Palladium and What You Use Security

A good article explaining Microsoft's Palladium initiative. What interesting about Palladium is that it provides a mechanism to not just authenticate who you are but also what software you are using. For the purposes of this article I will refer to this as What You Use (WYU) security. In reading this article please keep in mind that I know nothing about Palladium so the following comments only apply to WYU style security systems in general and in no way reflects Palladium's past, present or future plans.

Let's imagine that your company has its extremely sensitive financial results spreadsheet available on its internal server machine named or FinRes for short. You are one of the privileged few allowed to see the Financial Results however you are running an un-patched version of the Flipper Spreadsheet program that has some horrible flaw that would allow a black hat (e.g. a bad person) to take over your spreadsheet and see everything you see. When you contact the FinRes server to download the spreadsheet the FinRes server would run a WYU security check on your system and refuse to let you access the file because you are running the un-patched version of the Flipper Spreadsheet program and so pose a security risk. Notice what happened, you weren't rejected because of who you are, you were rejected because of the software you use.[1]

A similar scenario is that you are using a proper version of the Flipper Spreadsheet program but you have been infected by a virus that has altered the spreadsheet program's code. WYU security would also reject this scenario because it would see that the spreadsheet software has been changed and so reject your access attempt.

Now lets say that instead of using the incredibly popular and widely supported Flipper spreadsheet program you decided to use OpenSheet, a not as widely popular spreadsheet program. When you contact the FinRes server it will use WYU to validate your spreadsheet program and find out that you are using OpenSheet. Because OpenSheet isn't as popular as Flipper the FinRes server was never programmed to accept OpenSheet. So your request will be rejected. It will not be rejected because OpenSheet is insecure, it will be rejected because OpenSheet isn't on the 'accepted' spreadsheet list for the FinRes server.

As a big fan of OpenSheet you complain to the FinRes server's administrator and get them to add OpenSheet to their accepted software list. All is well and good until you try to access the the highly confidential sales projections spreadsheet. This spreadsheet lives on a different server, the or SalesForce server. Like the FinRes server, the SalesForce server is automatically configured to accept the widely popular Flipper spreadsheet program but doesn't know anything about OpenSheet. So you will have to complain to the SalesForce server's administrator to get them to add OpenSheet to their configuration list. The question then is – exactly how many times will you repeat the process of begging for OpenSheet to be added to each and every server, both by your own company's servers and by all of your partner's servers before you give up on OpenSheet and just use Flipper?

WYU provides an almost insurmountable adoption obstacle to any new software. In a WYU world you can't just download the latest and greatest new program and use an inter-operable network protocol to communicate with a remote system. In a WYU world you first have to get the remote system to accept talking to your latest and greatest software.[2]

I expect that many IT people will love WYU security. It gives them a way to keep users from running unsupported software and potentially even prevents users from running supported software in unsupported configurations. It's not that you can't install or run the software, it's that the software won't be able to inter-operate with anything else on the system.

Another area I think we can expect to see a lot of use of WYU security is for digital rights management (DRM). It is effectively impossible to build a useful DRM system without WYU security. Imagine you are downloading a MP3 file to your MP3 player which lets you do things like burn the MP3 to a CD. The MP3 file's owner doesn't want you to have that capability. So they use WYU security to make sure that only MP3 players that do not allow you to burn a CD are able to play the file. They can also make sure that your MP3 player will only send the file to other MP3 players to play the MP3 if they enforce the MP3 owner's DRM policy. WYU allows one to create a hermetically sealed world in which systems will only communicate if they can verifiably trust each other.

[1] WYU security is based on the idea that burned into your PC will be a piece of hardware with an embedded public/private key pair. The remote system will send a request to that piece of embedded hardware who will perform the software verification and then sign its results with its private key and send them back to the remote system. The remote system will verify the signature and know that a piece of trusted hardware has verified the program that is running. Since you won't know the private key and since, at least in theory, you can't hack the embedded hardware to recover it there should be no way to get around the security. This begs the question – why does the remote system trust the key on the machine? The answer will be that the machine's key will itself be signed by some mutually trusted third party. This is how SSL certificates work today. When you go to a website and your browser says 'secure connection' what has happened is that the remote site has given your computer a digital certificate saying 'someone who your browser trusts says I am who I say I am.' Verisign is probably the most popular company who provides this service.

[2] The obvious question is – what happens when a new version of Flipper comes out? The answer is almost certainly that the WYU servers will be configured by default to talk to the Flipper server and receive notifications when a new version comes out and so automatically update their authorization list. This same mechanism will also be used to disable access to older versions of Flipper if a hole is discovered or if the manufacturer just decides they really don't want to support that version anymore. All of these settings can almost certainly be overridden and reconfigured in arbitrary ways but how many system administrators will bother?

Leave a Reply

Your email address will not be published. Required fields are marked *