Microsoft Corp.s NGSCB initiative aims to improve security in future versions of Windows by providing a fine-grained level of control over applications designed to take advantage of this technology.
Based on WinHEC talks and on Microsoft documentation, eWEEK Labs believes significant implementation hurdles must be overcome before Next-Generation Secure Computing Base can become a reality.
NGSCB will provide what amounts to a separate, scaled-back operating system running in and alongside Windows as we know it today. The kernel of this separate operating system is called Nexus, and the applications, services or portions of applications that run atop it are called NCAs (Nexus Computing Agents).
Microsoft describes this OS-within-an-OS situation in terms of a Standard mode, or left-hand side; and a Nexus mode, or right-hand side.
NGSCB sets aside a portion of system RAM as “curtained.” A given section of memory in this curtained space is accessible only by the NCA that runs in it or by processes with which that NCA has a specific trust relationship. NGSCB will work with standard RAM chips but will require new CPUs and chip sets to manage this curtained memory scheme.
NGSCB extends these controls to data stored on hard disks with encryption services that ensure that data may be accessed only by the NCA to which it belongs or to other software that that NCA trusts.
These encryption services are rooted in an OEM-signed SSC (security support component) that will be embedded in, or at least soldered onto, the motherboard of every NGSCB-capable machine and will contain encryption keys unique to that piece of hardware. When Nexus boots, the CPU and the SSC compute a cryptographically signed digest for Nexus. Nexus, in turn, computes digests for NCAs.
A “chain of trust” rooted in the secret keys stored in the SSC enables NGSCB systems to offer trustable authentication of hardware and software as well as user authentication. However, attestation only confirms that a signed piece of code or data is what it claims to be, and it wont guarantee its quality or benevolence. Further assurance must come from an outside party.
Rounding out the NGSCB system security loop is the provision of a secure path between the user and Nexus. Mouse and keyboard input will travel across an encrypted path to Nexus, which directs these inputs to the appropriate NCA or back to the left-hand side, preventing keystroke logger attacks on right-hand-side applications.
On the output side, NCAs will communicate with graphics adapters across a secure path, and a simple, XML-based graphics service on the right-hand side will be responsible for drawing interface windows for NCAs.
These secure paths to and from the user will require changes to current input devices and/or Universal Serial Bus hubs, as well as to graphics adapters. How NGSCB will support accessibility software or wireless input devices has yet to be determined.
At WinHEC, Microsoft announced that it will deliver a prebeta version of NGSCB at its Professional Developers Conference in October, with the system slated for completion in time to accompany “Longhorn” in 2005. Before that time comes, Microsoft must address a number of significant challenges if NGSCB is to succeed.
Requiring CPU, chip set, graphics adapter, input device and motherboard changes, NGSCB wont run on todays hardware, which will probably slow customer uptake. In addition, NGSCB will only be as useful as the software that supports it, so its viability will depend on widespread industry support.
NGSCB will enable much more control over systems that include it, but these expanded control options come with more management complexity. NCAs will have to communicate with one another, with portions of the Standard-mode operating system and with remote services, and each of these links will require users to monitor their trust relationship choices.
Out of the box, Windows XP grants default Administrator rights, in a nod to convenience over security. Conversely, Microsoft officials have said that NGSCB systems will ship with Nexus switched off by default. However, unless Microsoft aces the job of implementing the policy management portions of NGSCB, users and companies may never opt to enable them.