Why Microsoft's Palladium project threatens to send Linux and open-source into exile.
Unless Microsoft signs a particular Linux kernel, it will almost certainly refuse to run on Palladium-equipped hardware.
Nobody disputes that buffer overflows and similar attacks have been one of the most persistent sources of serious security problems in recent years. This class of attacks, in which particular input can cause the application to crash and subsequently execute the attacker's code, is at the heart of the recent OpenSSH and Apache vulnerabilities, among many others, including a number of IIS exploits.
Palladium might provide substantial security against these attacks, because it will require that all code be digitally signed before it can run. This will be enforced at the hardware level, to reduce the likelihood of serious implementation bugs. This model could plausibly eliminate attacks whereby low-level code might be erroneously executed by a privileged application.
It is also worth noting that a hodgepodge of existing techniques, including
A Fake Fix
Palladium may seem a tempting proposition following the recent Apache and OpenSSH vulnerabilities. At this moment, the overall perception is that open-source software packages are very vulnerable to these attacks. While I believe that this perception is by and large unfounded, recent history can and will be used to strongly argue against the security of open-source code.
Furthermore, as noted by Nicholas C. Weaver in Peter Neumann's excellent
The release of a number of previously unknown exploits via a worm, especially for software as widely deployed as Apache or OpenSSH, would be devastating: the results would be as dramatic as any other security problem we've seen to date, and could be a lot worse, especially if the worm were designed to destroy data. The credibility of open-source code would be damaged even further, despite the history of worms that exploit similar vulnerabilities on Windows IIS servers.
Enter Palladium: Microsoft and its partners claim that their new security architecture can protect our systems. But it also presents a grave risk to our very ability to run open-source software on commodity hardware.
The definitive attacks on the technology have come via
While this sounds like a good thing, its real purpose seems to be to protect content providers, to permit Microsoft to enforce draconian licensing schemes, and quite possibly to allow Microsoft to act as gatekeeper for all PC software, allowing them to collect royalties on that software as though those systems were nothing more than video game consoles.
Linux on a Leash
Unless Microsoft signs a particular Linux kernel, for example, it will almost certainly refuse to run on Palladium-equipped hardware. If a developer releases an open-source package for a Palladium-approved operating system, it will not run unless the binary has been signed. Because not every user will be able to sign binaries, end-users' ability to rebuild software from source may be eliminated entirely.
To top it all off, Palladium is unlikely to protect users from most exploits. There are a great number of attacks that can be executed within applications, as those applications have such power and reach. Microsoft Outlook viruses can continue to spread, as can other macro viruses. The cmd.exe execution vulnerability on IIS Web servers executes only trusted code -- but it does so in response to a Web request from an attacker.
From what I've seen, I don't think that Palladium can block any of these attacks, or most other application-layer attacks. While buffer overflows allow users to execute arbitrary code on systems, application attacks execute only approved code but nevertheless produce undesirable results. Those results can be every bit as serious as the buffer overflows that Palladium would eliminate.
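The two points above (a sign-before-run gate stops unsigned or tampered code, but says nothing about what approved code does with a hostile request) can be shown in a small model. The following is an added illustration, not Palladium's design and not code from the article: "code" is a Python function, its "binary" is the function's bytecode and constants, and vendor approval is an HMAC over that with a constructed key standing in for the asymmetric signature a real scheme would use. The document root, handler names and request strings are all constructed for the toy.

```python
"""Toy model of a sign-before-run gate, showing what it does and does not stop."""
import hashlib
import hmac
import posixpath

# Constructed key: stands in for the private key of whoever may approve code.
VENDOR_KEY = b"constructed-vendor-signing-key"
# Assumed document root for the toy web handlers below.
WEBROOT = "/var/www/html"


def code_bytes(fn) -> bytes:
    """The 'binary' the gate signs: bytecode plus the constants and names it uses."""
    c = fn.__code__
    return c.co_code + repr(c.co_consts).encode() + repr(c.co_names).encode()


def sign(fn) -> bytes:
    """Vendor approval of a piece of code (HMAC-SHA256 in this toy)."""
    return hmac.new(VENDOR_KEY, code_bytes(fn), hashlib.sha256).digest()


def is_approved(fn, signature: bytes) -> bool:
    """Constant-time check that the signature matches this exact code."""
    return hmac.compare_digest(sign(fn), signature)


def gate(fn, signature: bytes, request: str) -> str:
    """Hardware-style gate: refuse unsigned code, run signed code on the request."""
    if not is_approved(fn, signature):
        return "REJECTED: code is not signed by the vendor"
    return fn(request)


# Two handlers a vendor might sign. Both are "approved code"; only one is safe.

def naive_handle(path: str) -> str:
    """Maps a request path straight onto the filesystem (no confinement)."""
    return "SERVE " + posixpath.normpath(WEBROOT + "/" + path)


def confined_handle(path: str) -> str:
    """Same mapping, but refuses anything that resolves outside WEBROOT."""
    target = posixpath.normpath(posixpath.join(WEBROOT, path.lstrip("/")))
    if target != WEBROOT and not target.startswith(WEBROOT + "/"):
        return "DENIED: request escapes the document root"
    return "SERVE " + target


def tampered_handle(path: str) -> str:
    """Code the vendor never signed; the gate must refuse it."""
    return "SERVE anything at all"


def demo() -> dict:
    """Runs the gate over signed, unsigned and hostile-input cases."""
    sigs = {"naive": sign(naive_handle), "confined": sign(confined_handle)}
    traversal = "../../../secret-outside-webroot.txt"  # constructed hostile request
    return {
        # Unsigned code presented with someone else's signature: stopped by the gate.
        "unsigned": gate(tampered_handle, sigs["naive"], "index.html"),
        # Signed code on a benign request: runs as intended.
        "naive_ok": gate(naive_handle, sigs["naive"], "index.html"),
        # Signed code on a hostile request: the gate is satisfied, the result is not.
        "naive_bad": gate(naive_handle, sigs["naive"], traversal),
        # The fix lives in the application logic, not in the signature.
        "confined": gate(confined_handle, sigs["confined"], traversal),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} {result}")
```

The gate does its job in the first case and is equally satisfied in the third: the signature proves who approved the handler, not that the handler validates its input. Only the confinement check in the second handler changes the outcome, which is the kind of application-layer defence a signing requirement leaves untouched.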
In the end, hardware that does not enable Palladium to function will continue to be available -- but it will not be the consumer-grade hardware on which most open-source operating systems currently run. Open-source fanatics will be able to run Linux or NetBSD on Sun hardware, for example, but not on the substantially less expensive PC platform.
Open-source appears vulnerable at present, due to a serious episode of bad timing. While Palladium promises to eliminate buffer overflows, in doing so it may eliminate all open-source as well. Worse still, it will fail to protect users from serious security risks. For these reasons, I oppose Palladium completely. I will buy neither compliant hardware nor compliant software should they become available. I encourage all of my readers to read the above links, to understand what they are saying, and to stand firm against Palladium.