a technical introduction to ngscb brandon baker windows security division microsoft corporation...
TRANSCRIPT
A Technical Introduction to A Technical Introduction to NGSCBNGSCB
Brandon BakerBrandon Baker
Windows Security DivisionWindows Security DivisionMicrosoft CorporationMicrosoft [email protected]@microsoft.com
AgendaAgenda
Vision for NGSCBVision for NGSCB
Define a basic NGSCB environmentDefine a basic NGSCB environment
Standard-Mode/Left Hand Side (LHS)Standard-Mode/Left Hand Side (LHS)
Nexus-Mode/Right Hand Side (RHS)Nexus-Mode/Right Hand Side (RHS)
Features – the 4 pillarsFeatures – the 4 pillars
High assuranceHigh assurance
NGSCB RoadmapNGSCB Roadmap
SummarySummary
NNext ext GGeneration eneration SSecure ecure CComputing omputing BBase Definedase Defined
Microsoft’s Next-Generation Secure Microsoft’s Next-Generation Secure Computing Base (NGSCB) is a new Computing Base (NGSCB) is a new security technology for the Microsoft security technology for the Microsoft Windows platformWindows platform
Uses both hardware and software to protect Uses both hardware and software to protect datadata
Gives people new kinds of security and privacy Gives people new kinds of security and privacy protections in an interconnected worldprotections in an interconnected world
NGSCB is hardware enhanced security that NGSCB is hardware enhanced security that sets the stage for the future of secure sets the stage for the future of secure computingcomputing
NGSCB Vision And GoalsNGSCB Vision And Goals
VisionVisionNGSCB advances the PC ecosystem to meet NGSCB advances the PC ecosystem to meet customers’ requirements for customers’ requirements for security, privacy, and security, privacy, and data protectiondata protection
Product GoalProduct GoalNGSCB will broaden the utility of the PC by NGSCB will broaden the utility of the PC by delivering delivering security on par with closed architecturesecurity on par with closed architecture systems while maintaining the flexibility of the systems while maintaining the flexibility of the Windows platformWindows platform
Business GoalBusiness GoalNGSCB will help to revitalize the PC ecosystem by NGSCB will help to revitalize the PC ecosystem by enabling a enabling a new generation of hardware and softwarenew generation of hardware and software productsproducts
Why NGSCB?Why NGSCB?
Vulnerabilities todayVulnerabilities today
Attacks on Core assetsAttacks on Core assets
Attacks on NetworksAttacks on Networks
Attacks via Remote users/machinesAttacks via Remote users/machines
Open computing environmentOpen computing environment
NGSCB can address software attacks on NGSCB can address software attacks on applications, secretsapplications, secrets
Damage from attacks can be Damage from attacks can be compartmentalized and limitedcompartmentalized and limited
Protect software from softwareProtect software from software
Threats Mitigated in V1Threats Mitigated in V1
Tampering with DataTampering with DataStrong process isolationStrong process isolation prevents rogue applications from prevents rogue applications from changing NGSCB data or code while it is runningchanging NGSCB data or code while it is runningSealed storage verifies the integrity of data when unsealing itSealed storage verifies the integrity of data when unsealing it
Information DisclosureInformation DisclosureSealed storageSealed storage prevents rogue applications from getting at your prevents rogue applications from getting at your encrypted dataencrypted data
RepudiationRepudiationAttestationAttestation enables you to verify that you are dealing with an enables you to verify that you are dealing with an application and machine configuration you trustapplication and machine configuration you trust
Spoofing IdentitySpoofing IdentitySecure pathSecure path enables you to be sure that you’re dealing with the enables you to be sure that you’re dealing with the real user, not an application spoofing the userreal user, not an application spoofing the user
What NGSCB What NGSCB Isn’tIsn’t
An attempt to control users against their An attempt to control users against their wisheswishes
Software which will destroy users’ dataSoftware which will destroy users’ data
An invasion of privacyAn invasion of privacy
All about consumer media protectionAll about consumer media protection
Protection against hardware attacksProtection against hardware attacks
The final word in securityThe final word in security
NGSCB QuadrantsNGSCB Quadrants
Main OSMain OS
USBUSBDriverDriver
HALHAL
User Apps.User Apps.
