Understanding NGSCB (fka Palladium)

[catch]

Essentially a trusted system is any system featuring a Trusted Computing Base (TCB), which is defined as:
The totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a TCB to enforce correctly a unified security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user's clearance level) related to the security policy.
- NCSC-TG-004 (Teal Green Book)

This TCB is the foundation of the system, all other security depends on the security policy it is enforcing. In systems like Next-Generation Secure Computing Base (NGSCB fka Palladium) the protection mechanisms start with the Fritz chip. This chip uses encryption technologies to determine what hardware and software can be considered "trusted." All hardware and software components of the TCB are trusted, but not all trusted components are part of the TCB. This ensures a high level of assurance to the TCB, while still allowing the user a great degree of flexibility.

Here is where things get a little trickier, and where the authors are clearly ignorant. Components of the TCB MUST undergo considerable formal validation and verification. Trusted components beyond the scope of the TCB merely require formal validation. All other components require no inspection of any kind. That's right, no inspection whatsoever! They could contain viruses, or other malware... heck they could even simple be malware. This is the beauty of the trusted systems.

Pictures 3 levels... the first level is the TCB. At this level no changes can be made without the express permission of (in this case) the Fritz chip. (This represents a giant leap forward from traditional trusted systems that are evaluated with very specific components.)
The second level is trusted non-TCB components, including but not limited to Digital Rights Management (DRM) and additional hardware components. Components at this level have a greater degree of assurance since the TCB can still monitor them for unauthorized manipulation, preventing boot sector viruses, NIC modifications, infected components, and perhaps even remote users from initiating actions limited to local users only, regardless the level of compromise the system may find itself in.
The third level is where untrusted components exist.

A hierarchical system of dominance must be overt for this system to work. For example, when playing a trusted DRM controlled media the system will launch its trusted media player as a trusted subject (assuming the user is trusted) however, if the media is untrusted DRM the TCB will need to provide a closed compartment for the trusted media player to operate as a trusted subject. This allows the DRM controls to be authenticated by the Fritz chip, yet protects the system from potentially damaging code within the media. Finally untrusted, non-DRM media is played by either the trusted media player running as an untrusted subject or an untrusted media player of the users choice. This ensures with even greater assurance against malware and doesn’t needlessly tap the Fritz chip capabilities.

Many users will complain that this technology removes the control they can exert over their system. This is true, however let us not forget SUN Microsystems’ slogan: “The Network is the Computer.” Security issues transcend the individual system so it only makes sense that security solutions must as well. Stop for a moment and think… why is it ok that other people with insecure computers can be compromised and force you the taxpayer (investigations cost for DDOS attacks etc) and you the customer (compromised accounts investigations) to eat those costs? You can’t have complete control over your car (safety and emissions standards), because you need to share the roads with the rest of us and can't just impose intolorable risks on us, why should your computer be any different?

Now, of course you can retain control over your system but rejecting this technology, but in time service providers and vendors and perhaps even ISPs will start only allowing specific trusted applications to access their services. This allows them to dramatically reduce their risks and since the technology is beneficial to most corporations (reduced security budget) and users (reduced worry) it will be more and more tolerable to utilize DRM based accesses.

I for one embrace the idea.

cheers,

catch

[rcgreen]

It's evil. Pure and simple. It represents a computing philosophy that was repudiated
thirty years ago with the introduction of personally owned computers. There's no way
we can be as productive in such an environment as we could if the bastards would
just leave things alone.

It's a classic case of a big comprehensive solution to a problem that doesn't exist.
For those who think of the PC as nothing more than a distribution medium for entertainment,
it smoothes the way for better distribution of music and movies with less unauthorized
copying. For the rest of us there are unforseen restrictions on the wonderful computing
power of our machines. No one will chronicle the story of what features will never be
developed because of this hobbling of the PC.

[halv]

What about OS developers that want access to this chip ? Will this chip be compatable to linux?

My gut instinct is no. The developers of this chip and system will proably require a nice fee to allow a 3rd party access to the protocols the chip will use. Could linux be installed on a computer with chip in it ? proably so, if it can be disabled in the bios .. or better yet a jumper on the MB (to thwart a nasty round of flash bios viri)

Could they make the protocols open source ? Or would that undermine the security that the chip is trying to enforce upon the system and user ?

this will be an interesting topic to follow.

~Halv

[rcgreen]

Could they make the protocols open source ?

Take a wild guess. This system would outlaw open source opreating systems by definition.
The system could never be implemented unless it was mandated by law.
The software companies who want this will have to bribe a lot of politicians to give them a legal
monopoly, because without a monopoly, it wouldn't function. Congress would effectively license
them to provide the protocols and they would own you.

