Next Generation Secure Computing Base John Manferdelli [email protected] Security Business Unit...
-
Upload
kevin-bates -
Category
Documents
-
view
221 -
download
4
Transcript of Next Generation Secure Computing Base John Manferdelli [email protected] Security Business Unit...
Next Generation Secure Next Generation Secure Computing Base Computing Base
John ManferdelliJohn [email protected]@microsoft.comSecurity Business UnitSecurity Business UnitMicrosoft CorporationMicrosoft Corporation
The ProblemThe Problem
Corp network
extr
anet
internet
Personal firewall
2-factor authentication, one time password, digital signature
Antivirus software
Coredata, IP, apps, “secrets”
Edge
Remote
ACL
Network IDS
Encryption
Air gap network
VA toolsReporting tools
Config and patch mgt
Monitoring tools
VPN
Firewall, Proxy server
HSM
Network level Encryption
Content screening
SSL
Network segmentation
IPsec
“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.”
Professor Gene Spafford Perdue CERIAS
Next Generation Secure Next Generation Secure Computing Base DefinedComputing Base Defined
Microsoft’s Next-Generation Secure Microsoft’s Next-Generation Secure Computing Base (NGSCB) is a bad Computing Base (NGSCB) is a bad name for a new security technology for name for a new security technology for the Microsoft Windows platform the Microsoft Windows platform Uses a unique hardware and software Uses a unique hardware and software
design design New kind of security model for integrity, New kind of security model for integrity,
confidentiality and trust negotiation in an confidentiality and trust negotiation in an interconnected worldinterconnected world
NGSCB Security GoalsNGSCB Security Goals
•Protect data and processing against Protect data and processing against software software attackattack
Provide a strong way to authenticate machines and Provide a strong way to authenticate machines and software.software.
Provide “compartmentalization” of secure applicationsProvide “compartmentalization” of secure applications Small, dynamically materialized security perimeters with Small, dynamically materialized security perimeters with unspoofable TCBsunspoofable TCBs
Provide safe haven in “network rich” environmentProvide safe haven in “network rich” environment
Key NGSCB ComponentsKey NGSCB Components
Main OSMain OS
USBUSBDriverDriver
NexusMgr.sysNexusMgr.sys
HALHAL
User Apps.User Apps.
Nexus-Mode (RHS)Nexus-Mode (RHS)
NexusNexus
NALNAL
AgentAgent
NCA Runtime LibraryNCA Runtime Library
Trusted UserTrusted UserEngine (TUE)Engine (TUE)
TSPTSP TSPTSP TSPTSP
AgentAgentAgentAgent
NGSCB QuadrantsNGSCB QuadrantsStandard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)
UserUser
KernelKernel
SSCSSC Hardware Hardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video
Attestation extends TCBAttestation extends TCB
Another program can rely on this key Another program can rely on this key without a central authoritywithout a central authority
Don’t try this at home, safe protocol is Don’t try this at home, safe protocol is more complicatedmore complicated
May be replaced by Zero Knowledge May be replaced by Zero Knowledge ProtocolProtocol
Program generates public/private key Program generates public/private key pairpair
Platform signs statement “The Platform signs statement “The following public key is in an isolated following public key is in an isolated program with hash H under Nexus N.”program with hash H under Nexus N.”