Standard-Mode (“std-mode” / LHS)Standard-Mode (“std-mode” / LHS)
UserUser
KernelKernel
HardwareHardware InputInput ChipsetChipsetCPUCPUVideoVideo
BadBadDriverDriver
BadBadDriverDriver
BadBadDriverDriver
RogueRogueApp.App.
RogueRogueApp.App.
NGSCB QuadrantsNGSCB Quadrants
Main OSMain OS
USBUSBDriverDriver
Nexus-Mode (RHS)Nexus-Mode (RHS)
NexusNexus
NexusMgr.sysNexusMgr.sys
HALHAL
NALNAL
TPM 1.2TPM 1.2
User Apps.User Apps.
AgentAgent
NCA Runtime LibraryNCA Runtime Library
Trusted UserTrusted UserEngine (TUE)Engine (TUE)
TSPTSP TSPTSP TSPTSP
AgentAgentAgentAgent
Standard-Mode (“std-mode” / LHS)Standard-Mode (“std-mode” / LHS)
UserUser
KernelKernel
HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video
Partitioned SystemPartitioned System
RHS = SecurityRHS = Security
In the presence of adversarial LHS code In the presence of adversarial LHS code NGSCB must not leak secretsNGSCB must not leak secrets→→ The RHS must NOT rely on the LHS The RHS must NOT rely on the LHS
for securityfor security
LHS = Richness and Compatibility LHS = Richness and Compatibility
In the absence of LHS cooperation NGSCB In the absence of LHS cooperation NGSCB doesn’t rundoesn’t run→→ The RHS MUST rely on the LHS for stability and The RHS MUST rely on the LHS for stability and
servicesservices
Nexus - A Basic OSNexus - A Basic OS
Section 1 of Intro to Operating Systems TextbookSection 1 of Intro to Operating Systems Textbook
Process and Thread Loader/ManagerProcess and Thread Loader/Manager
Memory ManagerMemory Manager
I/O ManagerI/O Manager
Security Reference MonitorSecurity Reference Monitor
Interrupt handling/Hardware abstractionInterrupt handling/Hardware abstraction
But no Section 2??But no Section 2??
No File SystemNo File System
No NetworkingNo Networking
No Kernel Mode/Privileged Device DriversNo Kernel Mode/Privileged Device Drivers
No Direct XNo Direct X
No SchedulingNo Scheduling
No…No…
Kernel mode has no pluggablesKernel mode has no pluggables
All of the kernel loaded at boot and hashed in the TPMAll of the kernel loaded at boot and hashed in the TPM
Close-Up Of The Lower RHSClose-Up Of The Lower RHS
Syscall Dispatcher
Porch
Nexus.exe
Kerneldebug
Nexus Core
HandleMgr
SSCAbstractor
ATCModule
(Nexus Callable Interfaces)
Nexus Abstraction Layer (NAL)
Nx* Functions
IntHandler
Sync
Objects
Mem
oryM
anager
Process Loader
Process
Manager
Thread M
anager
IO M
anager
NG
SC
B C
allsT
raps
Crypto
Runtim
eLibrary
Native S
RM
““Booting” the Booting” the NNexusexus
The Nexus is like a kernelThe Nexus is like a kernel
A kernel has to boot sometimeA kernel has to boot sometime
The Nexus can boot any timeThe Nexus can boot any time
It can shut down when it’s not needed (and It can shut down when it’s not needed (and restart later)restart later)
Nexus startup is atomic and protected Nexus startup is atomic and protected through new CPU instructionthrough new CPU instruction
Nexus is started in a controlled initial stateNexus is started in a controlled initial state
Shadow Process and ThreadsShadow Process and Threads
The Nexus has no schedulerThe Nexus has no scheduler
LHS threads to call the right to load and run LHS threads to call the right to load and run a RHS threada RHS thread
These LHS threads are part of the Agent’s These LHS threads are part of the Agent’s LHS shadow processLHS shadow process
