Next-Generation Secure Computing Base
The "Next-Generation Secure Computing Base" (NGSCB), formerly known as Palladium (Pd), is Microsoft's new trusted computing architecture. (The name was changed in 2003. Microsoft claimed it was because a book publisher of the same name wouldn't allow them to use "Palladium"; critics charge that the change was a reaction to the negative publicity surrounding the Palladium operating system.)
NGSCB makes heavy use of the so-called Fritz-chip, a secure cryptographic coprocessor.
Under Palladium, the Microsoft operating system, working with a secure cryptoprocessor embedded in the PC, will create a new class of applications which have special powers and protections and which run side by side with ordinary code. The stated aim is to fix the problems of current computer insecurity, and to create new kinds of distributed applications, where each component can know and trust the operation of other parts of the system, even when they are running on remote computers.
Opponents characterise it as an attempt to control the market for computer hardware and software, thus entrenching and extending Microsoft's existing desktop computer operating system and software monopoly. Opponents have also characterised it as an attempt to leverage this monopoly into a monopoly over Digital Rights Management, and hence effective control over the content delivery industry. They further fear that the Palladium platform will eventually control all aspects of computer operation, including web browsing and e-mail.
Microsoft has patent protection on several concepts relating to their "Digital Rights Management Operating System", although it is not clear at this point which of them will be part of Palladium when it is finally fielded.
The Palladium initiative is probably named after the Palladium, a legendary statue in ancient Troy. According to myth, while the statue was safe, so was the city. Troy fell to a Trojan horse attack, according to the legend. The parallel is one that opponents are quick to point to, both for the idea itself as well as for explaining why Microsoft chose to change the name.
Functionality of TCPA/NGSCB
Based on current information, NGSCB (Palladium) would work in the following ways:
- At any time after booting, the user chooses to enable NGSCB, which will let him run "trusted" applications.
- The Windows OS loads the NGSCB micro-kernel, called the Nexus, into a region of memory that is only accessible in a new processor mode. Simultaneously, the NGSCB Security Support Component, SSC, takes and records a hash of the Nexus.
- An NGSCB "trusted" module, called a Nexus Computing Agent or NCA, loads into the special curtained memory region. The SSC takes a hash of the software as it loads.
- The NCA can make calls into the Nexus to make use of NGSCB functionality. This includes sealing (encrypting) data with the aid of the SSC, which can optionally lock the data to the hash of the NCA, making it impossible for other software to decrypt the data.
- The NCA can also use the "attestation" feature of NGSCB to get the SSC to sign a message that reports on the NCA's hash, which the Nexus then sends to a remote system. This allows the remote system to be convinced of the identity of the software running locally.
- The keyboard and display device can also be opened as secure channels by the NCA, allowing I/O to occur without other software being able to snoop on the data being displayed or typed.
- The combination of these features allows distributed applications to exchange and store data via secure channels such that no entity other than these software programs can examine or change the data. This inherently supports DRM as well as a wide range of other security based applications.
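The measure-seal-attest sequence in the list above, as an added toy model (constructed for this article; it is not Microsoft's code and simplifies the real design). Assumed for illustration: the SSC keeps an extend-style measurement register that each loaded component's hash is folded into, the sealing key is derived from a chip-resident root secret plus that register, a keyed HMAC stands in for the SSC's signature and a HMAC counter keystream stands in for a real cipher, and the remote verifier shares the attestation key instead of holding a public key. The component images, the document and the challenge are all constructed sample values.

```python
"""Toy model of the NGSCB flow: record a hash of each component as it loads,
seal data to that hash, and attest the hash to a remote system.
Constructed illustration only; not the real SSC or Nexus."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ZERO = b"\x00" * 32


def expected_measurement(components: List[bytes]) -> bytes:
    """Replay the extend chain over known component images. A remote verifier
    uses this to compute the hash a genuine Nexus + NCA should report."""
    reg = ZERO
    for code in components:
        reg = hashlib.sha256(reg + hashlib.sha256(code).digest()).digest()
    return reg


class SecurityCoprocessor:
    """Stand-in for the SSC: a root secret that never leaves the chip, a
    per-chip attestation key, and a measurement register."""

    def __init__(self) -> None:
        self._root_secret = os.urandom(32)   # constructed: device root key
        self._attest_key = os.urandom(32)    # assumed: HMAC stand-in for signing key
        self.measurement = ZERO

    def reboot(self) -> None:
        """A fresh boot starts with an empty measurement register."""
        self.measurement = ZERO

    def measure(self, code: bytes) -> bytes:
        """Record the hash of a component (Nexus, NCA) as it loads."""
        self.measurement = hashlib.sha256(self.measurement + hashlib.sha256(code).digest()).digest()
        return self.measurement

    def _seal_key(self) -> bytes:
        # Key depends on the root secret AND the current measurement, so a
        # different NCA (different hash) derives a different key.
        return hmac.new(self._root_secret, b"seal|" + self.measurement, hashlib.sha256).digest()

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, data: bytes) -> bytes:
        """Encrypt and authenticate data under the measurement-bound key."""
        key = self._seal_key()
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(key, nonce, len(data))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob: bytes) -> Optional[bytes]:
        """Return the plaintext only if the current measurement matches."""
        key = self._seal_key()
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            return None  # sealed by different software, or blob tampered with
        return bytes(a ^ b for a, b in zip(ct, self._keystream(key, nonce, len(ct))))

    def attest(self, challenge: bytes) -> Tuple[bytes, bytes]:
        """Sign (challenge || measurement); the Nexus forwards this remotely."""
        sig = hmac.new(self._attest_key, challenge + self.measurement, hashlib.sha256).digest()
        return self.measurement, sig

    def verifier_key(self) -> bytes:
        # Toy shortcut: a real verifier would hold the SSC's public key.
        return self._attest_key


def remote_verify(key: bytes, challenge: bytes, reported: bytes, sig: bytes, expected: bytes) -> bool:
    """Remote side: the signature must bind OUR fresh challenge to the reported
    hash, and that hash must equal the software we expect."""
    good_sig = hmac.compare_digest(sig, hmac.new(key, challenge + reported, hashlib.sha256).digest())
    return good_sig and hmac.compare_digest(reported, expected)


NEXUS = b"constructed nexus image v1"          # constructed sample images
NCA_A = b"constructed NCA: document viewer"
NCA_B = b"constructed NCA: some other agent"


def run_flow() -> dict:
    """Walk through the flow once and return the observable outcomes."""
    ssc = SecurityCoprocessor()
    ssc.measure(NEXUS)
    ssc.measure(NCA_A)
    blob = ssc.seal(b"secret document")
    same_nca = ssc.unseal(blob)
    challenge = os.urandom(16)
    reported, sig = ssc.attest(challenge)
    expect_a = expected_measurement([NEXUS, NCA_A])
    attest_ok = remote_verify(ssc.verifier_key(), challenge, reported, sig, expect_a)
    # Same chip rebooted with a different NCA: sealing key differs, hash differs.
    ssc.reboot()
    ssc.measure(NEXUS)
    ssc.measure(NCA_B)
    other_nca = ssc.unseal(blob)
    reported_b, sig_b = ssc.attest(challenge)
    attest_other = remote_verify(ssc.verifier_key(), challenge, reported_b, sig_b, expect_a)
    # Replaying an old attestation against a new challenge must fail.
    replay = remote_verify(ssc.verifier_key(), os.urandom(16), reported, sig, expect_a)
    return {"same_nca": same_nca, "other_nca": other_nca, "attest_ok": attest_ok,
            "attest_other": attest_other, "replay": replay}


if __name__ == "__main__":
    print(run_flow())
```

The two checks worth noting are the ones the page's list implies but does not spell out: the sealed blob is useless to any NCA whose hash differs (unseal returns None rather than garbage), and the verifier's fresh challenge is what stops a captured attestation from being replayed later.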
[Figure: NGSCB diagram (NGSCB-diagram.png)]
Criticism
If the above functionality of TCPA/NGSCB were in the final product, opponents claim it would have the following drawbacks:
- The current free competition within the software industry could be a thing of the past, say critics, as programs could not load each other's files due to the encryption the saving program can put on files created. One software company would gain dominance over a particular industry and it would be impossible to dislodge them. This is similar to the problems caused by files using different and mutually incompatible formats, but more so; instead of simply needing to reverse-engineer the dominant file format, a potential new competitor would need to find a way to decrypt the files, which would be much more difficult and possibly even illegal.
- Those who attempt to circumvent the security restrictions of NGSCB could be sued under the Digital Millennium Copyright Act, advise challengers.
- Currently, websites are processor independent. TCPA/NGSCB could lock ARM or PowerPC users out of sites developed for x86 processors.
Virus cure?
On August 28, 2003, Microsoft announced that NGSCB was needed to combat the threat of future viruses like SoBig.F.
Simon Conant, a 'security expert' (quoted verbatim from the source article, the UK Metro) working for Microsoft said "We need to go back to the drawing board with a brand new architecture for the PC".
This argument has several flaws in it, according to critics:
- SoBig.F was a script virus that affected only Outlook and Outlook Express, only under Windows. A change as simple as using an e-mail program that can't execute any sort of malicious script (or any sort of script at all) eliminates the spread of that particular virus.
- Problems with that specific example aside, a switch to a "trusted" computing platform would only protect the trusted programs from the untrusted ones. For a great deal of the period where users were still using legacy untrusted programs, they would see little benefit at all.
- Once a "trusted" program has a known exploit, that program can wreak havoc on other trusted programs and files until the exploit is dealt with.
Microsoft is not presently making strong claims that NGSCB would solve the virus problem. In their Technical FAQ linked from the Microsoft NGSCB page, they say, "Since the nexus and NCAs do not interfere with the operation of any program running in the regular Windows environment, everything, including the native operating system and viruses, runs there as it does today. Therefore, users are still going to need antivirus monitoring and detection software in Windows."
The FAQ goes on to describe the contribution of NGSCB against viruses in more modest terms: "However, the NGSCB architecture does provide features that can be used by an antivirus program to help guarantee that it has not been corrupted. The antivirus software can be grounded in such a way that it can bootstrap itself into a protected execution state, something it cannot do today."
Later versions of Outlook and Outlook Express disable scripting in emails to prevent such viruses from spreading. Most email viruses today spread by sending executable attachments and using social engineering tactics to convince users to open them. Newer versions of Outlook and Outlook Express automatically strip executable attachments from emails.
External links
- Microsoft's NGSCB page (http://www.microsoft.com/resources/ngscb/default.mspx)
- Ross Anderson's anti-TCPA/Palladium opinion article (http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html)
- Microsoft patents "Digital Rights Management Operating System" (http://www.oreillynet.com/cs/user/view/wlg/956)
- Microsoft's "Digital Rights Management Operating System" patent (http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=6330670.WKU.&OS=PN/6330670&RS=PN/6330670)
- Register story criticising Palladium (http://theregister.co.uk/content/4/25891.html)
- MSNBC article (http://www.msnbc.com/news/770511.asp?cp1=1)
- Register story: MS security patch EULA gives Billg admin privileges on your box (http://www.theregister.co.uk/content/4/25956.html)
- The Trojan Palladium (http://homepage.mac.com/cparada/GML/Palladium.html)
- News.com story: What's in a name? Not Palladium (http://news.com.com/2100-1001-982127.html?tag=fd_top)
- Richard Stallman's The Right to Read (http://www.gnu.org/philosophy/right-to-read.html)
- Richard Stallman's Can You Trust Your Computer? (http://www.gnu.org/philosophy/can-you-trust.html)
- EFF's Trusted Computing: Promise and Risk (http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php)
- Microsoft moves to integrate Windows with BIOS (http://news.zdnet.co.uk/software/developer/0,39020387,39116902,00.htm)
- Bruce Schneier's analysis (http://www.schneier.com/crypto-gram-0208.html#1) of Palladium/TCPA