View
216
Download
0
Category
Preview:
Citation preview
7/29/2019 next generation super computer base
1/107
Next GenerationSecure ComputingBase
@SiS
7/29/2019 next generation super computer base
2/107
Contents
Next Generation Secure ComputingBase Overview
Hardware Fundamentals For NGSCB
Part 1: Core Hardware Hardware Fundamentals For NGSCB
Part 2: Peripheral Hardware
Nexus Fundamentals
7/29/2019 next generation super computer base
3/107
Next Generation SecureComputing Base Overview
7/29/2019 next generation super computer base
4/107
Trustworthy Computing
Security
Privacy
Reliability
Business Integrity
Resilient to attack
Protects confidentiality, integrity,availability, and data
Dependable
Available when needed
Performs at expected levels
Individuals control personal data
Products and Online Services adhere to fairinformation principles
Help customers find appropriate solutions
Address issues with products and services
Open interaction with customers
7/29/2019 next generation super computer base
5/107
NGSCB Vision And Goals
Vision NGSCB advances the PC ecosystem to meet
customers requirements forsecurity, privacy,and data protection
Product Goal NGSCB will broaden the utility of the PC by
delivering security on par with closedarchitecture systems while maintaining theflexibility of the Windows platform
Business Goal NGSCB will help to revitalize the PC ecosystem
by enabling a new generation of hardware andsoftware products
7/29/2019 next generation super computer base
6/107
Customer Security Issues
Vulnerability introduced by enablingremote access
Illegal access and usage of sensitiveinformation
Difficulty in knowing who a company isdoing business with
Difficulty in doing patch management
Others Collaborating in a secure environment
Protecting secrets, e.g., key pairs, certificates
Virus and malicious code attacks
7/29/2019 next generation super computer base
7/107
Why NGSCB?
Vulnerabilities today Attacks on Core assets
Attacks on Networks
Attacks via Remote users/machines
NGSCB can address software attackson applications, secrets
Damage from attacks can becompartmentalized and limited
7/29/2019 next generation super computer base
8/107
How It Works: The PC
7/29/2019 next generation super computer base
9/107
How It Works: Before NGSCB
7/29/2019 next generation super computer base
10/107
How It Works: Before NGSCB
7/29/2019 next generation super computer base
11/107
How it Works: Before NGSCB
7/29/2019 next generation super computer base
12/107
NGSCB
How It Works: With NGSCB
7/29/2019 next generation super computer base
13/107
How It Works: With NGSCB
7/29/2019 next generation super computer base
14/107
NGSCB
How It Works: With NGSCB
7/29/2019 next generation super computer base
15/107
Main OS
USBDriver
NexusMgr.sys
HAL
User Apps.
Nexus-Mode (RHS)
Nexus
NAL
Agent
NCA Runtime Library
Trusted UserEngine (TUE)
TSP TSP TSP
AgentAgent
NGSCB Quadrants
Standard-Mode (std-mode/LHS)
User
Kernel
SSCHardware Secure Input ChipsetCPUSecure Video
7/29/2019 next generation super computer base
16/107
Four NGSCB Features Groups
The first three areneeded to protect
against malicious
code
Attestation breaksnew ground in
distributed
computingThe identity
of hardware,nexus, and
applications can
be proven
1
2
3
4
7/29/2019 next generation super computer base
17/107
Addressing Customer NeedsWith NGSCB
Remote access Granularity of access at machine, nexus, and application level
Application to application connection rather than VPN connection
Patch management
IT can specify that only a known configuration of nexus and application canexecute or access corporate resources
Preventing illegal access of information Reinforce rights management by rooting key pair in hardware
Encryption of data based on secrets that never leave hardware
Agents development
Agents identity is rooted in secrets on the hardware Applications run in isolated process space and are impermeable to
software attack
Collaboration enablement End users can collaborate and communicate securely
End users can establish content authenticity by digital signature
7/29/2019 next generation super computer base
18/107
Four NGSCB Features Groups
7/29/2019 next generation super computer base
19/107
What Does This All Mean?
All NGSCB capabilities build off of four key features Strong process isolation
Root key for persistent secret protection
Secure path to and from the user
Attestation (hardware (HW)/software (SW) authentication) The first three are needed to protect against
malicious code
Attestation breaks new ground indistributed computing
Things (software, machines, services) can besecurely identified
7/29/2019 next generation super computer base
20/107
NGSCB Quadrants
Main OS
USB Driver
Nexus-Mode (RHS)
Nexus
NexusMgr.sys
HAL
NAL
SSC
User Apps.
