Contents
Next Generation Secure Computing Base Overview
Hardware Fundamentals For NGSCB Part 1: Core Hardware
Hardware Fundamentals For NGSCB Part 2: Peripheral Hardware
Nexus Fundamentals
Trustworthy Computing
Security
Privacy
Individuals control personal data
Products and Online Services adhere to fair information principles
Reliability
Business Integrity
Help customers find appropriate solutions
Address issues with products and services
Open interaction with customers
Vision
NGSCB advances the PC ecosystem to meet customers' requirements for security, privacy, and data protection
Product Goal
NGSCB will broaden the utility of the PC by delivering security on par with closed architecture systems while maintaining the flexibility of the Windows platform
Business Goal
NGSCB will help to revitalize the PC ecosystem by enabling a new generation of hardware and software products
Why NGSCB?
Vulnerabilities today
Vulnerability introduced by enabling remote access
Illegal access and usage of sensitive information
Difficulty in knowing who a company is doing business with
Difficulty in doing patch management
Others
Collaborating in a secure environment
Protecting secrets, e.g., key pairs, certificates
Virus and malicious code attacks
NGSCB
NGSCB Quadrants
[Diagram: four quadrants formed by Standard-Mode (std-mode/LHS) / Nexus-Mode (RHS) and User / Kernel, above the Hardware layer. Labels: User Apps., Agents, Main OS, USB Driver, NexusMgr.sys, HAL, Nexus, NAL. Hardware: Secure Input, Secure Video, SSC, CPU, Chipset.]
Remote access
Granularity of access at machine, nexus, and application level
Application to application connection rather than VPN connection
IT can specify that only a known configuration of nexus and application can execute or access corporate resources
Reinforce rights management by rooting key pair in hardware
Encryption of data based on secrets that never leave hardware
Agents' identity is rooted in secrets on the hardware
Applications run in isolated process space and are impermeable to software attack
End users can collaborate and communicate securely
End users can establish content authenticity by digital signature
Patch management
Agents development
Collaboration enablement
Strong process isolation
Root key for persistent secret protection
Secure path to and from the user
Attestation (hardware (HW)/software (SW) authentication)
The first three are needed to protect against malicious code
Attestation breaks new ground in distributed computing
NGSCB Quadrants
[Diagram: Standard-Mode (LHS) and Nexus-Mode (RHS), User and Kernel, above the Hardware layer. Labels: User Apps., Main OS, USB Driver, Agents, Trusted User Engine (TUE), TSPs, NCA Runtime Library, Nexus. Hardware: Secure Video, SSC, CPU, Chipset.]
Not accessible by the standard Windows kernel
Not accessible by hardware DMA
Not accessible by other NCAs
Changes to CPU, chipset
Nexus arbitrates page tables
[Diagram labels: User, Shadow Service, Admin Service, Hardware]
Secure input
Encrypted session between USB device and nexus
Changes to standard USB driver stack
Required for keyboard and mouse
Alternate solution being developed for non-USB (laptops)
Secure output
Secure channel between graphics adaptor and nexus
Changes to graphics adaptor
Changes to video driver
SSC
SSC holds a secure keyset
Each nexus generates a random keyset on first load
SSC provides hardware protection of the nexus keyset
Attestation
Software/Hardware Authentication
NCA by digest, signed by the nexus
Nexus by digest, signed by the SSC
SSC by public key, signed by OEM
User sets policy to control which NCAs can use which forms of attestation
Hardware Summary
[Diagram: Standard-Mode (LHS) and Nexus-Mode (RHS), User and Kernel, above the Hardware layer (SSC, Secure Video, Secure Input, CPU, Chipset), with a legend distinguishing modified components from new components.]
We provide the core, others will build the solutions
We really want to enable others to build new and exciting applications
NGSCB is appropriate anywhere you could possibly imagine needing privacy, security or data protection
We will ship some solutions in the box
Scenario Categories
Corporate remote access
Secure client access to middle tier servers
Secure collaboration
Chat and instant messaging
E-Mail
Rights management
Digital signature
Examples
To a client/server app, using a custom NCA client
To your enterprise desktop, using a secure remote desktop client
How it works
Uses attestation for end-to-end authentication
Uses strong process isolation and secure path to the user to be safe against attacks on the remote client
Uses an application private network (APN) for secure communications
Application-to-application encrypted session
More secure than a VPN because the protection extends into the application layer itself
Standard IP: vulnerable at every layer
VPN: network layer and below are protected, including data on the wire, but all software on the client has access to the server connection
NGSCB APN: extends protection to all layers, so that only the client and server applications can use the connection
Secure Collaboration
Examples
Secure e-mail
Secure text document creation and sharing
Secure instant messaging
Secure digital signature: what you see is what you sign
How it works
Uses rights management based on hardware protection of secrets to protect and control access to data
Uses strong process isolation and secure path to the user to be safe against spoofing and snooping attacks
Uses an APN for end-to-end messaging security
When the user wants to sign, the text is rendered by the application into a standard XML-based format and passed to the digital signature agent
[Screenshot: signing dialog showing "Signature: USPS Signature" with Sign and Cancel buttons]
Agenda
Threat Models
What is NGSCB and Why?
What does NGSCB do?
NGSCB Features and Details
Call to Action
New security technology for the Microsoft Windows platform
Unique hardware and software architecture
Protected computing environment inside the Windows PC
A virtual vault that will sit side by side with the regular Windows environment
NGSCB Quadrants
[Diagram: Standard-Mode (LHS) and Nexus-Mode (RHS), User and Kernel, above the Hardware layer. Labels: User Apps., Main OS, USB Driver, NexusMgr.sys, HAL, Agents, Trusted User Engine (TUE), TSPs, Nexus, NAL. Hardware: Secure Input, Secure Video, SSC, CPU, Chipset.]
No attacks based on micro-code, macro-code, adapter card scripts, etc.
Any attacks launched from the Web or e-mail are software only
Each Security Support Component (SSC) has unique keys
Data MUST use unique or partially unique, rather than global keys
One person breaking one machine yields the secrets sent to that machine only
Does NOT allow that person to tell everybody else in the world how to break content
Does allow the release of content bound to that machine
Allows users to interact with entities either inside or outside the machine:
Show them what code is running
Make believable promises about code
Prove that those promises are durable
All the rest of the PC is still present
Apply full power and speed of the PC to security functions
Designed to stop all software-only threats in nexus-space
Very obscure exceptions
Profound change in what can be believed, and hence, trusted
Qualitatively different
Enhances Security
Enhances Robustness
Enhances Privacy
Better user control of what can run in NGSCB; what it can do
Users can know which code is doing what with private information
Users can delegate privacy decisions in a usable way
Very much like a traditional process, but runs in a much more spartan environment
The Key Assertions may be applied to agents
Key Assertions
The agent is what it is attested to be
The agent is running in the attested environment
and THEREFORE
Agent behavior cannot be permuted by attacking initialization
From other agents
From the Left Hand Side (LHS)
Not even debuggers or device drivers can alter the agent at runtime
The agent has someplace to keep a secret
On clients, agents will have a secure path to the user
NGSCB: Context
[Diagram: Standard-Mode (LHS). User mode: user programs, DLLs. Kernel mode: main OS, drivers, HAL.]
Main OS is rich, compatible with vast array of stuff, supports vast array of hardware; it is large
User can install drivers which get privileged access to memory; remote parties can never be sure the program has not been negatively impacted by the driver
NGSCB Quadrants
[Diagram: Standard-Mode (LHS) and Nexus-Mode (RHS), User and Kernel, above the Hardware layer. Labels: NxSvc.exe, User Apps., Agents, Main OS, Driver, HAL, NexusMgr.sys, Nexus, NAL. Hardware: Secure Input, Secure Video, SSC, CPU, Chipset.]
Machine is locked into flat paged mode
Address-Translation-Control prohibits std-mode code from mapping a nexus-mode page
No CPU access to memory w/out mapping
Requires CR3 loads trap to nexus
Requires alteration of maps
Requires PTE-writes to trap to the nexus or be filtered by hardware
Chipset/Memory controller maintains a per-page list of pages to which DMA is prohibited, period
NGSCB: Attestation
Attestation is a crypto-signed digest of some code
Proof that some bit vector is known by this digest
SSC and CPU compute digest of nexus at nexus boot
Nexus computes the digest of agents
Digests are gathered together to make attestation vector that is passed back to a challenger
NGSCB: Attestation
Proof valid because the SSC provides a proof of a secret that only the SSC knows
Secret not revealed
Secret not a privacy hazard
Establishes confidence in validity of NGSCB hardware
Establishes confidence in validity of nexus
Has meaning only if Digest1 is valid
Establishes confidence in validity of agent
Has meaning only if Digest1 and Digest2 are valid
Hardware will run any nexus, and attest to the digest of any nexus
Our nexus will run any agent (in accordance with user policy) and attest to the digest of that agent
NGSCB: Seal
Seal(secret) → cryptoblob(secret)
Unseal(cryptoblob(somesecret), DigestOfEnvironment, DigestOfCallingAgent) → somesecret | nothing
If the Digest of the environment or the calling agent does not match with those that did the seal, Unseal returns ** NOTHING **
NGSCB: Seal
What it means
If we ignore migration and indirection, Seal/Unseal say that if agent A running on environment B seals a secret, then only agent A running on environment B can unseal it
This gives agent A a way to hide a key
What's an "environment"
Booting some other OS that can call the SSC does NOT reveal the secrets
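Added example (not part of the original slides, and not Microsoft's implementation): a Python model of the Seal/Unseal contract described above, with the environment and agent digests passed in explicitly. SHA-256 as the digest, the HMAC-derived keys and the toy keystream are assumptions chosen so it runs with the standard library only; all sample values are constructed.

```python
import hashlib
import hmac
import os

def digest(code: bytes) -> bytes:
    # SHA-256 stands in for the platform's code digest (assumption).
    return hashlib.sha256(code).digest()

def _key(ssc_root: bytes, env: bytes, agent: bytes, label: bytes) -> bytes:
    # The key depends on the per-machine SSC secret AND both measured digests.
    return hmac.new(ssc_root, label + env + agent, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC counter-mode keystream so the model needs only the stdlib.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(ssc_root: bytes, env: bytes, agent: bytes, secret: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(_key(ssc_root, env, agent, b"enc"), nonce, len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, ks))
    tag = hmac.new(_key(ssc_root, env, agent, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(ssc_root: bytes, env: bytes, agent: bytes, blob: bytes):
    # env and agent are measured by the trusted layer, never chosen by the caller.
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_key(ssc_root, env, agent, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None  # "Unseal returns NOTHING"
    ks = _keystream(_key(ssc_root, env, agent, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def demo() -> dict:
    # Constructed sample values; none come from a real NGSCB system.
    machine_a, machine_b = os.urandom(32), os.urandom(32)
    nexus, other_os = digest(b"nexus image v1"), digest(b"some other OS")
    agent_a, agent_x = digest(b"agent A"), digest(b"agent X")
    blob = seal(machine_a, nexus, agent_a, b"agent A private key")
    flipped = blob[:-1] + bytes([blob[-1] ^ 1])
    return {
        "same agent, same environment": unseal(machine_a, nexus, agent_a, blob),
        "different agent": unseal(machine_a, nexus, agent_x, blob),
        "different OS booted": unseal(machine_a, other_os, agent_a, blob),
        "different machine (SSC)": unseal(machine_b, nexus, agent_a, blob),
        "tampered blob": unseal(machine_a, nexus, agent_a, flipped),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```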
NGSCB: Seal
What agents may unseal the secret
What hardware may unseal the secret
What nexus may unseal the secret
What users may unseal the secret
They should seal against the nexus
Backup, restore, migration are all possible using intermediate keys and certificates
Threat Model
Out of scope
People swapping the keyboard hardware
Patching into the keyboard cable
Sticking some device between the keyboard and the box
All require a physical attack
Secure Input
[Diagram sequence: input path across Standard-Mode (std-mode/LHS) and Nexus-Mode (RHS), User and Kernel. Labels: USB Host Controller, Hazard, E = Encrypted, Decrypted Text. A final variant shows the Chipset South Bridge (LPC bus Controller) and Key Board Controller (KBC).]
Secure Input
For desktops
Encryption for Human Interface Device (HID) will be done on the outboard side of a USB host
1. Built into USB root hub
2. Built into any USB hub
3. Inside the device of interest
4. In-line device (dongle) between the machine and the input device
Best solution is #1
For laptops
Evaluating different ways to partition Secure Input Path firmware/microcode in Embedded Controller
Secure Video
NO Software-Only attacks against Secure Windows and the information displayed in them
NO Break-Once/Break-Everywhere (BOBE) attacks
Secure Video
[Diagram: Standard-Mode (std-mode/LHS) and Nexus-Mode (RHS), User and Kernel. Labels: Graphics Adaptor (nexus-mode), Graphics Adaptor (std-mode), USB Host Controller, Hazard.]
Secure Video
Secure windows cannot be obscured
Secure windows cannot be captured by unauthorized software
Secure windows cannot be altered by unauthorized software
Graphics adaptor may communicate with display in various formats
We are working on accessibility
Secure Video
The Challenge
How does the video data get from nexus-mode to the graphics processor?
Two general ways
Depends on special hardware path from nexus to video device
Works when the video device is in close cooperation with the memory controller
Encrypted path: data is encrypted in nexus-mode and decrypted by the graphics adaptor
[Diagrams: the video paths. Labels: Graphics Adaptor (nexus-mode), Graphics Adaptor (std-mode), USB Host Controller, Hazard, E = Encrypted.]
NGSCB: Ecosystem
Works today on x86 flat 32-bit architectures from multiple sources
Could work on any CPU with
NGSCB: Ecosystem
All working in conjunction
Include tamper resistant/detecting hardware to pursue specific opportunities
The digest of the nexus is the basis for trust in the system
Hardware changes which require nexus changes will face delays in market support
For RHS input and output it's important to get things right
This means that there will be a small number of practical *INTERFACES* for trusted-input and trusted-output
This is about INTERFACES, not gates, technologies, fabs, speeds, or costs; INTERFACES
Microsoft is working to define these INTERFACES with leading providers of video and USB hardware
Nexus Fundamentals
Device Drivers
NGSCB doesn't change the device driver model
NGSCB needs very minimal access to real hardware
Secure reuse of Left Hand Side (LHS) driver stacks wherever possible
Right Hand Side (RHS) encrypted channel through LHS unprotected conduit
Partitioned System
RHS = Security
In the presence of adversarial LHS code the system must not leak secrets
The RHS must NOT rely on the LHS for security
Applications and Drivers still run
Viruses too
Windows as you know it today
Any software with minor exceptions
The new hardware (HW) memory controller won't allow certain bad behaviors, e.g., code which
Copies all of memory from one location to the next
Puts the CPU into real mode
Device Driver work for Trusted Input / Video
Memory Management additions to allow nexus to participate in memory pressure and paging decisions
User mode debugger additions to allow debugging of agents (explained later)
Window Manager coordination
Nexus Manager Device driver (nexusmgr.sys)
NGSCB management software and services
Thread Manager
Process Loader
Native SRM
IO Manager
Process Manager
Runtime Library
Traps
ATC Module
I Think, Therefore I Am
Descartes' Problem
Challenge for attestation must always come from outside the machine
No nexus can directly determine if it is running in the secured environment
No Agent can directly determine if it is running in the secured environment
Must use Remote Attestation or Sealed Storage to cache credentials or secrets to prove the system is sound
The user can run any nexus, or write his own and run it, on the hardware
That nexus can only report the attestation provided by the Security Support Component (SSC)
The SSC won't lie
The nexus cannot pretend to be another nexus
Other systems will need to decide if they trust the new derived nexus
Just need to prove to others your derivative is legitimate
The user can run any agent, or write his own and run it, on the nexus
That agent can report the attestation provided by the nexus
The nexus won't lie
The agent cannot pretend to be another agent
Other systems will need to decide if they trust the new derived agent
Just need to prove to others your derivative is legitimate
NGSCB enforces policy but does not set the policy
The hardware will load any nexus
But only one at a time
Each nexus gets the same services
The hardware keeps nexus secrets separate
Nothing about this architecture prevents any nexus from running; however, the owner can control which nexuses are allowed to run
The Microsoft nexus will run any agent
The platform owner can set policy that limits this
User gets to pick some other delegated evaluator (e.g., my union) if they choose
Policy Notes
Policy is a way for users and machine owners to make general, abstract statements, about what software runs
Run any agent I click
Run only agents whose source I've read
Run agents that a third party I trust, trusts
The point of policy is to enable the users to control what runs on their machines
Microsoft's Next-Generation Secure Computing Base (NGSCB) is a new security technology for the Microsoft Windows platform
Uses a unique hardware and software design
Gives people new kinds of security and privacy protections in an interconnected world
NGSCB Quadrants
[Diagram: Standard-Mode (std-mode / LHS) and Nexus-Mode (RHS), User and Kernel, above the Hardware layer. Labels: User Apps., Agents, Main OS, USB Driver, NexusMgr.sys, HAL, Nexus, NAL. Hardware: Secure Input, Secure Video, SSC, CPU, Chipset.]
Nexus is like an OS kernel, so it must boot sometime
Can boot long after main OS
Can shut down long before main OS (and restart later)
[Diagram labels: Nexus-Mode (RHS), User, Shadow Service, Admin Service, Hardware]
Read and map the nexus code
Allocate some pages from the main OS
Pass that list of pages to the nexus via some platform-specific code/hardware
Digest the nexus (with hardware help)
Now the nexus starts, initializes Address Translation Control (ATC), and returns control to the LHS
Address Translation
[Diagrams: address translation. Labels: Virtual addresses, Normal Page, Protected Page.]
This is curtained memory (or strong process isolation)
Can't tamper with a page unless you have a mapping to it
On current PCs
Any kernel mode code can modify Virtual Address (VA) to Physical Address (PA) mapping structures
There's untrusted code in kernel mode
Page map changes (process swap)
Edits to mapping structures
Turning off paging
Walks the tree of pages it maps
Makes sure no protected pages are mapped
No read/write mappings to the page map
Now the map will remain safe, so hardware and software can manage a list of known safe page maps
Walks the tree of pages getting mapped
Makes sure no protected pages are getting mapped
Ensures no read/write mappings to the page map
Legacy code will still work unless it attempts to access nexus space pages
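Added example (not part of the original slides, and not the nexus's code): a Python model of the two ATC checks described above, validating a standard-mode page map when CR3 is loaded and re-validating when a PTE is written. The two-level table layout, the Entry fields and the frame numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    frame: int               # physical page the entry points at
    writable: bool = False
    is_table: bool = False   # True when it points at a lower-level table page

class ATCModel:
    def __init__(self, tables, protected):
        self.tables = tables             # frame -> list of Entry (mapping structures)
        self.protected = set(protected)  # nexus and agent pages
        self.safe_roots = set()          # page maps already validated

    def walk(self, root):
        # Collect every table page reachable from a page-map root.
        seen, todo = set(), [root]
        while todo:
            frame = todo.pop()
            if frame not in seen:
                seen.add(frame)
                todo += [e.frame for e in self.tables.get(frame, []) if e.is_table]
        return seen

    def violations(self, root):
        found = []
        for table in sorted(self.walk(root)):
            for e in self.tables.get(table, []):
                if e.frame in self.protected:
                    found.append((table, e.frame, "maps protected page"))
                elif e.frame in self.tables and e.writable and not e.is_table:
                    found.append((table, e.frame, "writable mapping to page map"))
        return found

    def load_cr3(self, root):
        # CR3 loads trap here: only a validated map may become active.
        if root not in self.safe_roots and self.violations(root):
            return False
        self.safe_roots.add(root)
        return True

    def write_pte(self, table, index, entry):
        # PTE writes trap here: apply, re-validate affected maps, revert on failure.
        old = self.tables[table][index]
        self.tables[table][index] = entry
        for root in self.safe_roots:
            if table in self.walk(root) and self.violations(root):
                self.tables[table][index] = old
                return False
        return True

def demo():
    # Constructed layout: 1 = page directory, 2 = page table, 10 = data, 20 = nexus page.
    atc = ATCModel({1: [Entry(2, is_table=True)], 2: [Entry(10, writable=True)]}, {20})
    results = [atc.load_cr3(1),                               # clean map
               atc.write_pte(2, 0, Entry(20)),                # would map a nexus page
               atc.write_pte(2, 0, Entry(2, writable=True)),  # writable view of a table
               atc.write_pte(2, 0, Entry(2))]                 # read-only view
    atc.tables[3] = [Entry(20, writable=True)]                # second map, never validated
    return results + [atc.load_cr3(3)]
```

Calling demo() returns one accept/reject decision per step; a rejected PTE write leaves the table as it was.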
ATC protects
Agent and nexus data
Agent and nexus code
All page mapping structures (LHS/RHS)
Also protected from DMA (thanks to special hardware)
Correct ATC implementation vital to NGSCB security
Simplicity, robustness preferred over maximizing performance
Allocate/free whole pages
No shared memory between agents
No paging-to-disk in this version
If nexus were to page to disk, it would encrypt and sign the pages, then ask the main OS to flush them
Nexus keeps some free pages that ATC is protecting
Nexus can request extra pages from kernel via NexusMgr (seize)
Nexus MM asks ATC if new pages are safe to use - any left side mappings?
Nexus can give surplus pages back to kernel if the kernel needs them
Multiple CPU vendors
Different Security Support Components (SSC)
Much nexus code is architecture independent
Interrupts
Interrupts enabled on the RHS
Most drivers are still on the LHS
So what if an interrupt for the NIC, SCSI card, etc. happens on the right?
Nexus asks Porch to transition to the LHS
NexusMgr replays the interrupt
Some MSRs are used to implement NGSCB, but most will be accessible by left side code
Combined with ATC, this means PCI config space is protected
Things like the DMA exclusion list are in chipset registers, so we must protect them
I/O ports