Attestation CaveatAttestation Caveat
Attestation is NOT a judgment of code Attestation is NOT a judgment of code quality or fitnessquality or fitness Code could still be maliciousCode could still be malicious Code could still have bugs affecting Code could still have bugs affecting
securitysecurity
Attestation leaves judgment up to Attestation leaves judgment up to challengerchallenger Done with high confidenceDone with high confidence
What Runs On The LHSWhat Runs On The LHS
Windows as you know it today Windows as you know it today Applications and Drivers still runApplications and Drivers still run Viruses tooViruses too Any software with minor exceptionsAny software with minor exceptions
The new hardware (HW) memory The new hardware (HW) memory controller won’t allow certain “bad” controller won’t allow certain “bad” behaviors, e.g., code whichbehaviors, e.g., code which Puts the CPU into real modePuts the CPU into real mode
What the RHS Needs From What the RHS Needs From The LHSThe LHS
Memory Management changes to allow Memory Management changes to allow nexus to participate in memory nexus to participate in memory pressure and paging decisionspressure and paging decisions
Window Manager coordinationWindow Manager coordination IPC, scheduling, communicationIPC, scheduling, communication NGSCB management software and NGSCB management software and
servicesservices
Business ScenariosBusiness Scenarios
Secure machine monitorSecure machine monitor Lock-down and monitor machine policyLock-down and monitor machine policy Sandbox executionSandbox execution
Secure Real Time MessagingSecure Real Time Messaging Secure MailSecure Mail Secure Distributed ProcessingSecure Distributed Processing
Employee use of Enterprise ProgramsEmployee use of Enterprise Programs Employee use of Enterprise DataEmployee use of Enterprise Data Doctors access hospital recordsDoctors access hospital records
Guard machines from untrusted networkGuard machines from untrusted network Guard network from untrusted machinesGuard network from untrusted machines Guard programs from untrusted servicesGuard programs from untrusted services
Secure Secure CommunicationCommunication
Secure Network Secure Network AccessAccess
Secure Machine Secure Machine PolicyPolicy
Secure Remote Secure Remote AccessAccess
Business ScenariosBusiness Scenarios
AuctionsAuctions NegotiationsNegotiations On-line GamesOn-line Games
Protect data on user machineProtect data on user machine Protect spoofed machines and usersProtect spoofed machines and users Provide Secure AuditProvide Secure Audit
Protect personal data at AmazonProtect personal data at Amazon Secure RMS from software attackSecure RMS from software attack Protect Corporate Partner InformationProtect Corporate Partner Information
Books, movies, audio, softwareBooks, movies, audio, software Flexible use models: Differential pricingFlexible use models: Differential pricing Content not “orphaned” by new devicesContent not “orphaned” by new devices
Confidentiality Confidentiality EnforcementEnforcement
““Big” Rights Big” Rights ManagementManagement
Secure Secure CollaborationCollaboration
““Small” Rights Small” Rights ManagementManagement
NGSCB: Threat ModelsNGSCB: Threat Models
Our Threat ModelOur Threat Model No Software-Only Attacks Against RHS No Software-Only Attacks Against RHS No Break-Once/Break-Everywhere (BOBE) attacksNo Break-Once/Break-Everywhere (BOBE) attacks
No Software-Only Attacks means…No Software-Only Attacks means… No attacks based on micro-code, macro-code, No attacks based on micro-code, macro-code,
adapter card scripts, etc. adapter card scripts, etc. Any attacks launched from the Web or e-mail are Any attacks launched from the Web or e-mail are
“software only”“software only”
Protection only applies to the release Protection only applies to the release of secrets of secrets
HW Keys: Whose are they?HW Keys: Whose are they?
Answer: The Hardware Used only under explicit user policy.
NGSCB uses two hardware keys directly: One key is used by Sealed Storage
Generated when user “takes ownership” Only available to TPM Randomizing
One key is an RSA key used for Attestation Only signs statements like “Nexus with hash x asked me to sign
the following statement: y.”
Privacy safeguards built into hardware Opt-in Disclosure of (public) signing key components is restricted Use of keys in sole control of machine owner
Other Keys: Whose are Other Keys: Whose are they?they?
Answer: Entities authorized by users to access key services User’s personal Keys Service provider’s Keys Shared Keys
Microsoft neither owns nor has access to any HW keys. Key ownership is circumscribed and may not even
be known to entity relying on it.
Machine owner is in Machine owner is in complete controlcomplete control
Hardware cannot be used without Hardware cannot be used without explicit user permissionexplicit user permission
No nexus can run without explicit user No nexus can run without explicit user permissionpermission
No NCA can use key services without No NCA can use key services without user permissionuser permission
No NCA can run without explicit user No NCA can run without explicit user permissionpermission
PoliciesPolicies Everything that runs today will run on NGSCB Everything that runs today will run on NGSCB
systemssystems The platform will run any nexusThe platform will run any nexus
The user will be in charge of what nexuses he The user will be in charge of what nexuses he chooses to runchooses to run
The MS nexus will run any applicationThe MS nexus will run any application The user will be in charge of the applications that he The user will be in charge of the applications that he
chooses to runchooses to run
The MS nexus will interoperate with any The MS nexus will interoperate with any network service providernetwork service provider
The MS nexus source code will be made The MS nexus source code will be made available for reviewavailable for review
Misconceptions: NGCSBMisconceptions: NGCSB NGSCB will censor or disable content without NGSCB will censor or disable content without
user permissionuser permission No policy (except user policy) in NGSCB No policy (except user policy) in NGSCB
NGSCB will lock out vendors NGSCB will lock out vendors No permission (signatures) required to use NGSCB No permission (signatures) required to use NGSCB
NGSCB is “super” virus spreaderNGSCB is “super” virus spreader NGSCB applications do no run at elevated privilegeNGSCB applications do no run at elevated privilege
NGSCB NCA is not debuggableNGSCB NCA is not debuggable Yes it is. Yes it is.
