse attack.

Table of contents

1 Functionality of TCPA/NGSCB 2 Criticism 3 Virus Cure? 4 External links

Functionality of TCPA/NGSCB

Based on current information, NGSCB (Palladium) would work in the following ways:

1. At any time after booting, the user chooses to enable NGSCB, which will let him run "trusted" applications.
2. The Windows OS loads the NGSCB micro-kernel, called the Nexus, into a region of memory that it is only accessible in a new processor mode. Simultaneously, the NGSCB Security Support Component, SSC, takes and records a hash of the Nexus.
3. An NGSCB "trusted" module, called a Nexus Computing Agent or NCA, loads into the special curtained memory region. The SSC takes a hash of the software as it loads.
4. The NCA can make calls into the Nexus to make use of NGSCB functionality. This includes sealing (encrypting) data with the aid of the SSC, which can optionally lock the data to the hash of the NCA, making it impossible for other software to decrypt the data.
5. The NCA can also use the "attestation" feature of NGSCB to get the SSC to sign a message that reports on the NCA's hash, which the Nexus then sends to a remote system . This allows the remote system to be convinced of the identity of the software running locally.
6. The keyboard and display device can also be opened as secure channels by the NCA, allowing I/O to occur without other software being able to snoop on the data being displayed or typed.
7. The combination of these features allows distributed applications to exchange and store data via secure channels such that no entity other than these software programs can examine or change the data. The inherently supports DRM as well as a wide range of other security based applications.

Criticism

If the above functionality of TCPA/NGSCB were in the final product, it would have the following drawbacks:

1. The current free competition within the software industry would be a thing of the past, as programs could not load each other's files due to the encryption the saving program can put on files created. One software company would gain dominance over a particular industry and it would be impossible to dislodge them.
2. Those who attempt to circumvent the security restrictions of NGSCB could be sued under the Digital Millennium Copyright Act.
3. Uncopiable files are just as abusable as blacklists. Organised crime groups, dishonest politicians and dishonest corporations could mark files containing evidence of their wrongdoing as uncopiable, making the activities of whistleblowers impossible. This may make any creator of a signed Operating System guilty of perverting the course of justice (their Operating Systems impede the apprehension of criminals).

Virus Cure?

On August 28 2003 Microsoft made an announcement saying that to combat the thread of future viruses like SoBig.F NGSCB was needed.

Simon Conant, a 'security expert' (quoted verbatim from the source article, the UK Metro) working for Microsoft said 'We need to go back to the drawing board with a brand new architecture for the PC'.

This argument has several flaws in it:

1. SoBig.F only affects Microsoft operating systems, and even then only those who use Outlook or Outlook Express as their mail program. A mail program which either has no scripting language at all or has a scripting language which is too secure to be exploited is completely immune to the virus. Therefore using a non-Microsoft operating system and/or a mail program with no Outlook-style flaws is a perfectly adequate defense against Mail viruses.
2. NGSCB's main contribution is to provide "trusted" programs immunity to attack from other programs, including viruses. Programs can still be infected, however, and script viruses that run from emails would still run.
3. Even if a way can be found to stop malicious scripts inside signed programs as well on an NGSCB, it is complete overkill to introduce NGSCB when a simple change to a non-Microsoft OS and/or mail program would be sufficient, especially given all the disadvantages of NGSCB.

Microsoft is not presently making strong claims that NGSCB would solve the virus problem. In their Technical FAQ linked from the Microsoft NGSCB page, they say, "Since the nexus and NCAs do not interfere with the operation of any program running in the regular Windows environment, everything, including the native operating system and viruses, runs there as it does today. Therefore, users are still going to need antivirus monitoring and detection software in Windows".

The FAQ goes on to describe the contribution of NGSCB against viruses in more modest terms: "However, the NGSCB architecture does provide features that can be used by an antivirus program to help guarantee that it has not been corrupted. The antivirus software can be grounded in such a way that it can bootstrap itself into a protected execution state, something it cannot do today."

A conspiracy theorist view on this is that Microsoft have deliberately left the flaws in Outlook/Outlook Express so that an email virus can cripple a computer and Microsoft can then announce NGSCB as the saviour. Certainly there is no valid reason for an incoming email to have access to a client's address book (the primary way the email viruses spread).

External links

• Microsoft's NGSCB page
• Ross Anderson's TCPA/Palladium FAQ
• Microsoft patents "Digital Rights Management Operating System"
• Microsoft's "Digital Rights Management Operating System" patent
• Register story criticising Palladium
• MSNBC article
• Register story: MS security patch EULA gives Billg admin privileges on your box
• The Trojan Palladium
• News.com story: What's in a name? Not Palladium
• Richard Stallman's The Right to Read
• EFF's Trusted Computing: Promise and Risk
• Microsoft moves to integrate Windows with BIOS