News

Palladium: Don't Fear the Nexus

• By Scott Bekker
• 07/07/2003

Microsoft's Next Generation Secure Computing Base is misunderstood. The controversial proposal for delivering client security through integrated hardware and software has some privacy advocates and conspiracy theorists crying foul. But several details have emerged that demonstrate that this code won't be running secretively in the background, and in fact that it looks like a promising, user-controlled defense against privacy intrusions and security violations.

The first thing you have to know is what to call it. The code-name was "Palladium." The formal name is way too long, and even pronouncing the letters NGSCB is a mouthful. Microsoft uses the guttural acronym "ING-scub."

According to Microsoft, the driving force behind NGSCB is the realization that software-only defense mechanisms have reached the point of diminishing returns.

Microsoft developers believe they can protect client systems from software-based attacks through a secure OS kernel that starts up inside the Windows "Longhorn" operating system and authenticates itself against next-generation hardware designed for security. The nexus is like a mini-kernel, providing services to applications directly related to security, while relying on the main operating system kernel to provide all other services.

Several things have to be in place for the nexus to run. For one thing, the system has to have several pieces of next-generation hardware. Those NGSCB-compliant pieces include a processor, a chipset, a secure graphics adapter and secure keyboard and mouse drivers. A new bit of hardware, called the security support component (SSC), must also be in place on the motherboard. The SSC does the encryption and stores the keys. The application must be written to use the nexus or have an agent written for it that helps it use the nexus. Finally, the user has to choose to run the application as an NGSCB application.

Because the nexus operates separately from the boot process and starts up only when requested, the nexus won't run automatically. When the nexus is in place, it will provide four main functions. First, and most important, is it will provide an area of curtained memory that isolates and hides all nexus-aware applications from the rest of the operating system and all other software on the system. A bad driver or a trojan will not be aware that the curtained-off protected operating environment exists, let alone be able to interact with applications operating inside it. Within the curtained memory, the nexus also isolates the nexus-aware applications from one another.

The other three functions rely on encryption services arranged by the nexus and provided by the hardware-based SSC. Data written to disk by the nexus-aware applications can be encrypted using the SSC's keys. The system can attest to its own identity for an external application through a hardware-based cryptographic key. Finally, all input from keyboard and mouse and output to the monitor is encrypted to protect against key logging software and malware written to steal data from video memory.

So when's it coming? The working ETA for Windows "Longhorn" is 2005. Microsoft NGSCB product unit manager Peter Biddle expects complete systems will be available from several vendors at that point. "I think that single-digit percentages in the first year of new shipping machines will support NGSCB," Biddle says. "I think the tipping point for uptake happens sometime in year two or year three."