Next-Generation Secure Computing Base
The Next-Generation Secure Computing Base is a software architecture designed by Microsoft which claimed to provide users of the Windows operating system with better privacy, security, and system integrity. It was an initiative to implement Trusted Computing concepts to Windows. NGSCB was the result of years of research and development within Microsoft to create a secure computing solution that equaled the security of closed platforms such as set-top boxes while simultaneously preserving the backward compatibility, flexibility, and openness of the Windows operating system. Microsoft's primary stated objective with NGSCB was to "protect software from software."
Part of the Trustworthy Computing initiative when unveiled in 2002, NGSCB was to be integrated with Windows Vista, then known as "Longhorn." NGSCB relied on hardware designed by the Trusted Computing Group to produce a parallel operation environment hosted by a new hypervisor called the "Nexus" that existed alongside Windows and provided new applications with features such as hardware-based process isolation, data encryption based on integrity measurements, authentication of a local or remote machine or software configuration, and encrypted paths for user authentication and graphics output. NGSCB would facilitate the creation and distribution of digital rights management policies pertaining the use of information.
NGSCB was subject to much controversy during its development, with critics contending that it would impose restrictions on users, enforce vendor lock-in, prevent running open-source software, and undermine fair use rights. It was first demonstrated by Microsoft at WinHEC 2003 before undergoing a revision in 2004 that would enable earlier applications to benefit from its functionality. Reports indicated in 2005 that Microsoft would change its plans with NGSCB so that it could ship Windows Vista by its self-imposed deadline year, 2006; instead, Microsoft would ship only part of the architecture, BitLocker, which can optionally use the Trusted Platform Module to validate the integrity of boot and system files prior to operating system startup. Development of NGSCB spanned approximately a decade before its cancellation, the lengthiest development period of a major feature intended for Windows Vista.
NGSCB differed from technologies Microsoft billed as "pillars of Windows Vista"—Windows Presentation Foundation, Windows Communication Foundation, and WinFS—during its development in that it was not built with the.NET Framework and did not focus on managed code software development. NGSCB has yet to fully materialize; however, aspects of it are available in features such as BitLocker of Windows Vista, Measured Boot and UEFI of Windows 8, Certificate Attestation of Windows 8.1, Device Guard of Windows 10. and Device Encryption in Windows 11 Home editions, with TPM 2.0 mandatory for installation.
History
Early development
Development of NGSCB began in 1997 after Peter Biddle conceived of new ways to protect content on personal computers. Biddle enlisted assistance from members from the Microsoft Research division and other core contributors eventually included Blair Dillaway, Brian LaMacchia, Bryan Willman, Butler Lampson, John DeTreville, John Manferdelli, Marcus Peinado, and Paul England. Adam Barr, a former Microsoft employee who worked to secure the remote boot feature during development of Windows 2000 was approached by Biddle and colleagues during his tenure with an initiative tentatively known as "Trusted Windows," which aimed to protect DVD content from being copied. To this end, Lampson proposed the use of a hypervisor to execute a limited operating system dedicated to DVD playback alongside Windows 2000. Patents for a DRM operating system were later filed in 1999 by England, DeTreville and Lampson; Lampson noted that these patents were for NGSCB. Biddle and colleagues realized by 1999 that NGSCB was more applicable to privacy and security than content protection, and the project was formally given the green-light by Microsoft in October, 2001.During WinHEC 1999, Biddle discussed intent to create a "trusted" architecture for Windows to leverage new hardware to promote confidence and security while preserving backward compatibility with previous software. On October 11, 1999, the Trusted Computing Platform Alliance, a consortium of various technology companies including Compaq, Hewlett-Packard, IBM, Intel, and Microsoft was formed in an effort to promote personal computing confidence and security. The TCPA released detailed specifications for a trusted computing platform with focus on features such as code validation and encryption based on integrity measurements, hardware-based key storage, and machine authentication; these features required a new hardware component designed by the TCPA called the "Trusted Platform Module".
At WinHEC 2000, Microsoft released a technical presentation on the topics of protection of privacy, security, and intellectual property titled "Privacy, Security, and Content in Windows Platforms", which focused on turning Windows into a "platform of trust" for computer security, user content, and user privacy. Notable in the presentation is the contention that "there is no difference between privacy protection, computer security, and content protection"—"assurances of trust must be universally true". Microsoft reiterated these claims at WinHEC 2001. NGSCB intended to protect all forms of content, unlike traditional rights management schemes which focus only on the protection of audio tracks or movies instead of users they have the potential to protect which made it, in Biddle's words, "egalitarian".
As "Palladium"
Microsoft held its first design review for the NGSCB in April 2002, with approximately 37 companies under a non-disclosure agreement. NGSCB was publicly unveiled under its codename "Palladium" in a June 2002 article by Steven Levy for Newsweek that focused on its design, feature set, and origin. Levy briefly described potential features: access control, authentication, authorization, DRM, encryption, as well as protection from junk mail and malware, with example policies being email accessible only to an intended recipient and Microsoft Word documents readable for only a week after their creation; Microsoft later release a guide clarifying these assertions as being hyperbolic; namely, that NGSCB would not intrinsically enforce content protection, or protect against junk mail or malware. Instead, it would provide a platform on which developers could build new solutions that did not exist by isolating applications and store secrets for them. Microsoft was not sure whether to "expose the feature in the Control Panel or present it as a separate utility," but NGSCB would be an opt-in solution—disabled by default.Microsoft PressPass later interviewed John Manferdelli, who restated and expanded on many of the key points discussed in the article by Newsweek. Manferdelli described it as evolutionary platform for Windows in July, articulating how "'Palladium' will not require DRM, and DRM will not require 'Palladium'. Microsoft sought a group program manager in August to assist in leading the development of several Microsoft technologies including NGSCB. Paul Otellini announced Intel's support for NGSCB with a set of chipset, platform, and processor codenamed "LaGrande" at Intel Developer Forum 2002, which would provide an NGSCB hardware foundation and preserve backward compatibility with previous software.