Not getting scheduled again does not leak Not getting scheduled again does not leak a secreta secret
Safe RHS synchronization primitivesSafe RHS synchronization primitives
Device DriversDevice Drivers
NGSCB doesn’t change the device NGSCB doesn’t change the device driver modeldriver modelSecure reuse of Left Hand Side (LHS) driver Secure reuse of Left Hand Side (LHS) driver stacks wherever possiblestacks wherever possible
Right Hand Side (RHS) encrypted channel through LHS Right Hand Side (RHS) encrypted channel through LHS unprotected conduitunprotected conduit
NGSCB needs very minimal access to NGSCB needs very minimal access to real hardwarereal hardwareEvery line of privileged code is a potential security Every line of privileged code is a potential security riskrisk
No third-party codeNo third-party codeNo kernel-mode plug-insNo kernel-mode plug-ins
What NGSCB Needs From The What NGSCB Needs From The LHSLHS
Basic OS services - schedulerBasic OS services - scheduler
Device Driver work for Trusted Input / VideoDevice Driver work for Trusted Input / Video
Memory Management additions to allow nexus to Memory Management additions to allow nexus to participate in memory pressure and paging participate in memory pressure and paging decisionsdecisions
User mode debugger additions to allow User mode debugger additions to allow debugging of agents (explained later)debugging of agents (explained later)
Window Manager coordinationWindow Manager coordination
Nexus Manager Device driver (nexusmgr.sys)Nexus Manager Device driver (nexusmgr.sys)
NGSCB management software and servicesNGSCB management software and services
What Runs On The LHSWhat Runs On The LHS
Applications and Drivers still runApplications and Drivers still run
Viruses tooViruses too
Windows as you know it todayWindows as you know it today
Any software with minor exceptionsAny software with minor exceptions
The new hardware (HW) memory controller The new hardware (HW) memory controller won’t allow certain “bad” behaviors, e.g., won’t allow certain “bad” behaviors, e.g., code whichcode which
Copies all of memory from one location to the nextCopies all of memory from one location to the next
Puts the CPU into real modePuts the CPU into real mode
A Basic Application EnvironmentA Basic Application Environment
Virtualization of hardware fundamentals for AgentsVirtualization of hardware fundamentals for AgentsSealed storage, attestation, etc.Sealed storage, attestation, etc.
Minimal ServicesMinimal ServicesTrusted UI EngineTrusted UI Engine
XML Based Graphical Services for UIXML Based Graphical Services for UI
Input Routing/Focus ManagementInput Routing/Focus Management
Minimum Fonts (inc. Multiple Languages…)Minimum Fonts (inc. Multiple Languages…)
Windows ManagerWindows Manager
IPC IPC
TSPs (Trusted Service Provider)TSPs (Trusted Service Provider)Run in User Mode RHSRun in User Mode RHS
Provide ServicesProvide Services
Are “Drivers” for Trusted Input/VideoAre “Drivers” for Trusted Input/Video
Limited APIs for LHS services (Expo)Limited APIs for LHS services (Expo)
Standard Crypto LibrariesStandard Crypto Libraries
NGSCB FeaturesNGSCB Features
All NGSCB-enabled application capabilities All NGSCB-enabled application capabilities build off of four key features (the pillars!)build off of four key features (the pillars!)
