BetaONE will rise again!
#1 - 7th Oct 02, 10:46 PM
FreeUS (Senior Member, Join Date: Nov 2001, Posts: 634)
By Jon Lasser (author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.)

While open-source software's reputation for security has taken a hit lately, Microsoft's
Palladium presents itself as an opportunity to improve security by eliminating entire classes
of potential exploits. However, Palladium cannot protect us from most security threats --
and its aim may be to eliminate open source software on commodity hardware.

Nobody disputes that buffer overflows and similar attacks have been one of the most
persistent sources of serious security problems in recent years. This class of attacks, in
which particular input can cause the application to crash and subsequently execute the
attacker's code, is at the heart of the recent OpenSSH and Apache vulnerabilities, among
many others, including a number of IIS exploits.

Palladium might provide substantial security against these attacks, because it will require
that all code be digitally signed before it can run. This will be enforced at the hardware
level, to reduce the likelihood of serious implementation bugs. This model could plausibly
eliminate attacks whereby low-level code might be erroneously executed by a privileged
application.

It is also worth noting that a hodgepodge of existing techniques, including Immunix's
StackGuard and FormatGuard, can be used with open-source operating systems to
protect us from many of these attacks. It's because these technologies are woefully
underused that so many systems remain vulnerable to buffer overflow attacks.

A Fake Fix
Palladium may seem a tempting proposition following the recent Apache and OpenSSH
vulnerabilities. At this moment, the overall perception is that open-source software
packages are very vulnerable to these attacks. While I believe that this perception is
by-and-large unfounded, recent history can and will be used to strongly argue against the
security of open-source code.

Furthermore, as noted by Nicholas C. Weaver in Peter Neumann's excellent RISKS
Digest, volume 22, issue 15, the time between the release of an exploit and the release of a
worm based on that exploit has shrunk dramatically over the last two years. Mr. Weaver
also cites the present availability of a body of source code for worms that include active
scanning for vulnerable sites and subsequent insertion of a backdoor into compromised
systems. He suggests that worm creation kits might make it nearly as easy to release a
worm as a basic exploit for a vulnerability.

The release of a number of previously-unknown exploits via a worm, especially for
software as widely implemented as Apache or OpenSSH, would be devastating: the results
would be as dramatic as any other security problem we've seen to date, and could be a lot
worse, especially if the worm was designed to destroy data. The credibility of
open-source code would be damaged even further, despite the history of worms that exploit
similar vulnerabilities on Windows IIS servers.

Enter Palladium: Microsoft and its partners claim that their new security architecture can
protect our systems. But it also presents a grave risk to our very ability to run open-source
software on commodity hardware.

The definitive attacks on the technology have come via Robert X. Cringely and Ross
Anderson. But both agree that Palladium will allow only authorized code to run on systems
equipped with compliant hardware.

While this sounds like a good thing, its real purpose seems to be to protect content
providers, to permit Microsoft to enforce draconian licensing schemes, and quite possibly
to allow Microsoft to act as gatekeeper for all PC software, allowing them to collect
royalties on that software as though those systems were nothing more than video game
consoles.

Linux on a Leash
Unless Microsoft signs a particular Linux kernel, for example, it will almost certainly refuse
to run on Palladium-equipped hardware. If a developer releases an open-source package
for a Palladium-approved operating system, it will not run unless the binary has been
signed. Because not every user will be able to sign binaries, end-users' ability to rebuild
software from source may be eliminated entirely.

To top it all off, Palladium is unlikely to protect users from most exploits. There are a great
number of attacks that can be executed within applications, as those applications have such
power and reach. Microsoft Outlook viruses can continue to spread, as can other macro
viruses. The cmd.exe execution vulnerability on IIS Web servers executes only trusted
code -- but it does so in response to a Web request from an attacker.

From what I've seen, I don't think that Palladium can block any of these attacks, or most
other application-layer attacks. While buffer overflows allow users to execute arbitrary
code on systems, application attacks execute only approved code but nevertheless
produce undesirable results. Those results can be every bit as serious as the buffer
overflows that Palladium would eliminate.

In the end, hardware that does not enable Palladium to function will continue to be
available -- but it will not be the consumer-grade hardware on which most open-source
operating systems currently run. Open-source fanatics will be able to run Linux or NetBSD
on Sun hardware, for example, but not on the substantially less expensive PC platform.

Open-source appears vulnerable at present, due to a serious episode of bad timing. While
Palladium promises to eliminate buffer overflows, in doing so it may eliminate all
open-source as well. Worse still, it will fail to protect users from serious security risks. For
these reasons, I oppose Palladium completely. I will buy neither compliant hardware nor
compliant software should they become available. I encourage all of my readers to read the
above links, to understand what they are saying, and to stand firm against Palladium.
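The post contrasts hardware-enforced code signing with host-level mitigations such as Immunix's StackGuard. The following is an added illustration, not code from Lasser's article or from StackGuard itself: it models a StackGuard-style canary placed after a fixed buffer in a constructed byte array (so the overrun stays within defined memory), shows how an unbounded copy overwrites the guard word and is detected before the function returns, and places a bounded copy beside it that rejects oversized input outright. Function names and the canary value are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define CANARY   0xDEADBEEFu   /* assumed constant guard value (real guards are random) */

/* Constructed model of a stack frame: a buffer immediately followed by a guard
 * word. The frame is one byte array, so an "overrun" of buf lands in the guard
 * region rather than in undefined memory. */
#define FRAME_SIZE (BUF_SIZE + sizeof(uint32_t))

/* Vulnerable pattern: copies input into a BUF_SIZE buffer with no length check.
 * Returns 1 if the guard survived (no overflow), 0 if it was clobbered, i.e. the
 * overflow was detected before control would return to a possibly corrupted frame. */
int guarded_copy(const char *input)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t guard = CANARY, seen;
    memcpy(frame + BUF_SIZE, &guard, sizeof guard);   /* plant the canary */

    /* strcpy-like copy: length comes from the attacker-controlled string.
     * The frame boundary clamp only keeps the model within defined memory. */
    size_t n = strlen(input) + 1;
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame, input, n);

    memcpy(&seen, frame + BUF_SIZE, sizeof seen);     /* StackGuard-style check */
    return seen == CANARY;
}

/* Hardened pattern: refuse input that does not fit, never truncate silently.
 * Returns 0 on success, -1 if the input would overflow out. */
int bounded_copy(const char *input, char *out, size_t outsz)
{
    size_t len = strlen(input);
    if (len + 1 > outsz) return -1;
    memcpy(out, input, len + 1);
    return 0;
}

int main(void)
{
    char out[BUF_SIZE];
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* constructed, 32 bytes */
    printf("short input: guard intact=%d\n", guarded_copy("hello"));
    printf("long input:  guard intact=%d\n", guarded_copy(long_input));
    printf("bounded copy of long input: %d\n", bounded_copy(long_input, out, sizeof out));
    return 0;
}
```

A real canary is randomised per process and sits in the actual stack frame; the point here is only that detecting the overwrite before return stops the corrupted frame from being used, while the bounded version removes the bug class entirely.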