107
Next Generation Next Generation Secure Computing Secure Computing Base Base 黃黃黃 黃黃黃 @SiS @SiS

Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

  • View
    230

  • Download
    4

Embed Size (px)

Citation preview

Page 1: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Next Generation Next Generation Secure Computing Secure Computing BaseBase

黃志源黃志源@SiS@SiS

Page 2: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

ContentsContents

Next Generation Secure Computing Next Generation Secure Computing Base OverviewBase Overview

Hardware Fundamentals For NGSCBHardware Fundamentals For NGSCBPart 1: Core HardwarePart 1: Core Hardware

Hardware Fundamentals For NGSCBHardware Fundamentals For NGSCBPart 2: Peripheral HardwarePart 2: Peripheral Hardware

Nexus FundamentalsNexus Fundamentals

Page 3: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Next Generation Secure Next Generation Secure Computing Base OverviewComputing Base Overview

Page 4: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Trustworthy ComputingTrustworthy Computing

SecuritySecurity

PrivacyPrivacy

ReliabilityReliability

Business IntegrityBusiness Integrity

Resilient to attackResilient to attack Protects confidentiality, integrity, Protects confidentiality, integrity,

availability, and dataavailability, and data

Dependable

Available when needed

Performs at expected levels

Individuals control personal data

Products and Online Services adhere to fair information principles

Help customers find appropriate solutions

Address issues with products and services

Open interaction with customers

Page 5: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB Vision And GoalsNGSCB Vision And Goals

VisionVision NGSCB advances the PC ecosystem to meet NGSCB advances the PC ecosystem to meet

customers’ requirements for customers’ requirements for security, privacy, security, privacy, and data protectionand data protection

Product GoalProduct Goal NGSCB will broaden the utility of the PC by NGSCB will broaden the utility of the PC by

delivering delivering security on par with closed security on par with closed architecturearchitecture systems while maintaining the systems while maintaining the flexibility of the Windows platformflexibility of the Windows platform

Business GoalBusiness Goal NGSCB will help to revitalize the PC ecosystem NGSCB will help to revitalize the PC ecosystem

by enabling a by enabling a new generation of hardware and new generation of hardware and softwaresoftware products products

Page 6: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Customer Security IssuesCustomer Security Issues

Vulnerability introduced by enabling Vulnerability introduced by enabling remote accessremote access

Illegal access and usage of sensitive Illegal access and usage of sensitive informationinformation

Difficulty in knowing who a company is Difficulty in knowing who a company is doing business withdoing business with

Difficulty in doing patch managementDifficulty in doing patch management OthersOthers

Collaborating in a secure environmentCollaborating in a secure environment Protecting secrets, e.g., key pairs, certificatesProtecting secrets, e.g., key pairs, certificates Virus and malicious code attacksVirus and malicious code attacks

Page 7: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Why NGSCB?Why NGSCB?

Vulnerabilities todayVulnerabilities today Attacks on Core assetsAttacks on Core assets Attacks on NetworksAttacks on Networks Attacks via Remote users/machinesAttacks via Remote users/machines

NGSCB can address software attacks NGSCB can address software attacks on applications, secretson applications, secrets Damage from attacks can be Damage from attacks can be

compartmentalized and limitedcompartmentalized and limited

Page 8: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

How It Works: The PCHow It Works: The PC

Page 9: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

How It Works: Before NGSCBHow It Works: Before NGSCB

Page 10: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

How It Works: Before NGSCBHow It Works: Before NGSCB

Page 11: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

How it Works: Before NGSCBHow it Works: Before NGSCB

Page 12: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB

How It Works: With NGSCBHow It Works: With NGSCB

Page 13: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

How It Works: With NGSCBHow It Works: With NGSCB

Page 14: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB

How It Works: With NGSCBHow It Works: With NGSCB

Page 15: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Main OSMain OS

USBUSBDriverDriver

NexusMgr.sysNexusMgr.sys

HALHAL

User Apps.User Apps.

Nexus-Mode (RHS)Nexus-Mode (RHS)

NexusNexus

NALNAL

AgentAgent

NCA Runtime LibraryNCA Runtime Library

Trusted UserTrusted UserEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

AgentAgentAgentAgent

NGSCB Quadrants

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

SSCSSC Hardware Hardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video

Page 16: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Four NGSCB Features GroupsFour NGSCB Features Groups

The first three are needed to protect against malicious code

Attestation breaks new ground in distributed computingThe identity

of hardware, nexus, and applications can be proven

11

22

33

44

Page 17: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Addressing Customer Needs Addressing Customer Needs With NGSCBWith NGSCB Remote accessRemote access

Granularity of access at machine, nexus, and application levelGranularity of access at machine, nexus, and application level Application to application connection rather than VPN connectionApplication to application connection rather than VPN connection

Patch managementPatch management IT can specify that only a known configuration of nexus and application can IT can specify that only a known configuration of nexus and application can

execute or access corporate resourcesexecute or access corporate resources Preventing illegal access of informationPreventing illegal access of information

Reinforce rights management by rooting key pair in hardwareReinforce rights management by rooting key pair in hardware Encryption of data based on secrets that never leave hardwareEncryption of data based on secrets that never leave hardware

Agents developmentAgents development Agents identity is rooted in secrets on the hardwareAgents identity is rooted in secrets on the hardware Applications run in isolated process space and are impermeable to Applications run in isolated process space and are impermeable to

software attacksoftware attack Collaboration enablementCollaboration enablement

End users can collaborate and communicate securelyEnd users can collaborate and communicate securely End users can establish content authenticity by digital signatureEnd users can establish content authenticity by digital signature

Page 18: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Four NGSCB Features GroupsFour NGSCB Features Groups

Page 19: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

What Does This All Mean?What Does This All Mean?

All NGSCB capabilities build off of four key featuresAll NGSCB capabilities build off of four key features Strong process isolationStrong process isolation Root key for persistent secret protectionRoot key for persistent secret protection Secure path to and from the userSecure path to and from the user Attestation (hardware (HW)/software (SW) authentication)Attestation (hardware (HW)/software (SW) authentication)

The first three are needed to protect against The first three are needed to protect against malicious code malicious code

Attestation breaks new ground in Attestation breaks new ground in distributed computingdistributed computing ““Things” (software, machines, services) can be Things” (software, machines, services) can be

securely identifiedsecurely identified

Page 20: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB Quadrants

Main OSMain OS

USBUSBDriverDriver

Nexus-Mode (RHS)Nexus-Mode (RHS)

NexusNexus

NexusMgr.sysNexusMgr.sys

HALHAL

NALNAL

SSCSSC

User Apps.User Apps.

