Palladium

[Peter Clay]

I've been trying to figure out whether the following attack will be
feasible in a Pd system, and what would have to be incorporated to prevent
against it.

Alice runs "trusted" application T on her computer. This is some sort of
media application, which acts on encoded data streamed over the
internet. Mallory persuades Alice to stream data which causes a buffer
overrun in T. The malicious code, running with all of T's privileges:

- abducts choice valuable data protected by T (e.g. individual book keys
for ebooks)
- builds its own vault with its own key
- installs a modified version of T, V, in that vault with access to the
valuable data
- trashes T's vault

The viral application V is then in an interesting position. Alice has two
choices:

- nuke V and lose all her data (possibly including all backups, depending
on how backup of vaults works)
- allow V to act freely

I haven't seen enough detail yet to be able to flesh this out, but it does
highlight some areas of concern:

- how do users back up vaults?
- there really needs to be a master override to deal with misbehaving
trusted apps.

Pete
-- 
Peter Clay                                         | Campaign for   _  _| .__
                                                   | Digital       /  / | |
                                                   | Rights!       \_ \_| |
                                                   | http://uk.eurorights.org


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com