The original design of the internet was to separate theory from practice, the abstract from the concrete,
the software from the hardware. Policy is not embedded in the hardware for lots of good reasons.
A hard drive, network card or monitor does not know anything about the abstract content
of your data. A router is not supposed to discriminate between poetry or porn, free pics of Britney
or self-published drivel.

Once you empower the hardware to distinguish between copyrighted material and free material,
you open a can of worms. Since open source does not, by nature, support secret proprietary
protocols, it would be essentially illegal to use an open source OS. This is a blatant attempt
by Microsoft to gain the total monopoly that has eluded them so far. The beauty of it is that
the Government would be giving it to them on a silver platter.

[catch]

Um rcgreen, that is two moronic responses in one thread... pace yourself.

This system would outlaw open source opreating systems by definition.

No, it wouldn't. You can run whatever you like in the untrusted ring of the system, including any open source software. Any open source software that would be considered trusted must have a viable change control system. That is the one major advantage, it keeps developers accountable, so they can't just throw together some random crap that does god knows what and ship it off to you. Ever package to be considered trusted must be clearly defined to the end user... aka no more hidden ad/spyware. Low assurance open source software is treated like any other untrusted application.
Open source operating systems are also acceptable, but again if they lack the proper change control architecture they will be delegated to the untrusted regions of the system and will gain no advantages of the TCB.

The system could never be implemented unless it was mandated by law.

This is not true either. The system not only can be implemented at anytime, other similar systems from Bodacion and WGS already exist, this will just be an attempt at a more commercially viable solution.

The software companies who want this will have to bribe a lot of politicians to give them a legal monopoly, because without a monopoly, it wouldn't function. Congress would effectively license them to provide the protocols and they would own you.

This is not only inaccurate as several companies are working in this area including the two I already mentioned, Solaris, AIX, and HP-UX are all being researched for this migration. Which of them has a monopoly?

The original design of the internet was to separate theory from practice, the abstract from the concrete, the software from the hardware.

No it isn't... have you ever even seen the OSI model?

Policy is not embedded in the hardware for lots of good reasons.

No... only one reason: Cost. Historically too expensive to develop and too modify. This system in fact doesn't have policy "embedded in the hardware" as you put it. The hardware merely maintains a key for authentication, much like a smart card. But I guess there must be lots of good reasons against those as well (and atm cards too, garage door openers, keyless entry on cars... wow the list goes on... *falls to knees* DAMN YOU EMBEDDED AUTHENTICATION INFORMATION!!! DAMN YOU TO HELL!!!)

A hard drive, network card or monitor does not know anything about the abstract content of your data. A router is not supposed to discriminate between poetry or porn, free pics of Britney or self-published drivel.

I'm not going to say your manifesto isn't interesting, but what does it have to do with the thread? All this system does is match cryptographic keys with no consideration to content. Same as a router matching signatures or a hardrive matching file headers.

Once you empower the hardware to distinguish between copyrighted material and free material, you open a can of worms.

It really warms my heart to see that you replied to this tutorial without even reading it, and just regurgitating what ever tripe The Register fed you most recently.
The hardware CANNOT differentiate between copy written material and free material, merely between trusted and untrusted. It is merely an additional layer of enforcement for the DRM protection that is ALREADY BEING USED.

Since open source does not, by nature, support secret proprietary proprietary
protocols, it would be essentially illegal to use an open source OS.

*sigh* You can use an open source OS all you like, you just won't be able to access DRM controlled material. You can still watch all your pirated movies and listen to all your non-protected mp3 files. You can still run all your open source applications.

Seriously, lose the paranoia.

It's evil. Pure and simple. It represents a computing philosophy that was repudiated thirty years ago with the introduction of personally owned computers. There's no way we can be as productive in such an environment as we could if the bastards would just leave things alone.

Wow, here you do everything from making a value judgment on a technology to stating that the best thing from computing is a lack of progress.
How... exactly does this system effect your productivity? What part of curbing DDOS attacks, wide spread virus attacks, and application level insecurities hurts your productivity?

halv, I addressed your questions above.

cheers,

catch

[Agent_Steal]

Catch could you post some links where I could read more about this.

Thanks.

[lumpyporridge]

TCG (formerly known as TCPA) is good and open source is already using it. Trusted gentoo is going and here is a clarification on tcg/drm...... by IBM http://www.research.ibm.com/gsal/tcpa/tcpa_rebuttal.pdf (this paper wins the most acronyms in 7 pages i have ever seen award)

[jinxy]

Agent_Steal

https://www.trustedcomputinggroup.org/home

Should point you in the right direction.

[rcgreen]

Um rcgreen, that is two moronic responses in one thread... pace yourself.

I have plenty more, don't worry.