AgentAgent

NCA Runtime LibraryNCA Runtime Library

Trusted UserTrusted UserEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

AgentAgentAgentAgent

Standard-Mode (LHS)Standard-Mode (LHS)

UserUser

KernelKernel

HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video

Page 21: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

NCA Runtime LibraryNCA Runtime Library

Trusted UserTrusted UserEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

Four Key Features (1) Process Isolation

Standard-Mode (LHS)Standard-Mode (LHS)

UserUser

KernelKernel

HardwareHardware

AgentAgent AgentAgent AgentAgent

Page 22: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Strong Process Strong Process IsolationIsolation Nexus Computing Agents, or NCAs, Nexus Computing Agents, or NCAs,

run in curtained memoryrun in curtained memory Not accessible by the standard Not accessible by the standard

Windows kernelWindows kernel Not accessible by hardware DMANot accessible by hardware DMA Not accessible by other NCAsNot accessible by other NCAs

Enforced by hardware and softwareEnforced by hardware and software Changes to CPU, chipsetChanges to CPU, chipset Nexus arbitrates page tablesNexus arbitrates page tables

Page 23: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus Manager Abstraction Layer (NMAL)Nexus Manager Abstraction Layer (NMAL)

Nexus Manager Core Nexus Manager Core Nexus

DispatchServices

Shadow Service

AdminService

Nexus MgrIPC

Object SecurityManager

Shared ResourceManager

HW Allocator(memory

wholesaler)

Nexus Loader

Nexus-Mode (RHS)Nexus-Mode (RHS)Standard-Mode (LHS)Standard-Mode (LHS)

UserUser

KernelKernel

HardwareHardware

Four Key Features(2) Secure Path To and From User

SecureSecureInput Input

Filter DriverFilter Driver

SecureSecureVideo Video

Filter DriverFilter Driver

Secure videoSecure videoSecure InputSecure Input

Page 24: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Secure Path To UserSecure Path To User

Secure inputSecure input Encrypted session between USB device Encrypted session between USB device

and nexusand nexus Changes to standard USB driver stackChanges to standard USB driver stack Required for keyboard and mouseRequired for keyboard and mouse Alternate solution being developed for Alternate solution being developed for

non-USB (laptops)non-USB (laptops)

Secure outputSecure output Secure channel between graphics adaptor Secure channel between graphics adaptor

and nexusand nexus Changes to graphics adaptorChanges to graphics adaptor Changes to video driverChanges to video driver

Page 25: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Four Key Features (3) Sealed Storage

Standard-Mode (LHS)Standard-Mode (LHS)

UserUser

KernelKernel

HardwareHardware

NexusNexus

NALNAL

AgentAgent

NCA Runtime LibraryNCA Runtime Library

Trusted UserTrusted UserEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

AgentAgentAgentAgent

SSCSSC

Page 26: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Hardware Protection Hardware Protection Of SecretsOf Secrets Security Support Component (SSC) Security Support Component (SSC)

chip on motherboardchip on motherboard SSC holds a secure keysetSSC holds a secure keyset Each nexus generates a random keyset Each nexus generates a random keyset

on first loadon first load SSC provides hardware protection of the SSC provides hardware protection of the

nexus keysetnexus keyset

NCAs use nexus facilities to generate NCAs use nexus facilities to generate and protect keysand protect keys

Page 27: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Four Key Features (4) Attestation

Standard-Mode (LHS)Standard-Mode (LHS)

UserUser

KernelKernel

HardwareHardware

NexusNexus

NALNAL

AgentAgent

NCA Runtime LibraryNCA Runtime Library

Trusted UserTrusted UserEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

AgentAgentAgentAgent

SSCSSC

Page 28: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

AttestationAttestationSoftware/Hardware AuthenticationSoftware/Hardware Authentication

When requested, the nexus can prepare a When requested, the nexus can prepare a chain that authenticateschain that authenticates NCA by digest, signed by the nexusNCA by digest, signed by the nexus Nexus by digest, signed by the SSCNexus by digest, signed by the SSC SSC by public key, signed by OEMSSC by public key, signed by OEM

Other forms of attestation are possible that Other forms of attestation are possible that provide less informationprovide less information Using trusted third partyUsing trusted third party

User sets policy to control which NCAs can User sets policy to control which NCAs can use which forms of attestationuse which forms of attestation

Page 29: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

HardwareHardware

ChipsetChipsetCPUCPUSecureSecureInputInput

Secure Secure VideoVideo

SSCSSC

Nexus-Mode (RHS)Nexus-Mode (RHS)Standard-Mode (LHS)Standard-Mode (LHS)

UserUser

KernelKernel

Hardware SummaryHardware Summary

Page 30: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Hardware SummaryHardware Summary

Modified componentsModified components CPUCPU ChipsetChipset Secure videoSecure video Secure input (keyboard and mouse)Secure input (keyboard and mouse)

Two versions: USB and laptopTwo versions: USB and laptop

New componentsNew components SSCSSC

Page 31: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

A Qualitative Step ForwardA Qualitative Step Forward

NGSCB extends the Windows platformNGSCB extends the Windows platform We provide the core, others will build the We provide the core, others will build the

solutionssolutions We really want to enable others to build new and We really want to enable others to build new and

exciting applicationsexciting applications

NGSCB is appropriate anywhere you could NGSCB is appropriate anywhere you could possibly imagine needing privacy, security or possibly imagine needing privacy, security or data protectiondata protection

We will ship some solutions “in the box”We will ship some solutions “in the box” Enough to provide immediate valueEnough to provide immediate value

Page 32: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Scenario CategoriesScenario Categories

Secure remote accessSecure remote access Corporate remote accessCorporate remote access Secure client access to middle tier serversSecure client access to middle tier servers

Secure collaborationSecure collaboration Chat and instant messagingChat and instant messaging E-MailE-Mail Rights managementRights management Digital signatureDigital signature

Page 33: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Secure Remote AccessSecure Remote Access

ExamplesExamples To a client/server app, using a custom NCA clientTo a client/server app, using a custom NCA client To your enterprise desktop, using a secure remote To your enterprise desktop, using a secure remote

desktop clientdesktop client How it worksHow it works

Uses attestation for end-to-end authenticationUses attestation for end-to-end authentication Uses strong process isolation and secure path to the Uses strong process isolation and secure path to the

user to be safe against attacks on the remote client user to be safe against attacks on the remote client Uses an application private network (APN) for Uses an application private network (APN) for

secure communicationssecure communications Application-to-application encrypted sessionApplication-to-application encrypted session More secure than a VPN because the protection extends More secure than a VPN because the protection extends

into the application layer itself into the application layer itself

Page 34: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Application Private NetworkApplication Private NetworkApplicationApplication(Client NCA)(Client NCA)

