When Microsoft Corp. raises the curtain on the first piece of its Next-Generation Secure Computing Base for Windows technology this week, company executives said it will mark the beginning of a fundamental shift in the architecture of the PC and the way users interact with their machines.
While it could take years to test that theory, security experts, researchers and potential customers say the architecture in its current form leaves much to be desired and may be more useful to Microsoft and its partners than to users.
Microsoft plans to demonstrate Nexus, the software module that is the heart of the NGSCB architecture, formerly code-named Palladium, this week at the company's WinHEC conference in New Orleans. Nexus functions as a separate operating system kernel, controlling the way a PC interacts with Nexus-aware applications, hardware and memory. To run in secure mode on an NGSCB-enabled machine, an application will have to be trusted by Nexus.
Microsoft has Nexus up and running, although it doesn't currently have all the security features enabled, said company officials in Redmond, Wash. Microsoft has also developed several small Nexus-aware applications it will demonstrate at the show. Nexus will run in parallel with the normal operating system and will, theoretically, prevent rogue applications and processes from running on the machine.
Another major part of the system will be the Security Support Component, a hardware module that will handle cryptographic operations and store the crypto keys used by Nexus.
But the same technology that enables this kind of protection is also what worries many of NGSCB's critics. They say the tight control over the PC's interaction with applications could easily lead to onerous digital-rights-management-style restrictions on content use and could give Microsoft and other vendors the ability to dictate which applications users can run.
“If some set of mandatory access controls for e-mail become a popular corporate application under Windows [Server] 2003 and mandatory access controls eventually require a [Trustworthy Computing] platform, then corporate users may also have little choice but to migrate,” said Ross Anderson, a professor of security engineering at Cambridge University, in Cambridge, England, in a new paper on NGSCB and similar technologies to be published later this month.
“In fact, they may have even less choice than music subscribers,” Anderson added. “Music fans can always go out and buy new CDs, as they did when CDs replaced vinyl; but if many corporate and official communications and records come to be protected using cryptographic keys that cannot conveniently be extracted from embedded mandatory access control mechanisms, then companies may have no choice but to follow the [Trustworthy Computing] mechanisms that protect and control these keys.”
“The interesting thing to me is that Microsoft has pushed the hardware vendors to implement things—for example, trusted paths—that the defense community has wanted for years. The underlying hardware that supports Palladium can definitely support trusted computing without all of the baggage that Ross and others point out,” said Bill Arbaugh, assistant professor of computer science at the University of Maryland at College Park and the co-author of one of the seminal papers on the kind of architecture Microsoft is proposing.
“Whether or not the software vendors do that is another issue and one that I can't answer,” he said. “I will say that myself and others plan to develop open-source software that utilizes these features once they are released. Security technology, like most technology, is a double-edged sword in that effective DRM requires originator control over the material. The defense and government users very much want to have effective originator control, and privacy rights advocates do as well, i.e., it would be nice if I could release my private information in a way that I continued to control who, how and when it was accessed.”
Other observers say that while many initial concerns about Microsoft's being able to remotely control what software runs on users' machines have proved unfounded, the NGSCB technology would give vendors and others more control over end-user machines than they currently have.
“There are elements of control, but they're not as fine-grained as people think,” said Seth Schoen, staff technologist at the Electronic Frontier Foundation, in San Francisco. “Still, reliable remote attestation and sealed storage means that someone not sitting in front of a computer gets control over it while it's doing a certain thing.”
“As hardware becomes more tamper-proof, that becomes more worrisome,” Schoen added. “And a lot of businesses are very concerned about vendor lock-in. NGSCB would allow vendors to achieve lock-in deliberately. That doesn't exist today.”
Microsoft officials resist this characterization of the system.
“From a lock-in perspective, the Microsoft business model is about delighting a broad range of customers, and they're very clear that they don't want lock-in,” said Peter Biddle, product unit manager in the Security Business Unit at Microsoft. “That never was an intent. We're getting feedback from customers that if they smell a whiff of lock-in, they're not adopting [NGSCB].”
Potential users of the NGSCB system, meanwhile, are unsure whether the promised security enhancements outweigh the baggage that accompanies them.
“NGSCB is great for security, but there are costs beyond adding the encryption chip to the hardware or the added complexity of developing applications,” said Lester John, assistant vice president of information security at Fleet Securities Inc., in Boston. “[If] a computer breaks and a [technician] pulls the hard drive and puts it into a new machine, the user is back in business. With a secure PC, how does this now happen?”
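The drive-swap question raised above comes down to what sealed storage binds data to. The following Python model is an added illustration, not code from Microsoft or the NGSCB design; it assumes a hypothetical Security Support Component holding one per-machine root key and a Nexus measurement hash, and shows that a blob sealed on one machine under one Nexus build cannot be unsealed on another machine or under a different Nexus build.

```python
import hashlib
import hmac
import secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream from SHA-256, XORed over data (stand-in for a real cipher).
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class SecuritySupportComponent:
    """Hypothetical model of the SSC: a per-machine root key that never leaves the chip."""

    def __init__(self, root_key: bytes) -> None:
        self._root_key = root_key

    def _seal_key(self, nexus_measurement: bytes) -> bytes:
        # The sealing key depends on the machine (root key) AND the software (Nexus hash).
        return hmac.new(self._root_key, b"seal|" + nexus_measurement, hashlib.sha256).digest()

    def seal(self, nexus_measurement: bytes, data: bytes) -> bytes:
        key = self._seal_key(nexus_measurement)
        nonce = secrets.token_bytes(16)
        ciphertext = _xor_stream(key, nonce, data)
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def unseal(self, nexus_measurement: bytes, blob: bytes):
        # Returns the data, or None when the blob was sealed by another machine or Nexus.
        key = self._seal_key(nexus_measurement)
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        return _xor_stream(key, nonce, ciphertext)


def disk_move_scenario() -> dict:
    # Constructed scenario: two machines (two SSC root keys) and two Nexus builds.
    old_pc = SecuritySupportComponent(secrets.token_bytes(32))
    new_pc = SecuritySupportComponent(secrets.token_bytes(32))
    nexus_v1 = hashlib.sha256(b"constructed Nexus build 1").digest()
    nexus_v2 = hashlib.sha256(b"constructed Nexus build 2").digest()
    blob = old_pc.seal(nexus_v1, b"corporate record")
    return {
        "same_pc_same_nexus": old_pc.unseal(nexus_v1, blob) == b"corporate record",
        "drive_moved_to_new_pc": new_pc.unseal(nexus_v1, blob) is not None,
        "same_pc_updated_nexus": old_pc.unseal(nexus_v2, blob) is not None,
    }
```

Only the first scenario recovers the record; a replacement machine or an updated Nexus gets nothing back unless the design provides a separate key-migration path.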
A vital element of Microsoft's plans for NGSCB is the development of a strong, diverse set of partners. Some key vendors, including Intel Corp., Advanced Micro Devices Inc. and Hewlett-Packard Co., have already allied themselves with Microsoft. But if a broader base of support doesn't materialize, NGSCB could die on the vine.
“If we don't get hardware, I'm done,” Microsoft's Biddle said. “I have no business without some fundamental changes to the PC architecture. And if people don't write software that takes advantage of those changes, I'm done.”
Hardware vendors say customer demand will be a key driver in determining the extent to which NGSCB is featured in their machines. Manny Novoa, a security architect at HP, based in Palo Alto, Calif., said he expects that hardware manufacturers will initially offer versions of systems that are NGSCB-enabled and others that aren't. It will be customers who decide whether they want to spend the extra money for an NGSCB-ready version of a system, Novoa said.
“I think it's going to be a good couple of years of progressive rollouts before you see a critical mass” of NGSCB-enabled PCs, Novoa said.
Additional reporting by Jeffrey Burt.
(Editor's Note: This story has been updated since its original posting to include comments from Bill Arbaugh.)