This will hurt smart card vendorsThis will hurt smart card vendors No, it increases portable smart card valueNo, it increases portable smart card value
Misconceptions: TCPA/TCGMisconceptions: TCPA/TCG
It’s the Fritz chipIt’s the Fritz chip Nope. It’s an anti-Fritz chip.Nope. It’s an anti-Fritz chip.
TCPA/TCG refuses to run unlicensed softwareTCPA/TCG refuses to run unlicensed software Nope. Statement publicly denied by MS, HP and Nope. Statement publicly denied by MS, HP and
IBM.IBM.
Control will be exercised centrallyControl will be exercised centrally No central authorities requiredNo central authorities required Need for central authorities diminishedNeed for central authorities diminished
TC will remove effective control of PC from its TC will remove effective control of PC from its ownerowner Strengthens owner controlStrengthens owner control
NGSCB QuadrantsNGSCB Quadrants
Main OSMain OS
USBUSBDriverDriver
Nexus-Mode (RHS)Nexus-Mode (RHS)
NexusNexus
NexusMgr.sysNexusMgr.sys
HALHAL
NALNAL
SSCSSC
User Apps.User Apps.
AgentAgent
NCA Runtime LibraryNCA Runtime Library
Trusted UserTrusted UserEngine (TUE)Engine (TUE)
TSPTSP TSPTSP TSPTSP
AgentAgentAgentAgent
Standard-Mode (“std-mode” / LHS)Standard-Mode (“std-mode” / LHS)
UserUser
KernelKernel
HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video
““Booting” The NexusBooting” The Nexus
Nexus is like an OS kernel, so it must Nexus is like an OS kernel, so it must boot sometimeboot sometime
Can boot long after main OSCan boot long after main OS Can shut down long before main OS Can shut down long before main OS
(and restart later)(and restart later)
Boot a NexusBoot a Nexus
Nexus: Basic EnvironmentNexus: Basic Environment Section 1 of Intro to Operating Systems TextbookSection 1 of Intro to Operating Systems Textbook
Process and Thread Loader/ManagerProcess and Thread Loader/Manager Memory ManagerMemory Manager I/O ManagerI/O Manager Security Reference MonitorSecurity Reference Monitor Interrupt handing/Hardware abstractionInterrupt handing/Hardware abstraction
But no Section 2But no Section 2 No File SystemNo File System No NetworkingNo Networking No Kernel Mode/Privileged Device DriversNo Kernel Mode/Privileged Device Drivers No Direct XNo Direct X No SchedulingNo Scheduling No…No…
Kernel mode has no pluggablesKernel mode has no pluggables All of the kernel loaded at boot and in the PCRAll of the kernel loaded at boot and in the PCR
Nexus: Basic EnvironmentNexus: Basic Environment
Virtualization of hardware fundamentals for AgentsVirtualization of hardware fundamentals for Agents Sealed storage, attestation, etc.Sealed storage, attestation, etc.