Agent
NCA Runtime Library
Trusted UserEngine (TUE)
TSP TSP TSP
AgentAgent
Standard-Mode (LHS)
User
Kernel
Hardware Secure Input ChipsetCPUSecure Video
7/29/2019 next generation super computer base
21/107
Nexus-Mode (RHS)
NCA Runtime Library
Trusted UserEngine (TUE)
TSP TSP TSP
Four Key Features(1) Process Isolation
Standard-Mode (LHS)
User
Kernel
Hardware
Agent Agent Agent
7/29/2019 next generation super computer base
22/107
Strong ProcessIsolation
Nexus Computing Agents, or NCAs,run in curtained memory
Not accessible by the standardWindows kernel
Not accessible by hardware DMA
Not accessible by other NCAs
Enforced by hardware and software
Changes to CPU, chipset
Nexus arbitrates page tables
7/29/2019 next generation super computer base
23/107
Nexus Manager Abstraction Layer (NMAL)
Nexus Manager CoreNexus
DispatchServices
ShadowService AdminService NexusMgrIPC
Object SecurityManager
Shared ResourceManager
HW Allocator(memory
wholesaler)
Nexus Loader
Nexus-Mode (RHS)Standard-Mode (LHS)
User
Kernel
Hardware
Four Key Features(2) Secure Path To and From User
SecureInput
Filter Driver
SecureVideo
Filter Driver
Secure videoSecure Input
7/29/2019 next generation super computer base
24/107
Secure Path To User
Secure input Encrypted session between USB device
and nexus
Changes to standard USB driver stack
Required for keyboard and mouse
Alternate solution being developed fornon-USB (laptops)
Secure output
Secure channel between graphics adaptorand nexus
Changes to graphics adaptor
Changes to video driver
7/29/2019 next generation super computer base
25/107
Nexus-Mode (RHS)
Four Key Features(3) Sealed Storage
Standard-Mode (LHS)
User
Kernel
Hardware
Nexus
NAL
Agent
NCA Runtime Library
Trusted UserEngine (TUE)
TSP TSP TSP
AgentAgent
SSC
7/29/2019 next generation super computer base
26/107
Hardware ProtectionOf Secrets
Security Support Component (SSC)chip on motherboard
SSC holds a secure keyset Each nexus generates a random keyset
on first load
SSC provides hardware protection of the
nexus keyset
NCAs use nexus facilities to generateand protect keys
7/29/2019 next generation super computer base
27/107
Nexus-Mode (RHS)
Four Key Features(4) Attestation
Standard-Mode (LHS)
User
Kernel
Hardware
Nexus
NAL
Agent
NCA Runtime Library
Trusted UserEngine (TUE)
TSP TSP TSP
AgentAgent
SSC
7/29/2019 next generation super computer base
28/107
AttestationSoftware/Hardware Authentication
When requested, the nexus can prepare achain that authenticates
NCA by digest, signed by the nexus
Nexus by digest, signed by the SSC
SSC by public key, signed by OEM
Other forms of attestation are possible that
provide less information Using trusted third party
User sets policy to control which NCAs canuse which forms of attestation
7/29/2019 next generation super computer base
29/107
Hardware
ChipsetCPUSecureInput
SecureVideo
SSC
Nexus-Mode (RHS)Standard-Mode (LHS)
User
Kernel
Hardware Summary
7/29/2019 next generation super computer base
30/107
Hardware Summary
Modified components CPU
Chipset
Secure video Secure input (keyboard and mouse)
Two versions: USB and laptop
New components SSC
7/29/2019 next generation super computer base
31/107
A Qualitative Step Forward
NGSCB extends the Windows platform We provide the core, others will build the
solutions
We really want to enable others to build new and
exciting applications NGSCB is appropriate anywhere you could
possibly imagine needing privacy, security ordata protection
We will ship some solutions in the box Enough to provide immediate value
7/29/2019 next generation super computer base
32/107
Scenario Categories
Secure remote access Corporate remote access
Secure client access to middle tier servers
Secure collaboration Chat and instant messaging
Rights management Digital signature
7/29/2019 next generation super computer base
33/107
Secure Remote Access
Examples To a client/server app, using a custom NCA client
To your enterprise desktop, using a secure remotedesktop client
How it works Uses attestation for end-to-end authentication
Uses strong process isolation and secure path to theuser to be safe against attacks on the remote client
Uses an application private network (APN) forsecure communications Application-to-application encrypted session
More secure than a VPN because the protection extendsinto the application layer itself
7/29/2019 next generation super computer base
34/107
Application Private NetworkApplication(Client NCA)
Presentation
Session
Transport
NetworkDatalink
Physical
Application(Server)
Presentation
Session
Transport
NetworkDatalink
Physical
Standard IP: vulnerable at every layer
NGSCB APN: extends protection to alllayers, so that only the client and serverapplications can use the connection
VPN: network layer and below are protected,including data on the wire but all software onthe client has access to the server connection
7/29/2019 next generation super computer base
35/107
Secure Collaboration
Examples Secure e-mail
Secure text document creation and sharing
Secure instant messaging
Secure digital signaturewhat you see is what you sign
How it works
Uses rights management based on hardware protection ofsecrets to protect and control access to data
Uses strong process isolation and secure path to the user to
be safe against spoofing and snooping attacks Uses an APN for end-to-end messaging security
7/29/2019 next generation super computer base
36/107
Secure Digital Signature
Micros oft Word
Thi s is text tha t sho ul d b e verifi ed as correct an d th en sig ne d.
