The Devil And The Deep Blue Sea
Jon Lasser, 2002-07-17

Why Microsoft's Palladium project threatens to send Linux and open-source into exile.

While open-source software's reputation for security has taken a hit lately, Microsoft's Palladium presents itself as an opportunity to improve security by eliminating entire classes of potential exploits. However, Palladium cannot protect us from most security threats -- and its aim may be to eliminate open source software on commodity hardware.

Nobody disputes that buffer overflows and similar attacks have been one of the most persistent sources of serious security problems in recent years. This class of attacks, in which particular input can cause the application to crash and subsequently execute the attacker's code, is at the heart of the recent OpenSSH and Apache vulnerabilities, among many others, including a number of IIS exploits.

Palladium might provide substantial security against these attacks, because it will require that all code be digitally signed before it can run. This will be enforced at the hardware level, to reduce the likelihood of serious implementation bugs. This model could plausibly eliminate attacks whereby low-level code might be erroneously executed by a privileged application.

It is also worth noting that a hodgepodge of existing techniques, including Immunix's StackGuard and FormatGuard, can be used with open-source operating systems to protect us from many of these attacks. It is because these technologies are woefully underused that most systems remain vulnerable to buffer overflow attacks.

A Fake Fix
Palladium may seem a tempting proposition following the recent Apache and OpenSSH vulnerabilities. At this moment, the overall perception is that open-source software packages are very vulnerable to these attacks. While I believe that this perception is by and large unfounded, recent history can and will be used to argue strongly against the security of open-source code.

Furthermore, as noted by Nicholas C. Weaver in Peter Neumann's excellent RISKS Digest, volume 22, issue 15, the time between the release of an exploit and the release of a worm based on that exploit has shrunk dramatically over the last two years. Mr. Weaver also cites the present availability of a body of source code for worms that include active scanning for vulnerable sites and subsequent insertion of a backdoor into compromised systems. He suggests that worm creation kits might make it nearly as easy to release a worm as a basic exploit for a vulnerability.

The release of a number of previously unknown exploits via a worm, especially for software as widely deployed as Apache or OpenSSH, would be devastating: the results would be as dramatic as any other security problem we've seen to date, and could be a lot worse, especially if the worm were designed to destroy data. The credibility of open-source code would be damaged even further, despite the history of worms that exploit similar vulnerabilities on Windows IIS servers.

Enter Palladium: Microsoft and its partners claim that their new security architecture can protect our systems. But it also presents a grave risk to our very ability to run open-source software on commodity hardware.

The definitive attacks on the technology have come via Robert X. Cringely and Ross Anderson. But both agree that Palladium will allow only authorized code to run on systems equipped with compliant hardware.

While this sounds like a good thing, its real purpose seems to be to protect content providers, to permit Microsoft to enforce draconian licensing schemes, and quite possibly to allow Microsoft to act as gatekeeper for all PC software, allowing them to collect royalties on that software as though those systems were nothing more than video game consoles.

Linux on a Leash
Unless Microsoft signs a particular Linux kernel, for example, it will almost certainly refuse to run on Palladium-equipped hardware. If a developer releases an open-source package for a Palladium-approved operating system, it will not run unless the binary has been signed. Because not every user will be able to sign binaries, end-users' ability to rebuild software from source may be eliminated entirely.

To top it all off, Palladium is unlikely to protect users from most exploits. There are a great number of attacks that can be executed within applications, as those applications have such power and reach. Microsoft Outlook viruses can continue to spread, as can other macro viruses. The cmd.exe execution vulnerability on IIS Web servers executes only trusted code -- but it does so in response to a Web request from an attacker.

From what I've seen, I don't think that Palladium can block any of these attacks, or most other application-layer attacks. While buffer overflows allow users to execute arbitrary code on systems, application attacks execute only approved code but nevertheless produce undesirable results. Those results can be every bit as serious as the buffer overflows that Palladium would eliminate.
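The column draws a line between two kinds of control: a hardware-enforced rule that only vendor-signed code may run (the Palladium claim described earlier) and an application-layer check on what a request is allowed to make a trusted program do. The following Python model is an added example, not code from the column or from Microsoft's Palladium design, and it makes several assumptions: an HMAC under a constructed vendor key stands in for the hardware-checked signature, the program names (cmd.exe, webserver), the code images and the requests are constructed samples, and the REQUEST_ALLOWLIST is a hypothetical application-layer policy. It shows why signing alone blocks an unsigned payload but passes a trusted interpreter driven by an attacker's request, and where the missing check belongs.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed vendor key. In a Palladium-style design the vendor signature
# would be verified by hardware; an HMAC stands in for that so the model
# runs offline. This is an assumption of the example, not the real scheme.
VENDOR_KEY = b"constructed-vendor-key"


@dataclass(frozen=True)
class Program:
    name: str
    code: bytes
    signature: bytes  # empty for unsigned code


def vendor_sign(name: str, code: bytes) -> Program:
    """The vendor signs a code image before shipping it (constructed model)."""
    sig = hmac.new(VENDOR_KEY, code, hashlib.sha256).digest()
    return Program(name, code, sig)


def signed_code_policy(program: Program) -> bool:
    """Model of the hardware rule 'only signed code runs'.

    It inspects the code image only; the arguments the code is given at
    run time are outside its view, which is the limit the column describes.
    """
    expected = hmac.new(VENDOR_KEY, program.code, hashlib.sha256).digest()
    return hmac.compare_digest(expected, program.signature)


# Constructed sample code images.
CMD = vendor_sign("cmd.exe", b"trusted command interpreter")
WEB_SERVER = vendor_sign("webserver", b"trusted web server")
OVERFLOW_PAYLOAD = Program("injected", b"code smuggled in via an overflow", b"")


@dataclass(frozen=True)
class Request:
    """A web request resolved to the program it would invoke (constructed)."""
    program: Program
    args: tuple[str, ...]


# Hypothetical application-layer control: which programs a web request may
# reach at all, and what arguments each may be given. The command
# interpreter is deliberately absent, so no request can reach it.
REQUEST_ALLOWLIST = {
    "webserver": re.compile(r"[A-Za-z0-9_./-]+"),
}


def application_policy(req: Request) -> bool:
    """Check a request against the application-layer allowlist."""
    pattern = REQUEST_ALLOWLIST.get(req.program.name)
    if pattern is None:
        return False
    return all(pattern.fullmatch(a) is not None for a in req.args)


def decide(req: Request) -> dict:
    """Return what each layer decides about one request."""
    return {
        "signed_code": signed_code_policy(req.program),
        "application": application_policy(req),
    }


if __name__ == "__main__":
    cases = {
        "overflow payload": Request(OVERFLOW_PAYLOAD, ()),
        "cmd.exe via web request": Request(CMD, ("/c", "dir")),
        "normal page fetch": Request(WEB_SERVER, ("index.html",)),
    }
    for label, req in cases.items():
        print(f"{label:25s} -> {decide(req)}")
```

Run as a script, the three cases show the pattern the column argues: the unsigned payload fails the signing check, the request that reaches the signed command interpreter passes it and is stopped only by the application-layer allowlist, and the ordinary page fetch passes both. A tampered code image (one byte changed, old signature kept) also fails the signing check, so the model does enforce what it claims and nothing more.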

In the end, hardware that does not enable Palladium to function will continue to be available -- but it will not be the consumer-grade hardware on which most open-source operating systems currently run. Open-source fanatics will be able to run Linux or NetBSD on Sun hardware, for example, but not on the substantially less expensive PC platform.

Open-source appears vulnerable at present, due to a serious episode of bad timing. While Palladium promises to eliminate buffer overflows, in doing so it may eliminate all open-source software as well. Worse still, it will fail to protect users from serious security risks. For these reasons, I oppose Palladium completely. I will buy neither compliant hardware nor compliant software should they become available. I encourage all of my readers to read the above links, to understand what they are saying, and to stand firm against Palladium.


SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
Copyright 2010, SecurityFocus