The Trusted PC: Skin-Deep Security

T he rapid growth of the World Wide Web and advances in networking technology have made it more important than ever to secure personal computers and operating systems. Individual users as well as enterprises need to know that the systems they are using will not divulge personal or copyrighted information to hackers or accept viruses, worms, Trojan horses, or unsolicited e-mail that can slow or damage systems. To address this problem, a consortium led by Intel formed the Trusted Computing Platform Alliance Cofounder Microsoft recently announced Palladium, a parallel implementation of the trusted PC that may be available next year. Unfortunately, the TCPA approaches generally, and Microsoft's in particular, offer a robust solution against software but not hardware attacks. This weakness is a design tradeoff based on the assumption that mounting a hardware attack is too costly for individuals. However, a study of Microsoft's Xbox gaming console implements security techniques parallel to those proposed for Palladium, indicates just how easy it can be for an end user to penetrate PC hardware. The Xbox is essentially a PC with small hardware enhancements that nominally make it impossible to access and modify the console's kernel via a software-only attack. However, once the cover is off the console, extracting the key and algorithm to decrypt the kernel is a fairly straightforward task. A read-only memory chip in the southbridge application-specific integrated circuit stores the core crypto routines that protect the Xbox. The electrical and protocol details of the high-speed internal bus that transmits these routines to the CPU are easily inferred by comparing the console's hardware to well-documented PC hardware and the HyperTransport bus standard (http://www.hypertransport.org). Observing traffic on this bus provides the information necessary to decrypt and encrypt kernel images. I custom-built the equipment required in less than three weeks for about US$50; you could also rent a piece of stock test equipment capable of extracting data from the bus for less than US$500 per month. The hardware's power-on initializa-tion procedures contain other back doors, which let users indirectly obtain the kernel plaintext as well as gain control of the console's program counter. These weaknesses make it possible to leverage the Xbox's test points and diagnostic ports to implement cheap hardware attacks. They also underline the challenge of securing a platform designed to be open and user-serviceable , with little concern for hardware security. Palladium and other TCPA-compliant platforms employ a technique …