Fi le Ed it Vi ew In se rt He lp
Sign Digi tall y...
When the user
clicks sign, theXML d ata is sign eand the signe d
data is returned to
the application
Secure Digital Signa ture
Thi s is text tha t sho ul d b e verifi ed as correct an d th en sig ned .
Sign
Cancel
USPS Signa tureSignature:
When the user wa nts to sign , the
text is ren de red by the ap plication
into a standard XML-based formatand passed to the digital signatur
agent
NOTE: for
explanatorypurposesonly; this isnot actual UI
7/29/2019 next generation super computer base
37/107
Hardware FundamentalsFor NGSCB
Part 1: Core Hardware
7/29/2019 next generation super computer base
38/107
Agenda
Threat Models What is NGSCB and Why?
What does NGSCB do?
NGSCB Features and Details
Strong Process Isolation
Attestation
Sealed Storage
Call to Action
7/29/2019 next generation super computer base
39/107
Next Generation SecureComputing Base (NGSCB)Defined
New security technology for the MicrosoftWindows platform
Unique hardware and software architecture
Protected computing environment inside theWindows PC
A virtual vault that will sit side by side with theregular Windows environment
New kinds of security and privacyprotections for computers
7/29/2019 next generation super computer base
40/107
NGSCB Quadrants
Main OS
USB Driver
Nexus-Mode (RHS)
Nexus
NexusMgr.sys
HAL
NAL
SSC
User Apps.
Agent
NCA Runtime Library
Trusted UserEngine (TUE)
TSP TSP TSP
AgentAgent
Standard-Mode (LHS)
User
Kernel
Hardware Secure Input ChipsetCPUSecure Video
7/29/2019 next generation super computer base
41/107
NGSCB: Threat Models
Our Threat Model NO Software-Only Attacks Against Nexus-Space
Operations
NO Break-Once/Break-Everywhere (BOBE) attacks
No Software-Only Attacks means No attacks based on micro-code, macro-code,
adapter card scripts, etc.
Any attacks launched from the Web or e-mail are
software only
Protection only applies to the releaseof secrets
Viruses could still delete encrypted files
7/29/2019 next generation super computer base
42/107
NGSCB: Threat Models
No BOBE attacks means Attacks dont scale
Each Security Support Component (SSC) hasunique keys
Data MUST use unique or partially unique,rather than global keys
One person breaking one machine yieldsthe secrets sent to that machine only
Does NOT allow that person to tell everybodyelse in the world how to break content
Does allow the release of content bound tothat machine
?
7/29/2019 next generation super computer base
43/107
What And Why?
Modifications to allow PCs to be used innew ways Hardware changes
Software changes
Allows users to interact with entities eitherinside or outside the machine: Show them what code is running
Make believable promises about code
Prove that those promises are durable Changes what can be believed about
computation Not what can be done with it
Wh A d Wh ?
7/29/2019 next generation super computer base
44/107
What And Why?
This is the Next Big Thing Windowing in the 80s
Networking in the 90s
Security in the 00s
Security and trust will advance thePC ecosystem
Customers are demanding higher securityand privacy
From end-users to enterprises
Governments are mandating as well
Opens new markets that rely on trustworthiness ofinformation technology
Wh D NGSCB D ?
7/29/2019 next generation super computer base
45/107
What Does NGSCB Do?
