Larry Osterman's WebLog

Confessions of an Old Fogey

Why is Control-Alt-Delete the secure attention sequence (SAS)?


When we were designing NT 3.1, one of the issues that came up fairly early was the secure attention sequence - we needed to have a keystroke sequence that couldn't be intercepted by any application.

So the security architect for NT (Jim Kelly) went looking for a keystroke sequence he could use.

 

It turned out that the only keystroke combination that wasn't already being used by a shipping application was control-alt-del, because that was used to reboot the computer.

And thus was born the Control-Alt-Del to log in.

I've got to say that the first time that the logon dialog went into the system, I pressed it with a fair amount of trepidation - I'd been well trained that C-A-D rebooted the computer and....

 

  • The first time I saw NT 3.5, I thought someone had customised the logon screen as a joke, sort of like those people on IRC who tell you to press ALT-F4 to fix a problem.
  • I thought the Alt-Ctrl-Del was "invented" by an IBM-er?
  • Out of interest, who was responsible for making the BSOD blue? Why is it still blue?
  • > It turned out that the only keystroke
    > combination that wasn't already being
    > used by a shipping application was
    > control-alt-del,

    Fine, that makes it a reasonable choice for some purposes. But let's back up and see what the purpose was?

    > So the security architect for NT (Jim Kelly)
    > went looking for a keystroke sequence he
    > could use.

    From where comes the inference that the then-absence of other uses makes it secure? I'm perfectly willing to believe that some of the games that I've played weren't shipping yet when NT 3.1 was designed, but that sequence of historical events doesn't stop the games from gobbling up ctrl-alt-delete. Surely any writer of Trojan-style fake login screens or other stuff could also eat the same ctrl-alt-delete and display whatever they want?
  • A Shipping Application? From MS? If it wasn't from MS, why did you guys care if it was used? Why not CTRL-ALT-SPACE? Who was using that? DEL is so far away from CTRL-ALT.
  • Yeah, an IBM guy came up with CTRL-ALT-DEL as the reboot sequence. But we coopted it because no existing application was using it.

    No existing DOS application would use CTRL-ALT-DEL in the application because of the rather obvious problems it would introduce (users expected that C-A-D would reboot the machine, and if it didn't reboot the machine, they would be upset).

    Sushant,
    You're new here, aren't you? You've never read my blog or Raymond Chen's (http://weblogs.asp.net/oldnewthing) blog and seen the herculean efforts that Microsoft expends to ensure that apps continue to work on our platforms. Here's a hint: With very, very few exceptions, Windows doesn't break apps across platform upgrades.

    Some app used CTRL-ALT-SPACE for something - I don't know which app, but it was used. So were all the other CTRL-ALT combinations, and the CTRL-ALT-SHIFT, etc.

    Mr. Blobby, actually, I believe it's because a lot of developers (myself included) find looking at white text on a blue background to be highly readable, so when it came time to pick a color scheme, that's what came out. I know others find black text on a white background to be cool, but...
  • Hi Larry. Thanks for responding. While I do recognize the effort that MS goes to in order to allow backward compatibility, as a designer, does this come at a cost of an effective or efficient design? What makes a designer say, let's keep with the old because apps depend on it, versus, let's create a design that will most likely be used by millions of people maybe every day (I guess hindsight is always 20/20) :-) But I hope you see that I'm not trying to belittle your efforts, just trying to understand what an experienced developer would say.
  • Hi Larry. Thanks for responding. While I do recognize the effort that MS goes to in order to allow backward compatibility, as a designer, does this come at a cost of an effective or efficient design? What makes a designer say, let's keep with the old because apps depend on it, versus, let's create a design that will most likely be used by millions of people maybe every day (I guess hindsight is always 20/20) :-) But I hope you see that I'm not trying to belittle your efforts, just trying to understand what an experienced developer would say.
  • Sorry, I think I hit the button twice in a row. Didn't mean to.
  • By the way, BSOD colors can be changed somewhere in the registry... At least on Win 9x it was so.
  • Sushant

    Windows gives the key to the application, not vice versa. Any key is as good as any other. But MS chose it as the one key they could refuse to pass on to applications.

    Larry and others

    My blue colour gun went and I didn't notice (your eyes adapt) and I was convinced that one change in Win 2000 was black screen crashes. I thought Microsoft's Marketing was up to no good trying to eradicate the phrase blue screen from the language. I felt stupid when I bought a new monitor.
  • Sushant,
    The simple answer is that it's irrelevant whether it comes at a cost of an effective or efficient design.

    The reality is that Windows is a platform for running applications. If the applications stop running (because we made the platform "more efficient"), then people will stop using the platform.

    So compatibility is job 1. If a redesign can't be done without ensuring compatibility, then the new design needs to change. I personally think of it as an "opportunity to excel"
  • "From where comes the inference that the then-absence of other uses makes it secure?"

    No such inference was drawn. The security does not derive from its prior non-use.

    What makes it secure is that the OS traps this key sequence in a way that makes it impossible for anything not in the Trusted Computing Base to handle it.

    That part, the part that makes it secure, is orthogonal to the choice of which particular key sequence they chose to trap in this way. They could have chosen anything. For example, they could have used, say, Ctrl-SysRq. Arguably that would have made sense of the fact that that key had had SysRq printed on it for no obvious reason all these years.

    But if they had done that, this would have prevented applications that actually did something with that key sequence from working. If backwards compatibility is a goal (and it was) then Ctrl-SysRq is no better than choosing, say, the E key as the sequence...

    They had to choose a key sequence that wasn't already in use if they were to avoid breaking existing applications. Since Ctrl-Alt-Del had been the reboot sequence since the dawn of time, arguably no sane development team would choose to use it to do anything important. Which of course is exactly what the NT team promptly did. ;-) (For the benefit of the irony-impaired, who seem to be particularly active in blog comments, I'd like to point out that that last sentence was in jest.)

    Once they had chosen the key sequence, the thing that made that choice secure was the implementation of their decision to secure it.
  • Larry, I think I understand the design philosophy a bit better now that you have elaborated. I think that Apple does give different weightings to compatibility vs effective or efficient design vs MS. From my little experience with Apple's products, backward compatibility isn't really a priority. Would you agree? Is that why their products weren't able to capture the market as well as MS in the early days?
  • I thought the point was that only C-A-D generates a hardware interrupt that the OS can trap. Something else like ctrl-alt-space would not generate such an interrupt and so a trojan could fake the login screen.

    Is this not correct?