Microsoft to reveal Palladium source code

The software giant plans to release the source code to a key Palladium component to help foster trust, despite a history of arguing that doing so would hurt security.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Microsoft, long a proponent of keeping source code secret, plans to publish the source code to a critical part of its Palladium project to enhance security, a representative of the software giant said Monday.

The component--some thousands of lines of source code--is the basic foundation of the security proposed in Microsoft's project and, as such, is the linchpin for the software giant's trusted-computing platform.

"We will be publishing the source code because people will need to trust this," said Mario Juarez, group product manager for the Palladium project at Microsoft. "To get people to believe in what is happening in that little piece of code is critical."

On Monday, Microsoft took the wraps off its project, code-named Palladium, to design new hardware and software that could better guarantee the security of user data and let companies control data that they "own" while on a consumer's PC.

However, as part of the public push for acceptance of its technology, Microsoft plans to release the source code to the guts of the software component, called the "secure processing environment."

In the past, Microsoft has argued that opening such critical code could undermine security. But Juarez doesn't think so. "Not at all," he said. "In fact, it enhances the security of the code. The RSA (encryption) algorithm was published at the outset; that's why it's trusted today."

That admission could undermine the company's repeated claims that opening the Windows source code would hurt the security of the company's flagship operating system. The company has used the assertions to fight against potential antitrust penalties that would require it to show competitors pieces--or all--of its code.

During testimony in the antitrust case against Microsoft, Jim Allchin, senior vice president for Windows, said that any remedy that required the company to reveal the operating system's source code would strengthen hackers' and virus writers' ability to circumvent protections.

"The more creators of viruses know about how antivirus mechanisms in Windows operating systems work, the easier it will be to create viruses or disable or destroy those mechanisms," Allchin testified.

Programs that are published under open-source tenets allow anyone to look at the software's source code. Unlike, say, Microsoft Windows XP, which only comes packaged as extremely difficult-to-understand binary code, an open-source program lets people copy or modify code to include improvements--as long as the new code is republished.

The open-source software community and closed-source advocates have long argued that their own development process leads to better security. Both sides, however, have had major breaches in security. Microsoft's Web server had an easily exploitable hole that led to the Code Red worm epidemic almost a year ago. Linux and other Unix-like systems had a major flaw in the WU-FTP server, a popular program for hosting files for downloading. That flaw allowed numerous hackers and some worms to break into unpatched servers.

A recent research paper argued that open-source and closed-source software had essentially the same security.

While Microsoft's Juarez doesn't promise that the source code to the secure processing environment will be open source, he did say that it will be published.

Bruce Perens, an open-source evangelist and creator of the open-source definition, said that Microsoft does seem to be contradicting its prior statements.

"I think what Microsoft is admitting is that it can disclose the source code to the whole world, and not necessarily hurt the security of the program," he said.