Creates a safe region called nexus-spaceinside of a regular PC
Think of an access-controlled, high-security vaultin an open market
All the rest of the PC is still present Apply full power and speed of the PC to
security functions
Co-processors dont scale with the CPU
Adding main memory wont speed them up
Majority of the hardware is unchanged
E.g., PCI, Serial, Parallel, Memory
Wh D NGSCB D ?
7/29/2019 next generation super computer base
46/107
What Does NGSCB Do?
NGSCB Code on NGSCB Hardware Designed to stop all software only threats
in nexus-space
Run all the old code Very obscure exceptions
Qualitatively different
Profound change in what can be believed,and hence, trusted
Wh t D NGSCB D ?
7/29/2019 next generation super computer base
47/107
What Does NGSCB Do?
Enhances Security Vault to store important material
Both locally and remotely attestable
Realistic control over which code can touch which data
Control given to software, by users
EnhancesRobustness
Better user control of what can run in NGSCB; what it can do
Enhances Privacy
Users can know which code is doing what with private
information Users can delegate privacy decisions in a usable way
H D NGSCB W k
7/29/2019 next generation super computer base
48/107
How Does NGSCB Work
New kind of process, called a NexusComputing Agent, or NCA, or Agent
Very much like a traditional process, butruns in a much more spartan environment
The Key Assertions may be appliedto agents
K A ti
7/29/2019 next generation super computer base
49/107
Key Assertions
The agent is what it is attested to be The agent is running in the attested environment
and THEREFORE
The agent will be initiated correctly
Agent behavior cannot be permuted by attacking initialization
The agent is isolated
From other agents
From the Left Hand Side (LHS)
Not even debuggers or device drivers can alter the agentat runtime
The agent has someplace to keep a secret
On clients, agents will have a secure path to the user
NGSCB C t t
7/29/2019 next generation super computer base
50/107
Main OS
Drivers
HAL
User Programs
NGSCB: Context
Standard-Mode (LHS)
UserMode
KernelMode
DLL DLL
What exists in todayssystems
Main OS is rich,compatible with vastarray of stuff,
supports vast array ofhardware it is large
User can installdrivers which getprivileged access to
memory remoteparties can never besure the program hasnot been negativelyimpacted by the driver
NGSCB Q d t
7/29/2019 next generation super computer base
51/107
NGSCB Quadrants
Main OS
Driver
Nexus-Mode (RHS)
Nexus
NexusMgr.sys
HAL
NAL
SSC
User Apps.
Agent AgentAgent
Standard-Mode (LHS)
User
Kernel
Hardware Secure Input ChipsetCPUSecure Video
NxSvc.exe
NGSCB Q d t
7/29/2019 next generation super computer base
52/107
Main OS
Driver
Nexus-Mode (RHS)
Nexus
NexusMgr.sys
HAL
NAL
SSC
User Apps.
Agent AgentAgent
Standard-Mode (LHS)
User
Kernel
Hardware Secure Input ChipsetCPUSecure Video
NxSvc.exe
NGSCB Quadrants
NGSCB
7/29/2019 next generation super computer base
53/107
NGSCB:Strong Process Isolation
Machine is locked into flat paged mode
Address-Translation-Control prohibits std-mode code from mapping a nexus-mode page
No CPU access to memory w/out mapping
Requires CR3 loads trap to nexus
Requires alteration of maps
Requires PTE-writes to trap to the nexus or befiltered by hardware
Chipset/Memory controller maintains a per-pagelist of pages to which DMA is prohibited, period
NGSCB Att t ti
7/29/2019 next generation super computer base
54/107
NGSCB: Attestation
Attestation is a crypto-signed digestof some code
Proof that some bit vector is known
by this digest SSC and CPU compute digest of nexus
at nexus boot
Nexus computes the digest of agents Digests are gathered together to make
attestation vector that is passed backto a challenger
NGSCB Att t ti
7/29/2019 next generation super computer base
55/107
NGSCB: Attestation
Root of attestation stack is the securitysupport component (SSC)
Proof valid because the SSC provides aproof of a secret that only the SSC knows
This secret never leaves the SSC
Secret not revealed
Secret not a privacy hazard
NGSCB Attestation
7/29/2019 next generation super computer base
56/107
NGSCB: AttestationExample
Digest1 is for the SSC
Establishes confidence in validity of NGSCBhardware
Digest2 is for the nexus Establishes confidence in validity of nexus
Has meaning only if Digest1 is valid
Digest3 is for the agent Establishes confidence in validity of agent
