Slashdot Mirror


Dartmouth Project Combines Linux With TCPA

SiliconEntity writes "A new project from Dartmouth College demonstrates significant advances in combining Linux with TCPA. The software turns a Linux PC into a 'virtual secure coprocessor', which is able to check that none of its software is compromised and even (in a future version) prove its integrity to a remote system. Full GPL source code is available for the 2.4 kernel. This work is separate from the earlier IBM research which also combined Linux with TCPA, with the new project apparently more complete and with a road map towards a very functional Linux based trusted computing system. This could be an important technology for Linux to challenge Microsoft as it pushes forward with NGSCB (aka Palladium)."

11 of 227 comments

  1. Re:Sweet by advocate_one · · Score: 4, Interesting

    I think you'll find Linux will have it well before MSFT does... and it'll work... and it won't require special hardware either. And you'll be able to double check the source code instead of having to take it on trust...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  2. Not compatible with each other? by MoonFog · · Score: 5, Interesting

    From the PDF:
    The exact relation between TCPA and the former Palladium is not clear; one suspects that at some point in the TCPA design process, Microsoft decided to withdraw and build their own variant.
    This probably means the two technologies will not be compatible with each other; files created under one will not be able to be opened under the other.

  3. Palladium is actually about security by Photo_Nut · · Score: 3, Interesting

    Think about this for a moment before you call me a troll, mark this post as flamebait, or bash me for being a MS supporter on the issue. It's not funny, it's serious.

    Palladium/TCPA is a security measure, not just a DRM platform. Enabling DRM is impossible in the sense that DRM doesn't cover the analog hole. As long as people have the ability to reproduce video and audio, DRM will only prevent people who do not have other recording mechanisms from copying raw data. Digital cameras get cheaper each day. Multimedia devices are falling in price and becoming higher quality every day. Today I saw a $50 DVD/CD/MP3 player. Star Trek like systems will be here before most of us die of cancer.

    Now let's get back to our topic. Security. Palladium. The thing which Palladium prevents is unsigned code from executing. It's literally a form of sandbox for x86 code. Say that you write a program which attempts to install itself into my system registry and that installer mechanism isn't signed, my computer can prevent you from installing software on it. Of course, if I (as the user of the machine) am given the choice, and let you install the software anyway, knowing it is unsigned, then at least I can share the blame for the insecurity.

    Bill Gates is no stupid man. It is right that these systems are systems based on trust. If you don't trust Microsoft, it doesn't work. If the magic key-granting-key for granting root keys is ever discovered or hacked at Microsoft headquarters in Redmond, then the game is over. Of course, in the Linux world, that magic key is somewhere else. Maybe there is a new key for each distribution.

    Now, I'm not saying that this system doesn't have potential for being abused. If I sign my worm for Red Hat Linux, then the protection system is useless. Worms might still be able to get inside via the older flawed software. Microsoft needs legacy applications to continue its business. The reason that MS owns so much of the computer market is that it had so much of the application share before and it didn't ruin feature compatibility with newer versions, among MS apps and with 3rd parties that were important.

    The initial hole in Palladium is the same hole in DRM: In order for it to be successful, it has to work. DRM doesn't work (analog hole, memory and simulation based attacks), and Palladium may make a huge dent in internet worms, but it won't stop Macro Viruses or prevent IE from popping up new windows.

    Palladium is one step in the right direction: locking down the OS to only perform installs of "trusted"/signed software. There are several other serious security measures which need to be taken:
    1) Buffer Overflow prevention
    2) Unsigned Device Driver prevention, and strict certification of Device Drivers
    3) Lock-Down of all user and administration activities into appropriate accounts
    4) Making all of the above trivial to set up for a newbie

    Microsoft isn't much farther along than Linux in any of these areas, but Linux won't gain any momentum among novice users if it doesn't improve in ease of use. The next 4 years should be very interesting in the software market. The industry has matured a great deal recently after its adolescence period/dot com crash.

    1. Re:Palladium is actually about security by Minna+Kirai · · Score: 2, Interesting

      Enabling DRM is impossible in the sense that DRM doesn't cover the analog hole.

      The technologies being used to enable DRM hardware create user-hostile computers and are a step along the way to plugging the "analog hole". You mention that digital cameras (still or video) are getting cheaper and better all the time. But digital watermarking already exists, and digital shape-recognition is getting better and better. Long-term, the advances in software will overwhelm hardware improvements. Hardware may open an analog hole, but software will close it.