PresentationPresentation

SessionSession

TransportTransport

NetworkNetwork

DatalinkDatalink

PhysicalPhysical

ApplicationApplication(Server)(Server)

PresentationPresentation

SessionSession

TransportTransport

NetworkNetwork

DatalinkDatalink

PhysicalPhysical

Standard IP: vulnerable at every layerStandard IP: vulnerable at every layer

NGSCB APN: extends protection to all NGSCB APN: extends protection to all layers, so that only the client and server layers, so that only the client and server applications can use the connectionapplications can use the connection

VPN: network layer and below are protected, VPN: network layer and below are protected, including data on the wire – but all software on including data on the wire – but all software on the client has access to the server connectionthe client has access to the server connection

Page 35: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Secure CollaborationSecure Collaboration

ExamplesExamples Secure e-mailSecure e-mail Secure text document creation and sharingSecure text document creation and sharing Secure instant messagingSecure instant messaging Secure digital signature – “what you see is what you sign”Secure digital signature – “what you see is what you sign”

How it worksHow it works Uses rights management based on hardware protection of Uses rights management based on hardware protection of

secrets to protect and control access to datasecrets to protect and control access to data Uses strong process isolation and secure path to the user to Uses strong process isolation and secure path to the user to

be safe against spoofing and snooping attacksbe safe against spoofing and snooping attacks Uses an APN for end-to-end messaging securityUses an APN for end-to-end messaging security

Page 36: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Secure Digital SignatureSecure Digital Signature

Microsoft Word

This is text that should be verified as correct and then signed.

File Edit View Insert Help

Sign Digitally...

When the userclicks “sign”, theXML data is signedand the signeddata is returned tothe application

Secure Digital Signature

This is text that should be verified as correct and then signed.

Sign

Cancel

USPS SignatureSignature:

When the user wants to sign, thetext is rendered by the applicationinto a standard XML-based formatand passed to the digital signature

agent

NOTE: for NOTE: for explanatory explanatory purposes purposes only; this is only; this is not actual UInot actual UI

Page 37: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Hardware Fundamentals Hardware Fundamentals For NGSCBFor NGSCBPart 1: Core HardwarePart 1: Core Hardware

Page 38: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

AgendaAgenda

Threat ModelsThreat Models What is NGSCB and Why?What is NGSCB and Why? What does NGSCB do?What does NGSCB do? NGSCB Features and Details NGSCB Features and Details

Strong Process IsolationStrong Process Isolation AttestationAttestation Sealed StorageSealed Storage

Call to ActionCall to Action

Page 39: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Next Generation Secure Next Generation Secure Computing Base (NGSCB)Computing Base (NGSCB) DefinedDefined

New security technology for the Microsoft New security technology for the Microsoft Windows platformWindows platform

Unique hardware and software architecture Unique hardware and software architecture Protected computing environment inside the Protected computing environment inside the

Windows PCWindows PC A “virtual vault” that will sit side by side with the A “virtual vault” that will sit side by side with the

regular Windows environment regular Windows environment

New kinds of security and privacy New kinds of security and privacy protections for computers protections for computers

Page 40: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB Quadrants

Main OSMain OS

USBUSBDriverDriver

Nexus-Mode (RHS)Nexus-Mode (RHS)

NexusNexus

NexusMgr.sysNexusMgr.sys

HALHAL

NALNAL

SSCSSC

User Apps.User Apps.

AgentAgent

NCA Runtime LibraryNCA Runtime Library

Trusted UserTrusted UserEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

AgentAgentAgentAgent

Standard-Mode (LHS)Standard-Mode (LHS)

UserUser

KernelKernel

HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video

Page 41: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: Threat ModelsNGSCB: Threat Models

Our Threat ModelOur Threat Model NO Software-Only Attacks Against Nexus-Space NO Software-Only Attacks Against Nexus-Space

OperationsOperations NO Break-Once/Break-Everywhere (BOBE) attacksNO Break-Once/Break-Everywhere (BOBE) attacks

No Software-Only Attacks means…No Software-Only Attacks means… No attacks based on micro-code, macro-code, No attacks based on micro-code, macro-code,

adapter card scripts, etc. adapter card scripts, etc. Any attacks launched from the Web or e-mail are Any attacks launched from the Web or e-mail are

“software only”“software only”

Protection only applies to the release Protection only applies to the release of secrets of secrets Viruses could still delete encrypted filesViruses could still delete encrypted files

Page 42: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: Threat ModelsNGSCB: Threat Models

No BOBE attacks meansNo BOBE attacks means Attacks don’t scaleAttacks don’t scale

Each Security Support Component (SSC) has Each Security Support Component (SSC) has unique keysunique keys

Data MUST use unique or partially unique, Data MUST use unique or partially unique, rather than global keysrather than global keys

One person breaking one machine yields One person breaking one machine yields the secrets sent to that machine onlythe secrets sent to that machine only Does NOT allow that person to tell everybody Does NOT allow that person to tell everybody

else in the world how to break content else in the world how to break content Does allow the release of content bound to Does allow the release of content bound to

that machinethat machine

Page 43: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

What And Why?What And Why?

Modifications to allow PCs to be used in Modifications to allow PCs to be used in new waysnew ways Hardware changesHardware changes Software changesSoftware changes

Allows users to interact with entities either Allows users to interact with entities either inside or outside the machine:inside or outside the machine: Show them what code is runningShow them what code is running Make believable promises about codeMake believable promises about code Prove that those promises are durableProve that those promises are durable

Changes what can be believed about Changes what can be believed about computationcomputation Not what can be done with itNot what can be done with it

Page 44: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

What And Why?What And Why?

This is the Next Big ThingThis is the Next Big Thing Windowing in the ‘80sWindowing in the ‘80s Networking in the ‘90sNetworking in the ‘90s Security in the ‘00sSecurity in the ‘00s

Security and trust will advance the Security and trust will advance the PC ecosystemPC ecosystem Customers are demanding higher security Customers are demanding higher security

and privacyand privacy From end-users to enterprisesFrom end-users to enterprises Governments are mandating as wellGovernments are mandating as well

Opens new markets that rely on trustworthiness Opens new markets that rely on trustworthiness of information technologyof information technology

Page 45: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

What Does NGSCB Do?What Does NGSCB Do?