Minimal ServicesMinimal Services Trusted UI EngineTrusted UI Engine
XML Based Graphical Services for UIXML Based Graphical Services for UI Input Routing/Focus ManagementInput Routing/Focus Management Minimum Fonts (inc. Multiple Languages…)Minimum Fonts (inc. Multiple Languages…) Windows ManagerWindows Manager
IPC IPC TSPs (Trusted Service Provider)TSPs (Trusted Service Provider)
Run in User Mode RHSRun in User Mode RHS Provide ServicesProvide Services Are “Drivers” for Trusted Input/VideoAre “Drivers” for Trusted Input/Video
Close-Up Of NexusClose-Up Of Nexus
Syscall Dispatcher
Porch
Nexus.exe
Kerneldebug
Nexus Core
HandleMgr
SSCAbstractor
ATCModule
(Nexus Callable Interfaces)
Nexus Abstraction Layer (NAL)
Nx* Functions
IntHandler
Sync
Objects
Mem
oryM
anager
Process Loader
Process
Manager
Thread M
anager
IO M
anager
NG
SC
B C
allsT
raps
Crypto
Runtim
eLibrary
Native S
RM
Code IdentityCode Identity
NexusNexus Cryptographic HashCryptographic Hash
AgentsAgents Manifest (or rather hash of manifest)Manifest (or rather hash of manifest)
Debugging PolicyDebugging Policy Public Key Public Key Corresponding Private key authorized to name Corresponding Private key authorized to name
cryptographic hashes of binaries that identify cryptographic hashes of binaries that identify “this program”“this program”
MetadataMetadata
Debugging The NexusDebugging The Nexus
The retail nexus cannot be debuggedThe retail nexus cannot be debugged The debug nexus can be debuggedThe debug nexus can be debugged Since these two nexuses are different Since these two nexuses are different
in at least one bit, their attestations are in at least one bit, their attestations are different as welldifferent as well
User Mode DebuggingUser Mode Debugging
No agents are debuggable without a change to their No agents are debuggable without a change to their code identitycode identity Attestation reflects this change Attestation reflects this change
Debugging the LHS Shadow Process means Debugging the LHS Shadow Process means debugging the Agentdebugging the Agent We’ve redirected the functions to Get and Set Thread We’ve redirected the functions to Get and Set Thread
Context and Read and Write Process MemoryContext and Read and Write Process Memory We’ve redirected RHS debug events to the LHS processWe’ve redirected RHS debug events to the LHS process Thread control “just works”Thread control “just works”
Well behaved debuggers that work with LHS Well behaved debuggers that work with LHS processes will also with agentsprocesses will also with agents
NGSCB: SealNGSCB: Seal
Here’s a good mental modelHere’s a good mental model Seal(secret) → cryptoblob(secret)Seal(secret) → cryptoblob(secret)
Crytoblob(secret) may be stored anywhereCrytoblob(secret) may be stored anywhere
The call is reallyThe call is really Seal(secret, DigestOfTargetEnvironment) → Seal(secret, DigestOfTargetEnvironment) →
cryptoblob(secret)cryptoblob(secret)
Unseal(cryptoblob(somesecret)) → Unseal(cryptoblob(somesecret)) → somesecretsomesecret
Unseal is reallyUnseal is really Unseal(cryptoblob(somesecret), Unseal(cryptoblob(somesecret),
DigestOfTargetEnvironment) → somesecretDigestOfTargetEnvironment) → somesecret
Secret MigrationSecret Migration
Caller gets to specify certain propertiesCaller gets to specify certain properties What agents may unseal the secretWhat agents may unseal the secret What hardware may unseal the secretWhat hardware may unseal the secret What nexus may unseal the secretWhat nexus may unseal the secret What users may unseal the secretWhat users may unseal the secret
Agents shouldn’t seal against the SSCAgents shouldn’t seal against the SSC They should seal against the nexus They should seal against the nexus
which seals against the SSCwhich seals against the SSC
Backup, restore, migration are all Backup, restore, migration are all possible using intermediate keys possible using intermediate keys and certificatesand certificates
WIIFM: Credential Based WIIFM: Credential Based SecuritySecurity
Single simple, flexible, scalable, distributed, credential based Single simple, flexible, scalable, distributed, credential based security model security model Programs, users, machines, channels as principalsPrograms, users, machines, channels as principals Fine-grained, persistent, declarative claim/assertion/authorization Fine-grained, persistent, declarative claim/assertion/authorization
languagelanguage General authentication and authorization primitivesGeneral authentication and authorization primitives
Manageable and FlexibleManageable and Flexible Non brittleNon brittle AdministrableAdministrable Projects Security Perimeter outside EnterpriseProjects Security Perimeter outside Enterprise
Framework for policy enforcementFramework for policy enforcement Desktop LockdownDesktop Lockdown Policy assurance (Virus policy, IDS, …)Policy assurance (Virus policy, IDS, …)
Supports migration of existing Windows security servicesSupports migration of existing Windows security services