Has meaning only if Digest1 and Digest2 are valid
NGSCB Attestation Caveat
7/29/2019 next generation super computer base
57/107
NGSCB: Attestation Caveat
Attestation is NOT a judgment of codequality or fitness
Hardware will run any nexus, and attest tothe digest of any nexus
Our nexus will run any agent (inaccordance with user policy) and attest tothe digest of that agent
Attestation leaves judgment up tochallenger
Done with excellent confidence
Not up to hardware/nexus
NGSCB: Attestation
7/29/2019 next generation super computer base
58/107
NGSCB: Attestation Hardware
Attestation is implemented at the rootby the SSC
Must be tightly bound to the CPU and thechipset for
Booting of the nexus
Attestation of the nexus
Chain of attestation
NGSCB: Seal
7/29/2019 next generation super computer base
59/107
NGSCB: Seal
Heres a good mental model Seal(secret) cryptoblob(secret)
Crytoblob(secret) may be stored anywhere
The call is really
Seal(secret, DigestOfEnvironment, DigestOfCallingAgent,MigrationControls) cryptoblob(secret)
Unseal(cryptoblob(somesecret)) somesecret
BUT Unseal is really
Unseal(cryptoblob(somesecret), DigestOfEnvironment,DigestOfCallingAgent) somesecret | nothing
If the Digest of the environment or the calling agent doesnot match with those that did the seal, Unseal returns **NOTHING **
NGSCB: Seal
7/29/2019 next generation super computer base
60/107
NGSCB: Seal
What it means If we ignore migration and indirection
Seal/Unseal say that if agent A running on environment Bseals a secret, then,
Only agent A running on environment B can unseal it
This gives agent A a way to hide a key
Seal is implemented by the nexus in cooperationwith the SSC
Same hardware build rules as for attestation
What's an "environment" Matching attestation vector for nexus-mode only
Booting some other OS that can call the SSC does NOT revealthe secrets
NGSCB: Seal
7/29/2019 next generation super computer base
61/107
NGSCB: Seal
Migration and indirection Caller gets to specify certain properties
What agents may unseal the secret
What hardware may unseal the secret
What nexus may unseal the secret What users may unseal the secret
Agents shouldnt seal against the SSC They should seal against the nexus
which seals against the SSC
Backup, restore, migration are allpossible using intermediate keysand certificates
7/29/2019 next generation super computer base
62/107
Hardware FundamentalsFor NGSCB
Part 2: Peripheral Hardware
GSCB: Desktop Secure Input
7/29/2019 next generation super computer base
63/107
GSCB: Desktop Secure Input
Threat Model NO Software Only Attacks Against Secured
Keystrokes
NO Break-Once/Break-Everywhere (BOBE) attacks
Out of scope People swapping the keyboard hardware
Patching into the keyboard cable
Sticking some device between the keyboard andthe box
All require a physical attack
Cannot send a physical attack via e-mail
Secure Input
7/29/2019 next generation super computer base
64/107
Hazard
Nexus-Mode (RHS)
Secure Input
Standard-Mode (std-mode/LHS)
User
Kernel
USB
HostController
Secure Input
7/29/2019 next generation super computer base
65/107
Nexus-Mode (RHS)
Secure Input
Standard-Mode (std-mode/LHS)
User
Kernel
E = Encrypted
Hazard
USB
HostController
E
E
Secure Input
7/29/2019 next generation super computer base
66/107
Nexus-Mode (RHS)
Secure Input
Standard-Mode (std-mode/LHS)
User
Kernel
E = Encrypted
Hazard
USB
HostController
E
E
Secure Input
7/29/2019 next generation super computer base
67/107
Nexus-Mode (RHS)
Secure Input
Standard-Mode (std-mode/LHS)
User
Kernel
E = Encrypted
E
USB
HostController
HazardE
Secure Input
7/29/2019 next generation super computer base
68/107
Nexus-Mode (RHS)
Secure Input
Standard-Mode (std-mode/LHS)
User
Kernel
E = Encrypted
E
USB
HostController
HazardE
Secure Input
7/29/2019 next generation super computer base
69/107
Nexus-Mode (RHS)
p
Standard-Mode (std-mode/LHS)
User
Kernel
E = Encrypted
E
USB
HostController
DecryptedText
HazardE
Mobile PC Secure Input
7/29/2019 next generation super computer base
70/107
Nexus-Mode (RHS)
p
Standard-Mode (std-mode/LHS)
User
Kernel
E = Encrypted
Key Board
Controller(KBC)
ChipsetSouth Bridge
(LPC busController)
E
Hazard
E
Secure Input
7/29/2019 next generation super computer base
71/107
Secure Input
Encryption for Human Interface Device(HID) will be done on the outboard sideof a USB host
1. Built into USB root hub
2. Built into any USB hub
3. Inside the device of interest
