The "Next-Generation Secure Computing Base" (NGSCB), formerly known as Palladium (Pd), is Microsoft's new trusted computing architecture. (The name was changed in 2003. Microsoft claimed it was because a book publisher of the same name wouldn't allow them to use "Palladium"; Critics charge that the change was a reaction to the negative publicity surrounding the Palladium operating system.)
NGSCB makes heavy use of the so-called Fritz-chip, a secure cryptographic coprocessor.
Under Palladium, the Microsoft operating system, working with a secure cryptoprocessor embedded in the PC, will create a new class of applications which have special powers and protections and which run side by side with ordinary code. The stated aim is to fix the problems of current computer insecurity, and to create new kinds of distributed applications, where each component can know and trust the operation of other parts of the system, even when they are running on remote computers.
Opponents characterise it as an attempt to control the market for computer hardware and software, thus entrenching and extending Microsoft's existing desktop computer operating system and software monopoly. Opponents have also characterised it as an attempt to leverage this monopoly into a monopoly over Digital Rights Management, and hence effective control over the content delivery industry. They further fear that the Palladium platform will eventually control all aspects of computer operation, including web browsing and e-mail.
Microsoft has patent protection on several concepts relating to their "Digital Rights Management Operating System", although it is not clear at this point which of them will be part of Palladium when it is finally fielded.
The Palladium initiative is probably named after the Palladium, a legendary statue in ancient Troy. According to myth, while the statue was safe, so was the city. Troy fell to a Trojan horse attack, according to the legend. The parallel is one that opponents are quick to point to, both for the idea itself as well as for explaining why Microsoft chose to change the name.
Functionality of TCPA/NGSCB
Based on current information, NGSCB (Palladium) would work in the following ways:
- At any time after booting, the user chooses to enable NGSCB, which will let him run "trusted" applications.
- The Windows OS loads the NGSCB micro-kernel, called the Nexus, into a region of memory that is only accessible in a new processor mode. Simultaneously, the NGSCB Security Support Component, SSC, takes and records a hash of the Nexus.
- An NGSCB "trusted" module, called a Nexus Computing Agent or NCA, loads into the special curtained memory region. The SSC takes a hash of the software as it loads.
- The NCA can make calls into the Nexus to make use of NGSCB functionality. This includes sealing (encrypting) data with the aid of the SSC, which can optionally lock the data to the hash of the NCA, making it impossible for other software to decrypt the data.
- The NCA can also use the "attestation" feature of NGSCB to get the SSC to sign a message that reports on the NCA's hash, which the Nexus then sends to a remote system. This allows the remote system to be convinced of the identity of the software running locally.
- The keyboard and display device can also be opened as secure channels by the NCA, allowing I/O to occur without other software being able to snoop on the data being displayed or typed.
- The combination of these features allows distributed applications to exchange and store data via secure channels such that no entity other than these software programs can examine or change the data. This inherently supports DRM as well as a wide range of other security based applications.
If the above functionality of TCPA/NGSCB were in the final product, opponents claim it would have the following drawbacks:
- The current free competition within the software industry could be a thing of the past, say critics, as programs could not load each other's files due to the encryption the saving program can put on files created. One software company would gain dominance over a particular industry and it would be impossible to dislodge them. Note, however, that this is already the case as many software companies use proprietary file formats that are difficult or impossible to read in other applications.
- Those who attempt to circumvent the security restrictions of NGSCB could be sued under the Digital Millennium Copyright Act, advise challengers.
- Currently websites are processor independent. TCPA/NGSCB would make x86 processors gain a monopoly as websites would not allow ARM users access
On August 28 2003 Microsoft made an announcement saying that to combat the thread of future viruses like SoBig.F NGSCB was needed.
Simon Conant, a 'security expert' (quoted verbatim from the source article, the UK Metro) working for Microsoft said "We need to go back to the drawing board with a brand new architecture for the PC".
This argument has several flaws in it, according to critics:
- SoBig.F only affects Microsoft operating systems, argue rivals to it, and even then only those who use Outlook or Outlook Express as their mail program. Advocates of alternatives to Outlook have suggested that a mail program which either has no scripting language at all or has a scripting language which is too secure to be exploited is completely immune to the virus. According to their logic, using a non-Microsoft operating system and/or a mail program with no Outlook-style flaws is a perfectly adequate defense against mail viruses.
- Arguably one of NGSCB's main features is providing "trusted" programs immunity to attack from other programs, including viruses. Programs can still be infected, however, and script viruses that run from emails would still run.
- Even if a way can be found to stop malicious scripts inside signed programs as well on an NGSCB, it is considered overkill by dissenters to introduce NGSCB when a simple change to a non-Microsoft OS and/or mail program would be sufficient, especially given all the other claimed disadvantages of NGSCB.
Microsoft is not presently making strong claims that NGSCB would solve the virus problem. In their Technical FAQ linked from the Microsoft NGSCB page, they say, "Since the nexus and NCAs do not interfere with the operation of any program running in the regular Windows environment, everything, including the native operating system and viruses, runs there as it does today. Therefore, users are still going to need antivirus monitoring and detection software in Windows."
The FAQ goes on to describe the contribution of NGSCB against viruses in more modest terms: "However, the NGSCB architecture does provide features that can be used by an antivirus program to help guarantee that it has not been corrupted. The antivirus software can be grounded in such a way that it can bootstrap itself into a protected execution state, something it cannot do today."
A conspiracy theorist view on this is that Microsoft have deliberately left the flaws in Outlook/Outlook Express so that an email virus can cripple a computer and Microsoft can then announce NGSCB as the saviour. Certainly, claim critics of Outlook, there is no valid reason for an incoming email to have access to a client's address book which they call one of the primary ways email viruses spread.
Later versions of Outlook and Outlook Express disable scripting in emails to prevent such viruses from spreading. Most email viruses today spread by sending executable attachments and using social engineering tactics to convince users to open them. Newer versions of Outlook and Outlook Express automatically strip executable attachments from emails.
Discussion on the Pros and Cons of Palladium/NGSCB
- Microsoft's NGSCB page (http://www.microsoft.com/resources/ngscb/default.mspx)
- Ross Anderson's TCPA/Palladium FAQ (http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html)
- Microsoft patents "Digital Rights Management Operating System" (http://www.oreillynet.com/cs/user/view/wlg/956)
- Microsoft's "Digital Rights Management Operating System" patent (http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1=6330670.WKU.&OS=PN/6330670&RS=PN/6330670)
- Register story criticising Palladium (http://theregister.co.uk/content/4/25891.html)
- MSNBC article (http://www.msnbc.com/news/770511.asp?cp1=1)
- Register story: MS security patch EULA gives Billg admin privileges on your box (http://www.theregister.co.uk/content/4/25956.html)
- The Trojan Palladium (http://homepage.mac.com/cparada/GML/Palladium.html)
- News.com story: What's in a name? Not Palladium (http://news.com.com/2100-1001-982127.html?tag=fd_top)
- Richard Stallman's The Right to Read (http://www.gnu.org/philosophy/right-to-read.html)
- Richard Stallman's Can You Trust Your Computer? (http://www.gnu.org/philosophy/can-you-trust.html)
- EFF's Trusted Computing: Promise and Risk (http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php)
- Microsoft moves to integrate Windows with BIOS (http://news.zdnet.co.uk/software/developer/0,39020387,39116902,00.htm)