Creates a safe region called nexus-space Creates a safe region called nexus-space inside of a regular PCinside of a regular PC Think of an access-controlled, high-security vault Think of an access-controlled, high-security vault

in an open marketin an open market

All the rest of the PC is still presentAll the rest of the PC is still present Apply full power and speed of the PC to Apply full power and speed of the PC to

security functionssecurity functions Co-processors don’t scale with the CPUCo-processors don’t scale with the CPU

Adding main memory won’t speed them upAdding main memory won’t speed them up

Majority of the hardware is unchangedMajority of the hardware is unchanged E.g., PCI, Serial, Parallel, MemoryE.g., PCI, Serial, Parallel, Memory

Page 46: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

What Does NGSCB Do?What Does NGSCB Do?

NGSCB Code on NGSCB HardwareNGSCB Code on NGSCB Hardware Designed to stop all software only threats Designed to stop all software only threats

in nexus-spacein nexus-space

Run all the old codeRun all the old code Very obscure exceptionsVery obscure exceptions

Qualitatively different Qualitatively different Profound change in what can be believed, Profound change in what can be believed,

and hence, trustedand hence, trusted

Page 47: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

What Does NGSCB Do? What Does NGSCB Do?

Enhances Enhances Security Security ““Vault” to store important materialVault” to store important material

Both locally and remotely attestableBoth locally and remotely attestable Realistic control over which code can touch which dataRealistic control over which code can touch which data

Control given to software, by usersControl given to software, by users

EnhancesEnhances Robustness Robustness Better user control of what can run in NGSCB; what it can doBetter user control of what can run in NGSCB; what it can do

Enhances Enhances PrivacyPrivacy Users can know which code is doing what with private Users can know which code is doing what with private

informationinformation Users can delegate privacy decisions in a usable wayUsers can delegate privacy decisions in a usable way

Page 48: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

How Does NGSCB WorkHow Does NGSCB Work

New kind of process, called a Nexus CNew kind of process, called a Nexus Computing Agent, or NCA, or Agentomputing Agent, or NCA, or Agent Very much like a traditional process, but rVery much like a traditional process, but r

uns in a much more spartan environmentuns in a much more spartan environment The Key Assertions may be applied The Key Assertions may be applied

to agentsto agents

Page 49: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Key AssertionsKey Assertions

The agent is what it is attested to beThe agent is what it is attested to be The agent is running in the attested environment The agent is running in the attested environment

and THEREFOREand THEREFORE The agent will be initiated correctlyThe agent will be initiated correctly

Agent behavior cannot be permuted by attacking initializationAgent behavior cannot be permuted by attacking initialization The agent is isolated The agent is isolated

From other agents From other agents From the Left Hand Side (LHS) From the Left Hand Side (LHS) Not even debuggers or device drivers can alter the agent Not even debuggers or device drivers can alter the agent

at runtimeat runtime The agent has someplace to keep a secretThe agent has someplace to keep a secret On clients, agents will have a secure path to the userOn clients, agents will have a secure path to the user

Page 50: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Main OSMain OS

DriversDrivers

HALHAL

User ProgramsUser Programs

NGSCB: Context

Standard-Mode (LHS)Standard-Mode (LHS)

User User ModeMode

Kernel Kernel ModeMode

DLLDLL DLLDLL

What exists in today’s What exists in today’s systemssystems Main OS is rich, Main OS is rich,

compatible with vast compatible with vast array of stuff, array of stuff, supports vast array of supports vast array of hardware – it is largehardware – it is large

User can install User can install drivers which get drivers which get privileged access to privileged access to memory – remote memory – remote parties can never be parties can never be sure the program has sure the program has not been negatively not been negatively impacted by the driverimpacted by the driver

Page 51: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB Quadrants

Main OSMain OS

DriverDriver

Nexus-Mode (RHS)Nexus-Mode (RHS)

NexusNexus

NexusMgr.sysNexusMgr.sys

HALHAL

NALNAL

SSCSSC

User Apps.User Apps.

AgentAgent AgentAgentAgentAgent

Standard-Mode (LHS)Standard-Mode (LHS)

UserUser

KernelKernel

HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video

NxSvc.exeNxSvc.exe

Page 52: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Main OSMain OS

DriverDriver

Nexus-Mode (RHS)Nexus-Mode (RHS)

NexusNexus

NexusMgr.sysNexusMgr.sys

HALHAL

NALNAL

SSCSSC

User Apps.User Apps.

AgentAgent AgentAgentAgentAgent

Standard-Mode (LHS)Standard-Mode (LHS)

UserUser

KernelKernel

HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video

NxSvc.exeNxSvc.exe

NGSCB Quadrants

Page 53: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: NGSCB: Strong Process IsolationStrong Process Isolation Machine is locked into flat paged modeMachine is locked into flat paged mode Address-Translation-Control prohibits std-Address-Translation-Control prohibits std-

mode code from mapping a nexus-mode pagemode code from mapping a nexus-mode page No CPU access to memory w/out mappingNo CPU access to memory w/out mapping Requires CR3 loads trap to nexusRequires CR3 loads trap to nexus Requires alteration of maps Requires alteration of maps Requires PTE-writes to trap to the nexus or be Requires PTE-writes to trap to the nexus or be

filtered by hardware filtered by hardware Chipset/Memory controller maintains a per-page Chipset/Memory controller maintains a per-page

list of pages to which DMA is prohibited, periodlist of pages to which DMA is prohibited, period

Page 54: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: AttestationNGSCB: Attestation

Attestation is a crypto-signed digest Attestation is a crypto-signed digest of some codeof some code

Proof that some bit vector is known Proof that some bit vector is known by this digestby this digest

SSC and CPU compute digest of nexus SSC and CPU compute digest of nexus at nexus bootat nexus boot

Nexus computes the digest of agentsNexus computes the digest of agents Digests are gathered together to make Digests are gathered together to make

attestation vector that is passed back attestation vector that is passed back to a challengerto a challenger

Page 55: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: AttestationNGSCB: Attestation

Root of attestation stack is the security Root of attestation stack is the security support component (SSC)support component (SSC) Proof valid because the SSC provides a Proof valid because the SSC provides a

proof of a secret that only the SSC knowsproof of a secret that only the SSC knows

This secret never leaves the SSCThis secret never leaves the SSC Secret not revealedSecret not revealed Secret not a privacy hazardSecret not a privacy hazard

Page 56: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: Attestation NGSCB: Attestation ExampleExample Digest1 is for the SSCDigest1 is for the SSC

Establishes confidence in validity of NGSCB Establishes confidence in validity of NGSCB hardware hardware

Digest2 is for the nexusDigest2 is for the nexus Establishes confidence in validity of nexusEstablishes confidence in validity of nexus Has meaning only if Digest1 is validHas meaning only if Digest1 is valid