4. In-line device (dongle) between the
machine and the input device
Best solution is #1
Secure Input Work In Progress
7/29/2019 next generation super computer base
72/107
Secure Input Work In Progress
For desktops Evaluating several different ways of establishing
shared secret
Security versus OEM and IT deployment tradeoffs
For laptops Evaluating different ways to partition Secure Input
Path firmware/microcode in Embedded Controller
Legacy versus security certification issues
Alternatives being evaluated More information in calls-to-action
Secure Video
7/29/2019 next generation super computer base
73/107
Secure Video
Threat Model for video NO Software-Only attacks against Secure Windows
and the information displayed in them
NO Break-Once/Break-Everywhere (BOBE) attacks
This is not the ONLY hazard relevant to allstake holders
It is what we can secure
Security for external video interfaces is a matter
for hardware standards NGSCB could support link protections but wont require it
Secure Video
7/29/2019 next generation super computer base
74/107
Nexus-Mode (RHS)Standard-Mode (std-mode/LHS)
User
Kernel
USB
HostController
Graphics
Adaptor(nexus-mode)
GraphicsAdaptor
(std-mode)
Hazard
Secure Video
7/29/2019 next generation super computer base
75/107
Secure Video
Secure Video assures Secure windows cannot be obscured
Secure windows cannot be captured byunauthorized software
Secure windows cannot be altered byunauthorized software
Graphics adaptor may communicate
with display in various formats We are working on accessibility
Secure Video
7/29/2019 next generation super computer base
76/107
Secure Video
The Challenge How does the video data get from
nexus-mode to the graphics processor?
Two general ways
Closed path video MUST be integrated device
Depends on special hardware path from nexus tovideo device
Works when the video device is in close cooperation
with the memory controller Encrypted path data is encrypted in
nexus-mode and decrypted by thegraphics adaptor
Can reuse LHS driver stack
Closed Path T-Vid
7/29/2019 next generation super computer base
77/107
Nexus-Mode (RHS)Standard-Mode (std-mode/LHS)
User
Kernel
USB
HostController
Trusted
VideoAbstractor
Graphics
Adaptor(nexus-mode)
GraphicsAdaptor
(std-mode)
Hazard
Crypto Path T-Vid
7/29/2019 next generation super computer base
78/107
Nexus-Mode (RHS)Standard-Mode (std-mode/LHS)
User
E = Encrypted
USB
HostController
Trusted
VideoAbstractor
EGraphics
Adaptor(nexus-mode)
GraphicsAdaptor
(std-mode)
E Hazard
Kernel
NGSCB: Ecosystem
7/29/2019 next generation super computer base
79/107
NGSCB: Ecosystem
Works today on x86 flat 32-bitarchitectures from multiple sources
Could work on any CPU with
User/kernel modes Page granular virtual memory mapping
With effort, could be adapted to otherCPU models
NGSCB: Ecosystem
7/29/2019 next generation super computer base
80/107
NGSCB: Ecosystem
Building an NGSCB capable machinerequires:
NGSCB
CPU
NGSCB
Chipset
SSCSecure
Input
Secure
Video
All working in conjunction
Include tamper resistant/detecting hardware to pursue specific
opportunities
NGSCB: Changing The Nexus
7/29/2019 next generation super computer base
81/107
NGSCB: Changing The Nexus
The digest of the nexus is the basis for trust inthe system So a change to the nexus is non-trivial
Hardware changes which require nexus changes will facedelays in market support We are working closely with core-logic vendors to minimize risk
For RHS input and output its important to getthings right
This means that there will be a small number of practical*INTERFACES* for trusted-input and trusted-output This is about INTERFACES, not gates, technologies, fabs, speeds, or
costs; INTERFACES Microsoft is working to define these INTERFACES with leading
providers of video and USB hardware
LHS interfaces and software can change in thenormal ways
7/29/2019 next generation super computer base
82/107
Nexus Fundamentals
Device Drivers
7/29/2019 next generation super computer base
83/107
Device Drivers
NGSCB doesnt change the devicedriver model
NGSCB needs very minimal access toreal hardware
Secure reuse of Left Hand Side (LHS) driverstacks wherever possible Right Hand Side (RHS) encrypted channel through
LHS unprotected conduit
Every line of privileged code is a potentialsecurity risk No third-party code
No kernel-mode plug-ins
Partitioned System
7/29/2019 next generation super computer base
84/107
