Friday, February 2, 2007

Computer Security: Trusted Computing Initiative Sets You As Your Own Computer Worst Threat - Protection Or Menace?

Sponsored Links

Trusted computing is a set of open specifications based on the idea that computer security can be achieved by implementing a particular microchip (called Trusted Platform Module), whose task is to allow users to install and utilize only "trusted" software (which is software that has been previously recognized and approved by the computer manufacturer).

Photo credit: Benjamin Stephan and Lutz Vogel

This concept has been developed in the past few years by the Trusted Computing Group and among its promoters there are major information technology companies such as Microsoft, Intel, IBM and Sun Microsystems Inc.

Despite the premises of the Trusted Computing Group, many critics - including academics, security experts and creators of free and open source software - contend that the overall effect (and perhaps ultimate intent) of trusted computing is to impose unreasonable restrictions on how people can use their computers.

Trusted computing has in fact become subject of multiple discussions, mostly related to the fact that in the TCG's vision it is the computer manufacturer that decides which software can be installed on the computer and which one must be considered a threat to security.

But which is the authority that decides what is secure and what's not? And according to which parameters?

How would you feel if I was to tell you that according to the TCG the real enemy to guard oneself against, when it comes to your computer security, is the computer owner herself?

Not very comforting I guess...

But that is indeed the Trusted Computing vision. At its core is the firm idea that the real enemy of computer security is - the user himself.

Photo credit: Benjamin Stephan and Lutz Vogel

Trusted computing stated goal is to make personal computers more secure through the use of dedicated hardware that monitors user's access to programs and only lets them use software that is considered "trustworthy".

Up until now, the end user could have literally installed whatever program suited her desires or needs, without having to deal with any restrictions - except for compatibility and other core demands set out by your operating system requirements.

But if trusted computing was going to be used in real-life scenarios, this might not be valid for much longer.

Before getting alarmed, let me review step-by-step what exactly trusted computing does and for which reasons.

Microsoft - one of the founders of the TCG - released some information about the trusted computing architecture, dividing all changes it has designed for a trusted computing experience into four groups, all of which require new hardware to be added to today's PCs.

Let me recap these items here for you:

Memory curtaining

Memory curtaining refers to the isolation of PC's memory to prevent programs from being able to read or write one another's memory. Today, a virus or malicious code can often read or alter data in a PC's memory. In the trusted computing design, even the operating system should not have access to curtained memory, so that a virus or hacker who gains control of the operating system would not be able to interfere with programs' secure memory.

Secure I/O

Secure input and output, or secure I/O, aims to defeat the threats posed by keyloggers and screen-grabbers, which are programs used by hackers to spy on computer users' activities. A keylogger records whatever you type on your keyboard, and a screen-grabber records what's displayed on the screen. With secure I/O, no other software running on the same PC will be able to find out what the user typed, or how the application responded. At the same time, secure I/O will allow programs to determine whether their input is provided by a physically present user, as distinct from another program impersonating a user.

Sealed storage

Sealed storage addresses the inability of a PC to securely store passwords. Usually, the passwords that protect private documents or accounts are stored on the computer's hard drive, together with the documents themselves. This procedure can be compared to leaving the combination to a safe in the same room with the safe itself. Hackers who enter a computer can frequently copy passwords from that computer's hard drive.

Sealed storage is an invention that generates passwords based in part on the identity of the software requesting to use them and in part on the identity of the computer on which that software is running.
If a program different from the program that originally encrypted, or "sealed", private data should attempt to decrypt, or "unseal", that data, the attempt is guaranteed to fail.

Remote attestation

Remote attestation is the most interesting of the four major feature groups described by Microsoft and it aims to allow "unauthorized" changes to software to be detected. If an hacker has replaced one of your applications, or a part of your operating system with a maliciously altered version, you should be able to tell.

Because the evidence is "remote", others with whom you interact should be able to know that, so that they can avoid sending data to a compromised computer.

While remote attestation is obviously useful, the current TCG approach fails to distinguish between applications that protect computer owners against attack and applications that protect a computer against its owner. In fact, the computer's owner is sometimes treated as an enemy who must be prevented from altering the computer's software.

Misconceptions about Trusted Computing

Video about Trusted Computing created by Benjamin Stephan and Lutz Vogel

At this point, you might wonder whether trusted computing PCs would really be able to run existing software.

While it is possible for manufacturers to build PCs incapable of running particular code, nothing in the TCG specifications insists on this. More importantly, the trusted computing architecture security model does not require insecure or undesirable software to be prevented from running. The trusted computing security model instead concentrates on preventing running applications from interfering with one another.

Only a rough security model would require prohibiting "bad" software running on a computer, and the NGSCB model does not do that.

In addition, that approach would require determining which software is "bad", which would truly be a discouraging task. Some proprietary systems assume that all software not signed by a recognized authority is "bad", but users insist on being able to use software without the prior approval of some authority.

The problem

Although trusted computing hardware seems to provide security benefits, it has been received skeptically and remains controversial. Some of the controversy deserves great attention, since trusted computing systems fundamentally alter trust relationships between the user and the computer manufacturer.