Digest3 is for the agent Digest3 is for the agent Establishes confidence in validity of agentEstablishes confidence in validity of agent Has meaning only if Digest1 and Digest2 are validHas meaning only if Digest1 and Digest2 are valid

Page 57: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: Attestation CaveatNGSCB: Attestation Caveat

Attestation is NOT a judgment of code Attestation is NOT a judgment of code quality or fitnessquality or fitness Hardware will run any nexus, and attest to Hardware will run any nexus, and attest to

the digest of any nexusthe digest of any nexus Our nexus will run any agent (in Our nexus will run any agent (in

accordance with user policy) and attest to accordance with user policy) and attest to the digest of that agentthe digest of that agent

Attestation leaves judgment up to Attestation leaves judgment up to challengerchallenger Done with excellent confidenceDone with excellent confidence Not up to hardware/nexusNot up to hardware/nexus

Page 58: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: Attestation → NGSCB: Attestation → HardwareHardware Attestation is implemented at the root Attestation is implemented at the root

by the SSC by the SSC Must be tightly bound to the CPU and the Must be tightly bound to the CPU and the

chipset for chipset for Booting of the nexusBooting of the nexus Attestation of the nexusAttestation of the nexus Chain of attestation Chain of attestation

Page 59: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: SealNGSCB: Seal

Here’s a good mental modelHere’s a good mental model Seal(secret) → cryptoblob(secret)Seal(secret) → cryptoblob(secret)

Crytoblob(secret) may be stored anywhereCrytoblob(secret) may be stored anywhere

The call is reallyThe call is really Seal(secret, DigestOfEnvironment, DigestOfCallingAgent,Seal(secret, DigestOfEnvironment, DigestOfCallingAgent,

MigrationControls) → cryptoblob(secret) MigrationControls) → cryptoblob(secret)

Unseal(cryptoblob(somesecret)) → somesecretUnseal(cryptoblob(somesecret)) → somesecret BUT – Unseal is reallyBUT – Unseal is really

Unseal(cryptoblob(somesecret), DigestOfEnvironment, DUnseal(cryptoblob(somesecret), DigestOfEnvironment, DigestOfCallingAgent) → somesecret | nothingigestOfCallingAgent) → somesecret | nothing

If the Digest of the environment or the calling agent does If the Digest of the environment or the calling agent does not match with those that did the seal, Unseal returns ** not match with those that did the seal, Unseal returns ** NOTHING **NOTHING **

Page 60: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: SealNGSCB: Seal

What it means…What it means… If we ignore migration and indirection…If we ignore migration and indirection… Seal/Unseal say that if agent A running on environment B Seal/Unseal say that if agent A running on environment B

seals a secret, then,seals a secret, then, Only agent A running on environment B can unseal itOnly agent A running on environment B can unseal it This gives agent A a way to hide a keyThis gives agent A a way to hide a key

Seal is implemented by the nexus in cooperation Seal is implemented by the nexus in cooperation with the SSCwith the SSC Same hardware build rules as for attestationSame hardware build rules as for attestation

What's an "environment"What's an "environment" Matching attestation vector for nexus-mode onlyMatching attestation vector for nexus-mode only

Booting some other OS that can call the SSC does NOT reveal Booting some other OS that can call the SSC does NOT reveal the secretsthe secrets

Page 61: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: SealNGSCB: Seal

Migration and indirectionMigration and indirection Caller gets to specify certain propertiesCaller gets to specify certain properties

What agents may unseal the secretWhat agents may unseal the secret What hardware may unseal the secretWhat hardware may unseal the secret What nexus may unseal the secretWhat nexus may unseal the secret What users may unseal the secretWhat users may unseal the secret

Agents shouldn’t seal against the SSCAgents shouldn’t seal against the SSC They should seal against the nexus They should seal against the nexus

which seals against the SSCwhich seals against the SSC

Backup, restore, migration are all possible Backup, restore, migration are all possible using intermediate keys using intermediate keys and certificatesand certificates

Page 62: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Hardware Fundamentals Hardware Fundamentals For NGSCBFor NGSCBPart 2: Peripheral HardwarePart 2: Peripheral Hardware

Page 63: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

GSCB: Desktop Secure InputGSCB: Desktop Secure Input

Threat ModelThreat Model NO Software Only Attacks Against Secured NO Software Only Attacks Against Secured

KeystrokesKeystrokes NO Break-Once/Break-Everywhere (BOBE) attacksNO Break-Once/Break-Everywhere (BOBE) attacks

Out of scopeOut of scope People swapping the keyboard hardwarePeople swapping the keyboard hardware Patching into the keyboard cablePatching into the keyboard cable Sticking some device between the keyboard and Sticking some device between the keyboard and

the boxthe box All require a physical attackAll require a physical attack

Cannot send a physical attack via e-mailCannot send a physical attack via e-mail

Page 64: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

HazardHazard

Nexus-Mode (RHS)Nexus-Mode (RHS)

Secure Input

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

USBUSBHostHost

ControllerController

Page 65: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Secure Input

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

E = EncryptedE = Encrypted

HazardHazard

USBUSBHostHost

ControllerController

EE

EE

Page 66: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Secure Input

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

E = EncryptedE = Encrypted

HazardHazard

USBUSBHostHost

ControllerController

EE

EE

Page 67: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Secure Input

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

E = EncryptedE = Encrypted

EE

USBUSBHostHost

ControllerController

HazardHazardEE

Page 68: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Secure Input

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

E = EncryptedE = Encrypted

EE

USBUSBHostHost

ControllerController

HazardHazardEE

Page 69: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Secure Input

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

E = EncryptedE = Encrypted

EE

USBUSBHostHost

ControllerController

DecryptedDecryptedTextText

HazardHazard EE

Page 70: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Mobile PC Secure Input

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

E = EncryptedE = EncryptedKey BoardKey BoardControllerController

(KBC)(KBC)

ChipsetChipsetSouth BridgeSouth Bridge

(LPC bus(LPC busController)Controller)

EE

HazardHazard

EE

Page 71: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Secure Input Secure Input

Encryption for Human Interface Device Encryption for Human Interface Device (HID) will be done on the outboard side (HID) will be done on the outboard side of a USB hostof a USB host1.1. Built into USB root hubBuilt into USB root hub

2.2. Built into any USB hubBuilt into any USB hub

3.3. Inside the device of interestInside the device of interest

4.4. In-line device (dongle) between the In-line device (dongle) between the machine and the input devicemachine and the input device