Strong process isolationStrong process isolationSealed storageSealed storageSecure pathSecure pathAttestation Attestation
The first three are needed to protect against The first three are needed to protect against malicious code malicious code Attestation breaks new ground in distributed Attestation breaks new ground in distributed computingcomputing
““Subjects” (software, machines, services) can be Subjects” (software, machines, services) can be securely authenticated through code IDsecurely authenticated through code IDThis is separate from user authenticationThis is separate from user authentication
Strong Process IsolationStrong Process Isolation
Agents and Nexus run in curtained memoryAgents and Nexus run in curtained memory
Not accessible by other agentsNot accessible by other agents
Not accessible by the standardNot accessible by the standardWindows kernelWindows kernel
Not accessible by hardware DMANot accessible by hardware DMA
Enforced by NGSCB hardwareEnforced by NGSCB hardwareand softwareand software
Hardware notifies Nexus of certain operationsHardware notifies Nexus of certain operations
Nexus arbitrates page tables, control registers, Nexus arbitrates page tables, control registers, etc.etc.
Sealed StorageSealed Storage
Provides a method for encrypting data with a key Provides a method for encrypting data with a key rooted in the hardwarerooted in the hardware
Sealed data can only be accessed bySealed data can only be accessed byauthenticated entitiesauthenticated entities
Each Nexus generates a random keyset on first loadEach Nexus generates a random keyset on first load
TPM chip on motherboard protects the Nexus keysetTPM chip on motherboard protects the Nexus keyset
Agents use Nexus facilities to seal (encrypt and sign) Agents use Nexus facilities to seal (encrypt and sign) private dataprivate data
The Nexus protects the key from any other The Nexus protects the key from any other agent/application, and the hardware prevents any other agent/application, and the hardware prevents any other Nexus from gaining access to the keyNexus from gaining access to the key
Secure PathSecure Path
Secure inputSecure input
Secure session between device and NexusSecure session between device and Nexus
Protects both keyboard and mouseProtects both keyboard and mouse
USB for desktops, integrated inputUSB for desktops, integrated inputfor laptopsfor laptops
Secure outputSecure output
Secure channel between graphics adaptor and Secure channel between graphics adaptor and NexusNexus
AttestationAttestation
When requested by an agent, the Nexus can prepare a When requested by an agent, the Nexus can prepare a chain that authenticates:chain that authenticates:
Agent by digest, signed by the NexusAgent by digest, signed by the Nexus
Nexus by digest, signed by the TPMNexus by digest, signed by the TPM
TPM by public key, signed by OEM or IT departmentTPM by public key, signed by OEM or IT department
The machine owner sets policy to control which forms of The machine owner sets policy to control which forms of attestation each agent or group of agents can useattestation each agent or group of agents can use
Secure communications agent provides higher-level Secure communications agent provides higher-level services to agent developersservices to agent developers
Open a secure channel to a service using a secure session keyOpen a secure channel to a service using a secure session key
Respond to an attestation challenge from the service basedRespond to an attestation challenge from the service basedon user policyon user policy
I Think, Therefore I AmI Think, Therefore I AmDescartes ProblemDescartes Problem
Challenge for attestation must always come from Challenge for attestation must always come from outside the machineoutside the machine
Local (the user with a dongle) Local (the user with a dongle) Remote (some server)Remote (some server)
No nexus can directly determine if it is running in No nexus can directly determine if it is running in the secured environmentthe secured environmentNo Agent can directly determine if it is running in No Agent can directly determine if it is running in the secured environmentthe secured environmentMust use Remote Attestation or Sealed Storage Must use Remote Attestation or Sealed Storage to cache credentials or secrets to prove the to cache credentials or secrets to prove the system is soundsystem is sound
