Next generation secure computing base

Next Generation Secure Computing Base. 黃志源 @SiS. Contents. Next Generation Secure Computing Base Overview Hardware Fundamentals For NGSCB Part 1: Core Hardware Hardware Fundamentals For NGSCB Part 2: Peripheral Hardware Nexus Fundamentals. Next Generation Secure Computing Base Overview.


Next Generation Secure Computing Base

黃志源

@SiS


Contents

  • Next Generation Secure Computing Base Overview

  • Hardware Fundamentals For NGSCB Part 1: Core Hardware

  • Hardware Fundamentals For NGSCB Part 2: Peripheral Hardware

  • Nexus Fundamentals


Next Generation Secure Computing Base Overview


Trustworthy Computing

  • Security

    • Resilient to attack

    • Protects confidentiality, integrity, availability, and data

  • Privacy

    • Individuals control personal data

    • Products and Online Services adhere to fair information principles

  • Reliability

    • Dependable

    • Available when needed

    • Performs at expected levels

  • Business Integrity

    • Help customers find appropriate solutions

    • Address issues with products and services

    • Open interaction with customers


NGSCB Vision And Goals

  • Vision

    • NGSCB advances the PC ecosystem to meet customers’ requirements for security, privacy, and data protection

  • Product Goal

    • NGSCB will broaden the utility of the PC by delivering security on par with closed architecture systems while maintaining the flexibility of the Windows platform

  • Business Goal

    • NGSCB will help to revitalize the PC ecosystem by enabling a new generation of hardware and software products


Customer Security Issues

  • Vulnerability introduced by enabling remote access

  • Illegal access and usage of sensitive information

  • Difficulty in knowing who a company is doing business with

  • Difficulty in doing patch management

  • Others

    • Collaborating in a secure environment

    • Protecting secrets, e.g., key pairs, certificates

    • Virus and malicious code attacks


Why NGSCB?

  • Vulnerabilities today

    • Attacks on Core assets

    • Attacks on Networks

    • Attacks via Remote users/machines

  • NGSCB can address software attacks on applications, secrets

    • Damage from attacks can be compartmentalized and limited


How It Works: The PC / Before NGSCB / With NGSCB

[Seven diagram-only slides: one of the PC, three before NGSCB, three with NGSCB. The only label that survives is “NGSCB” on the “With NGSCB” slides.]


NGSCB Quadrants

[Diagram: four quadrants formed by Standard-Mode (“std-mode”/LHS) and Nexus-Mode (RHS) columns and User and Kernel rows, above a Hardware layer. Labels: User Apps., Main OS, USB, NexusMgr.sys, Driver, HAL, three Agent boxes, Trusted User Engine (TUE), three TSP boxes, NCA Runtime Library, Nexus, NAL, SSC, Secure Input, Secure Video, CPU, Chipset.]


Four NGSCB Features Groups

  • The first three are needed to protect against malicious code

  • Attestation breaks new ground in distributed computing

    • The identity of hardware, nexus, and applications can be proven


Addressing Customer Needs With NGSCB

  • Remote access

    • Granularity of access at machine, nexus, and application level

    • Application to application connection rather than VPN connection

  • Patch management

    • IT can specify that only a known configuration of nexus and application can execute or access corporate resources

  • Preventing illegal access of information

    • Reinforce rights management by rooting key pair in hardware

    • Encryption of data based on secrets that never leave hardware

  • Agents development

    • Agents identity is rooted in secrets on the hardware

    • Applications run in isolated process space and are impermeable to software attack

  • Collaboration enablement

    • End users can collaborate and communicate securely

    • End users can establish content authenticity by digital signature



What Does This All Mean?

  • All NGSCB capabilities build off of four key features

    • Strong process isolation

    • Root key for persistent secret protection

    • Secure path to and from the user

    • Attestation (hardware (HW)/software (SW) authentication)

  • The first three are needed to protect against malicious code

  • Attestation breaks new ground in distributed computing

    • “Things” (software, machines, services) can be securely identified


NGSCB Quadrants

[Diagram: the NGSCB quadrants (Standard-Mode/LHS and Nexus-Mode/RHS, User and Kernel, above Hardware), with the same component labels as the first NGSCB Quadrants slide.]


Four Key Features (1) Process Isolation

[Diagram: the NGSCB quadrants, Standard-Mode (LHS) and Nexus-Mode (RHS), User and Kernel, above Hardware. Labels: three Agent boxes, Trusted User Engine (TUE), three TSP boxes, NCA Runtime Library.]


Strong Process Isolation

  • Nexus Computing Agents, or NCAs, run in curtained memory

    • Not accessible by the standard Windows kernel

    • Not accessible by hardware DMA

    • Not accessible by other NCAs

  • Enforced by hardware and software

    • Changes to CPU, chipset

    • Nexus arbitrates page tables


Four Key Features (2) Secure Path To and From User

[Diagram: Standard-Mode (LHS) and Nexus-Mode (RHS), User and Kernel, above Hardware. Labels: Nexus Manager Abstraction Layer (NMAL), Nexus Manager Core, Shadow Service, Admin Service, NexusMgr, IPC, Nexus, Dispatch, Services, Secure Video Filter Driver, Secure Input Filter Driver, Object Security Manager, Shared Resource Manager, HW Allocator (memory wholesaler), Nexus Loader, Secure Input, Secure video.]


Secure Path To User

  • Secure input

    • Encrypted session between USB device and nexus

    • Changes to standard USB driver stack

    • Required for keyboard and mouse

    • Alternate solution being developed for non-USB (laptops)

  • Secure output

    • Secure channel between graphics adaptor and nexus

    • Changes to graphics adaptor

    • Changes to video driver


Four Key Features (3) Sealed Storage

[Diagram: the NGSCB quadrants, Standard-Mode (LHS) and Nexus-Mode (RHS), User and Kernel, above Hardware. Labels: three Agent boxes, Trusted User Engine (TUE), three TSP boxes, NCA Runtime Library, Nexus, NAL, SSC.]


Hardware Protection Of Secrets

  • Security Support Component (SSC) chip on motherboard

    • SSC holds a secure keyset

    • Each nexus generates a random keyset on first load

    • SSC provides hardware protection of the nexus keyset

  • NCAs use nexus facilities to generate and protect keys


Four Key Features (4) Attestation

[Diagram: the NGSCB quadrants, Standard-Mode (LHS) and Nexus-Mode (RHS), User and Kernel, above Hardware. Labels: three Agent boxes, Trusted User Engine (TUE), three TSP boxes, NCA Runtime Library, Nexus, NAL, SSC.]


Attestation: Software/Hardware Authentication

  • When requested, the nexus can prepare a chain that authenticates

    • NCA by digest, signed by the nexus

    • Nexus by digest, signed by the SSC

    • SSC by public key, signed by OEM

  • Other forms of attestation are possible that provide less information

    • Using trusted third party

  • User sets policy to control which NCAs can use which forms of attestation


Hardware Summary

[Diagram: Standard-Mode (LHS) and Nexus-Mode (RHS), User and Kernel, above the Hardware layer. Hardware labels: SSC, Secure Video, Secure Input, CPU, Chipset.]

  • Modified components

    • CPU

    • Chipset

    • Secure video

    • Secure input (keyboard and mouse)

      • Two versions: USB and laptop

  • New components

    • SSC


A Qualitative Step Forward

  • NGSCB extends the Windows platform

    • We provide the core, others will build the solutions

    • We really want to enable others to build new and exciting applications

  • NGSCB is appropriate anywhere you could possibly imagine needing privacy, security or data protection

  • We will ship some solutions “in the box”

    • Enough to provide immediate value


Scenario Categories

  • Secure remote access

    • Corporate remote access

    • Secure client access to middle tier servers

  • Secure collaboration

    • Chat and instant messaging

    • E-Mail

    • Rights management

    • Digital signature


Secure Remote Access

  • Examples

    • To a client/server app, using a custom NCA client

    • To your enterprise desktop, using a secure remote desktop client

  • How it works

    • Uses attestation for end-to-end authentication

    • Uses strong process isolation and secure path to the user to be safe against attacks on the remote client

    • Uses an application private network (APN) for secure communications

      • Application-to-application encrypted session

      • More secure than a VPN because the protection extends into the application layer itself


Application Private Network

  • Standard IP: vulnerable at every layer

  • VPN: network layer and below are protected, including data on the wire – but all software on the client has access to the server connection

  • NGSCB APN: extends protection to all layers, so that only the client and server applications can use the connection

[Diagram: two protocol stacks side by side, Application (Client NCA) and Application (Server) at the top, then Presentation, Session, Transport, Network, Datalink, Physical.]


Secure Collaboration

  • Examples

    • Secure e-mail

    • Secure text document creation and sharing

    • Secure instant messaging

    • Secure digital signature – “what you see is what you sign”

  • How it works

    • Uses rights management based on hardware protection of secrets to protect and control access to data

    • Uses strong process isolation and secure path to the user to be safe against spoofing and snooping attacks

    • Uses an APN for end-to-end messaging security


Secure Digital Signature

NOTE: for explanatory purposes only; this is not actual UI


Hardware Fundamentals For NGSCB Part 1: Core Hardware


Agenda

  • Threat Models

  • What is NGSCB and Why?

  • What does NGSCB do?

  • NGSCB Features and Details

    • Strong Process Isolation

    • Attestation

    • Sealed Storage

  • Call to Action


Next Generation Secure Computing Base (NGSCB) Defined

  • New security technology for the Microsoft Windows platform

  • Unique hardware and software architecture

  • Protected computing environment inside the Windows PC

    • A “virtual vault” that will sit side by side with the regular Windows environment

  • New kinds of security and privacy protections for computers


NGSCB Quadrants

[Diagram: the NGSCB quadrants (Standard-Mode/LHS and Nexus-Mode/RHS, User and Kernel, above Hardware), with the same component labels as the first NGSCB Quadrants slide.]


NGSCB: Threat Models

  • Our Threat Model

    • NO Software-Only Attacks Against Nexus-Space Operations

    • NO Break-Once/Break-Everywhere (BOBE) attacks

  • No Software-Only Attacks means…

    • No attacks based on micro-code, macro-code, adapter card scripts, etc.

    • Any attacks launched from the Web or e-mail are “software only”

  • Protection only applies to the release of secrets

    • Viruses could still delete encrypted files


NGSCB: Threat Models

  • No BOBE attacks means

    • Attacks don’t scale

      • Each Security Support Component (SSC) has unique keys

      • Data MUST use unique or partially unique, rather than global keys

    • One person breaking one machine yields the secrets sent to that machine only

      • Does NOT allow that person to tell everybody else in the world how to break content

      • Does allow the release of content bound to that machine


What And Why?

  • Modifications to allow PCs to be used in new ways

    • Hardware changes

    • Software changes

  • Allows users to interact with entities either inside or outside the machine:

    • Show them what code is running

    • Make believable promises about code

    • Prove that those promises are durable

  • Changes what can be believed about computation

    • Not what can be done with it


What And Why?

  • This is the Next Big Thing

    • Windowing in the ‘80s

    • Networking in the ‘90s

    • Security in the ‘00s

  • Security and trust will advance the PC ecosystem

    • Customers are demanding higher security and privacy

      • From end-users to enterprises

      • Governments are mandating as well

    • Opens new markets that rely on trustworthiness of information technology


What Does NGSCB Do?

  • Creates a safe region called nexus-space inside of a regular PC

    • Think of an access-controlled, high-security vault in an open market

  • All the rest of the PC is still present

  • Apply full power and speed of the PC to security functions

    • Co-processors don’t scale with the CPU

      • Adding main memory won’t speed them up

  • Majority of the hardware is unchanged

    • E.g., PCI, Serial, Parallel, Memory


What Does NGSCB Do?

  • NGSCB Code on NGSCB Hardware

    • Designed to stop all software only threats in nexus-space

  • Run all the old code

    • Very obscure exceptions

  • Qualitatively different

    • Profound change in what can be believed, and hence, trusted


What Does NGSCB Do?

  • Enhances Security

    • “Vault” to store important material

      • Both locally and remotely attestable

    • Realistic control over which code can touch which data

      • Control given to software, by users

  • Enhances Robustness

    • Better user control of what can run in NGSCB; what it can do

  • Enhances Privacy

    • Users can know which code is doing what with private information

    • Users can delegate privacy decisions in a usable way


How Does NGSCB Work

  • New kind of process, called a Nexus Computing Agent, or NCA, or Agent

    • Very much like a traditional process, but runs in a much more spartan environment

    • The Key Assertions may be applied to agents


Key Assertions

  • The agent is what it is attested to be

  • The agent is running in the attested environment and THEREFORE

    • The agent will be initiated correctly

      • Agent behavior cannot be permuted by attacking initialization

    • The agent is isolated

      • From other agents

      • From the Left Hand Side (LHS)

      • Not even debuggers or device drivers can alter the agent at runtime

    • The agent has someplace to keep a secret

    • On clients, agents will have a secure path to the user


NGSCB: Context

Standard-Mode (LHS)

  • What exists in today’s systems

    • Main OS is rich, compatible with vast array of stuff, supports vast array of hardware – it is large

    • User can install drivers which get privileged access to memory – remote parties can never be sure the program has not been negatively impacted by the driver

[Diagram: the standard-mode software stack. Labels: User Programs, User Mode, DLL, DLL, Main OS, Kernel Mode, Drivers, HAL.]


NGSCB Quadrants

[Diagram, shown on two consecutive slides: Standard-Mode (LHS) and Nexus-Mode (RHS), User and Kernel, above Hardware. Labels: User Apps., NxSvc.exe, Main OS, NexusMgr.sys, Driver, HAL, three Agent boxes, Nexus, NAL, SSC, Secure Input, Secure Video, CPU, Chipset.]


NGSCB: Strong Process Isolation

  • Machine is locked into flat paged mode

  • Address-Translation-Control prohibits std-mode code from mapping a nexus-mode page

    • No CPU access to memory w/out mapping

    • Requires CR3 loads to trap to the nexus

    • Requires alteration of maps

    • Requires PTE-writes to trap to the nexus or be filtered by hardware

    • Chipset/Memory controller maintains a per-page list of pages to which DMA is prohibited, period


NGSCB: Attestation

  • Attestation is a crypto-signed digest of some code

  • Proof that some bit vector is known by this digest

  • SSC and CPU compute digest of nexus at nexus boot

  • Nexus computes the digest of agents

  • Digests are gathered together to make attestation vector that is passed back to a challenger


NGSCB: Attestation

  • Root of attestation stack is the security support component (SSC)

    • Proof valid because the SSC provides a proof of a secret that only the SSC knows

  • This secret never leaves the SSC

    • Secret not revealed

    • Secret not a privacy hazard


NGSCB: Attestation Example

  • Digest1 is for the SSC

    • Establishes confidence in validity of NGSCB hardware

  • Digest2 is for the nexus

    • Establishes confidence in validity of nexus

    • Has meaning only if Digest1 is valid

  • Digest3 is for the agent

    • Establishes confidence in validity of agent

    • Has meaning only if Digest1 and Digest2 are valid


NGSCB: Attestation Caveat

  • Attestation is NOT a judgment of code quality or fitness

    • Hardware will run any nexus, and attest to the digest of any nexus

    • Our nexus will run any agent (in accordance with user policy) and attest to the digest of that agent

  • Attestation leaves judgment up to challenger

    • Done with excellent confidence

    • Not up to hardware/nexus
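
Added example (not from the original presentation): the three-link chain from the attestation slides (SSC signed by OEM, nexus digest signed by SSC, agent digest signed by nexus), checked from the challenger's side, with the trust decision kept separate from the authenticity check. Lamport one-time signatures over SHA-256 stand in for the signature scheme, which the slides do not specify; binding the nexus public key into the SSC's statement, the challenger nonce, and all function names are assumptions.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signatures (assumed stand-in): each private key signs ONE message.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]


def msg_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    bits = msg_bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))


def pk_bytes(pk) -> bytes:
    return b"".join(h for pair in pk for h in pair)


def build_attestation(oem_sk, nexus_code: bytes, agent_code: bytes, nonce: bytes) -> dict:
    """Platform side: assemble the attestation vector for one challenge."""
    ssc_sk, ssc_pk = keygen()        # unique per SSC; the private half never leaves it
    nexus_sk, nexus_pk = keygen()    # assumed: generated by the nexus when it loads
    nexus_digest, agent_digest = H(nexus_code), H(agent_code)
    return {
        "ssc_pk": ssc_pk,
        "oem_sig": sign(oem_sk, pk_bytes(ssc_pk)),                    # SSC by public key, signed by OEM
        "nexus_digest": nexus_digest,
        "nexus_pk": nexus_pk,
        "ssc_sig": sign(ssc_sk, nexus_digest + pk_bytes(nexus_pk)),   # nexus by digest, signed by SSC
        "agent_digest": agent_digest,
        "nexus_sig": sign(nexus_sk, agent_digest + nonce),            # NCA by digest, signed by nexus
    }


def challenge(att: dict, oem_pk, nonce: bytes, trusted_nexuses: set, trusted_agents: set):
    """Challenger side: each link has meaning only if the links below it verify."""
    if not verify(oem_pk, pk_bytes(att["ssc_pk"]), att["oem_sig"]):
        return False, "SSC key not signed by the OEM"
    if not verify(att["ssc_pk"], att["nexus_digest"] + pk_bytes(att["nexus_pk"]), att["ssc_sig"]):
        return False, "nexus digest not signed by the SSC"
    if not verify(att["nexus_pk"], att["agent_digest"] + nonce, att["nexus_sig"]):
        return False, "agent digest not signed by the nexus for this challenge"
    # The chain is authentic. Whether this code is acceptable is the challenger's
    # judgment, not the hardware's or the nexus's.
    if att["nexus_digest"] not in trusted_nexuses:
        return False, "authentic chain, but this nexus is not trusted by the challenger"
    if att["agent_digest"] not in trusted_agents:
        return False, "authentic chain, but this agent is not trusted by the challenger"
    return True, "accept"


def demo() -> dict:
    oem_sk, oem_pk = keygen()
    nonce = os.urandom(16)
    # Constructed stand-ins for the nexus and agent images.
    att = build_attestation(oem_sk, b"constructed nexus image", b"constructed agent image", nonce)
    nexuses, agents = {att["nexus_digest"]}, {att["agent_digest"]}
    swapped = dict(att, agent_digest=H(b"some other agent"))
    return {
        "genuine": challenge(att, oem_pk, nonce, nexuses, agents),
        "replayed under a new nonce": challenge(att, oem_pk, os.urandom(16), nexuses, agents),
        "agent digest swapped": challenge(swapped, oem_pk, nonce, nexuses, agents | {swapped["agent_digest"]}),
        "unknown nexus": challenge(att, oem_pk, nonce, set(), agents),
        "unknown OEM": challenge(att, keygen()[1], nonce, nexuses, agents),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "unknown nexus" case is the attestation caveat in code: the hardware attested faithfully to a nexus the challenger simply does not accept.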


NGSCB: Attestation → Hardware

  • Attestation is implemented at the root by the SSC

    • Must be tightly bound to the CPU and the chipset for

      • Booting of the nexus

      • Attestation of the nexus

      • Chain of attestation


NGSCB: Seal

  • Here’s a good mental model

    • Seal(secret) → cryptoblob(secret)

      • Cryptoblob(secret) may be stored anywhere

    • The call is really

      • Seal(secret, DigestOfEnvironment, DigestOfCallingAgent, MigrationControls) → cryptoblob(secret)

    • Unseal(cryptoblob(somesecret)) → somesecret

    • BUT – Unseal is really

      • Unseal(cryptoblob(somesecret), DigestOfEnvironment, DigestOfCallingAgent) → somesecret | nothing

      • If the Digest of the environment or the calling agent does not match with those that did the seal, Unseal returns ** NOTHING **


NGSCB: Seal

  • What it means…

    • If we ignore migration and indirection…

    • Seal/Unseal say that if agent A running on environment B seals a secret, then,

    • Only agent A running on environment B can unseal it

    • This gives agent A a way to hide a key

  • Seal is implemented by the nexus in cooperation with the SSC

    • Same hardware build rules as for attestation

  • What's an "environment"

    • Matching attestation vector for nexus-mode only

      • Booting some other OS that can call the SSC does NOT reveal the secrets
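
Added example (not from the original presentation): the Seal/Unseal mental model from the two slides above, with migration ignored. An in-memory class stands in for the nexus and SSC working together, and an HMAC-SHA256 keystream with encrypt-then-MAC stands in for the real cipher, which the slides do not specify; all class and function names are assumptions.

```python
import hashlib
import hmac
import os


def digest(code: bytes) -> bytes:
    """Digest of a code image (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(code).digest()


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the real cipher.
    blocks = (length + 31) // 32
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


class SealingRoot:
    """Stand-in for nexus + SSC: a per-device root key that is never exported."""

    def __init__(self, root_key: bytes = b""):
        self._root_key = root_key or os.urandom(32)

    def _keys(self, env_digest: bytes, agent_digest: bytes):
        # Keys depend on the device secret AND both fixed-length digests, so
        # changing any one of the three yields unrelated keys.
        bound = _prf(self._root_key, b"seal" + env_digest + agent_digest)
        return _prf(bound, b"enc"), _prf(bound, b"mac")

    def seal(self, secret: bytes, env_digest: bytes, agent_digest: bytes) -> bytes:
        # In NGSCB the digests come from the measuring layer (hardware for the
        # nexus, nexus for the agent); the calling agent does not choose them.
        enc_key, mac_key = self._keys(env_digest, agent_digest)
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
        return nonce + ct + _prf(mac_key, nonce + ct)   # cryptoblob: may be stored anywhere

    def unseal(self, blob: bytes, env_digest: bytes, agent_digest: bytes):
        if len(blob) < 48:
            return None
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        enc_key, mac_key = self._keys(env_digest, agent_digest)
        if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
            return None   # NOTHING: wrong device, nexus or agent, or a modified blob
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    machine, other_machine = SealingRoot(), SealingRoot()
    # Constructed stand-ins for code images.
    nexus_b = digest(b"constructed nexus image B")
    agent_a = digest(b"constructed agent image A")
    blob = machine.seal(b"agent A signing key", nexus_b, agent_a)
    flipped = blob[:-1] + bytes([blob[-1] ^ 1])
    return {
        "same agent, same environment": machine.unseal(blob, nexus_b, agent_a),
        "patched agent": machine.unseal(blob, nexus_b, digest(b"constructed agent image A, patched")),
        "different environment": machine.unseal(blob, digest(b"some other OS"), agent_a),
        "blob copied to another machine": other_machine.unseal(blob, nexus_b, agent_a),
        "blob modified in storage": machine.unseal(flipped, nexus_b, agent_a),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result!r}")
```

The "blob copied to another machine" case is also the no-BOBE property at small scale: a blob sealed under one device's root key is useless on any other device.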


NGSCB: Seal

  • Migration and indirection

    • Caller gets to specify certain properties

      • What agents may unseal the secret

      • What hardware may unseal the secret

      • What nexus may unseal the secret

      • What users may unseal the secret

    • Agents shouldn’t seal against the SSC

      • They should seal against the nexus

        • which seals against the SSC

    • Backup, restore, migration are all possible using intermediate keys and certificates


Hardware Fundamentals For NGSCB Part 2: Peripheral Hardware


NGSCB: Desktop Secure Input

  • Threat Model

    • NO Software Only Attacks Against Secured Keystrokes

    • NO Break-Once/Break-Everywhere (BOBE) attacks

  • Out of scope

    • People swapping the keyboard hardware

    • Patching into the keyboard cable

    • Sticking some device between the keyboard and the box

    • All require a physical attack

  • Cannot send a physical attack via e-mail


Secure Input

[Diagram built up over six slides. Labels: Standard-Mode (“std-mode”/LHS), Nexus-Mode (RHS), User, Kernel, Hazard, USB Host Controller, and E markers with the legend “E = Encrypted”; the last slide adds “Decrypted Text”.]

Mobile PC Secure Input

[Diagram. Labels: Standard-Mode (“std-mode”/LHS), Nexus-Mode (RHS), User, Kernel, Hazard, Chipset South Bridge (LPC bus Controller), Key Board Controller (KBC), and E markers with the legend “E = Encrypted”.]


Secure Input

  • Encryption for Human Interface Device (HID) will be done on the outboard side of a USB host

    • Built into USB root hub

    • Built into any USB hub

    • Inside the device of interest

    • In-line device (dongle) between the machine and the input device

  • Best solution is #1


Secure Input Work In Progress

  • For desktops

    • Evaluating several different ways of establishing shared secret

      • Security versus OEM and IT deployment tradeoffs

  • For laptops

    • Evaluating different ways to partition Secure Input Path firmware/microcode in Embedded Controller

      • Legacy versus security certification issues

  • Alternatives being evaluated

    • More information in calls-to-action


Secure Video

  • Threat Model for video

    • NO Software-Only attacks against Secure Windows and the information displayed in them

    • NO Break-Once/Break-Everywhere (BOBE) attacks

  • This is not the ONLY hazard relevant to all stake holders

    • It is what we can secure

  • Security for external video interfaces is a matter for hardware standards

    • NGSCB could support link protections but won’t require it


Secure Video

[Diagram. Labels: Standard-Mode (“std-mode”/LHS), Nexus-Mode (RHS), User, Kernel, Hazard, Graphics Adaptor (nexus-mode), Graphics Adaptor (std-mode), USB Host Controller.]


Secure Video

  • Secure Video assures

    • Secure windows cannot be obscured

    • Secure windows cannot be captured by unauthorized software

    • Secure windows cannot be altered by unauthorized software

  • Graphics adaptor may communicate with display in various formats

  • We are working on accessibility


Secure Video

  • The Challenge

    • How does the video data get from nexus-mode to the graphics processor?

    • Two general ways

      • Closed path – video MUST be integrated device

        • Depends on special hardware path from nexus to video device

        • Works when the video device is in close cooperation with the memory controller

      • Encrypted path – data is encrypted in nexus-mode and decrypted by the graphics adaptor

        • Can reuse LHS driver stack


Closed Path T-Vid

[Diagram. Labels: Standard-Mode (“std-mode”/LHS), Nexus-Mode (RHS), User, Kernel, Trusted Video Abstractor, Hazard, Graphics Adaptor (nexus-mode), Graphics Adaptor (std-mode), USB Host Controller.]


Crypto Path T-Vid

[Diagram. Same labels as Closed Path T-Vid, plus E markers with the legend “E = Encrypted”.]


NGSCB: Ecosystem

  • Works today on x86 flat 32-bit architectures from multiple sources

  • Could work on any CPU with

    • User/kernel modes

    • Page granular virtual memory mapping

  • With effort, could be adapted to other CPU models


NGSCB: Ecosystem

  • Building an NGSCB capable machine requires:

All working in conjunction

Include tamper resistant/detecting hardware to pursue specific opportunities


NGSCB: Changing The Nexus

  • The digest of the nexus is the basis for trust in the system

    • So a change to the nexus is non-trivial

      • Hardware changes which require nexus changes will face delays in market support

        • We are working closely with core-logic vendors to minimize risk

  • For RHS input and output it’s important to get things “right”

    • This means that there will be a small number of practical *INTERFACES* for trusted-input and trusted-output

      • This is about INTERFACES, not gates, technologies, fabs, speeds, or costs; INTERFACES

    • Microsoft is working to define these INTERFACES with leading providers of video and USB hardware

  • LHS interfaces and software can change in the normal ways


    Nexus Fundamentals


    Device Drivers

    • NGSCB doesn’t change the device driver model

    • NGSCB needs very minimal access to real hardware

    • Secure reuse of Left Hand Side (LHS) driver stacks wherever possible

      • Right Hand Side (RHS) encrypted channel through LHS unprotected conduit

    • Every line of privileged code is a potential security risk

      • No third-party code

      • No kernel-mode plug-ins


    Partitioned System

    • RHS = Security

      • In the presence of adversarial LHS code the system must not leak secrets

        → The RHS must NOT rely on the LHS for security

    • LHS = Richness and Compatibility

      • In the absence of LHS cooperation NGSCB doesn’t run

        → The RHS MUST rely on the LHS for stability and services


    What Runs On The LHS

    • Applications and Drivers still run

    • Viruses too

    • Windows as you know it today

    • Any software with minor exceptions

      • The new hardware (HW) memory controller won’t allow certain “bad” behaviors, e.g., code which

        • Copies all of memory from one location to the next

        • Puts the CPU into real mode


    What NGSCB Needs From The LHS

    • Device Driver work for Trusted Input / Video

    • Memory Management additions to allow nexus to participate in memory pressure and paging decisions

    • User mode debugger additions to allow debugging of agents (explained later)

    • Window Manager coordination

    • Nexus Manager Device driver (nexusmgr.sys)

    • NGSCB management software and services


    Close-Up Of The Lower RHS


    I Think, Therefore I Am: Descartes Problem

    • Challenge for attestation must always come from outside the machine

      • Local (the user with a superkey)

      • Remote (some server)

    • No nexus can directly determine if it is running in the secured environment

    • No Agent can directly determine if it is running in the secured environment

    • Must use Remote Attestation or Sealed Storage to cache credentials or secrets to prove the system is sound


    Nexus Derivative Works

    • The user can run any nexus, or write his own and run it, on the hardware

    • That nexus can only report the attestation provided by the Security Support Component (SSC)

      • The SSC won’t lie

      • The nexus cannot pretend to be another nexus

    • Other systems will need to decide if they trust the new derived nexus

    • Just need to prove to others your derivative is legitimate


    Agent Derivative Works

    • The user can run any agent, or write his own and run it, on the nexus

    • That agent can report the attestation provided by the nexus

      • The nexus won’t lie

      • The agent cannot pretend to be another agent

    • Other systems will need to decide if they trust the new derived agent

    • Just need to prove to others your derivative is legitimate


    Policy Controlled By The Owner Of The Machine

    • NGSCB enforces policy but does not set the policy

    • The hardware will load any nexus

      • But only one at a time

      • Each nexus gets the same services

      • The hardware keeps nexus secrets separate

      • Nothing about this architecture prevents any nexus from running; however, the owner can control which nexuses are allowed to run

    • Proposed software (nexus) policies

      • The Microsoft nexus will run any agent

        • The platform owner can set policy that limits this

        • User gets to pick some other delegated evaluator (e.g., my union) if they choose


    Policy Notes

    • Policy is a way for users and machine owners to make general, abstract statements about what software runs

      • “Run any agent I click”

      • “Run only agents whose source I’ve read”

      • “Run agents that a third party I trust, trusts”

  • The point of policy is to enable the users to control what runs on their machines


    Next Generation Secure Computing Base Defined

    • Microsoft’s Next-Generation Secure Computing Base (NGSCB) is a new security technology for the Microsoft Windows platform

      • Uses a unique hardware and software design

      • Gives people new kinds of security and privacy protections in an interconnected world


    NGSCB Quadrants

    [Diagram: the NGSCB quadrants (Standard-Mode/LHS and Nexus-Mode/RHS, User and Kernel, above Hardware), with the same component labels as the first NGSCB Quadrants slide.]


    “Booting” The Nexus

    • Nexus is like an OS kernel, so it must boot sometime

    • Can boot long after main OS

    • Can shut down long before main OS (and restart later)


    NGSCB Nexus Manager

    [Diagram: the Nexus Manager across Standard-Mode (LHS) and Nexus-Mode (RHS), with User and Kernel levels, above Hardware (Secure Input, Secure Video). Labelled components: Nexus Manager Abstraction Layer (NMAL), Nexus Manager Core, Shadow Service, Admin Service, NexusMgr, IPC, Nexus, Dispatch, Services, Secure Video Filter Driver, Secure Input Filter Driver, Object Security Manager, Shared Resource Manager, HW Allocator (memory wholesaler), Nexus Loader.]


    “Booting” The Nexus

    • NexusMgr is a kernel mode LHS component

      • Read and map the nexus code

      • Allocate some pages from the main OS

      • Pass that list of pages to the nexus via some platform-specific code/hardware

      • Digest the nexus (with hardware help)

    • Now the nexus starts, initializes Address Translation Control (ATC), and returns control to the LHS


    Address Translation

    [Diagram: virtual addresses, address translation, two normal pages and one protected page.]


    Address Translation Control

    • This is curtained memory (or strong process isolation)

    • Can’t tamper with a page unless you have a mapping to it

    • On current PCs

      • Any kernel mode code can modify Virtual Address (VA) → Physical Address (PA) mapping structures

      • There’s untrusted code in kernel mode

    • NGSCB hardware calls nexus before

      • Page map changes (process swap)

      • Edits to mapping structures

      • Turning off paging


    Address Translation Control

    • When the page map changes, the nexus

      • Walks the tree of pages it maps

      • Makes sure no protected pages are mapped

      • No read/write mappings to the page map

      • Now the map will remain safe, so hardware and software can manage a list of known safe page maps


    Address Translation Control

    • When a mapping structure changes, the nexus

      • Walks the tree of pages getting mapped

      • Makes sure no protected pages are getting mapped

      • Ensures no read/write mappings to the page map

    • ATC will almost always allow the mapping to change

      • Legacy code will still work unless it attempts to access nexus space pages
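
The page-map checks on the two Address Translation Control slides above, as an added C sketch that is not from the presentation or from Microsoft's nexus: a toy two-level page map in which `kind_of`, `tables`, `atc_check_map` and `atc_edit` are hypothetical names. It assumes that "no read/write mappings to the page map" means no writable mappings (read-only ones pass) and that the nexus already tracks which frames are protected or mapping structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define FRAMES  16  /* toy physical memory, in page frames */
#define ENTRIES 4   /* entries per mapping structure */

enum kind    { NORMAL, PROTECTED, PAGEMAP };  /* as tracked by the nexus */
enum verdict { ATC_OK, ATC_MAPS_PROTECTED, ATC_WRITABLE_PAGEMAP, ATC_BAD_FRAME };
struct pte   { bool present, writable; uint8_t frame; };

static enum kind  kind_of[FRAMES];          /* constructed model state */
static struct pte tables[FRAMES][ENTRIES];  /* contents of mapping frames */

/* The two rules from the slides, applied to one leaf entry. */
static enum verdict check_leaf(struct pte e)
{
    if (e.frame >= FRAMES)                         return ATC_BAD_FRAME;
    if (kind_of[e.frame] == PROTECTED)             return ATC_MAPS_PROTECTED;
    if (kind_of[e.frame] == PAGEMAP && e.writable) return ATC_WRITABLE_PAGEMAP;
    return ATC_OK;
}

/* Page map change: walk the two-level tree; directory permission bits not modelled. */
enum verdict atc_check_map(uint8_t root)
{
    if (root >= FRAMES || kind_of[root] != PAGEMAP) return ATC_BAD_FRAME;
    for (size_t d = 0; d < ENTRIES; d++) {
        struct pte dir = tables[root][d];
        if (!dir.present) continue;
        if (dir.frame >= FRAMES || kind_of[dir.frame] != PAGEMAP) return ATC_BAD_FRAME;
        for (size_t i = 0; i < ENTRIES; i++) {
            enum verdict v = tables[dir.frame][i].present
                           ? check_leaf(tables[dir.frame][i]) : ATC_OK;
            if (v != ATC_OK) return v;
        }
    }
    return ATC_OK;
}

/* Mapping structure edit: apply, re-walk from root, roll back if unsafe. */
enum verdict atc_edit(uint8_t root, uint8_t table, size_t idx, struct pte e)
{
    if (table >= FRAMES || idx >= ENTRIES || kind_of[table] != PAGEMAP) return ATC_BAD_FRAME;
    struct pte old = tables[table][idx];
    tables[table][idx] = e;
    enum verdict v = atc_check_map(root);
    if (v != ATC_OK) tables[table][idx] = old;
    return v;
}
```

Ordinary edits return `ATC_OK`, which matches the slide's point that ATC almost always allows the mapping to change; only an entry that reaches a protected frame or a writable view of a mapping structure is rolled back.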


    Address Translation Control

    • ATC protects

      • Agent and nexus data

      • Agent and nexus code

      • All page mapping structures (LHS/RHS)

    • Also protected from DMA (thanks to special hardware)

    • Correct ATC implementation vital to NGSCB security


    Memory Management (MM)

    • Simplicity, robustness preferred over maximizing performance

    • Allocate/free whole pages

    • No shared memory between agents

    • No paging-to-disk in this version

      • If nexus were to page to disk, it would encrypt and sign the pages, then ask the main OS to flush them


    Memory Management (MM)

    • Nexus keeps some free pages that ATC is protecting

    • Nexus can request extra pages from kernel via NexusMgr (seize)

    • Nexus MM asks ATC if new pages are safe to use - “any left side mappings?”

    • Nexus can give surplus pages back to kernel if the kernel needs them


    Nexus Abstraction Layer (NAL)

    • Multiple CPU vendors

    • Different Security Support Components (SSC)

    • Much nexus code is architecture independent


    Interrupts

    • Interrupts enabled on the RHS

    • Most drivers are still on the LHS

      So…what if an interrupt for the NIC, SCSI card, etc. happens on the right?

    • Nexus asks Porch to transition to the LHS

    • NexusMgr “replays” the interrupt


    Nexus Also Protects

    • Model specific registers (MSRs)

      • Some MSRs are used to implement NGSCB, but most will be accessible by left side code

    • I/O ports

      • Combined with ATC, this means PCI config space is protected

      • Things like the DMA exclusion list are in chipset registers, so we must protect them

    • The NAL helps decide what to protect