Best solution is Best solution is #1#1

Page 72: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Secure Input Work In ProgressSecure Input Work In Progress

For desktopsFor desktops Evaluating several different ways of establishing Evaluating several different ways of establishing

shared secretshared secret Security versus OEM and IT deployment tradeoffsSecurity versus OEM and IT deployment tradeoffs

For laptopsFor laptops Evaluating different ways to partition Secure Input Evaluating different ways to partition Secure Input

Path firmware/microcode in Embedded ControllerPath firmware/microcode in Embedded Controller Legacy versus security certification issuesLegacy versus security certification issues

Alternatives being evaluatedAlternatives being evaluated More information in calls-to-actionMore information in calls-to-action

Page 73: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Secure VideoSecure Video

Threat Model for videoThreat Model for video NO Software-Only attacks against Secure Windows NO Software-Only attacks against Secure Windows

and the information displayed in themand the information displayed in them NO Break-Once/Break-Everywhere (BOBE) attacks NO Break-Once/Break-Everywhere (BOBE) attacks

This is not the ONLY hazard relevant to all This is not the ONLY hazard relevant to all stake holdersstake holders

It is what we can secureIt is what we can secure

Security for external video interfaces is a matter Security for external video interfaces is a matter for hardware standardsfor hardware standards NGSCB could support link protections but won’t require itNGSCB could support link protections but won’t require it

Page 74: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Secure Video

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

USBUSBHostHost

ControllerController

GraphicsGraphicsAdaptorAdaptor

(nexus-mode)(nexus-mode)

GraphicsGraphicsAdaptorAdaptor

(std-mode)(std-mode)

HazardHazard

Page 75: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Secure VideoSecure Video

Secure Video assuresSecure Video assures Secure windows cannot be obscuredSecure windows cannot be obscured Secure windows cannot be captured by Secure windows cannot be captured by

unauthorized softwareunauthorized software Secure windows cannot be altered by Secure windows cannot be altered by

unauthorized softwareunauthorized software

Graphics adaptor may communicate Graphics adaptor may communicate with display in various formatswith display in various formats

We are working on accessibilityWe are working on accessibility

Page 76: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Secure VideoSecure Video

The ChallengeThe Challenge How does the video data get from How does the video data get from

nexus-mode to the graphics processor?nexus-mode to the graphics processor? Two general waysTwo general ways

Closed path – video MUST be integrated deviceClosed path – video MUST be integrated device Depends on special hardware path from nexus to Depends on special hardware path from nexus to

video devicevideo device Works when the video device is in close cooperation Works when the video device is in close cooperation

with the memory controllerwith the memory controller

Encrypted path – data is encrypted in Encrypted path – data is encrypted in nexus-mode and decrypted by the nexus-mode and decrypted by the graphics adaptorgraphics adaptor Can reuse LHS driver stackCan reuse LHS driver stack

Page 77: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Closed Path T-Vid

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

USBUSBHostHost

ControllerController

Trusted Trusted Video Video

AbstractorAbstractor

GraphicsGraphicsAdaptorAdaptor

(nexus-mode)(nexus-mode)

GraphicsGraphicsAdaptorAdaptor

(std-mode)(std-mode)

HazardHazard

Page 78: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus-Mode (RHS)Nexus-Mode (RHS)

Crypto Path T-Vid

Standard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

E = EncryptedE = EncryptedUSBUSBHostHost

ControllerController

Trusted Trusted Video Video

AbstractorAbstractor

EEGraphicsGraphicsAdaptorAdaptor

(nexus-mode)(nexus-mode)

GraphicsGraphicsAdaptorAdaptor

(std-mode)(std-mode)

EEHazardHazard

KernelKernel

Page 79: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: EcosystemNGSCB: Ecosystem

Works today on x86 flat 32-bit Works today on x86 flat 32-bit architectures from multiple sourcesarchitectures from multiple sources

Could work on any CPU with Could work on any CPU with User/kernel modesUser/kernel modes Page granular virtual memory mappingPage granular virtual memory mapping

With effort, could be adapted to other With effort, could be adapted to other CPU modelsCPU models

Page 80: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: EcosystemNGSCB: Ecosystem

Building an NGSCB capable machine Building an NGSCB capable machine requires:requires:

NGSCB NGSCB CPUCPU

NGSCB NGSCB ChipsetChipset SSCSSC Secure Secure

InputInputSecure Secure VideoVideo

All working in conjunctionInclude tamper resistant/detecting hardware to pursue specific opportunities

Page 81: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

NGSCB: NGSCB: Changing The NexusChanging The Nexus

The digest of the nexus is the basis for trust in The digest of the nexus is the basis for trust in the systemthe system So a change to the nexus is non-trivialSo a change to the nexus is non-trivial

Hardware changes which require nexus changes will face delayHardware changes which require nexus changes will face delays in market supports in market support We are working closely with core-logic vendors to minimize riskWe are working closely with core-logic vendors to minimize risk

For RHS input and output it’s important to get For RHS input and output it’s important to get things “right”things “right”

This means that there will be a small number of practical *INTERThis means that there will be a small number of practical *INTERFACES* for trusted-input and trusted-outputFACES* for trusted-input and trusted-output This is about INTERFACES, not gates, technologies, fabs, speeds, or This is about INTERFACES, not gates, technologies, fabs, speeds, or

costs; INTERFACEScosts; INTERFACES Microsoft is working to define these INTERFACES with leading Microsoft is working to define these INTERFACES with leading

providers of video and USB hardwareproviders of video and USB hardware

LHS interfaces and software can change in the normaLHS interfaces and software can change in the normal waysl ways

Page 82: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus FundamentalsNexus Fundamentals

Page 83: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Device DriversDevice Drivers

NGSCB doesn’t change the device NGSCB doesn’t change the device driver modeldriver model

NGSCB needs very minimal access to NGSCB needs very minimal access to real hardwarereal hardware

Secure reuse of Left Hand Side (LHS) driver Secure reuse of Left Hand Side (LHS) driver stacks wherever possiblestacks wherever possible Right Hand Side (RHS) encrypted channel through Right Hand Side (RHS) encrypted channel through

LHS unprotected conduitLHS unprotected conduit Every line of privileged code is a potential Every line of privileged code is a potential

security risksecurity risk No third-party codeNo third-party code No kernel-mode plug-insNo kernel-mode plug-ins

Page 84: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Partitioned SystemPartitioned System

RHS = SecurityRHS = Security In the presence of adversarial LHS code In the presence of adversarial LHS code

the system must not leak secretsthe system must not leak secrets→ → The RHS must NOT rely on the LHS The RHS must NOT rely on the LHS

for securityfor security

LHS = Richness and Compatibility LHS = Richness and Compatibility In the absence of LHS cooperation In the absence of LHS cooperation