      Future scenario:
      20 years from now, a friend visits you with a laptop, and he plays music while your webcam dumps his whole visit into a 3 terabyte AVI.

      Weeks later, you'll order a few MP8 songs with your credit card. A click-through license agreement gives the publisher certain rights to monitor your compliance. In collaboration with your OS vendor, they transmit a program onto your PC during a routine system update. This program runs automatically during periods of low CPU use and scans your audio data for any patterns resembling something the publisher owns (not just the songs you rented, but anything in their vast catalog). The software is fast, because it only needs to read user-recorded files. The majority of your songs were legally downloaded and have a copy-protect flag, so they can be skipped.

      If an unprotected file gets a 98% confidence match on anything they own, it is automatically uploaded to a lawyer on another continent. This man doesn't know what user's computer it came from, and is sworn not to violate your privacy if the file turns out to be anything other than an analog copy of his client's work. After a quick human-verification that the file sounds the same, the publisher's HQ sends an emergency message to both the OS vendor and the FBI. Instantaneously, your computer freezes up to protect evidence, and an arrest warrant pours out of the fax machine of the nearest police department.

  4. Re:Not the right idea... by paulhar · · Score: 3, Interesting

    While this may or may not be a worthy cause, I don't believe it's got a fundamental weakness. While each application relies on and uses the data it receives it may still take actions that weren't intended by the designer of the system.

    Most "office" type applications execute the data directly (e.g. macros, vbscript, etc) and it would be a large step backwards to disable this even for the increase in security it would bring. We could turn it all off today (java, jscript, vbscript, macros etc) and we're still vulnerable to bugs that get exploited.

    Tricking "signed" applications to doing things they aren't supposed to do was demonstrated to great effect with the XBox hack.

  5. The owner of the PC does NOT own the master keys by NZheretic · · Score: 4, Interesting

    The long term problem with IBM's model of the TCPA is exactly the same as that of Clipper chip encryption: the owner of the PC does NOT control the attestation master keys. This leads to the same escrow agent model, which is far too open to exploitation by The New American Corporate Soviet.

  6. Re:Trustworthy digestion by Anonymous Coward · · Score: 1, Interesting

    "Data can be protected with a secure pathway from the keyboard through the computer to the monitor screen, preventing it from being secretly intercepted or spied on"

    Food can be protected with a secure pathway from the mouth through the bowels to the toilet, preventing it from being secretly intercepted or spied on as well, but that doesn't make eating safe.

    And how does this prevent people from looking over your shoulder?

  7. What about an emulator? by Yartrebo · · Score: 2, Interesting

    Couldn't this be defeated by running a Pentium-with-Palladium emulator? It would implement all the normal instructions (like add, jmp, etc.) properly, it would handle the authentication instructions by always saying yes, and it would handle encryption and decryption opcodes with noops. For the icing on the cake, it could log all keys sent to it to /var/www/html/keys.txt.

    You would start with a freshly formatted hard drive (preferably non-DRM crippled, but as long as it can run Linux and your emulator, it's fine) and install Linux on it. Then you would install your Pentium emulator with fake DRM support (a bit like Wine). Then you would install your Windows-with-DRM through the emulator. All the DRM software wouldn't know the difference.

    Assuming that a DRM system will allow unsigned code to run (and just stop you from modifying/copying signed data), this will allow crackers and rippers to make perfectly functional non-DRM programs and media files that will run on normal (DRM-crippled) systems, and if not, then there will be a HUGE incentive to get uncrippled machines, much like mod chips for game consoles.

  8. Re:Difference between Palladium and TCPA by sjames · · Score: 5, Interesting

    Like many things, TCPA is a neutral technology. If the TCPA just sits on the board unused, you'd never know it's there at all. With Palladium, your system will be actively user hostile and RIAA/MPAA/MS friendly.

    TCPA in itself won't prevent booting Linux. The fear is that a BIOS could then be written that won't load an OS that isn't signed by Bill Gates. TCPA merely enables that non-functionality. In addition, it is entirely possible to have a CPU come up in crippled mode until it validates the BIOS against the TCPA so that an unsigned BIOS won't run either. That is the fear, a total lock-down.

