Microsoft Shelves NGSCB Project As NX Moves To Center Stage


Windows XP SP2 hooks into No Execute technology in newer AMD, Intel processors


After a year of tackling the Windows security nightmare, Microsoft has killed its Next-Generation Secure Computing Base (NGSCB) project and later this year plans to detail a revised security plan for Longhorn, the next major version of Windows, company executives said.

On Tuesday, Microsoft executives confirmed that NGSCB will be canned. The project, dreamed up with Intel in 2002, was once code-named Palladium.

"We're evaluating how these NGSCB capabilities should be integrated into Longhorn, but we don't know exactly how it'll be manifested. A lot of decisions have yet to be made," said Mario Juarez, product manager in Microsoft's Security and Technology Business Unit. "We're going to come out later this year with a complete story."

Juarez said the project is being shelved because customers and ISV partners didn't want to rewrite their applications using the NGSCB API set.

Though Microsoft plans to use the NGSCB "compartmentalizing" technology in future versions of Windows, the company is moving swiftly to support No Execute (NX) security technology in newer AMD and Intel processors. NX allows developers to mark memory pages as nonexecutable, which reduces the impact of the memory buffer overruns that many hackers exploit to insert malicious code into Windows.

"Two years ago, we went public with something that was very, very far off in the future," Juarez said, noting that customer and ISV feedback and faster-than-expected chip security advancements led Microsoft back to the drawing board. "There's no tie between [NGSCB] and NX, but it is reflective of innovations in hardware we hadn't foreseen."

At WinHEC 2004, for example, Microsoft product managers said Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 will exploit AMD's Enhanced Virus Protection, or NX, technology for 32-bit applications.

Microsoft's 64-bit Windows XP and Windows Server 2003 for Extended Systems will also support the NX feature in Intel Itanium processors for clients due out in the second half. In addition, Microsoft will continue to support Intel's LaGrande security architecture, Juarez said.

ISVs will have the flexibility to "NX-enable" their applications, said Richard Brunner, AMD Fellow and software architect, who presented the technology at WinHEC 2004. "No Execute can be selectively disabled for a particular application," Brunner said. NX is one of several new hardware technologies that will be supported by Windows XP SP2, including iSCSI and Serial ATA.

The NGSCB code won't be updated in the enhanced Longhorn developer's preview update, due out later this week, but in the future it will be used in some capacity, Juarez said. "The investment is high in this," he added. "It's in an important realm."

Microsoft announced the NGSCB plans for Longhorn at WinHEC 2003 and released NGSCB code in the Longhorn Developer Preview software development kit last fall at the Redmond, Wash.-based company's Professional Developers Conference.