TCPA and Palladium (page 7 of 12)
Contrast this with a smartcard OS or another closed system: security is higher in closed systems.
Nightmare Scenarios
“The hackers are standing on a pile of bricks spray-painting glass windows. They
haven’t yet discovered the bricks.”
Although there have been damaging viruses in the past, viruses can do far more damage than they
have so far been shown to do. Imagine a virus/Trojan that does something worse than a denial of
service attack:
• Trades a random stock
• Posts tax records to a newsgroup
• Orders a random book from Amazon
• Grabs user names/passwords for the host and for websites and posts them to a newsgroup
• Posts personal documents to a newsgroup
7 Architecture
Palladium at 50,000 ft

                 Standard (left side)     Trusted (right side)
  User           Applications             Agents
  Kernel         OS                       Nexus
Concern: Because one of the priorities of the current Windows OS is plug and play, there is a
concern that the kernel can be corrupted by a plug-in (e.g., a trojaned driver). So the question
is: how do you preserve the flexibility and extensibility of pluggable kernel modules while still
providing security?
Solution: Subdivide the execution environment by adding a new mode flag to the CPU. The CPU is
either in standard mode or in trusted mode. Pages of physical memory can be marked as "trusted",
and trusted pages can only be accessed while the CPU is in trusted mode.
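To make the mode-flag rule concrete, here is a small added model of the check described above. It is example code written for this page, not Palladium's or Microsoft's design: the machine layout, the function names (mem_read, mem_write, set_page_trusted, demo_standard_side_blocked) and the page/offset sizes are all assumptions. Two modelling choices go slightly beyond the text: trusted mode is allowed to touch untrusted pages (the nexus has to service the standard side), and only trusted mode may change a page's trusted bit, since otherwise a trojaned driver on the standard side could simply clear it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (added example): one CPU mode bit plus one
 * "trusted" bit per physical page. Sizes are arbitrary. */
enum cpu_mode { MODE_STANDARD = 0, MODE_TRUSTED = 1 };

#define NPAGES    8
#define PAGE_SIZE 16

struct machine {
    enum cpu_mode mode;
    bool trusted_page[NPAGES];          /* per-physical-page trusted bit */
    uint8_t mem[NPAGES][PAGE_SIZE];
};

void machine_init(struct machine *m)
{
    memset(m, 0, sizeof *m);            /* standard mode, no trusted pages */
}

/* The single rule of the model: a trusted page is reachable only while the
 * CPU is in trusted mode; untrusted pages are reachable from either mode
 * (assumption: the nexus must be able to service the standard side). */
static bool access_allowed(const struct machine *m, size_t page)
{
    if (page >= NPAGES) return false;
    if (m->trusted_page[page] && m->mode != MODE_TRUSTED) return false;
    return true;
}

/* Returns 0 on success, -1 on a fault (access denied or out of range). */
int mem_write(struct machine *m, size_t page, size_t off, uint8_t v)
{
    if (off >= PAGE_SIZE || !access_allowed(m, page)) return -1;
    m->mem[page][off] = v;
    return 0;
}

/* Returns 0 and fills *out on success; -1 and leaves *out untouched on a fault. */
int mem_read(const struct machine *m, size_t page, size_t off, uint8_t *out)
{
    if (off >= PAGE_SIZE || !access_allowed(m, page)) return -1;
    *out = m->mem[page][off];
    return 0;
}

/* Only trusted mode may flip the trusted bit (assumption); otherwise the
 * standard side could declassify a page and read it. */
int set_page_trusted(struct machine *m, size_t page, bool trusted)
{
    if (page >= NPAGES || m->mode != MODE_TRUSTED) return -1;
    m->trusted_page[page] = trusted;
    return 0;
}

/* Scenario: the nexus (trusted mode) stores an agent secret in page 3, then a
 * standard-side driver tries to read it, tries to strip the trusted bit, and
 * finally writes an ordinary page. Returns 1 if the model behaved as
 * intended, 0 if an access that should have faulted went through, -1 on
 * setup failure. */
int demo_standard_side_blocked(void)
{
    struct machine m;
    machine_init(&m);

    m.mode = MODE_TRUSTED;
    if (set_page_trusted(&m, 3, true) != 0) return -1;
    if (mem_write(&m, 3, 0, 0x42) != 0) return -1;

    m.mode = MODE_STANDARD;
    uint8_t leaked = 0;
    int r_read  = mem_read(&m, 3, 0, &leaked);        /* must fault */
    int r_flip  = set_page_trusted(&m, 3, false);      /* must fault */
    int r_plain = mem_write(&m, 0, 0, 0x11);           /* ordinary page: fine */

    return (r_read == -1 && r_flip == -1 && r_plain == 0 && leaked == 0) ? 1 : 0;
}

int main(void)
{
    printf("standard side blocked from trusted page: %s\n",
           demo_standard_side_blocked() == 1 ? "yes" : "NO");
    return 0;
}
```

The point the model makes is that the check sits on physical pages and the CPU mode, not on any kernel data structure: a driver loaded into the standard-side kernel runs in standard mode and so cannot reach the trusted pages no matter how privileged it is on its own side.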
Thus the execution environment is divided into the standard environment (left side) and the
trusted environment (right side). The right side has to run without disrupting the left side,
since we don't want to break anything that currently runs.
The trusted-side counterparts of the OS and the applications are the nexus and the agents. The
nexus (a.k.a. the trusted operating root (TOR), or the "nub") is a security kernel. Agents are
user programs running in the secured environment. Since agents need to let the user enter secrets
and display secrets to the user, trusted I/O is also needed.