Policy Controlled By The Owner Policy Controlled By The Owner Of The MachineOf The Machine
NGSCB enforces policy but does not set the policyNGSCB enforces policy but does not set the policy
The hardware will load any nexusThe hardware will load any nexusBut only one at a timeBut only one at a time
Each nexus gets the same servicesEach nexus gets the same services
The hardware keeps nexus secrets separateThe hardware keeps nexus secrets separate
Nothing about this architecture prevents any nexus from running; Nothing about this architecture prevents any nexus from running; however, the owner can control which nexuses are allowed to runhowever, the owner can control which nexuses are allowed to run
Proposed software (nexus) policiesProposed software (nexus) policiesThe Microsoft nexus will run any agentThe Microsoft nexus will run any agent
The platform owner can set policy that limits thisThe platform owner can set policy that limits this
Owner could pick some other delegated evaluator Owner could pick some other delegated evaluator (e.g., my IT group) if they choose(e.g., my IT group) if they choose
Nexus Derivative WorksNexus Derivative Works
The user can run any nexus, or write his own The user can run any nexus, or write his own and run it, on the hardwareand run it, on the hardware
That nexus can only report the attestation That nexus can only report the attestation provided by the Trusted Platform Module (TPM)provided by the Trusted Platform Module (TPM)
The TPM won’t lieThe TPM won’t lie
The nexus cannot pretend to be another nexusThe nexus cannot pretend to be another nexus
Other systems will need to decide if they trust Other systems will need to decide if they trust the new derived nexusthe new derived nexus
Just need to prove to others your derivative is Just need to prove to others your derivative is legitimatelegitimate
Agent Derivative WorksAgent Derivative Works
The user can run any agent, or write his The user can run any agent, or write his own, and run it on the nexusown, and run it on the nexusThat agent can report the attestation That agent can report the attestation provided by the nexusprovided by the nexus
The nexus won’t lieThe nexus won’t lieThe agent cannot pretend to be The agent cannot pretend to be another agentanother agent
Other systems will need to decide if they Other systems will need to decide if they trust the new derived agenttrust the new derived agentJust need to prove to others your derivative Just need to prove to others your derivative is legitimateis legitimate
High Assurance ProcessHigh Assurance Process
Things Microsoft does todayThings Microsoft does todayDesignDesign
SpecificationsSpecificationsRequirementsRequirements
ImplementationImplementationSecure coding guidelinesSecure coding guidelinesCode reviewCode review
TestingTestingCode coverageCode coverageTest casesTest casesUnit / BVT testsUnit / BVT tests
Configuration ManagementConfiguration Management
High Assurance ProcessHigh Assurance Process
DesignDesignFormal specificationFormal specification
TCB MinimizationTCB Minimization
Layering / ModularizationLayering / Modularization
ImplementationImplementationCritical code generated through formal methodsCritical code generated through formal methods
Process and tools to tie implementation to specificationProcess and tools to tie implementation to specification
Mandatory code review processMandatory code review process
TestingTestingTest from specsTest from specs
Static and dynamic code review toolsStatic and dynamic code review tools
Dedicated penetration test teamDedicated penetration test team
Configuration ManagementConfiguration ManagementCode base tamperingCode base tampering
Insider subversionInsider subversion
NGSCB LayeringNGSCB Layering
Main OSMain OS
USBUSBDriverDriver
Nexus-Mode (RHS)Nexus-Mode (RHS)
NexusNexus
NexusMgr.sysNexusMgr.sys
HALHAL
NALNAL
TPM 1.2TPM 1.2
User Apps.User Apps.
AgentAgent
NCA Runtime LibraryNCA Runtime Library
Trusted UserTrusted UserEngine (TUE)Engine (TUE)
TSPTSP TSPTSP TSPTSP
AgentAgentAgentAgent
Standard-Mode (“std-mode” / LHS)Standard-Mode (“std-mode” / LHS)
UserUser
KernelKernel
HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video
KernelKernel
NGSCB LayeringNGSCB Layering
Main OSMain OS
USBUSBDriverDriver
Nexus-Mode (RHS)Nexus-Mode (RHS)
NexusMgr.sysNexusMgr.sys
HALHAL
TPM 1.2TPM 1.2
User Apps.User Apps.