    On the other hand, if the user has the signing key (I say user, since in reality, whoever has the signing key is the owner), TCPA permits (but does not assure) user friendly, outsider hostile strong system security.

    The problem is that we are all aware that certain corporations in the U.S. would happily torture all of their customers to death if it was shown that after all of the lawsuits are settled, they make an extra $0.10 over the next 5 years than they would otherwise. They will be more than happy to build a user hostile system and lease it to their customers if they can find a way to kill off the competition.

    Even if the lease is called a sale, I maintain that it's in reality a lifetime lease since, as I said, whoever has the signing key is the real owner of the system.

    One possible roadblock to that would be to get the above paragraph enshrined in law. Not only would that force vendors to be more honest in their sales of Palladium enabled systems, it would place a nice large tax burden on a corporate holder of the signing key since they would be forced to acknowledge that they actually own all that hardware out there. More likely, it would kill the whole thing since under that law, hardware vendors would have to treat the transaction as a gift to MS and themselves as a lease broker for MS.

  9. Tinfoil for the mad hatter by poptones · · Score: 2, Interesting

    If you have a collection of AVI movies and MP3 songs, where did you get those? Are there some great archive sites I've never heard of where movie and music studios are giving away tens of thousands of high quality downloads? Is McGraw-Hill offering all their new books in PDF downloads? See, I keep hearing "content provider this" and "content provider that" but I still don't see any evidence this new scenario represents any sort of change from the one we have already...

    Are there any websites that offer high quality streaming video? Or even high quality downloadable movies? How about high quality MP3s? Anything at all the publishers are offering "legally" in a format of higher quality than I have been getting (for years) absolutely free via USENET?

    How about plain ol' "information" websites? Hmmm... let's see. Geocities might be a good example. No streaming video (big deal) but they host tens of thousands of home pages. So does AOL. So let's say they decided to use this Palladium-Longhorny stuff to keep their "members pages" available only to those willing to use their client software.

    Uhhhh... so what? I can't recall the last time I visited a geocities page (much less an AOL members page), and I'm pretty sure if I go over the proxy logs I'll not find anything more than a few "404" pages with their name on'em. Yahoo? I used to read a couple of their groups, but they're gonna send spam to you one way or another so I quit that long ago. There's just as much content in usenet, and I get to call the shots.

    See? This doomsday scenario really isn't much different than what we have now - it's just more of the same but with encryption. I really don't give a shit if Universal wants to put their movies online and lock them away behind MS-centric operating systems, because I wouldn't use the service even if they slapped a Penguin on the door and made the "movie viewer" part of the RH12 base distribution. I wouldn't use it because a) I don't have broadband and b) if I want my own copy of a movie I will rent the DVD and rip it myself, or do a sneakernet trade for a copy from someone I trust to do a good job of it.

    "Content providers" will lock away only as much as is economically viable. If there's no money in it, they won't lock any of it away. But right now they have it all "locked" away (at least as much as they are able). So what does any of this "evil" new technology change?

    Having a system I can trust even if it's hanging out on a raw IP is a very good thing. If the tradeoff I have to accept is that Universal will use the same technology to sell movies to people with plenty of disposable income, more power to'em.

  10. There's a lot of talk by Kickasso · · Score: 2, Interesting

    about how TCPA will kill open source. This outcome is very probable. But they can also work fine together. There is a solution, and open source people would do good by pursuing it instead of blindly fighting the inevitable.

    TCPA needs an agreed-upon, standard microkernel around which different OSes could be built. A whole bunch of new open source OSes and, yes, new Microsoft OSes. This microkernel would be developed by an independent body and signed by DRM-loving vendors. Because it would be very small, and change very rarely, there should be little problem with it. Yes, end-users won't be able to modify it; that's the price one pays. They won't want to do it very much because the microkernel provides very little functionality.

    Hardware vendors would release drivers for their wares that would work with this microkernel. These drivers would be otherwise OS-independent and would include decryptors and decoders needed for playing content. The vendors would get their drivers signed, too. (And open-source OSes will get closed-source drivers for free: a nice bonus!)

    The rest of the OS and the entire universe of user apps would need not be trusted at all. They would run in user space and be totally unprivileged.

    So I think open-source people should approach TCPA and offer to work together along these lines. There's nothing to lose, and much to gain, so why not at least try it?