Microsoft Corp.s vision for its Palladium security architecture is jelling as the software maker prepares software development kits and a detailed road map for the technology.
But as the Redmond, Wash., vendor shares more details of Palladium, there is a growing unease in the security community about not only the technology but also Microsofts intentions.
Some critics see Palladium as an attempt by Microsoft to use security to extend its operating system monopoly. Others say that the technologys capabilities will give Microsoft near-complete control of what applications customers can run on their machines.
“Im … afraid of what this means for their monopoly. I think its heinously evil,” said Crispin Cowan, chief scientist at WireX Communications Inc., a security vendor in Portland, Ore.
Cowan said Palladium would be better if users were allowed to load their own customized certifications, but the system still wouldnt be able to guarantee security. “Palladiums signed code requirement will prevent the installation and execution of new, malicious code, but it will not prevent attackers from running existing code in malicious ways, and buffer overflows are the primary way to get there,” he said.
Proponents say that while Palladium has room for abuse, it has the potential to improve the overall security of PCs and networks. “I dont think Palladium needs to be thrown out because its being started by a big company. The fundamental issue is giving users control,” said Bill Arbaugh, assistant professor of computer science at the University of Maryland, in College Park, and co-author of the 1997 paper describing the technology at the heart of Palladium. “If the technology has that capability to give users choice, it will be a benefit to everyone.”
Page Two
: How Palladium Works”>
Palladium is Microsofts name for a set of security enhancements to Windows. It is designed to run on machines with special hardware security features, such as those built on the Trusted Computing Platform Alliance specification.
Officials said Palladium will include a TOR (Trusted Operating Root), which will act as a controller for the system and include a master certificate for each machine. The TOR will reside in a sealed portion of memory called a “trusted space” and communicate with “trusted agents,” software applications capable of running on Palladium machines.
The TOR will execute only code that has been signed by an approved entity, which presumably will prevent malicious programs such as viruses and Trojan horses from running, officials said. Although Palladium enables users to load their own TOR, critics worry that this functionality will enable Microsoft to prevent users from running other operating systems or applications or playing audio or video files.
“To listen to music and watch videos, youll have to use an app thats acceptable to the Hollywood folks. That will be bound into the vanilla trust structure signed by Wintel,” said Ross Anderson, head of the security group at the University of Cambridge Computer Laboratory, in Cambridge, England.
“Security always comes with a price in terms of loss of functionality. Palladium seems like a massive step backward in functionality,” said WireXs Cowan. “My hope is when consumers find out that theres no more MP3 playing and no more DVD playing, theyll drop [Palladium] like a hot rock and run backward to their old systems.”
Microsoft officials said they intend to make Palladium an open platform and that users ultimately will be responsible for choosing whether to use Palladium features on their machines.
“We want to make our solution broadly attractive to customers,” said Alan Geller, group program manager for Palladium. Microsoft plans to deliver a detailed road map, but no ship date, for Palladium by years end and will have a software developers kit in 12 months, Geller said. The technology will ship in a future Windows release. Microsofts key hardware partners for Palladium, Intel Corp. and Advanced Micro Devices Inc., are working on the chip set and cryptographic coprocessor for the system, officials said.
Related stories:
- Palladium Talk Riles OEMs
- Microsoft to Boost Security Response
- Microsoft Warns of SQL Server Flaws
- Microsoft Shelled Out Millions on Security
- Microsofts Palladium: A New Security Initiative (Extreme Tech)
- Interview: Trusting in Microsoft