As NGSCB
NGSCB was known as "Palladium" until January 24, 2003 when Microsoft announced it had been renamed as "Next-Generation Secure Computing Base." Project manager Mario Juarez stated this name was chosen to avoid legal action from an unnamed company which had acquired the rights to the "Palladium" name, as well as to reflect Microsoft's commitment to NGSCB in the upcoming decade. Juarez acknowledged the previous name was controversial, but denied it was changed by Microsoft to dodge criticism.The Trusted Computing Platform Alliance was superseded by the Trusted Computing Group in April 2003. A principal goal of the new consortium was to produce a Trusted Platform Module specification compatible with NGSCB; the previous specification, TPM 1.1 did not meet its requirements. TPM 1.2 was designed for compliance with NGSCB and introduced many features for such platforms. The first TPM 1.2 specification, Revision 62 was released in 2003.
Biddle emphasized in June 2003 that hardware vendors and software developers were vital to NGSCB. Microsoft publicly demonstrated NGSCB for the first time at WinHEC 2003, where it protected data in memory from an attacker; prevented access to—and alerted the user of—an application that had been changed; and prevented a remote administration tool from capturing an instant messaging conversation. Despite Microsoft's desire to demonstrate NGSCB on hardware, software emulation was required for as few hardware components were available. Biddle reiterated that NGSCB was a set of evolutionary enhancements to Windows, basing this assessment on preserved backward compatibility and employed concepts in use before its development, but said the capabilities and scenarios it would enable would be revolutionary. Microsoft also revealed its multi-year roadmap for NGSCB, with the next major development milestone scheduled for the Professional Developers Conference, indicating that subsequent versions would ship concurrently with pre-release builds of Windows Vista; however, news reports suggested that NGSCB would not be integrated with Windows Vista when release, but it would instead be made available as separate software for the operating system.
Microsoft also announced details related to adoption and deployment of NGSCB at WinHEC 2003, stating that it would create a new value proposition for customers without significantly increasing the cost of computers; NGSCB adoption during the year of its introductory release was not anticipated and immediate support for servers was not expected. On the last day of the conference, Biddle said NGSCB needed to provide users with a way to differentiate between secured and unsecured windows—that a secure window should be "noticeably different" to help protect users from spoofing attacks; Nvidia was the earliest to announce this feature. WinHEC 2003 represented an important development milestone for NGSCB. Microsoft dedicated several hours to presentations and released many technical whitepapers, and companies including Atmel, Comodo Group, Fujitsu, and SafeNet produced preliminary hardware for the demonstration. Microsoft also demonstrated NGSCB at several U.S. campuses in California and in New York in June 2003.
NGSCB was among the topics discussed during Microsoft's PDC 2003 with a pre-beta software development kit, known as the Developer Preview, being distributed to attendees. The Developer Preview was the first time that Microsoft made NGSCB code available to the developer community and was offered by the company as an educational opportunity for NGSCB software development. With this release, Microsoft stated that it was primarily focused on supporting business and enterprise applications and scenarios with the first version of the NGSCB scheduled to ship with Windows Vista, adding that it intended to address consumers with a subsequent version of the technology, but did not provide an estimated time of delivery for this version. At the conference, Jim Allchin said that Microsoft was continuing to work with hardware vendors so that they would be able to support the technology, and Bill Gates expected a new generation of central processing units to offer full support. Following PDC 2003, NGSCB was demonstrated again on prototype hardware during the annual RSA Security conference in November.
Microsoft announced at WinHEC 2004 that it would revise NSCB in response to feedback from customers and independent software vendors who did not desire to rewrite their existing programs in order to benefit from its functionality; the revision would also provide more direct support for Windows with protected environments for the operating system, its components, and applications, instead of it being an environment to itself and new applications. The NGSCB secure input feature would also undergo a significant revision based on cost assessments, hardware requirements, and usability issues of the previous implementation. There were subsequent reports that Microsoft would cease developing NGSCB; Microsoft denied these reports and reaffirmed its commitment to delivery. Additional reports published later that year suggested that Microsoft would make even additional changes based on feedback from the industry.
Microsoft's absence of continual updates on NGSCB progress in 2005 had caused industry insiders to speculate that NGSCB had been cancelled. At the Microsoft Management Summit event, Steve Ballmer said that the company would build on the security foundation it had started with the NGSCB to create a new set of virtualization technologies for Windows, which were later Hyper-V. Reports during WinHEC 2005 indicated Microsoft scaled back its plans for NGSCB, so that it could to ship Windows Vista—which had already been beset by numerous delays and even a "development reset"—within a reasonable timeframe; instead of isolating components, NGSCB would offer "Secure Startup" to encrypt disk volumes and validate both pre-boot firmware and operating system components. Microsoft intended to deliver other aspects of NGSCB later. Jim Allchin stated NGSCB would "marry hardware and software to gain better security", which was instrumental in the development of BitLocker.