What to expect from Microsoft's NGSCB plan

Computerworld - Microsoft Corp. said that it was retinkering with its Next Generation Secure Computing Base (NGSCB), originally announced in 2002 with the code name Palladium. This step was taken in response to demands from users and software vendors that existing applications could take advantage of the security functions offered by the NGSCB platform without having to rewrite them (see story).

This is welcome news for users and independent software vendors. However, it may present challenges to the NGSCB design. To facilitate the discussion, Figure 1 shows the NGSCB configuration. Components of the NGSCB that require the support of new hardware are shown in Figure 1 with the image of an IC chip.

Figure 1: NGSCB Configuration. The green-red lines show where protected data is in encrypted or decrypted format. Encryption or decryption occurs at the junction of the red and green lines.

The NGSCB Nexus security kernel identifies, authenticates and controls access to trusted applications and resources using a security reference monitor, a part of the Nexus security kernel. For an application to make use of the protected operating environment, either parts of it need to function as component Nexus Computing Agents, or the entire application needs to function as a stand-alone NCA. An NCA is a trusted software running in the protected operating environment and is hosted by the Nexus. The protected environment in the NGSCB was envisioned as a very restricted development environment. An application is partitioned so that only components that manage critical trusted information are run as NCAs in the protected environment, and components that manage traditional functionalities are run in the standard environment. This is summarized by Microsoft¹ as: "A good rule of thumb is: If you can leave functionality in Standard mode without compromising information, you should leave it there." To achieve this partition will most likely require some rewriting and retesting of existing applications.

Another challenge to running existing applications as is without rewriting is more fundamental and may cause breaches to the security of the NGSCB. The two main enabling features of the NGSCB platform are the hardware-enforced curtained memory where the Nexus and NCAs are run, and the hardware component, namely the Security Support Component or Trusted Platform Module chip, for storing and managing encryption keys.

However, once in the protected environment, based on Microsoft documents², the Nexus is protected from NCAs, and the NCAs are protected from each other using the same ring and virtual memory protections as used in today's computers.

Thus, once a program gets into the protected environment, the security is no different from the situation in today's PCs. To ensure the security in the protected environment, NCAs should be written as managed codes so that the Nexus can closely manage them, and it is ensured that the Nexus is protected from the NCAs and the NCAs are protected from each other. Allowing applications to run in the protected environment means that flaws or vulnerabilities in an application may compromise the ring and virtual memory protection within the protected environment, and modify or affect the Nexus or other NCAs in unintended or malicious ways.