Partitioned System
RHS = Security In the presence of adversarial LHS code
the system must not leak secrets
The RHS must NOT rely on the LHS
for security
LHS = Richness and Compatibility
In the absence of LHS cooperation
NGSCB doesnt run The RHS MUST rely on the LHS for stability
and services
What Runs On The LHS
7/29/2019 next generation super computer base
85/107
What Runs On The LHS
Applications and Drivers still run Viruses too
Windows as you know it today
Any software with minor exceptions The new hardware (HW) memory
controller wont allow certain badbehaviors, e.g., code which
Copies all of memory from one location tothe next
Puts the CPU into real mode
What NGSCB Needs From
7/29/2019 next generation super computer base
86/107
What NGSCB Needs FromThe LHS
Device Driver work for Trusted Input / Video
Memory Management additions to allownexus to participate in memory pressure and
paging decisions User mode debugger additions to allow
debugging of agents (explained later)
Window Manager coordination Nexus Manager Device driver (nexusmgr.sys)
NGSCB management software and services
Close-Up Of The Lower RHS
7/29/2019 next generation super computer base
87/107
Close Up Of The Lower RHS
Syscall Dispatcher
Porch
Nexus.exe
Kernel
debug
Nexus Core
Handle
Mgr
SSC
Abstractor
ATC
Module
(Nexus Callable Interfaces)
Nexus Abstraction Layer (NAL)
Nx* Functions
Int
Handler
Sync
Objects
Memory
Manager
ProcessLoader
Process
Manager
T
hreadManager
IOManager
NGSCB
Calls
Traps
Crypto
Runtime
Library
NativeSRM
I Think, Therefore I Am
7/29/2019 next generation super computer base
88/107
I Think, Therefore I AmDescartes Problem
Challenge for attestation must always comefrom outside the machine Local (the user with a superkey)
Remote (some server) No nexus can directly determine if it is
running in the secured environment
No Agent can directly determine if it is
running in the secured environment Must use Remote Attestation or Sealed
Storage to cache credentials or secrets toprove the system is sound
Nexus Derivative Works
7/29/2019 next generation super computer base
89/107
Nexus Derivative Works
The user can run any nexus, or write hisown and run it, on the hardware
That nexus can only report the attestationprovided by the Security Support
Component (SSC) The SSC wont lie
The nexus cannot pretend to be another nexus
Other systems will need to decide if they
trust the new derived nexus
Just need to prove to others your derivativeis legitimate
Agent Derivative Works
7/29/2019 next generation super computer base
90/107
Agent Derivative Works
The user can run any agent, or writehis own and run it, on the nexus
That agent can report the attestationprovided by the nexus The nexus wont lie
The agent cannot pretend to beanother agent
Other systems will need to decide ifthey trust the new derived agent
Just need to prove to others yourderivative is legitimate
Policy Controlled By The
7/29/2019 next generation super computer base
91/107
Policy Controlled By TheOwner Of The Machine
NGSCB enforces policy but does not set the policy
The hardware will load any nexus
But only one at a time
Each nexus gets the same services The hardware keeps nexus secrets separate
Nothing about this architecture prevents any nexus fromrunning; however, the owner can control which nexuses areallowed to run
Proposed software (nexus) policies The Microsoft nexus will run any agent
The platform owner can set policy that limits this
User gets to pick some other delegated evaluator(e.g., my union) if they choose
Policy Notes
7/29/2019 next generation super computer base
92/107
Policy Notes
Policy is a way for users and machineowners to make general, abstractstatements, about what software runs
Run any agent I click
Run only agents whose source Ive read
Run agents that a third party I trust, trusts
The point of policy is to enable the
users to control what runs on theirmachines
Next Generation Secure
7/29/2019 next generation super computer base
93/107
Next Generation SecureComputing Base Defined
Microsofts Next-Generation SecureComputing Base (NGSCB) is a newsecurity technology for the Microsoft
Windows platform Uses a unique hardware and
software design
Gives people new kinds of security andprivacy protections in aninterconnected world
NGSCB Quadrants
7/29/2019 next generation super computer base
94/107
Main OS
USB Driver
Nexus-Mode (RHS)
Nexus
NexusMgr.sys
HAL
NAL
SSC
User Apps.