Security design necessarily includes specifying what has to be considered a threat for the PC and the most fundamental concern is that trusted computing systems are being designed to support threat models in which the owner of a "trusted" computer is considered a threat.

Attestation is appropriate for preventing the software on a computer from being changed without the knowledge of the computer's owner (for instance, by a virus). Unfortunately, the attestation model in TCG's current design can equally prevent the software on a computer from being changed by the computer owner with his or her full knowledge and consent.

Third parties currently cannot tell what software you are using and they have no reliable way to force you to use the software of their choice. This is almost always a benefit for computer owners (and not a bug that has to be eliminated), since it improves competition and owners' ability to control their computers.

Possible consequences of Trusted Computing

Let me now take into consideration a few examples of how the attestation approach promoted by trusted computing can compromise interoperability or be used against computer owners.

I will refer here to the research conducted by Seth Schoen, a technologist for the Electronic Frontiers Foundation (a technology civil rights organisation that is particularly concerned with the implementation of trusted computing).

On the Web

A web site could demand a software attestation from people wishing to read it. If they declined to provide an attestation, the site would refuse to deal with them at all; if the attestation showed that they were using "unapproved" software, the site would likewise decline to interact with them. Only those who could produce a digital certificate proving that their computers' software was satisfactory to the remote site would be permitted to use it.

In a well known case, MSN, the Microsoft Network, refused to serve web pages to non-Microsoft browsers. In the meantime, users of competitive products were able to fool MSN into thinking they were running Internet Explorer. This would be impossible in an environment of routine NGSCB-style remote attestations.

Many sites arbitrarily prevent the use of disfavored software - they say - for security reasons.

Indeed, their reasons may be entirely different. In some cases, a site operator wants to force you to use a particular program in order to subject you to advertising.

Software interoperability

Software interoperability is also at risk. If a user has data stored inside a proprietary system, and the system communicates only with client software written by the proprietary system's publisher, it may be extremely hard for the user to move his or her data to a new software system. When the new system tries to communicate with the old system in order to extract the data, the old system may refuse to respond.

Similarly, instant messaging (IM) services have frequently tried to lock out their competitors' clients and, in some cases, free/open source IM clients. An attestation mechanism would be a powerful tool for limiting competition and interoperability in IM services.

Digital Rights Management

Many people have speculated that trusted computing technology is a way of bringing digital rights management (DRM) technology to the PC platform. However, trusted computing developers deny that DRM is the main focus of their efforts, and trusted computing is useful for many applications besides DRM.

Among the elements characterizing trusted computing, remote attestation is the key player of DRM policy enforcement. If a remote system lacks reliable knowledge of your software environment, it can never have confidence that your software will enforce policies against you.

Other consumer-unfriendly software behaviors which can be implemented by means of attestation, combined with sealed storage, include preventing a program or a file from being transferred from one computer to another, forcing software upgrades or downgrades, and enabling some spyware.

The real enemy: YOU - the computer owner

One thing is sure: the current version of remote attestation facilitates the enforcement of policies against the wishes of computer owners.

If the software you use is written with that goal in mind, the trusted computing architecture will not only protect data against intruders and viruses, but also against you. In effect, YOU, the computer owner, are treated as an enemy.

If you give an attestation to a service provider who wants to help you detect unauthorized modifications to your computer, attestation benefits you. If you're required to give an attestation to someone who aims to forbid you from using the software of your choice, attestation harms you.

In an ideal situation, it is the computer owner, YOU - and not a third party - that should be able to decide whether the information or software you have acquired from a third party is accurate and trustable. Only in this way you can be sure that the attestation capability will not be used in a way contrary to YOUR interests, as a computer owner.

Suggested solutions

The lack of owner control on the content of attestations is the central problem with the current trusted computing proposals.

A simple measure conceived by Seth Schoen and called "Owner Override" could fix the problem by restoring third-parties' inability to know precisely what software you're running - unless you decide you would be better off if they knew.

Currently, attestation tells remote parties whether the software on your computer has been changed. Attestation plus Owner Override would let remote parties know if the software on your computer has been changed without your knowledge.

Owner Override fixes trusted computing so that it protects the computer owner and authorized users against attacks, without limiting the computer owner's authority to decide precisely which policies should be enforced.

However, the Trusted Computing Group members have refused to implement Owner Override and proponents of trusted computing believe that Owner Override defeats effective trust detection in other computers, since remote attestation could be forged by the owner.

Conclusions

Trusted computing represents an important stage of security research, whose aim is to find a way to prevent computers from threats and privacy violations.

Like all solutions designed to accomplish the goal of providing greater security, trusted computing risks to become a new form of control and thus a threat itself to the freedom of those computer owners that trusted computing would be claiming to protect.

The voice of many authoritative critics, such as the "father" of open source software Richard Stallman, synthesizes the apprehension of the critical mass of computer users, who are afraid to lose control over their own machines because of a strategic corporate agreement that might stand behind the concept of trusted computing.

Ultimately, the real menace that trusted computing wants to prevent seems to be nothing but the computer owner himself, because of her power to choose which software suits his needs without relaying on third party suggestions.

Do you want to keep choosing or do you prefer to hand over this ability to a TGC chip in the name of greater security on your computer network?

To you the final decision.

References