AgentAgent
NCA Runtime LibraryNCA Runtime Library
TUETUE
TSPTSP TSPTSP TSPTSP
AgentAgentAgentAgent
Standard-Mode (“std-mode” / LHS)Standard-Mode (“std-mode” / LHS)
UserUser
KernelKernel
HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video
TUETUE TUETUE
KernelKernel
KernelKernel
NexusNexus
NGSCB RoadmapNGSCB Roadmap
Initial FocusInitial Focus Intermediate FocusIntermediate Focus Long-term FocusLong-term Focus
Target Target HardwareHardware
ClientClient ServerServer DevicesDevices
Target Target MarketMarket
Influencers and Influencers and DevelopersDevelopers
EnterpriseEnterprise EveryoneEveryone
Target Target AudienceAudience
• Government Government • DevelopersDevelopers• Targeted verticals Targeted verticals
• Information WorkersInformation Workers• VerticalsVerticals• ITIT
• Mobile workersMobile workers• ConsumersConsumers• GovernmentGovernment
Target Target ScenariosScenarios
• Remote AccessRemote Access• Secure CollaborationSecure Collaboration• Identity AttestationIdentity Attestation• Secure Application Secure Application
DevelopmentDevelopment• Privacy protectionPrivacy protection
• Productivity Productivity ApplicationsApplications
• Server applicationsServer applications• LOB and ERP LOB and ERP
applicationsapplications• IT infrastructure IT infrastructure • Privacy-enhanced Privacy-enhanced
applicationsapplications
• Mobile applicationsMobile applications• Consumer Consumer
commerce and commerce and entertainmententertainment
• IT centralized IT centralized management management
From Now To NGSCBFrom Now To NGSCB
LonghornLonghorn20032003
NGSCBNGSCBWinHECWinHEC
NGSCB SDKNGSCB SDK API PreviewAPI Preview Developer Preview Developer Preview (Pre-beta)(Pre-beta)
Beta SDKBeta SDK SDKSDK
NGSCB NGSCB compliant compliant HardwareHardware
Standard Standard x86 CPUx86 CPU
NANA NGSCB-NGSCB-ready ready desktop, desktop, laptop, and laptop, and workstationworkstation
NGSCB NGSCB Compliant Compliant hardwarehardware
Development Development EnvironmentEnvironment
NoneNone Some hardware; Some hardware; software emulator;software emulator;Preview SDKPreview SDK
Beta Beta hardware hardware and complete and complete SDKSDK
NGSCB NGSCB Compliant Compliant hardwarehardware
PDC, Oct 03PDC, Oct 03 OS Beta OS Beta
NGSCB DemoNGSCB Demo
SummarySummary
NGSCB is a combination ofNGSCB is a combination of
New hardware which creates secure space New hardware which creates secure space for…for…
……A new kernel, called the nexus, which…A new kernel, called the nexus, which…
……Will run applications in a secure memory Will run applications in a secure memory space, and which…space, and which…
……Will provide these agents with security Will provide these agents with security services so that they can…services so that they can…
……Provide users with trustworthy computingProvide users with trustworthy computing
Additional InformationAdditional Information
NGSCB preview with the Longhorn developer preview NGSCB preview with the Longhorn developer preview from the Microsoft Professional Developers Conference from the Microsoft Professional Developers Conference (PDC) (PDC)
SDK and ToolsSDK and ToolsSimulated hardware, nexus, process isolationSimulated hardware, nexus, process isolationhttp://msdn.microsoft.com/events/pdc/ http://msdn.microsoft.com/events/pdc/
Ask your vendors what NGSCB-enabled components Ask your vendors what NGSCB-enabled components they will providethey will provideRead the available white papers and specs Read the available white papers and specs
Http://www.microsoft.com/ngscbHttp://www.microsoft.com/ngscb
Subscribe to the WTPI information newsletter for Subscribe to the WTPI information newsletter for ongoing updates; send blank e-mail to ongoing updates; send blank e-mail to
[email protected]@pens.tm500.com
Send questions to our Q&A aliasSend questions to our Q&A [email protected][email protected]
© 2003 Microsoft Corporation. All rights reserved.© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.