Intel to include DRM in new Pentium 4 series processors

Brian Gladman Brian Gladman" <brg at gladman.plus.com
Sun, 15 Sep 2002 16:04:17 +0800 

From: "David Wagner" <daw@mozart.cs.berkeley.edu>
Newsgroups: isaac.lists.ukcrypto
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Sunday, September 15, 2002 6:34 AM
Subject: Re: Intel to include DRM in new Pentium 4 series processors

[snip]
> I'm arguing that we should view this as a risk management problem.
> There are lots of possible attacks, but not all are equally probable,
> and not all deserve equal attention.

Ok we agree here that this is about risk managment.

But whether an attack should be eliminated is not just down to its
probability of occurence but also depends on the seriousness of the result.
BIOS attacks are rarely detetcted and very often stay in place for the life
of a machine so they may not be frequent but they are serious when they
occur.

It is also perfectly logical to solve an attack that is lower in a list of
priorities when it can be solved even if there are ones higher up that
cannot.

> I rank the risks by their probabilities of occurrence and their impact
> if they do occur.  I claim that the risk from "insecure boot" attacks
> is orders of magnitude smaller than the risk from buffer overruns and
> the like.  For typical users, they are a much rarer form of attack, and
> the impact may not be much greater than the impact of buffer overruns
> and the like.
>
> If my claim is accurate, then "insecure boot" attacks are in the noise.
> Even if we have a perfect fix for "insecure boot" attacks, it will make
> only a very small difference to the total risk.  And from Amdahl's law,
> we know that, all else being equal, it is better to focus our energies
> on the terms that make the largest contribution to the total risk,
> not the marginal stuff.

They are only in the noise on average. For some users (including myself)
they are very definitely above noise level.  And I don't think it makes
sense to rank attacks on average probabilities in the way you are doing
because the ranking depends very much on the threat model and can this can
change rankings on particular forms of attack by many orders of magnitude.

In a network of computers some systems impact on the security and integrity
of the whole system in a major way and an undetectable, long life entry
point on just one such system can compromise the whole system.   By strictly
limiting the OS and application functionality on such systems and by using
secure boot and code metrics the assurance of thier correct operation can be
significantly increased.

> Sure, attacks are possible.  I'm not sure whether TCPA has value in
> defending against them (what's wrong with booting off of a floppy or
> CD-ROM?), but for the sake of this discussion, I'll accept for the moment
> that TCPA may provide an effective defense.  But that's not enough for
> TCPA to provide an order of magnitude improvement in security.

This is not what I said.  I said that the _combination_ of Free/Open Source
software with secure boot and code metrics provided for this.  And in a
subsequent post I clarified what I meant by 'order of magnitude'.

And I have explained in other posts some of the reasons why booting off a CD
or a floppy does not stop BIOS attacks.

I suspect that we are going to have to agree to disagree on this since I am
not sure that I can add much to what I have said here and in other posts.

   Brian