Microsoft Next-Generation Secure Computing Base Documentation



I had originally planned to create a post in the 2014 Random Text Thread with links to these documents, but I realized that they would reach a much broader audience if they were posted here. This topic aims to foster discussion and promote awareness of Microsoft's Next-Generation Secure Computing Base architecture.

As you may remember, Microsoft had intended to ship NGSCB with its Windows "Longhorn" operating system. Unlike the other "major" technologies slated for Windows "Longhorn" - such as Avalon (WPF), Indigo (WCF), and WinFS - NGSCB was not built on the then fairly new .NET Framework, which places it in a unique position. This strongly suggests that it could have made it into Windows Vista (and thus subsequent versions) if it had not been for the negative perception surrounding the technology - indeed, one of the main architects of the technology has stated that this was the main reason why it was cancelled. This is such a disappointment to me, as both Android and Apple have recently adopted similar technologies when it was Microsoft that was innovative.
 
Intel Developer Forum 2003
A Privacy Friendly Method for Assuring Trust (PDF)
An Opt-In Strategy for a Safer Computing Platform (PDF)
LaGrande Technology & Safer Computing Overview (PDF)
Migrating Applications to NGSCB (PDF)
Next-Generation Secure Computing Base: Nexus Fundamentals (PDF)
Recovering from Computer Failures, If TPMs Go Bad (PDF)
Software for LaGrande Technology: Impact to the Software Development Process (PDF)
TCG Credentials: Their Role in the Trust Infrastructure and Manufacturing (PDF)
Trusted Computing Group and the TPM 1.2 Specification (PDF)
Trusted Mobile Keyboard Controller Architecture (PDF)
Trusted Platform Module: Impact to Manufacturing & Testing (PDF)
 
Microsoft Content Security Business Unit
Microsoft Palladium: A Business Overview (PDF)
 
Microsoft NGSCB Technical Documentation
A Technical Introduction to NGSCB (PPT)
Building a Secure Platform for Trusted Computing (DOC)
Hardware Platform for the Next-Generation Secure Computing Base (DOC)
Privacy Enhancements in the Next-Generation Secure Computing Base (DOC)
Secure User Authentication for NGSCB (DOC)
Security Model for the Next-Generation Secure Computing Base (DOC)
Trusted Computing Base and Software Authentication (DOC)

Microsoft NGSCB Website
Microsoft Shared Source Initiative Homepage (HTML)
The Next-Generation Secure Computing Base: An Overview (HTML)
The Next-Generation Secure Computing Base: Four Key Features (HTML)

Microsoft PressPass
Microsoft "Palladium" - A Business Overview (HTML)
Q&A: Microsoft Seeks Industry-Wide Collaboration for "Palladium" Initiative (HTML)
Trustworthy Computing From Fingertips to Eyeballs (HTML)

Microsoft Research
A Logical Account of NGSCB (PDF)
John Manferdelli: Next-Generation Secure Computing Base (PPT)
NGSCB: A Trusted Open System (PDF) (PDF link #2)

Microsoft TechNet
Microsoft Next-Generation Secure Computing Base Technical FAQ (HTML)

National Institutes of Standards and Technology (NIST)
Microsoft "Palladium" (PDF)

PDC 2003
Next-Generation Secure Computing Base: Development Considerations for Nexus Computing Agents (HTML) (HTML link #2)
Next-Generation Secure Computing Base - Overview and Drilldown (PPT)
 
WinHEC 2000
Privacy, Security, and Content in Windows Platforms (PPT)

WinHEC 2001
Privacy, Security, and Content in Windows Platforms (PPT)

WinHEC 2003
At WinHEC 2003, Microsoft Discusses Details of Next-Generation Secure Computing Base (HTML)

WinHEC 2003 Self Extracting ZIP Archives (Contain PowerPoint Slides)
Building a Next-Generation Secure Computing Base PC (EXE)
Ecosystem and Opportunities with NGSCB (EXE)
Industry Perspectives on NGSCB (EXE)
Microsoft Directions on Security (EXE)
Platform Enhancements for Trustworthy Computing (EXE)
Security Model for NGSCB (EXE)
Technical Introduction to NGSCB (EXE)
Trusted Graphics and NGSCB (EXE)
User Authentication in NGSCB (EXE)

WinHEC 2004 PowerPoint Slides
Next-Generation Secure Computing Base (PPT)
Securing the Input Path on NGSCB Systems (PPT)
TPM 1.2 - Trusted Platform Module and its Use in NGSCB (PPT)
 
Microsoft France
NGSCB: Une Introduction (PPT)


About TrustZone, where's the security when you can just dump the secure kernel in plaintext from the ROM, then go through it and exploit all the bugs? There are instances of people doing this to unlock the bootloaders, for example.

 

And NGSCB relies on TPM to verify the kernel hash. You know how I feel about TPM.

  On 01/09/2014 at 05:30, vcfan said:

About TrustZone, where's the security when you can just dump the secure kernel in plaintext from the ROM, then go through it and exploit all the bugs? There are instances of people doing this to unlock the bootloaders, for example.

But how many people know how to do this?

 

  On 01/09/2014 at 05:30, vcfan said:
And NGSCB relies on TPM to verify the kernel hash. You know how I feel about TPM.

Correct. The TPM measures the hash of the Nexus and stores it within a Platform Configuration Register.

(I love that you know this, not many would care).
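As an added illustration of the measurement described in this post (example code written for this thread, not from Microsoft's NGSCB documents or any TPM stack): a TPM 1.2-style PCR extend chain over the Nexus image, and a secret sealed to the resulting PCR value so that a patched Nexus can no longer release it. The SRK, loader and Nexus bytes are constructed placeholders, and the cipher inside seal/unseal is a toy XOR, not a TPM algorithm.

```python
import hashlib
import hmac

# Constructed simulation (not Microsoft's or the TPM's code) of what the
# thread describes: a TPM 1.2-style PCR extend over the Nexus image, and a
# secret sealed to the resulting PCR value. TPM 1.2 PCRs are 20-byte SHA-1
# registers that start at all zeros.
PCR_INIT = b"\x00" * 20

def extend(pcr, data):
    """TPM 1.2 extend: new_pcr = SHA1(old_pcr || SHA1(data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def measure_boot(components):
    """Extend each boot component, in order, into a single PCR.
    Order matters: extend is a hash chain, not a set."""
    pcr = PCR_INIT
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr

def seal(secret, pcr, srk):
    """Bind a secret (<= 32 bytes here) to a PCR value. The blob records the
    PCR it requires; the keystream depends on the TPM-resident SRK and that
    PCR, so a different platform state cannot derive it. (Toy XOR cipher.)"""
    key = hashlib.sha256(srk + pcr).digest()
    return pcr + bytes(s ^ k for s, k in zip(secret, key))

def unseal(blob, current_pcr, srk):
    """Release the secret only if the current PCR matches the sealed one."""
    expected, ct = blob[:20], blob[20:]
    if not hmac.compare_digest(expected, current_pcr):
        return None  # platform state differs from what the secret was sealed to
    key = hashlib.sha256(srk + current_pcr).digest()
    return bytes(c ^ k for c, k in zip(ct, key))

def demo():
    """Seal a disk key to a good Nexus boot; a patched Nexus changes the PCR
    and the key stays locked. Returns (unseal with good PCR, unseal with bad PCR)."""
    srk = b"constructed-storage-root-key"  # constructed; a real SRK never leaves the TPM
    loader = b"constructed boot loader image"
    nexus = b"constructed Nexus image v1"
    good_pcr = measure_boot([loader, nexus])
    blob = seal(b"disk encryption key", good_pcr, srk)
    patched_pcr = measure_boot([loader, nexus + b"\x90"])  # one byte changed
    return unseal(blob, good_pcr, srk), unseal(blob, patched_pcr, srk)

if __name__ == "__main__":
    print(demo())
```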

  On 01/09/2014 at 05:37, Ian William said:

But how many people know how to do this?

Look at all the vulnerabilities that are discovered every day for all products. There are plenty of individuals capable of finding these holes. All that is needed is one person to release a proof of concept, and bam, every C coder on the planet can make the CPU do whatever they want it to do.

 

  On 01/09/2014 at 05:37, Ian William said:

Correct. The TPM measures the hash of the Nexus and stores it within a Platform Configuration Register.

(I love that you know this, not many would care).

Thanks.

I think even if you had the most secure, unbreakable TPM, that wouldn't spell the end of such hacking attempts. Let's say the trusted kernel was launched and passed the hash checks.

We know a few facts.

1. We can read the trusted kernel code at will (disassemblies).

2. Normal mode and trusted mode exchange data using the nexus manager.

See the problem here? We know exactly how the kernel behaves, and we have the power to craft the data that we send in such a way that it's possible to break something and make the trusted kernel do something it was not meant to do.

  On 01/09/2014 at 05:04, Ian William said:

I am curious why you feel this way. Would you care to elaborate?

Because of locked bootloaders and last I checked they haven't found an exploit for my phone yet.

  On 01/09/2014 at 06:05, vcfan said:

Look at all the vulnerabilities that are discovered every day for all products. There are plenty of individuals capable of finding these holes. All that is needed is one person to release a proof of concept, and bam, every C coder on the planet can make the CPU do whatever they want it to do.

True, but as you said this is not exclusive to TrustZone. There isn't a product in the world that is invulnerable.

 

  On 01/09/2014 at 06:05, vcfan said:

Thanks.

 

No, thank you. I believe that the lack of information about the technology is one of the reasons that it is not appreciated. On top of that, there are some who just are not interested in that sort of thing, so you can just imagine my delight when I saw your response!

 

  On 01/09/2014 at 06:05, vcfan said:

See the problem here? We know exactly how the kernel behaves, and we have the power to craft the data that we send in such a way that it's possible to break something and make the trusted kernel do something it was not meant to do.

Would you be willing to provide some examples? Microsoft strongly emphasized NGSCB's ability to thwart software-based attacks.

 

  On 02/09/2014 at 21:05, MASTER260 said:

Because of locked bootloaders and last I checked they haven't found an exploit for my phone yet.

To each his own. I happen to have an affinity for locked bootloaders.
