Security in the industry H/W & S/W

What is AMD’s

”enhanced virus protection”

all about?

What’s coming next?

Presented by: Micha Moffie

NUCAR 2

Outline

• Security Objectives

• Happening now… AMD Solution – ‘enhanced virus protection’ WinXP support in SP2

• Coming soon … Intel LaGrande technology Windows Palladium/NGSCB

NUCAR 3

Security - Objectives

• Protect User Confidential Data

• From: Attacks on executing software

• Software vulnerabilities Attacks from malicious software

• Viruses/worms/Trojan horses Attacks on hardware

• Access to keyboard & mouse data / screen output

NUCAR 4

AMD’s ‘Enhanced Virus Protection’

• Hardware support against stack smashing Stack smashing attack - reminder

• Hardware implements NX bit - No eXecution on predefined pages. Each page in the translation pages has a new NX bit,

when the instruction TLB is loaded with a new page, this bit is checked. if the bit is set (we are trying to execute from a non executable page) we will get a page fault exception.

this applied to all privilege levels (from AMD manual)

NUCAR 5

The OS role

• Window XP (Service Pack 2)• Microsoft uses NX bit to: ”prevents the

execution of code in memory regions that are marked as data storage” This will NOT prevent an attacker from overrunning

the data buffer, but will prevent him from executing his attack (generate an exception)

• Some problems with legitimate code a ”Data Execution Prevention" error message – for

legitimate code Workaround - Microsoft allow exceptions, per

application. (I.e. turn DEP off for specific apps.)

NUCAR 6

Who else?

• Transmeta already supported

• Intel Itanium supports this bit Intel Pentium … in the near future

• Linux a patch to the Linux kernel exists that supports the

NX bit http://www.uwsg.indiana.edu/hypermail/linux/kernel/0406.0/0497.html

NUCAR 7

Outline

• Security Objectives

• Happening now… AMD Solution – ‘enhanced virus protection’ WinXP support in sp2

• Coming soon … Intel LaGrande technology Windows Palladium

NUCAR 8

Intel LaGrange Technology (LT)

• New Hardware Components complemented with New OS & New applications: protect data from software attacks protect data confidentiality & integrity

• Hardware Capabilities Isolated execution

• Protected memory pages

Sealed storage (TPM) Protected I/O (keyboard/mouse/graphics) Attestation (Proof of current protected environment)

NUCAR 9

LT Hardware enhancements

NUCAR 10

LT Protection Model

• Standard partition execute:

• legacy code,

• non secure portion of new code

provides • regular IA32

semantics

• Protected partition execute

• new security modules & services

Provides• execution isolation

• sealed storage

• Protected I/O

• Attestation

NUCAR 11

LT Protection Model - Cont

NUCAR 12

Microsoft Palladium NGSCB

• Next Generation Secure Computing Base

• security technology for the Microsoft® Windows® platform, will be included in “Longhorn”

• Includes a new operating system module: “Nexus” enable secure interaction with applications,

peripheral hardware, memory and storage

NUCAR 13

Microsoft NGSCB

• Four key features: Strong process isolation

• even against attacks from the kernel

Sealed storage• accessible only to

program, nexus & machine

Secure path to/from user Attestation

NUCAR 14

The nexus

• Essentially the kernel of an isolated software stack

• runs alongside the existing OS software stack. not underneath it

• Provides a limited set of APIs and services for applications, including sealed storage and attestation functions.

• Special processes that work with nexus are called “Agents”

• Can run different nexuses on a machine But only one nexus at a time

NUCAR 15

NGSCB - run time environment

NUCAR 16

References• AMD64 Architecture Programmer's Manual Volume 2: System

Programming, 3.09 edition, Sep. 2003. Publication No. 24593.• Microsoft Knowledge Base Articles 875352 & 875351 • Intel, LaGrande Technology Architectural Overview, 252491-001,

September 2003• Microsoft The Next-Generation Secure Computing Base: Four Key

Features, June 2003• Microsoft Next-Generation Secure Computing Base - Technical

FAQ, July 2003• Microsoft "Palladium": A Business Overview, August 2002• TPM Main Part 1 Design Principles, Specification Version 1.2

Revision 62 2 October 2003 Published• ARM, A New Foundation for CPU Systems Security, Security

Extensions to the ARM Architecture, Richard York, May 2003• A wooden fence in Kyoto, http://www.gastric.com /mari/54.htm

NUCAR 17

The End

• Thanks,

• Questions ?

NUCAR 18

Backup & links

NUCAR 19

Stack Smashing Attack

main(int argc, char **argv) { … foo(argv[1], 10); …}

void foo(int i, char *s) { char b[16]; strcpy(b, s); ……}

main( ) auto variables

return addr of foo( )

frame ptr of foo( )

Stack ptr

Frame ptr

Stack grows

Buffer grows

10

ptr to input string

0+4

-4

+8

dddd

+12

cccc

bbbb

aaaa

-8

-12

-16 b[0]

b[1]

b[2]

b[3]

Stack

NUCAR 20

0x0012ff12

0x0012ff12

Stack grows

Buffer grows

start of attack code

0x0012ff12

0+4

-4

+8

****

+12

****

****

****

-8

-12

-16 b[0]

b[1]

b[2]

b[3]

Stack

0x0012ff12

0x0012ff08

0x0012ff04

0x0012ff00

attack code

attack code

attack code Attacker code executed in Stack Segment..

Stack Smashing Attack - II

return addr of foo( ) Has changed!

it will return to 0x0012ff12, the attacker code

NUCAR 21

TPM

• Trusted Platform Module • also called SSC - Security Support Component

• Stores hardware secret key

• Base of trust

• Cryptographic co-processor

• more…

NUCAR 22

TPM architecture

NUCAR 23

Transitive Trust

NUCAR 24

ARM – TrustZone

• Extending the CPU to enable more security

• Main problem with current OS It is huge, millions of code lines - Complex

• difficult to establish a ‘trusted code base’ A rich API - Open

• enables widespread access to OS from non-secure code

• Main idea: establishing a trusted code base using a hardware enforced security domain to

systemize the implementation of secure systems

NUCAR 25

ARM - cont

• Current typical security structure

NUCAR 26

ARM - Cont

• New security structure

NUCAR 27

ARM - Cont

• Introduce an NS-bit use this bit to identify secure data throughout

system• cache

• pages

• Monitor manages the NS-bit manages transition in & out of security mode Small fixed API