NGSCB doesn’t runNGSCB doesn’t run→ → The RHS MUST rely on the LHS for stability The RHS MUST rely on the LHS for stability

and servicesand services

Page 85: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

What Runs On The LHSWhat Runs On The LHS

Applications and Drivers still runApplications and Drivers still run Viruses tooViruses too Windows as you know it todayWindows as you know it today Any software with minor exceptionsAny software with minor exceptions

The new hardware (HW) memory The new hardware (HW) memory controller won’t allow certain “bad” controller won’t allow certain “bad” behaviors, e.g., code whichbehaviors, e.g., code which Copies all of memory from one location to Copies all of memory from one location to

the nextthe next Puts the CPU into real modePuts the CPU into real mode

Page 86: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

What NGSCB Needs From What NGSCB Needs From The LHSThe LHS Device Driver work for Trusted Input / VideoDevice Driver work for Trusted Input / Video Memory Management additions to allow nexuMemory Management additions to allow nexu

s to participate in memory pressure and pagis to participate in memory pressure and paging decisionsng decisions

User mode debugger additions to allow debuUser mode debugger additions to allow debugging of agents (explained later)gging of agents (explained later)

Window Manager coordinationWindow Manager coordination Nexus Manager Device driver (nexusmgr.sys)Nexus Manager Device driver (nexusmgr.sys) NGSCB management software and servicesNGSCB management software and services

Page 87: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Close-Up Of The Lower RHSClose-Up Of The Lower RHS

Syscall Dispatcher

Porch

Nexus.exe

Kerneldebug

Nexus Core

HandleMgr

SSCAbstractor

ATCModule

(Nexus Callable Interfaces)

Nexus Abstraction Layer (NAL)

Nx* Functions

IntHandler

Sync

Objects

Mem

oryM

anager

Process Loader

Process

Manager

Thread M

anager

IO M

anager

NG

SC

B C

allsT

raps

Crypto

Runtim

eLibrary

Native S

RM

Page 88: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

I Think, Therefore I AmI Think, Therefore I AmDescartes ProblemDescartes Problem

Challenge for attestation must always come fChallenge for attestation must always come from outside the machinerom outside the machine Local (the user with a superkey) Local (the user with a superkey) Remote (some server)Remote (some server)

No nexus can directly determine if it is runninNo nexus can directly determine if it is running in the secured environmentg in the secured environment

No Agent can directly determine if it is runninNo Agent can directly determine if it is running in the secured environmentg in the secured environment

Must use Remote Attestation or Sealed StoraMust use Remote Attestation or Sealed Storage to cache credentials or secrets to prove thge to cache credentials or secrets to prove the system is sounde system is sound

Page 89: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus Derivative WorksNexus Derivative Works

The user can run any nexus, or write his The user can run any nexus, or write his own and run it, on the hardwareown and run it, on the hardware

That nexus can only report the attestation That nexus can only report the attestation provided by the Security Support provided by the Security Support Component (SSC)Component (SSC) The SSC won’t lieThe SSC won’t lie The nexus cannot pretend to be another nexusThe nexus cannot pretend to be another nexus

Other systems will need to decide if they Other systems will need to decide if they trust the new derived nexustrust the new derived nexus

Just need to prove to others your derivative Just need to prove to others your derivative is legitimateis legitimate

Page 90: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Agent Derivative WorksAgent Derivative Works

The user can run any agent, or write The user can run any agent, or write his own and run it, on the nexushis own and run it, on the nexus

That agent can report the attestation That agent can report the attestation provided by the nexusprovided by the nexus The nexus won’t lieThe nexus won’t lie The agent cannot pretend to be The agent cannot pretend to be

another agentanother agent Other systems will need to decide if Other systems will need to decide if

they trust the new derived agentthey trust the new derived agent Just need to prove to others your Just need to prove to others your

derivative is legitimatederivative is legitimate

Page 91: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Policy Controlled By The Policy Controlled By The Owner Of The MachineOwner Of The Machine NGSCB enforces policy but does not set the policyNGSCB enforces policy but does not set the policy The hardware will load any nexusThe hardware will load any nexus

But only one at a timeBut only one at a time Each nexus gets the same servicesEach nexus gets the same services The hardware keeps nexus secrets separateThe hardware keeps nexus secrets separate Nothing about this architecture prevents any nexus from Nothing about this architecture prevents any nexus from

running; however, the owner can control which nexuses are running; however, the owner can control which nexuses are allowed to runallowed to run

Proposed software (nexus) policiesProposed software (nexus) policies The Microsoft nexus will run any agentThe Microsoft nexus will run any agent

The platform owner can set policy that limits thisThe platform owner can set policy that limits this User gets to pick some other delegated evaluator User gets to pick some other delegated evaluator

(e.g., my union) if they choose(e.g., my union) if they choose

Page 92: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Policy NotesPolicy Notes

Policy is a way for users and machine Policy is a way for users and machine owners to make general, abstract owners to make general, abstract statements, about what software runsstatements, about what software runs

““Run any agent I click”Run any agent I click” ““Run only agents whose source I’ve read”Run only agents whose source I’ve read” ““Run agents that a third party I trust, trusts” Run agents that a third party I trust, trusts”

The point of policy is to enable the The point of policy is to enable the users to control what runs on their users to control what runs on their machinesmachines

Page 93: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Next Generation Secure Next Generation Secure Computing Base DefinedComputing Base Defined Microsoft’s Next-Generation Secure Microsoft’s Next-Generation Secure

Computing Base (NGSCB) is a new Computing Base (NGSCB) is a new security technology for the Microsoft security technology for the Microsoft Windows platform Windows platform Uses a unique hardware and Uses a unique hardware and

software design software design Gives people new kinds of security and Gives people new kinds of security and

privacy protections in an privacy protections in an interconnected worldinterconnected world

Page 94: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Main OSMain OS

USBUSBDriverDriver

Nexus-Mode (RHS)Nexus-Mode (RHS)

NexusNexus

NexusMgr.sysNexusMgr.sys

HALHAL

NALNAL

SSCSSC

User Apps.User Apps.