Agent
NCA Runtime Library
Trusted UserEngine (TUE)
TSP TSP TSP
AgentAgent
Standard-Mode (std-mode / LHS)
User
Kernel
Hardware Secure Input ChipsetCPUSecure Video
Booting The Nexus
7/29/2019 next generation super computer base
95/107
oot g e e us
Nexus is like an OS kernel, so it mustboot sometime
Can boot long after main OS
Can shut down long before main OS(and restart later)
NGSCB Nexus Manager
7/29/2019 next generation super computer base
96/107
Nexus Manager Abstraction Layer (NMAL)
Nexus Manager CoreNexus
DispatchServices
Shadow
Service
Admin
Service
NexusMgr
IPC
Object SecurityManager Shared ResourceManager
HW Allocator
(memorywholesaler)
Nexus Loader
Nexus-Mode (RHS)Standard-Mode (LHS)
User
Kernel
Hardware
SecureInput
Filter Driver
SecureVideo
Filter Driver
Secure videoSecure Input
Booting The Nexus
7/29/2019 next generation super computer base
97/107
g
NexusMgr is a kernel mode LHScomponent
Read and map the nexus code
Allocate some pages from the main OS
Pass that list of pages to the nexus viasome platform-specific code/hardware
Digest the nexus (with hardware help)
Now the nexus starts, initializesAddress Translation Control (ATC),and returns control to the LHS
Address Translation
7/29/2019 next generation super computer base
98/107
Protected Page
Normal Page
AddressTranslation
Normal PageVirtualaddresses
Address Translation Control
7/29/2019 next generation super computer base
99/107
This is curtained memory (or strongprocess isolation)
Cant tamper with a page unless you have amapping to it
On current PCs
Any kernel mode code can modify Virtual Address (VA) Physical Address (PA) mapping structures
Theres untrusted code in kernel mode
NGSCB hardware calls nexus before
Page map changes (process swap) Edits to mapping structures
Turning off paging
Address Translation Control
7/29/2019 next generation super computer base
100/107
When the page map changes,the nexus
Walks the tree of pages it maps
Makes sure no protected pages aremapped
No read/write mappings to the page map
Now the map will remain safe, so
hardware and software can manage a listof known safe page maps
Address Translation Control
7/29/2019 next generation super computer base
101/107
When a mapping structure changes,the nexus
Walks the tree of pages getting mapped
Makes sure no protected pages aregetting mapped
Ensures no read/write mappings to thepage map
ATC will almost always allow themapping to change
Legacy code will still work unless itattempts to access nexus space pages
Address Translation Control
7/29/2019 next generation super computer base
102/107
ATC protects Agent and nexus data
Agent and nexus code
All page mapping structures (LHS/RHS) Also protected from DMA (thanks to
special hardware)
Correct ATC implementation vital toNGSCB security
Memory Management (MM)
7/29/2019 next generation super computer base
103/107
y g ( )
Simplicity, robustness preferred overmaximizing performance
Allocate/free whole pages
No shared memory between agents No paging-to-disk in this version
If nexus were to page to disk, it wouldencrypt and sign the pages, then ask themain OS to flush them
Memory Management (MM)
7/29/2019 next generation super computer base
104/107
y g ( )
Nexus keeps some free pages that ATCis protecting
Nexus can request extra pages fromkernel via NexusMgr (seize)
Nexus MM asks ATC if new pages aresafe to use - any left side mappings?
Nexus can give surplus pages back tokernel if the kernel needs them
Nexus Abstraction Layer (NAL)
7/29/2019 next generation super computer base
105/107
Multiple CPU vendors Different Security Support
Components (SSC)
Much nexus code is architectureindependent
Interrupts
7/29/2019 next generation super computer base
106/107
p
Interrupts enabled on the RHS Most drivers are still on the LHS
Sowhat if an interrupt for the NIC, SCSI
card, etc. happens on the right? Nexus asks Porch to transition to
the LHS
NexusMgr replays the interrupt
Nexus Also Protects
7/29/2019 next generation super computer base
107/107
Model specific registers (MSRs) Some MSRs are used to implement NGSCB,
but most will be accessible by left side code
I/O ports
Combined with ATC, this means PCI configspace is protected
Things like the DMA exclusion list are in
chipset registers, so we must protect them The NAL helps decide what to protect
Recommended