
Presentation Slides and Notes

for

Palladium
CS406

This PDF contains the Powerpoint slides, and also text notes for the more
graphical first half of the presentation. The notes finish approximately at the end
of the second page of slides, although the picture of the keystroke logger on page
three is also part of that section.

If you are at all interested in this subject, we strongly recommend that you
investigate the two Web sites listed on the last slide. The first concentrates on the
political questions, whereas the second is more concerned with the technical
features of the system.
Pete Verdon

Next-Generation Secure
Computing Base

(Palladium)
James Forrester
Julz Friedman
Pete Verdon

What isn't Palladium?

Fritz Chip
- Part of TCPA, not Palladium

What is Palladium?
A system to control what other
people's computers can do with
your data.
- Where you are probably a large corporation or government

TCPA Scheme
Fritz Chip (a.k.a. TCM)
Controls the boot process
Known secure state
Cryptographic key made from hash of state

Hands over to enforcement software in operating system
TCPA is now effectively replaced by Palladium

The Microsoft Version: Palladium / NGSCB

Uses Fritz cryptographic key

Fritz continues to monitor and will only make the key
available if the environment remains in an approved
state.

How it Works

A real system.
Most functions moved to software, though
this relies on new hardware capabilities:

New operating mode (and opcode) in CPU
Chipset (to enable curtained RAM)
Palladium-capable I/O hardware
Secure Cryptographic coProcessor
(diagram: microsoft.com)

How it Works

A Secure Cryptographic coProcessor (diagram: microsoft.com)
- Prototypes already available

How it Works (diagram: microsoft.com)

How it Works (diagram: microsoft.com)

Hardware Keystroke Logger (picture)

This slide intentionally left blank

Aims:
Anti-Virus

Stated Aims
Discussed aims and objectives, and
achievability, might differ
Some of them seem to be merely
advertising or spin (surely not!)
Some aims don't seem to be being
discussed very much, if at all.

Anti-Virus claims
Microsoft Windows' reputation for susceptibility to
Virus attack

Would it work?
Only if computer is in complete lock-down
(only authorized programs allowed to run)

Still very minor effect
Most major virus attacks are scripting exploits with VB etc. in
trusted applications

This aim has since been retracted

Aims:
Anti-Spam
Meant as protection against Trojans etc.
Hope to prevent Trojan attacks taking over
computers and using them to create Spam
See previous slide, not very effective
Also retracted by Microsoft.

Aims:
Lock you into Intel system
Could be a problem in hardware-heavy
models, but not in Palladium
Initially widely declaimed by analysts
Not very believable, anyone can make a
trusted chip
Not anyone can hold the trusted keys
AMD now part of the collective

Aims:
Secure Media and Programs
Effective in primary cases
Disadvantages pointed to
What if you're not online?
What about an Open Source program or OS?

Problems
Need trusted GPU, soundcard etc. to be truly effective
Will people upgrade all of their hardware?
May actually be used only in certain environments

Aims:
Government/Corporate Leaks
Only allow documents to be viewed on certain PCs.
e.g. Governmental security (MOD, GCHQ, ...)

Self-destructing documents
Server instructs programs to destroy documents after 6 months;
only programs known to obey can open document

Home users unlikely to agree, but businesses will see a
compelling case

Aims:
Renting Media/Programs
Also quite effective, very plausible
New market for media companies, very
attractive
Again problem of limiting choice of viewer
application
See iTunes/iPod - just making it hard to copy is
enough for media companies

Conclusions: Does it work?

Well, yes and no:
It raises the bar significantly if there are no
links in the chain that are easy to exploit,
but
there are still problems, most notably
related to the analogue hole (humans).

Conclusions: Will it happen?

Changes required in people's mental model
of the computer.
Not really in the interests of consumers,
nor content producers other than the big
companies (Disney, Sony Music, etc.)
Requires large investment to pull off
So no, probably not.

ANY (EASY) QUESTIONS?

Further Reading
Trusted Computing FAQ - Ross Anderson
Good overview, cynical/sceptical.
http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html

Palladium Summary - Seth Schoen

Notes from a meeting with Microsoft, takes a neutral to
faintly positive line.
http://vitanuova.loyalty.org/2002-07-05.html

Palladium presentation notes

03/12/2004 13:47:31PM

Title Slide
You've probably heard of it
Probably don't fully understand it
We're going to try to make clear what it is, what it can do,
more importantly what it probably will and won't do

What is Palladium?
Originated in 1997 with Peter Biddle at Microsoft as a DRM
system
He recognised that this is an instance of a general problem
- entrusting your bits to someone else but with conditions
as to what they can and can't do with them.
This is the same problem as privacy and some types of
security, so Palladium will work for those too.
In existing PC hardware it is not possible to ensure that
data goes only where it should.
You can dummy sound or video cards, you can run
debuggers on programs, you can read the decrypted file
straight out of memory - and you can write programs so
that inexperienced people can do this easily.
Thus Palladium involves adding hardware to the PC.

What isn't Palladium?

Trusted Computing Platform Alliance were developing their
own similar DRM system
Fritz is part of that
Several influential members including Microsoft started a
new group - Trusted Computing Group
Purported to be the successor to TCPA - invited TCPA
members to join
TCPA now pushes Palladium
This does confuse matters - two schemes, two sets of
terms, companies involved deliberately mingling them

TCPA Scheme

Page 1

Palladium presentation notes

03/12/2004 13:47:31PM

TCPA Scheme
Very much tied to DRM. Basically, there's a key to unlock
your content, and a hardware chip keeps an eye on
everything and only lets you have that key if everything's in
an approved state.
Very hardware-heavy, inflexible, and difficult to implement.

Microsoft Version
"A real system", by which I mean this looks like being the
one we'll get. Much more developed - documentation is
available for programming for it, definitely to be included in
some form in Longhorn, though hardware not necessarily
in place.
IO Hardware - initially graphics card, probably closely
followed by sound card. But eventually have secure
everything available, even keyboards.

How It Works
SSC
Holds crypto keys specific to the machine
Can't be used to identify you remotely - actually gone
to some trouble to make this impossible. Not to say you
can't be, but it won't be by these keys.
Performs encryption and decryption under the control of
the Nexus
Encrypted data can only be read by this Nexus on this
machine.

Nexus
AKA "nub" in older documentation.
A kind of secure kernel or memory manager - the main
OS kernel is untrusted.
Controls access to curtained RAM.
Provides services to Nexus Computing Agents
Controls other Palladium-aware hardware.
Nexus is trusted, but a meddled-with Nexus can be
identified
Hardware will only let a Nexus read its own data, so
the meddled one can't get at stuff saved by the real
one
You can't lie about what Nexus you're running (though
you can choose not to say) so data providers can
choose only to dish out data to known-good Nexii.
No technical reason why you can't write your own Nexus
- technical people at Microsoft insist the Linux people are
welcome to do it, though it remains to be seen whether
that actually happens.
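To make the sealed-storage point above concrete (the same mechanism as "encrypted data can only be read by this Nexus on this machine" and the TCPA slide's "cryptographic key made from hash of state"), here is a small model added for these notes; it is not Microsoft's code nor any real SSC interface. The sealing key is derived from a per-machine secret and the hash of the running Nexus, so a meddled-with Nexus, or the genuine Nexus on another machine, cannot unseal what the genuine Nexus stored. The HMAC-counter keystream, the key derivation and all sample values are constructed stand-ins, not the real primitives.

```python
import hashlib
import hmac
import secrets

# Constructed model of Palladium sealed storage (not Microsoft's code): the SSC
# derives the sealing key from a per-machine secret and the hash of the Nexus.

def nexus_hash(nexus_code: bytes) -> bytes:
    """Measurement of the Nexus, as the hardware would compute it."""
    return hashlib.sha256(nexus_code).digest()

def _seal_key(machine_secret: bytes, nexus_code: bytes) -> bytes:
    # Bound to (machine, Nexus hash); neither alone reproduces the key.
    return hmac.new(machine_secret, b"seal|" + nexus_hash(nexus_code),
                    hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a stand-in stream cipher for the model.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(machine_secret: bytes, nexus_code: bytes, plaintext: bytes) -> bytes:
    """SSC seals data for the calling Nexus: nonce || ciphertext || tag."""
    key = _seal_key(machine_secret, nexus_code)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(machine_secret: bytes, nexus_code: bytes, blob: bytes):
    """Plaintext, or None when this Nexus on this machine did not seal the blob."""
    key = _seal_key(machine_secret, nexus_code)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong Nexus, other machine, or tampered blob: SSC refuses
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed sample values for the demonstration.
MACHINE_A = b"\x01" * 32
MACHINE_B = b"\x02" * 32
GOOD_NEXUS = b"nexus v1: enforce policy; never export keys"
MEDDLED_NEXUS = b"nexus v1: enforce policy; always export keys"
```

Sealing with GOOD_NEXUS on MACHINE_A and then unsealing with MEDDLED_NEXUS, or on MACHINE_B, returns None: the meddled Nexus can still run, but it cannot read data saved by the real one.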

Nexus Computing Agents

If Nexus is the kernel, these are the applications. Small
secure programs that run in curtained memory and can't
access each other or the outside except through the
Nexus
Developer documentation suggests that small security-focussed apps be written completely as NCAs; larger
apps that need some Palladium features would be mostly
untrusted but have an associated NCA to perform the
security-critical tasks.

Kernel / Apps
Is untrusted. On other side of brick wall. (Terms "right
hand side" and "left hand side" are apparently used semi-officially at Microsoft.)
Not really important what kernel it is. Intention (from a
technical point of view, anyway) is that all current
operating systems (free ones included) would be able to
run on a Palladium PC.

Hardware
An attempt to close the "analogue hole". Initial work
focusses on graphics card - NCAs can ask that stuff be
sent there and ordinary apps can't see it or mess with it.
No doubt similar for sound.
USB Hub for keyboards - not a DRM feature, but enables
lots of other security possibilities. Stops someone using
one of these beasties on you.
Doesn't say anywhere, but it would be stupid to assume
that Palladium requires all compliant hardware. More
likely the system will say what there is, and it's up to the
program whether it wants to run with the security
available.