AgentAgent

NCA Runtime LibraryNCA Runtime Library

Trusted UserTrusted UserEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

AgentAgentAgentAgent

NGSCB Quadrants

Standard-Mode (“std-mode” / LHS)Standard-Mode (“std-mode” / LHS)

UserUser

KernelKernel

HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video

Page 95: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

““Booting” The NexusBooting” The Nexus

Nexus is like an OS kernel, so it must Nexus is like an OS kernel, so it must boot sometimeboot sometime

Can boot long after main OSCan boot long after main OS Can shut down long before main OS Can shut down long before main OS

(and restart later)(and restart later)

Page 96: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus Manager Abstraction Layer (NMAL)Nexus Manager Abstraction Layer (NMAL)

Nexus Manager Core Nexus Manager Core Nexus

DispatchServices

Shadow Service

AdminService

Nexus MgrIPC

Object SecurityManager

Shared ResourceManager

HW Allocator(memory

wholesaler)

Nexus Loader

Nexus-Mode (RHS)Nexus-Mode (RHS)Standard-Mode (LHS)Standard-Mode (LHS)

UserUser

KernelKernel

HardwareHardware

NGSCB Nexus Manager

SecureSecureInput Input

Filter DriverFilter Driver

SecureSecureVideo Video

Filter DriverFilter Driver

Secure videoSecure videoSecure InputSecure Input

Page 97: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

““Booting” The NexusBooting” The Nexus

NexusMgr is a kernel mode LHS compoNexusMgr is a kernel mode LHS componentnent Read and map the nexus codeRead and map the nexus code Allocate some pages from the main OSAllocate some pages from the main OS Pass that list of pages to the nexus via soPass that list of pages to the nexus via so

me platform-specific code/hardwareme platform-specific code/hardware Digest the nexus (with hardware help)Digest the nexus (with hardware help)

Now the nexus starts, initializes AddreNow the nexus starts, initializes Address Translation Control (ATC), and returss Translation Control (ATC), and returns control to the LHSns control to the LHS

Page 98: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Address TranslationAddress Translation

Protected PageProtected Page

Normal PageNormal Page

AddressAddressTranslationTranslation

Normal PageNormal PageVirtualVirtual

addressesaddresses

Page 99: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Address Translation ControlAddress Translation Control

This is curtained memory (or strong This is curtained memory (or strong process isolation)process isolation)

Can’t tamper with a page unless you have a Can’t tamper with a page unless you have a mapping to itmapping to it

On current PCsOn current PCs Any kernel mode code can modify Virtual Address (VA) → Any kernel mode code can modify Virtual Address (VA) →

Physical Address (PA) mapping structuresPhysical Address (PA) mapping structures There’s untrusted code in kernel modeThere’s untrusted code in kernel mode

NGSCB hardware calls nexus beforeNGSCB hardware calls nexus before Page map changes (process swap)Page map changes (process swap) Edits to mapping structuresEdits to mapping structures Turning off pagingTurning off paging

Page 100: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Address Translation ControlAddress Translation Control

When the page map changes, When the page map changes, the nexusthe nexus Walks the tree of pages it mapsWalks the tree of pages it maps Makes sure no protected pages are Makes sure no protected pages are

mappedmapped No read/write mappings to the page mapNo read/write mappings to the page map Now the map will remain safe, so Now the map will remain safe, so

hardware and software can manage a list hardware and software can manage a list of known safe page mapsof known safe page maps

Page 101: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Address Translation ControlAddress Translation Control

When a mapping structure changes, When a mapping structure changes, the nexusthe nexus Walks the tree of pages getting mappedWalks the tree of pages getting mapped Makes sure no protected pages are Makes sure no protected pages are

getting mappedgetting mapped Ensures no read/write mappings to the Ensures no read/write mappings to the

page mappage map

ATC will almost always allow the ATC will almost always allow the mapping to changemapping to change Legacy code will still work unless it Legacy code will still work unless it

attempts to access nexus space pagesattempts to access nexus space pages

Page 102: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Address Translation ControlAddress Translation Control

ATC protectsATC protects Agent and nexus dataAgent and nexus data Agent and nexus codeAgent and nexus code All page mapping structures (LHS/RHS)All page mapping structures (LHS/RHS)

Also protected from DMA (thanks to Also protected from DMA (thanks to special hardware)special hardware)

Correct ATC implementation vital to Correct ATC implementation vital to NGSCB securityNGSCB security

Page 103: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Memory Management (MM)Memory Management (MM)

Simplicity, robustness preferred over Simplicity, robustness preferred over maximizing performancemaximizing performance

Allocate/free whole pagesAllocate/free whole pages No shared memory between agentsNo shared memory between agents No paging-to-disk in this versionNo paging-to-disk in this version

If nexus were to page to disk, it would If nexus were to page to disk, it would encrypt and sign the pages, then ask the encrypt and sign the pages, then ask the main OS to flush themmain OS to flush them

Page 104: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Memory Management (MM)Memory Management (MM)

Nexus keeps some free pages that ATC Nexus keeps some free pages that ATC is protectingis protecting

Nexus can request extra pages from keNexus can request extra pages from kernel via NexusMgr (seize)rnel via NexusMgr (seize)

Nexus MM asks ATC if new pages are sNexus MM asks ATC if new pages are safe to use - “any left side mappings?”afe to use - “any left side mappings?”

Nexus can give surplus pages back to Nexus can give surplus pages back to kernel if the kernel needs themkernel if the kernel needs them

Page 105: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus Abstraction Layer (NAL)Nexus Abstraction Layer (NAL)

Multiple CPU vendorsMultiple CPU vendors Different Security Support Different Security Support

Components (SSC)Components (SSC) Much nexus code is architecture Much nexus code is architecture

independentindependent

Page 106: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

InterruptsInterrupts

Interrupts enabled on the RHSInterrupts enabled on the RHS Most drivers are still on the LHSMost drivers are still on the LHS

So…what if an interrupt for the NIC, SCSI So…what if an interrupt for the NIC, SCSI card, etc. happens on the right?card, etc. happens on the right?

Nexus asks Porch to transition to Nexus asks Porch to transition to the LHSthe LHS

NexusMgr “replays” the interruptNexusMgr “replays” the interrupt

Page 107: Next Generation Secure Computing Base 黃志源@SiS. Contents Next Generation Secure Computing Base Overview Next Generation Secure Computing Base Overview

Nexus Also ProtectsNexus Also Protects

Model specific registers (MSRs)Model specific registers (MSRs) Some MSRs are used to implement NGSCB, Some MSRs are used to implement NGSCB,

but most will be accessible by left side codebut most will be accessible by left side code

I/O portsI/O ports Combined with ATC, this means PCI config Combined with ATC, this means PCI config

space is protectedspace is protected Things like the DMA exclusion list are in chiThings like the DMA exclusion list are in chi

pset registers, so we must protect thempset registers, so we must protect them

The NAL helps decide what to protectThe NAL helps decide what to protect