Next-Generation Secure Computing Base: Difference between revisions

From BetaArchive Wiki
No edit summary
Line 1: Line 1:
[[File:NGSCBWHEC03.png|right|thumb|Diagram of the NGSCB software architecture as presented at WinHEC 2003.]]
[[File:NGSCBWHEC03.png|right|thumb|Diagram of the NGSCB software architecture as presented during WinHEC 2003.]]
The '''Next-Generation Secure Computing Base''' (codenamed ''Palladium'') is the name of a cancelled software architecture originally slated to be included in the [[Microsoft]] [[Windows:Longhorn|Windows "Longhorn"]] operating system. Development of the architecture began in 1997.<ref>Biddle, Peter. (August 5, 2002). [http://www.cl.cam.ac.uk/~rja14/biddle.txt "Re: Dangers of TCPA/Palladium"]</ref><ref>Merritt, Rick. (July 15, 2002). [http://www.eetimes.com/document.asp?doc_id=1144938 "Microsoft scheme for PC security faces flak"]</ref>  
The '''Next-Generation Secure Computing Base''' (codenamed ''Palladium'')<ref name="'What's in a name? Not Palladium.">Lemos, Robert. (January 24, 2003). [http://news.cnet.com/2100-1001-982127.html "What's in a name? Not Palladium"]</ref> is a software architecture originally slated to be included in the [[Microsoft]] [[Windows:Longhorn|Windows "Longhorn"]] operating system. Development of the architecture began in 1997.<ref name="Dangers of TCPA/Palladium.">Biddle, Peter. (August 5, 2002). [http://www.cl.cam.ac.uk/~rja14/biddle.txt "Re: Dangers of TCPA/Palladium"]</ref><ref>Merritt, Rick. (July 15, 2002). [http://www.eetimes.com/document.asp?doc_id=1144938 "Microsoft scheme for PC security faces flak"]</ref>  


NGSCB was designed to provide an isolated environment where sensitive operations may be performed securely. Microsoft's primary stated objective with NGSCB was to "protect software from software."<ref>Aday, Michael. "[http://epic.org/privacy/consumer/microsoft/nistpalladium.pdf 'Palladium']"</ref><ref>Lee, Timothy. (November 30, 2012). [http://arstechnica.com/tech-policy/2012/11/how-four-microsoft-engineers-proved-copy-protection-would-fail/?comments=1&post=23549237#comment-23549237 "How 4 Microsoft engineers proved that the 'darknet' would defeat DRM"]</ref>
The NGSCB was the result of years of research within Microsoft to create a secure computing solution that equaled the security of more closed systems while preserving the openness and flexibility of the Windows platform.<ref name="''Palladium'.">Aday, Michael. [http://epic.org/privacy/consumer/microsoft/nistpalladium.pdf "Palladium"]</ref> The NGSCB relied on new software components and specially designed hardware to create a new execution environment where more sensitive operations could be performed securely.<ref name="'Palladium' summary.">Schoen, Seth. (July 5, 2002). [https://web.archive.org/web/20020802145913/http://vitanuova.loyalty.org/2002-07-05.html "'Palladium' summary"]</ref> Microsoft's primary stated objective with the NGSCB was to "protect software from software."<ref name="''Palladium'.">Aday, Michael. [http://epic.org/privacy/consumer/microsoft/nistpalladium.pdf "Palladium"]</ref><ref>Lee, Timothy. (November 30, 2012). [http://arstechnica.com/tech-policy/2012/11/how-four-microsoft-engineers-proved-copy-protection-would-fail/?comments=1&post=23549237#comment-23549237 "How 4 Microsoft engineers proved that the 'darknet' would defeat DRM"]</ref>


==History==
==History==
The idea of creating an architecture where software components can be loaded in a known and protected state predates the development of NGSCB. A number of attempts were made in the 1960s and 1970s to produce secure computing systems,<ref>[http://www.google.com/patents/US6185678 Secure and reliable bootstrap architecture (U.S. Patent 6185678)]</ref><ref>Anderson, James. (October 1972). [http://seclab.cs.ucdavis.edu/projects/history/papers/ande72.pdf  "Computer Security Technology Planning Study"]</ref> with variations of the idea emerging in more recent decades.<ref>[http://www.google.com/patents/US5421006 Method and apparatus for assessing integrity of computer system software (U.S. Patent 5421006)]</ref><ref>Kuhn, Markus. (April 30, 1997). [http://www.cl.cam.ac.uk/~mgk25/trustno1.pdf "The TrustNo 1 Cryptoprocessor Concept"]</ref>
In 1999 the Trusted Computing Platform Alliance, a consortium of various technology companies, was formed in an effort to promote trust in the PC platform.<ref>Trusted Computing Platform Alliance. [https://web.archive.org/web/20020802135319/http://www.trustedcomputing.org/tcpaasp4/index.asp "Home Page"]</ref> The TCPA would release several detailed specifications for a trusted computing platform with focus on features such as code validation and encryption based on integrity measurements, hardware based key storage, and attestation to remote entities. These features required a new hardware component designed by the TCPA called the ''Trusted Platform Module'' (referred to as a ''Security Support Component'',<ref name="NGSCB Technical FAQ.">Microsoft. [http://technet.microsoft.com/en-us/library/cc723472.aspx"Microsoft Next-Generation Secure Computing Base - Technical FAQ"]</ref> ''Secure Cryptographic Processor'',<ref name="''Palladium'.">Aday, Michael. [http://epic.org/privacy/consumer/microsoft/nistpalladium.pdf "Palladium"]</ref> or ''Security Support Processor''<ref name="''Palladium'.">Aday, Michael. [http://epic.org/privacy/consumer/microsoft/nistpalladium.pdf "Palladium"]</ref> in earlier Microsoft documentation). While most of these features would later serve as the foundation for Microsoft's NGSCB architecture, they were different in terms of implementation.<ref name="Dangers of TCPA/Palladium.">Biddle, Peter. (August 5, 2002). [http://www.cl.cam.ac.uk/~rja14/biddle.txt "Re: Dangers of TCPA/Palladium"]</ref> The TCPA was superseded by the Trusted Computing Group in 2003.<ref>Trusted Computing Group. [http://www.trustedcomputinggroup.org/files/resource_files/B8FF1287-1A4B-B294-D0423684DEB619FD/TCG%20Timeline_rev%20Feb%202011.pdf "TCG Timeline"]</ref>
===Development===
===Development===
[[File:NGSCBWHEC04.png|right|thumb|Diagram of NGSCB architecture revision during WinHEC 2004.]]
Development of the NGSCB began in 1997 after Microsoft developer Peter Biddle conceived of new ways to protect content on personal computers.<ref name="'Palladium' summary.">Schoen, Seth. (July 5, 2002). [https://web.archive.org/web/20020802145913/http://vitanuova.loyalty.org/2002-07-05.html "'Palladium' summary"]</ref>
Development of the NGSCB began in 1997 after Microsoft developer, Peter Biddle, conceived of new ways to offer content protection on personal computers.<ref>Schoen, Seth. (July 5, 2002). [https://web.archive.org/web/20020802145913/http://vitanuova.loyalty.org/2002-07-05.html "'Palladium' summary"]</ref>
 
Microsoft later filed a number of patents related to elements of the NGSCB design.<ref>Lampson, Butler. [http://research.microsoft.com/en-us/um/people/blampson/cv.doc "Curriculum Vitae"]</ref> Patents for a digital rights management operating system,<ref>[http://www.google.com/patents/US6330670 Digital rights management operating system (U.S. Patent 6330670 B1)]</ref> loading and identifying a digital rights management operating system,<ref>[http://www.google.com/patents/US6327652 Loading and identifying a digital rights management operating system (U.S. Patent 6327652 B1)]</ref> key-based secure storage,<ref>[http://www.google.com/patents/US7194092 Key-based secure storage (U.S. Patent 7194092 B1)]</ref> and certificate based access control<ref>[http://www.google.com/patents/US6820063 Controlling access to content based on certificates and access predicates (U.S. Patent 6820063 B1)]</ref>  were filed on January 8, 1999. A method to authenticate an operating system based on its central processing unit was filed on March 10, 1999.<ref>[http://www.google.com/patents/US7174457 System and method for authenticating an operating system to a central processing unit (U.S. Patent 7174457 B1)]</ref> Patents related to the secure execution of code<ref>[http://www.google.com/patents/US6651171 Secure execution of program code (U.S. Patent 6651171 B1)]</ref> and protection of code in memory<ref>[http://www.google.com/patents/US6775779 Hierarchical trusted code for content protection in computers (U.S. Patent 20040243836 A1)]</ref> were filed on April 6, 1999.


Microsoft later filed a large number of patents related to elements of the NGSCB design.<ref>Lampson, Butler. [http://research.microsoft.com/en-us/um/people/blampson/cv.doc "Curriculum Vitae"]</ref> Patents for a digital rights management operating system,<ref>[http://www.google.com/patents/US6330670 Digital rights management operating system (U.S. 6330670 B1)]</ref> loading and identifying a digital rights management operating system,<ref>[http://www.google.com/patents/US6327652 Loading and identifying a digital rights management operating system (U.S. 6327652 B1)]</ref> key-based secure storage,<ref>[http://www.google.com/patents/US7194092 Key-based secure storage (U.S. 7194092 B1)]</ref> and certificate based access control<ref>[http://www.google.com/patents/US6820063 Controlling access to content based on certificates and access predicates (U.S. 6820063 B1)]</ref> were filed on January 8, 1999. A method to authenticate an operating system based on its central processing unit was filed on March 10, 1999.<ref>[http://www.google.com/patents/US7174457 System and method for authenticating an operating system to a central processing unit (U.S. 7174457 B1)]</ref> Patents related to the secure execution of code<ref>[http://www.google.com/patents/US6651171 Secure execution of program code (U.S. 6651171 B1)]</ref> and protection of code in memory<ref>[http://www.google.com/patents/US6775779 Hierarchical trusted code for content protection in computers (U.S. 20040243836 A1)]</ref> were filed on April 6, 1999.
During its [[Windows Hardware Engineering Conference 1999|Windows Hardware Engineering Conference of 1999]], Microsoft had shown a presentation titled ''Privacy, Security, and Content Protection'' which focused on the protection of intellectual property and end user privacy. The presentation mentioned turning Windows into a "platform of trust" designed to protect the privacy of individual users. Microsoft would show a similar presentation during [[Windows Hardware Engineering Conference 2001|WinHEC 2001]].<ref>Microsoft. [http://download.microsoft.com/download/a/f/c/afcf8195-0eda-4190-a46d-aa60b45e0740/Secure.ppt "Privacy, Security, and Content Protection"]</ref>
The technology was publicly unveiled under the name "Palladium" on June 24, 2002 in an article by Steven Levy of ''Newsweek'' that focused on its origin, design and features.<ref>Levy, Steven. (June 24, 2002). [http://www.newsweek.com/big-secret-145809 "The Big Secret"]</ref><ref>Geek.com. (June 24, 2002). [http://www.geek.com/chips/palladium-microsofts-big-plan-for-the-pc-549258/ "'Palladium': Microsoft's big plan for the PC"]</ref><ref>ExtremeTech. (June 24, 2002). [http://www.extremetech.com/extreme/51436-palladium-microsoft-revisits-digitalrights-management "'Palladium': Microsoft Revisits Digital Rights Management"]</ref> Levy stated that the technology would allow users to identify and authenticate themselves, encrypt data to protect it from unauthorized access, and allow users to enforce policies related to the use of their information. As examples of policies that could be enforced, Levy stated that users could send e-mail messages accessible only by the intended recipient, or create Microsoft Word documents that could only be read a week after they were created. To provide this functionality, the technology would require specially designed hardware components, including updated processors, chipsets, peripherals, and a Trusted Platform Module.


The technology was publicly unveiled under the name "Palladium" on June 24, 2002 in an article by Steven Levy of ''Newsweek'' that focused on its origin, design and features.<ref>Levy, Steven. (June 24, 2002). [http://www.newsweek.com/big-secret-145809 "The Big Secret"]</ref><ref>Geek.com. (June 24, 2002). [http://www.geek.com/chips/palladium-microsofts-big-plan-for-the-pc-549258/ "'Palladium': Microsoft's big plan for the PC"]</ref><ref>ExtremeTech. (June 24, 2002). [http://www.extremetech.com/extreme/51436-palladium-microsoft-revisits-digitalrights-management "'Palladium': Microsoft Revisits Digital Rights Management"]</ref> Levy stated that the technology would allow users to identify and authenticate themselves, encrypt data to protect against unauthorized access, and enforce policies related to the use of information. As examples of policies that users could enforce, Levy stated that users could send e-mail messages accessible only by the intended recipient, or create Microsoft Word documents that could only be read a week after they were created. To provide this functionality, the technology would require specially designed hardware components, including updated processors, chipsets, peripherals, and a new coprocessor designed to perform cryptographic operations.
In August 2002, Microsoft posted a recruitment advertisement seeking a group program manager to provide vision and industry leadership in the development of several Microsoft technologies, including its NGSCB architecture.<ref>Lettice, John. (August 13, 2002). [http://www.theregister.co.uk/2002/08/13/ms_recruits_for_palladium_microkernel/ "MS recruits for Palladium microkernel and/or DRM platform"]</ref>


Microsoft publicly demonstrated the NGSCB for the first time at its Windows Hardware Engineering Conference in 2003.<ref>Bekker, Scott. (May 6, 2003). [http://redmondmag.com/articles/2003/05/06/palladium-on-display-at-winhec.aspx "'Palladium' on Display at WinHEC"]</ref><ref>BusinessWire. (May 7, 2003). [http://www.businesswire.com/news/home/20030507005219/en/Atmel-Microsoft-Demonstrate-Secure-USB-Keyboard-Prototype "Atmel and Microsoft Demonstrate New Secure USB Keyboard Prototype at WinHEC 2003"]</ref><ref> Microsoft PressPass. [http://www.microsoft.com/en-us/news/features/2003/may03/05-07ngscb.aspx "At WinHEC, Microsoft Discusses Details of Next-Generation Secure Computing Base"]</ref>
In 2003, Microsoft publicly demonstrated the NGSCB for the first time at its Windows Hardware Engineering Conference<ref>Bekker, Scott. (May 6, 2003). [http://redmondmag.com/articles/2003/05/06/palladium-on-display-at-winhec.aspx "'Palladium' on Display at WinHEC"]</ref><ref> Microsoft PressPass. [http://www.microsoft.com/en-us/news/features/2003/may03/05-07ngscb.aspx "At WinHEC, Microsoft Discusses Details of Next-Generation Secure Computing Base"]</ref><ref>Evers, Joris. (May 7, 2003). [http://www.networkworld.com/article/2342054/lan-wan/microsoft-turns-to-emulators-for-security-demo.html "Microsoft turns to emulators for security demo"]</ref> and released a developer preview of the technology later that year during its [[Professional Developers Conference 2003|Professional Developers Conference]].<ref>Rooney, Paula; Montalbano, Elizabeth. (October 1, 2003). [http://www.crn.com/news/channel-programs/18839939/microsoft-to-hand-over-early-whidbey-yukon-code-at-pdc.htm "Microsoft to Hand Over Early Whidbey, Yukon Code At PDC"]</ref><ref>Evers, Joris. (October 30, 2003). [http://www.networkworld.com/article/2338050/lan-wan/developers-get-hands-on-microsoft-s-ngscb.html "Developers get hands on Microsoft's NGSCB"]</ref><ref>Microsoft. [http://www.microsoft.com/en-us/news/features/2003/dec03/12-15yearreview.aspx "A Review of Microsoft Technology for 2003, Preview for 2004"]</ref>


Microsoft released the first NGSCB software developer kit (SDK) during its Professional Developers Conference (PDC) of 2003.<ref>Rooney, Paula; Montalbano, Elizabeth. (October 1, 2003). [http://www.crn.com/news/channel-programs/18839939/microsoft-to-hand-over-early-whidbey-yukon-code-at-pdc.htm "Microsoft to Hand Over Early Whidbey, Yukon Code At PDC"]</ref><ref>Furman, Keith; Thurrott, Paul. (October 23, 2003). [http://windowsitpro.com/windows-server-2008/live-pdc-2003-countdown-two-days-go "Live from PDC 2003: Countdown, Two Days to Go!"]</ref><ref>Evers, Joris. (October 30, 2003). [http://www.networkworld.com/article/2338050/lan-wan/developers-get-hands-on-microsoft-s-ngscb.html "Developers get hands on Microsoft's NGSCB"]</ref>
[[File:NGSCBWHEC04.png|right|thumb|Diagram of NGSCB architecture revision shown during WinHEC 2004.]]
During [[Windows Hardware Engineering Conference 2004|WinHEC 2004]], Microsoft announced that it would revise the technology in response to feedback from customers and independent software vendors who stated that they did not want to rewrite their existing programs in order to benefit from its functionality.<ref>Evers, Joris. (May 5, 2004). [http://www.networkworld.com/news/2004/0505msngscb.html "WinHEC: Microsoft revisits NGSCB security plan"]</ref><ref>Sanders, Tom. (May 6, 2004) [https://web.archive.org/web/20051129072044/http://www.vnunet.com/vnunet/news/2124916/microsoft-shakes-longhorn-security "Microsoft shakes up 'Longhorn' security"]</ref> After the announcement, some reports stated that Microsoft would cease development of the technology.<ref>Bangeman, Eric. (May 5, 2004). [http://arstechnica.com/uncategorized/2004/05/3736-2/ "Microsoft kills Next-Generation Secure Computing Base"]</ref><ref>Rooney, Paula. (May 5, 2004). [http://www.crn.com/news/security/18841713/microsoft-shelves-ngscb-project-as-nx-moves-to-center-stage.htm "Microsoft shelves NGSCB project as NX moves to center stage"]</ref> Microsoft denied the claims and reaffirmed its commitment to delivering the technology.<ref>eWeek. (May 5, 2004). [http://www.eweek.com/c/a/Windows/Microsoft-Palladium-Is-Still-Alive-and-Kicking/ "Microsoft: Palladium is still alive and kicking"]</ref><ref>Thurrott, Paul. (May 7, 2004). [http://winsupersite.com/product-review/winhec-2004-show-report-and-photo-gallery "WinHEC 2004 Show Report and Photo Gallery"]</ref> Later that year, Microsoft's Steve Heil stated that the company would make additional changes to the technology based on feedback from the industry.<ref>Fried, Ina. (September 8, 2004). [http://news.cnet.com/Controversial-Microsoft-plan-heads-for-Longhorn/2100-1016_3-5357726.html "Controversial Microsoft plan heads for 'Longhorn'"]</ref>


During WinHEC 2004, based on feedback from customers and ISV partners who stated that they did not want to rewrite their existing programs in order to benefit from its functionality, Microsoft announced that it would revise the technology.<ref>Evers, Joris. (May 5, 2004). [http://www.networkworld.com/news/2004/0505msngscb.html "WinHEC: Microsoft revisits NGSCB security plan"]</ref><ref>Sanders, Tom. (May 6, 2004) [https://web.archive.org/web/20051129072044/http://www.vnunet.com/vnunet/news/2124916/microsoft-shakes-longhorn-security "Microsoft shakes up 'Longhorn' security"]</ref> After the announcement, reports stated that Microsoft would cease development of the technology.<ref>Bangeman, Eric. (May 5, 2004). [http://arstechnica.com/uncategorized/2004/05/3736-2/ "Microsoft kills Next-Generation Secure Computing Base"]</ref><ref>Rooney, Paula. (May 5, 2004). [http://www.crn.com/news/security/18841713/microsoft-shelves-ngscb-project-as-nx-moves-to-center-stage.htm "Microsoft shelves NGSCB project as NX moves to center stage"]</ref> Microsoft denied the claims and reaffirmed its commitment to delivering the technology.<ref>eWeek. (May 5, 2004). [http://www.eweek.com/c/a/Windows/Microsoft-Palladium-Is-Still-Alive-and-Kicking/ "Microsoft: Palladium is still alive and kicking"]</ref><ref>Thurrott, Paul. (May 7, 2004). [http://winsupersite.com/product-review/winhec-2004-show-report-and-photo-gallery "WinHEC 2004 Show Report and Photo Gallery"]</ref>
In 2005, Microsoft's lack of continual updates on its progress with the technology had led some in the industry to speculate that it had been cancelled.<ref>Ever, Joris. (February 24, 2005). [http://www.pcworld.com/article/119798/article.html "Silence Fuels Speculation on Microsoft Security Plan"]</ref> At the annual Microsoft Management Summit event, then Microsoft CEO Steve Ballmer said that the company was building on the foundation it had started with the NGSCB to create a new set of hypervisor technologies for its Windows operating system.<ref name="''Microsoft Management Summit'.">Microsoft. (April 20, 2005) [http://www.microsoft.com/en-us/news/exec/steve/2005/04-20managementsummit.aspx "Steve Ballmer: Microsoft Management Summit"]</ref> During [[Windows Hardware Engineering Conference 2005|WinHEC 2005]], Microsoft announced that it had scaled back its plans for the technology in order to ship the post-reset Windows "Longhorn" operating system within a reasonable timeframe. Instead of providing an isolated software environment, the NGSCB would offer full operating system volume encryption with a feature known as ''Secure Startup'' (which would later be renamed as ''Bitlocker Drive Encryption''). Microsoft stated that it planned to deliver other aspects of its NGSCB architecture at a later date.<ref name="'Longhorn' security gets its teeth kicked out.">Sanders, Tom. (April 26, 2005). [https://web.archive.org/web/20050428001948/http://www.vnunet.com/news/1162710 "'Longhorn' security gets its teeth kicked out"]</ref>
 
In July 2008, Peter Biddle stated that negative perception was the main contributing factor responsible for the cancellation of the architecture.<ref>Biddle, Peter. (July 16, 2008). [http://peternbiddle.wordpress.com/2008/07/16/perception-or-linus-gets-away-with-being-honest-again/ "Perception (or, Linus gets away with being honest again)"]</ref>


===Name===
===Name===
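Review bot: In the Development paragraph on the Newsweek unveiling, the new text has Levy's June 24, 2002 article naming "a Trusted Platform Module", where the earlier wording was "a new coprocessor designed to perform cryptographic operations". The added History paragraph says earlier Microsoft documentation used other names for this component (Security Support Component, Security Support Processor), so confirm the term against the cited article or keep the neutral wording. Separately, the named references (`name="''Palladium'."`, `name="Dangers of TCPA/Palladium."`, `name="'Palladium' summary."`) are written out in full at every use; define each once, reuse it with a self-closing `<ref name="..." />`, and drop the stray quote characters from the names. The citation `Ever, Joris` should read `Evers, Joris` to match the other entries.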
Line 29: Line 38:
In response, Microsoft published the first version of its technical NGSCB FAQ on August 21, 2002 that outlined the scope and intent of the technology.<ref>Microsoft PressPass. (August, 2002). [http://www.napolifirewall.com/MicrosoftPalladium.htm "Microsoft "Palladium" Initiative Technical FAQ"]</ref> According to Microsoft, the technology would not incorporate features that could be used to censor or delete users' data; an idea which the corporation stated was in direct conflict with its design goals. Microsoft also vehemently denied that it would incorporate a backdoor or exploit that would allow government agencies access to computers or data protected by the technology: <blockquote>"Microsoft would refuse to voluntarily place a back door in any of its products and would fiercely resist any government attempt to require back doors in products. From a security perspective, such back doors are an unacceptable security risk because they would permit unscrupulous individuals to compromise the confidentiality, integrity and availability of our customers' data and systems. From a market perspective, such products would not be marketable, either domestically or internationally. Equally important, deliberately inserting such vulnerabilities would undermine Microsoft's reputation in the marketplace as a trusted vendor of products. For these reasons and others, we would, as we did during the encryption debate, oppose any such government efforts."</blockquote>
In response, Microsoft published the first version of its technical NGSCB FAQ on August 21, 2002 that outlined the scope and intent of the technology.<ref>Microsoft PressPass. (August, 2002). [http://www.napolifirewall.com/MicrosoftPalladium.htm "Microsoft "Palladium" Initiative Technical FAQ"]</ref> According to Microsoft, the technology would not incorporate features that could be used to censor or delete users' data; an idea which the corporation stated was in direct conflict with its design goals. Microsoft also vehemently denied that it would incorporate a backdoor or exploit that would allow government agencies access to computers or data protected by the technology: <blockquote>"Microsoft would refuse to voluntarily place a back door in any of its products and would fiercely resist any government attempt to require back doors in products. From a security perspective, such back doors are an unacceptable security risk because they would permit unscrupulous individuals to compromise the confidentiality, integrity and availability of our customers' data and systems. From a market perspective, such products would not be marketable, either domestically or internationally. Equally important, deliberately inserting such vulnerabilities would undermine Microsoft's reputation in the marketplace as a trusted vendor of products. For these reasons and others, we would, as we did during the encryption debate, oppose any such government efforts."</blockquote>


===Cancellation===
During WinHEC 2005, Microsoft announced that it had scaled back its plans for the technology in order to ship the post-reset Windows "Longhorn" operating system within a reasonable timeframe. Instead of providing a new operating environment, the NGSCB would offer full volume encryption with a feature known as "Secure Startup" (later renamed as "Bitlocker Drive Encryption").<ref>Sanders, Tom. (April 26, 2005). [https://web.archive.org/web/20050428001948/http://www.vnunet.com/news/1162710 "'Longhorn' security gets its teeth kicked out"]</ref>
Microsoft stated that it would deliver other aspects of its NGSCB vision at a later date.<ref>[https://www.microsoft.com/resources/ngscb/default.mspx Microsoft Next-Generation Secure Computing Base]</ref>
In July 2008, Peter Biddle stated that negative perception was the main contributing factor responsible for the cancellation of the architecture.<ref>Biddle, Peter. (July 16, 2008). [http://peternbiddle.wordpress.com/2008/07/16/perception-or-linus-gets-away-with-being-honest-again/ "Perception (or, Linus gets away with being honest again)"]</ref>
==Overview and features==
==Overview and features==
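Review bot: Removing the `===Cancellation===` section drops the reference to Microsoft's own NGSCB page (`https://www.microsoft.com/resources/ngscb/default.mspx`), which supported the sentence "Microsoft stated that it would deliver other aspects of its NGSCB vision at a later date". The relocated sentence in Development now rests only on the Sanders article. Carry the Microsoft reference over to the moved sentence so the statement keeps its primary source.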


Line 64: Line 68:


==In builds of Windows "Longhorn"==
==In builds of Windows "Longhorn"==
In released pre-reset builds of Windows "Longhorn", NGSCB components reside in %SYSTEMDRIVE%\WINDOWS\NGSCB.
[[File:NGSCBCONFIG.png|right|thumb|A successful attempt to configure the Next-Generation Secure Computing Base in Windows "Longhorn" [[Windows:Longhorn:4053.main.031022-1720|build 4053]].]]
In released pre-reset builds of Windows "Longhorn", NGSCB components reside in %SYSTEMDRIVE%\WINDOWS\NGSCB. The last build of Windows "Longhorn" known to include the NGSCB directory and subfolders is [[Windows:Server2008:4066.main.040226-1010|build 4066]].<ref>BetaArchive forums. (May 2, 2014). [http://www.betaarchive.com/forum/viewtopic.php?p=370526#p370526 "Builds of 'Longhorn' with NGSCB?"]</ref>


==In Windows 8==
==In Windows 8==
On systems equipped with a compatible Trusted Platform Module, Windows 8 includes a feature called "Measured Boot" which allows a trusted server to verify the integrity of the Windows startup process.<ref>Microsoft TechNet. [http://technet.microsoft.com/en-us/windows/dn168167.aspx "Windows 8 Boot Process - Security, UEFI, TPM"]</ref><ref>Microsoft TechNet. [http://technet.microsoft.com/en-us/windows/dn168169.aspx "Windows 8 Boot Security FAQ"]</ref><ref>Microsoft Software Developer Network (MSDN). [http://msdn.microsoft.com/en-us/library/windows/desktop/hh848050(v=vs.85).aspx "Measured Boot"]</ref> Measured Boot is not directly related to the NGSCB architecture; rather, it serves a purpose comparable to the architecture's "Attestation" feature in that both are designed to validate a platform's configuration.<ref>Microsoft. [http://download.microsoft.com/download/4/0/D/40DF6E51-DAD0-4CF8-B768-8E3B4A848D9C/secured-boot-measured-boot.docx "Secured Boot and Measured Boot: Hardening Early Boot Components against Malware"]</ref>  
On systems equipped with a compatible Trusted Platform Module, Windows 8 includes a feature called "Measured Boot" which allows a trusted server to verify the integrity of the Windows startup process.<ref>Microsoft TechNet. [http://technet.microsoft.com/en-us/windows/dn168167.aspx "Windows 8 Boot Process - Security, UEFI, TPM"]</ref><ref>Microsoft TechNet. [http://technet.microsoft.com/en-us/windows/dn168169.aspx "Windows 8 Boot Security FAQ"]</ref><ref>Microsoft Software Developer Network (MSDN). [http://msdn.microsoft.com/en-us/library/windows/desktop/hh848050(v=vs.85).aspx "Measured Boot"]</ref> Measured Boot is not directly related to the NGSCB architecture; rather, it serves a purpose comparable to the architecture's "Attestation" feature in that both are designed to validate a platform's configuration.<ref>Microsoft. [http://download.microsoft.com/download/4/0/D/40DF6E51-DAD0-4CF8-B768-8E3B4A848D9C/secured-boot-measured-boot.docx "Secured Boot and Measured Boot: Hardening Early Boot Components against Malware"]</ref>


==References==
==References==
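Review bot: The added sentence calls build 4066 a build of Windows "Longhorn" but links it under `Windows:Server2008:4066.main.040226-1010`, while the new image caption links build 4053 under `Windows:Longhorn:`. Check the link target, or say in the text that 4066 is a server build. The claim is sourced only to a forum thread, so attribute it to that thread in the sentence unless a stronger source is available.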

Revision as of 20:58, 30 August 2014

Diagram of the NGSCB software architecture as presented during WinHEC 2003.

The Next-Generation Secure Computing Base (codenamed Palladium)[1] is a software architecture originally slated to be included in the Microsoft Windows "Longhorn" operating system. Development of the architecture began in 1997.[2][3]

The NGSCB was the result of years of research within Microsoft to create a secure computing solution that equaled the security of more closed systems while preserving the openness and flexibility of the Windows platform.[4] The NGSCB relied on new software components and specially designed hardware to create a new execution environment where more sensitive operations could be performed securely.[5] Microsoft's primary stated objective with the NGSCB was to "protect software from software."[4][6]

History

The idea of creating an architecture where software components can be loaded in a known and protected state predates the development of NGSCB. A number of attempts were made in the 1960s and 1970s to produce secure computing systems,[7][8] with variations of the idea emerging in more recent decades.[9][10]

In 1999 the Trusted Computing Platform Alliance, a consortium of various technology companies, was formed in an effort to promote trust in the PC platform.[11] The TCPA would release several detailed specifications for a trusted computing platform with a focus on features such as code validation and encryption based on integrity measurements, hardware-based key storage, and attestation to remote entities. These features required a new hardware component designed by the TCPA called the Trusted Platform Module (referred to as a Security Support Component,[12] Secure Cryptographic Processor,[4] or Security Support Processor[4] in earlier Microsoft documentation). While most of these features would later serve as the foundation for Microsoft's NGSCB architecture, they were different in terms of implementation.[2] The TCPA was superseded by the Trusted Computing Group in 2003.[13]

Development

Development of the NGSCB began in 1997 after Microsoft developer Peter Biddle conceived of new ways to protect content on personal computers.[5]

Microsoft later filed a number of patents related to elements of the NGSCB design.[14] Patents for a digital rights management operating system,[15] loading and identifying a digital rights management operating system,[16] key-based secure storage,[17] and certificate-based access control[18] were filed on January 8, 1999. A method to authenticate an operating system based on its central processing unit was filed on March 10, 1999.[19] Patents related to the secure execution of code[20] and protection of code in memory[21] were filed on April 6, 1999.

During its Windows Hardware Engineering Conference of 1999, Microsoft showed a presentation titled Privacy, Security, and Content Protection which focused on the protection of intellectual property and end-user privacy. The presentation mentioned turning Windows into a "platform of trust" designed to protect the privacy of individual users. Microsoft would show a similar presentation during WinHEC 2001.[22]

The technology was publicly unveiled under the name "Palladium" on June 24, 2002, in an article by Steven Levy of Newsweek that focused on its origin, design and features.[23][24][25] Levy stated that the technology would allow users to identify and authenticate themselves, encrypt data to protect it from unauthorized access, and allow users to enforce policies related to the use of their information. As examples of policies that could be enforced, Levy stated that users could send e-mail messages accessible only by the intended recipient, or create Microsoft Word documents that could only be read a week after they were created. To provide this functionality, the technology would require specially designed hardware components, including updated processors, chipsets, peripherals, and a Trusted Platform Module.

In August 2002, Microsoft posted a recruitment advertisement seeking a group program manager to provide vision and industry leadership in the development of several Microsoft technologies, including its NGSCB architecture.[26]

In 2003, Microsoft publicly demonstrated the NGSCB for the first time at its Windows Hardware Engineering Conference[27][28][29] and released a developer preview of the technology later that year during its Professional Developers Conference.[30][31][32]

Diagram of NGSCB architecture revision shown during WinHEC 2004.

During WinHEC 2004, Microsoft announced that it would revise the technology in response to feedback from customers and independent software vendors who stated that they did not want to rewrite their existing programs in order to benefit from its functionality.[33][34] After the announcement, some reports stated that Microsoft would cease development of the technology.[35][36] Microsoft denied the claims and reaffirmed its commitment to delivering the technology.[37][38] Later that year, Microsoft's Steve Heil stated that the company would make additional changes to the technology based on feedback from the industry.[39]

In 2005, Microsoft's lack of continual updates on its progress with the technology led some in the industry to speculate that it had been cancelled.[40] At the annual Microsoft Management Summit event, then Microsoft CEO Steve Ballmer said that the company was building on the foundation it had started with the NGSCB to create a new set of hypervisor technologies for its Windows operating system.[41] During WinHEC 2005, Microsoft announced that it had scaled back its plans for the technology in order to ship the post-reset Windows "Longhorn" operating system within a reasonable timeframe. Instead of providing an isolated software environment, the NGSCB would offer full operating system volume encryption with a feature known as Secure Startup (which would later be renamed BitLocker Drive Encryption). Microsoft stated that it planned to deliver other aspects of its NGSCB architecture at a later date.[42]

In July 2008, Peter Biddle stated that negative perception was the main contributing factor responsible for the cancellation of the architecture.[43]

Name

In Greek and Roman mythology, the term "palladium" refers to an object that the safety of a city or nation was believed to be dependent upon.[44]

On January 24, 2003, Microsoft announced that "Palladium" had been renamed as the "Next-Generation Secure Computing Base." According to NGSCB product manager Mario Juarez, the new name was chosen not only to reflect Microsoft's commitment to the technology in the upcoming decade, but also to avoid any legal conflict with an unnamed company that had already acquired the rights to the Palladium name. Juarez acknowledged that the previous name had been a source of criticism, but denied that the decision was made by Microsoft in an attempt to deflect criticism.[45]

Reception

Industry and consumer reaction to Microsoft's Next-Generation Secure Computing Base technology was largely negative. The editorial staff of The Register were among the first to criticize Microsoft after the technology was unveiled. John Lettice, noting the similarities between Microsoft's NGSCB and the company's DRM-OS patents filed almost three years prior, believed that the technology was in development solely for the content industries and that the article by Newsweek had "been deliberately planted in order to prepare the way for the DRM OS."[46] Richard Forno blamed Microsoft's past record with security for the majority of contemporary security issues and expressed his belief that the technology would allow Microsoft to dictate the applications that could be allowed to run on personal computers.[47] Thomas Greene wrote that the technology had the potential to eradicate Linux and the GPL.[48] Ross Anderson of Cambridge University was one of the most vocal critics and had written an article on the potential dangers of the technology.[49][50][51] Anderson claimed that it would allow content providers to remotely censor or delete data from personal computers. Richard Stallman, founder of the GNU Project and the Free Software Foundation, expressed similar concerns and labelled the "trusted computing" initiative as "treacherous computing".[52] There were concerns that Microsoft would replace the Transmission Control Protocol with a proprietary one.[53][54]

In response, Microsoft published the first version of its technical NGSCB FAQ on August 21, 2002, which outlined the scope and intent of the technology.[55] According to Microsoft, the technology would not incorporate features that could be used to censor or delete users' data, an idea which the corporation stated was in direct conflict with its design goals. Microsoft also vehemently denied that it would incorporate a backdoor or exploit that would allow government agencies access to computers or data protected by the technology:

"Microsoft would refuse to voluntarily place a back door in any of its products and would fiercely resist any government attempt to require back doors in products. From a security perspective, such back doors are an unacceptable security risk because they would permit unscrupulous individuals to compromise the confidentiality, integrity and availability of our customers' data and systems. From a market perspective, such products would not be marketable, either domestically or internationally. Equally important, deliberately inserting such vulnerabilities would undermine Microsoft's reputation in the marketplace as a trusted vendor of products. For these reasons and others, we would, as we did during the encryption debate, oppose any such government efforts."

Overview and features

Process isolation

Sealed storage

Sealed storage refers to the use of encryption to protect locally stored data. Sealed storage differs from traditional encryption schemes in that it allows data to be decrypted only under conditions specified at the time of its encryption.
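The following added example (not NGSCB or Trusted Platform Module code, and not from Microsoft's documentation) models the idea in Python: a hash-chained measurement of the loaded software is mixed into key derivation, so a sealed blob only opens on the same device in the same measured state. The `ToySealer` class, the toy HMAC-based stream cipher and the sample boot chains are assumptions made for illustration.

```python
import hashlib, hmac, os

def extend(pcr, component):
    """Fold a component's hash into the running measurement (hash-chain extend)."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure(chain):
    """Measure components in load order; any change or reordering alters the result."""
    pcr = bytes(32)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode), standing in for real encryption."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

class ToySealer:
    """Hypothetical stand-in for the hardware: its root secret never leaves the object."""
    def __init__(self):
        self._root = os.urandom(32)
        self.pcr = bytes(32)

    def boot(self, chain):
        self.pcr = measure(chain)

    def _keys(self, pcr):
        # Keys depend on both the device secret and a platform measurement.
        return _prf(self._root, b"enc" + pcr), _prf(self._root, b"mac" + pcr)

    def seal(self, data, required_pcr):
        enc, mac = self._keys(required_pcr)
        nonce = os.urandom(16)
        ct = _xor_stream(enc, nonce, data)
        return nonce + ct + _prf(mac, nonce + ct)

    def unseal(self, blob):
        if len(blob) < 48:
            raise ValueError("blob too short")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        enc, mac = self._keys(self.pcr)  # derived from the *current* measurement
        if not hmac.compare_digest(tag, _prf(mac, nonce + ct)):
            raise PermissionError("platform state does not match the sealing conditions")
        return _xor_stream(enc, nonce, ct)

# Constructed sample boot chains (not real component names or hashes).
TRUSTED = [b"loader-1.0", b"nexus-1.0", b"agent-1.0"]
TAMPERED = [b"loader-1.0", b"nexus-1.0-patched", b"agent-1.0"]
```

Sealing to `measure(TRUSTED)` and then calling `boot(TAMPERED)` makes `unseal` raise `PermissionError`, as does moving the blob to a second `ToySealer` with a different root secret.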

Attestation

Attestation refers to validation of an NGSCB machine configuration. Attestation allows users to attest to the state of a hardware or software configuration by sending its cryptographic information to a trusted third party; the third party can then determine whether it should trust the configuration.

Secure I/O

Input and output devices compatible with the NGSCB are designed to provide encrypted channels between the user and applications in order to protect input and output from observation or modification.

Software

Nexus

Diagram of the Nexus design.

The Nexus, previously referred to as the "Nub"[56] or "Trusted Operating Root",[57][58] is the new kernel introduced by the NGSCB. The Nexus is responsible for the secure interaction between the specialized hardware components, and is also responsible for the management of Nexus Computing Agents.

Nexus Computing Agents

Nexus Computing Agents are user-mode application processes managed by the Nexus kernel.

Nexus Computing Agents are divided into three categories: "Application," "Component," and "Trusted Service Provider."[59]

Hardware

Encrypted memory was once considered for the NGSCB, but the idea was later discarded as the only threat conceived of that would warrant its inclusion was the circumvention of digital rights management technology.[60][61]

Trusted Platform Module

The Trusted Platform Module, previously referred to as the "Secure Cryptographic Processor" or "Security Support Component", is the hardware component that securely stores the cryptographic keys for the Nexus and Nexus Computing Agents, which makes the sealed storage and attestation features of the Nexus possible.

The Trusted Platform Module includes an asymmetric 2048-bit RSA key pair, referred to as the Endorsement Key (EK), which is unique to each particular module and is generated as part of its manufacturing process. The public key is accessible to applications or services that have established a trusted relationship with the owner, and is also used to provide the owner with Attestation Identity Keys (AIKs).

According to Microsoft, version 1.2 of the Trusted Platform Module is the first version compatible with its NGSCB architecture. Previous versions do not include the required functionality.[62]

In builds of Windows "Longhorn"

A successful attempt to configure the Next-Generation Secure Computing Base in Windows "Longhorn" build 4053.

In released pre-reset builds of Windows "Longhorn", NGSCB components reside in %SYSTEMDRIVE%\WINDOWS\NGSCB. The last build of Windows "Longhorn" known to include the NGSCB directory and subfolders is build 4066.[63]

In Windows 8

On systems equipped with a compatible Trusted Platform Module, Windows 8 includes a feature called "Measured Boot" which allows a trusted server to verify the integrity of the Windows startup process.[64][65][66] Measured Boot is not directly related to the NGSCB architecture; rather, it serves a purpose comparable to the architecture's "Attestation" feature in that both are designed to validate a platform's configuration.[67]

References

  1. Lemos, Robert. (January 24, 2003). "What's in a name? Not Palladium"
  2. Biddle, Peter. (August 5, 2002). "Re: Dangers of TCPA/Palladium"
  3. Merritt, Rick. (July 15, 2002). "Microsoft scheme for PC security faces flak"
  4. Aday, Michael. "Palladium"
  5. Schoen, Seth. (July 5, 2002). "'Palladium' summary"
  6. Lee, Timothy. (November 30, 2012). "How 4 Microsoft engineers proved that the 'darknet' would defeat DRM"
  7. Secure and reliable bootstrap architecture (U.S. Patent 6185678)
  8. Anderson, James. (October 1972). "Computer Security Technology Planning Study"
  9. Method and apparatus for assessing integrity of computer system software (U.S. Patent 5421006)
  10. Kuhn, Markus. (April 30, 1997). "The TrustNo 1 Cryptoprocessor Concept"
  11. Trusted Computing Platform Alliance. "Home Page"
  12. Microsoft. "Microsoft Next-Generation Secure Computing Base - Technical FAQ"
  13. Trusted Computing Group. "TCG Timeline"
  14. Lampson, Butler. "Curriculum Vitae"
  15. Digital rights management operating system (U.S. Patent 6330670 B1)
  16. Loading and identifying a digital rights management operating system (U.S. Patent 6327652 B1)
  17. Key-based secure storage (U.S. Patent 7194092 B1)
  18. Controlling access to content based on certificates and access predicates (U.S. Patent 6820063 B1)
  19. System and method for authenticating an operating system to a central processing unit (U.S. Patent 7174457 B1)
  20. Secure execution of program code (U.S. Patent 6651171 B1)
  21. Hierarchical trusted code for content protection in computers (U.S. Patent 20040243836 A1)
  22. Microsoft. "Privacy, Security, and Content Protection"
  23. Levy, Steven. (June 24, 2002). "The Big Secret"
  24. Geek.com. (June 24, 2002). "'Palladium': Microsoft's big plan for the PC"
  25. ExtremeTech. (June 24, 2002). "'Palladium': Microsoft Revisits Digital Rights Management"
  26. Lettice, John. (August 13, 2002). "MS recruits for Palladium microkernel and/or DRM platform"
  27. Bekker, Scott. (May 6, 2003). "'Palladium' on Display at WinHEC"
  28. Microsoft PressPass. "At WinHEC, Microsoft Discusses Details of Next-Generation Secure Computing Base"
  29. Evers, Joris. (May 7, 2003). "Microsoft turns to emulators for security demo"
  30. Rooney, Paula; Montalbano, Elizabeth. (October 1, 2003). "Microsoft to Hand Over Early Whidbey, Yukon Code At PDC"
  31. Evers, Joris. (October 30, 2003). "Developers get hands on Microsoft's NGSCB"
  32. Microsoft. "A Review of Microsoft Technology for 2003, Preview for 2004"
  33. Evers, Joris. (May 5, 2004). "WinHEC: Microsoft revisits NGSCB security plan"
  34. Sanders, Tom. (May 6, 2004). "Microsoft shakes up 'Longhorn' security"
  35. Bangeman, Eric. (May 5, 2004). "Microsoft kills Next-Generation Secure Computing Base"
  36. Rooney, Paula. (May 5, 2004). "Microsoft shelves NGSCB project as NX moves to center stage"
  37. eWeek. (May 5, 2004). "Microsoft: Palladium is still alive and kicking"
  38. Thurrott, Paul. (May 7, 2004). "WinHEC 2004 Show Report and Photo Gallery"
  39. Fried, Ina. (September 8, 2004). "Controversial Microsoft plan heads for 'Longhorn'"
  40. Evers, Joris. (February 24, 2005). "Silence Fuels Speculation on Microsoft Security Plan"
  41. Microsoft. (April 20, 2005). "Steve Ballmer: Microsoft Management Summit"
  42. Sanders, Tom. (April 26, 2005). "'Longhorn' security gets its teeth kicked out"
  43. Biddle, Peter. (July 16, 2008). "Perception (or, Linus gets away with being honest again)"
  44. Greek Mythology Index. "PALLADIUM"
  45. Lemos, Robert. (January 24, 2003). "What's in a name? Not Palladium"
  46. Lettice, John. (June 24, 2002). "MS DRM OS, retagged 'secure OS' to ship with 'Longhorn'?"
  47. Forno, Richard. (June 24, 2002). "MS to micro-manage your computer"
  48. Greene, Thomas. (June 25, 2002). "MS to eradicate GPL, hence Linux"
  49. Anderson, Ross. (June 26, 2002). "TCPA / Palladium Frequently Asked Questions - Version 0.1"
  50. Tweney, Dylan. (June 28, 2002). "Broken trust"
  51. Lettice, John. (June 28, 2002). "MS 'Palladium' protects IT vendors, not you - paper"
  52. Stallman, Richard. "Can you trust your computer?"
  53. Cringely, Robert. (August 1, 2001). "The Death of TCP/IP"
  54. Cringely, Robert. (June 27, 2002). "I Told You So: Alas, a Couple of Bob's Dire Predictions Have Come True"
  55. Microsoft PressPass. (August, 2002). "Microsoft "Palladium" Initiative Technical FAQ"
  56. Biddle, Peter. (August 5, 2002). "Re: Dangers of TCPA/Palladium"
  57. Microsoft PressPass. "'Palladium': A Business Overview"
  58. Biddle, Peter. (September 19, 2002). "Re: Cryptogram: 'Palladium' only for DRM"
  59. Cram, Ellen. (October 2003). "Development Considerations for Nexus Computing Agents"
  60. Biddle, Peter. (February 22, 2008). "Attack isn't news, and there are mitigations"
  61. Biddle, Peter. (February 23, 2008). "Threat Model Irony"
  62. Microsoft. "Privacy-Enabling Enhancements in the Next-Generation Secure Computing Base"
  63. BetaArchive forums. (May 2, 2014). "Builds of 'Longhorn' with NGSCB?"
  64. Microsoft TechNet. "Windows 8 Boot Process - Security, UEFI, TPM"
  65. Microsoft TechNet. "Windows 8 Boot Security FAQ"
  66. Microsoft Software Developer Network (MSDN). "Measured Boot"
  67. Microsoft. "Secured Boot and Measured Boot: Hardening Early Boot Components against Malware"

External links

Microsoft Next-Generation Secure Computing Base Home Page