While we reported that Microsoft will be introducing hardware-tied security called NGSCB in Longhorn, Microsoft has now announced that it will introduce hardware-linked security in Windows XP Service Pack 2 called execution protection (NX). This feature is currently supported in both AMD's K8 32/64-bit and Intel Itanium 64-bit processor families. The purpose of the feature is to protect application data from execution code and allow only memory marked as execution code to be run.
As with the previous report on NGSCB, Microsoft claims that this has nothing to do with DRM and will be only used to prevent running code from being attacked or modified by worms and viruses. While DRM may not be in the picture here, it looks like Microsoft is making a gradual approach into tying DRM into the hardware. Microsoft has announced that some applications will be broken on XP-SP2 if they are run on an NX compatible CPU. Examples include applications that perform just-in-time (JIT) code generation such as legacy debuggers.
|
"Microsoft is preparing for and encouraging this trend by supporting execution protection in its Windows operating systems." So is it DRM? Not exactly, not yet, but it's another example of the closer linking of hardware and software that will result in the processors with NGSCB built-in that Bill Gates promised at the recent Professional Developers Conference, and a reread of his keynote after hearing about NX does tend to suggest that Bill might not see any clearly defined line between the two, and between hardware security and hardware ID. And linkage is helpful from the point of view of selling DRM to users; clearly, you can't pitch hardware protection that screws up your ability to listen to music as you wish as an unalloyed benefit for the general public, but you can sell them it on the basis it stops Bad Things coming at them from The Net. Microsoft can also use compliance with this and future hardware features as the 'entry ticket' for hardware manufacturers wanting Windows development relationships and support. One might speculate that Windows XP support for AMD64 might not be entirely unconnected with NX support. As Microsoft says: "The 32-bit version of Windows currently leverages the NX processor feature, as defined by the AMD64 Architecture Programmer's Manual." So actually, it's not being introduced to the mass market with SP2 - it's here already for AMD64 platforms. NX "uses the CPU itself to enforce the separation of application code and data, preventing an application or Windows component from executing program code that an attacking worm or virus inserted into a portion of memory marked for data only." Which is quite cute really, when you consider that one of the fundamental security problems of Windows is its failures in separating application code from data. Fix Windows? Go back to basics and write a proper operating system? Nope, we have a better idea... Whatever, although there may be applications for NX support in non-Windows operating systems, it doesn't immediately look like a 'must have' for, say, Linux in the same way that it does for Windows. Read the full article here. |
While this does look like an interesting feature in preventing buffer-overload attacks such as what we have already seen with the blaster worm and so on, it looks like we could be seeing more hardware tied 'security' features before the launch of Longhorn. It also looks like we may someday come to the stage where Microsoft ties real-time encryption and decryption into the CPU, so software and multimedia would be encrypted from the source all the way to decryption and execution simultaneously within the CPU. CSS protected DVD-Video despite already been hacked and DVD-Audio are already encrypted from the disc to the processor and it is just a matter of time before Microsoft takes this approach with software and again calls it 'A Security Feature'.
Discuss about hardware and processor topics on our General Hardware Forum.
Source: The Register















