1 / 107

Next Generation Secure Computing Base

Next Generation Secure Computing Base. 黃志源 @SiS. Contents. Next Generation Secure Computing Base Overview Hardware Fundamentals For NGSCB Part 1: Core Hardware Hardware Fundamentals For NGSCB Part 2: Peripheral Hardware Nexus Fundamentals. Next Generation Secure Computing Base Overview.

nike
Télécharger la présentation

Next Generation Secure Computing Base

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Next Generation Secure Computing Base 黃志源 @SiS

  2. Contents • Next Generation Secure Computing Base Overview • Hardware Fundamentals For NGSCBPart 1: Core Hardware • Hardware Fundamentals For NGSCBPart 2: Peripheral Hardware • Nexus Fundamentals

  3. Next Generation Secure Computing Base Overview

  4. Resilient to attack Protects confidentiality, integrity, availability, and data Security Privacy Reliability Trustworthy Computing Individuals control personal data Products and Online Services adhere to fair information principles Dependable Available when needed Performs at expected levels Help customers find appropriate solutions Address issues with products and services Open interaction with customers Business Integrity

  5. NGSCB Vision And Goals • Vision • NGSCB advances the PC ecosystem to meet customers’ requirements for security, privacy, and data protection • Product Goal • NGSCB will broaden the utility of the PC by delivering security on par with closed architecture systems while maintaining the flexibility of the Windows platform • Business Goal • NGSCB will help to revitalize the PC ecosystem by enabling a new generation of hardware and software products

  6. Customer Security Issues • Vulnerability introduced by enabling remote access • Illegal access and usage of sensitive information • Difficulty in knowing who a company is doing business with • Difficulty in doing patch management • Others • Collaborating in a secure environment • Protecting secrets, e.g., key pairs, certificates • Virus and malicious code attacks

  7. Why NGSCB? • Vulnerabilities today • Attacks on Core assets • Attacks on Networks • Attacks via Remote users/machines • NGSCB can address software attacks on applications, secrets • Damage from attacks can be compartmentalized and limited

  8. How It Works: The PC

  9. How It Works: Before NGSCB

  10. How It Works: Before NGSCB

  11. How it Works: Before NGSCB

  12. How It Works: With NGSCB NGSCB

  13. How It Works: With NGSCB

  14. How It Works: With NGSCB NGSCB

  15. Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS) Agent Agent Agent User Trusted User Engine (TUE) User Apps. TSP TSP TSP NCA Runtime Library Nexus Kernel NAL SSC Hardware Secure Input Secure Video CPU Chipset NGSCB Quadrants Main OS USB NexusMgr.sys Driver HAL

  16. Four NGSCB Features Groups • The first three are needed to protect against malicious code • Attestation breaks new ground in distributed computing • The identity of hardware, nexus, and applications can be proven 1 4 2 3

  17. Addressing Customer Needs With NGSCB • Remote access • Granularity of access at machine, nexus, and application level • Application to application connection rather than VPN connection • Patch management • IT can specify that only a known configuration of nexus and application can execute or access corporate resources • Preventing illegal access of information • Reinforce rights management by rooting key pair in hardware • Encryption of data based on secrets that never leave hardware • Agents development • Agents identity is rooted in secrets on the hardware • Applications run in isolated process space and are impermeable to software attack • Collaboration enablement • End users can collaborate and communicate securely • End users can establish content authenticity by digital signature

  18. Four NGSCB Features Groups

  19. What Does This All Mean? • All NGSCB capabilities build off of four key features • Strong process isolation • Root key for persistent secret protection • Secure path to and from the user • Attestation (hardware (HW)/software (SW) authentication) • The first three are needed to protect against malicious code • Attestation breaks new ground in distributed computing • “Things” (software, machines, services) can be securely identified

  20. User Apps. NGSCB Quadrants Standard-Mode (LHS) Nexus-Mode (RHS) Agent Agent Agent User Trusted User Engine (TUE) TSP TSP TSP NCA Runtime Library Nexus Main OS Kernel USB NexusMgr.sys Driver NAL HAL SSC Hardware Secure Input Secure Video CPU Chipset

  21. Trusted User Engine (TUE) TSP TSP TSP NCA Runtime Library Four Key Features (1) Process Isolation Standard-Mode (LHS) Nexus-Mode (RHS) Agent Agent Agent User Kernel Hardware

  22. Strong Process Isolation • Nexus Computing Agents, or NCAs, run in curtained memory • Not accessible by the standard Windows kernel • Not accessible by hardware DMA • Not accessible by other NCAs • Enforced by hardware and software • Changes to CPU, chipset • Nexus arbitrates page tables

  23. Four Key Features(2) Secure Path To and From User Standard-Mode (LHS) Nexus-Mode (RHS) User Nexus Manager Abstraction Layer (NMAL) Nexus Manager Core Shadow Service Admin Service NexusMgr IPC Nexus Dispatch Services Secure Video Filter Driver Secure Input Filter Driver Kernel Object Security Manager Shared Resource Manager HW Allocator (memory wholesaler) Nexus Loader Secure Input Secure video Hardware

  24. Secure Path To User • Secure input • Encrypted session between USB device and nexus • Changes to standard USB driver stack • Required for keyboard and mouse • Alternate solution being developed for non-USB (laptops) • Secure output • Secure channel between graphics adaptor and nexus • Changes to graphics adaptor • Changes to video driver

  25. Agent Agent Agent Trusted User Engine (TUE) TSP TSP TSP NCA Runtime Library Four Key Features (3) Sealed Storage Standard-Mode (LHS) Nexus-Mode (RHS) User Kernel Nexus NAL SSC Hardware

  26. Hardware Protection Of Secrets • Security Support Component (SSC) chip on motherboard • SSC holds a secure keyset • Each nexus generates a random keyset on first load • SSC provides hardware protection of the nexus keyset • NCAs use nexus facilities to generate and protect keys

  27. Agent Agent Agent Trusted User Engine (TUE) TSP TSP TSP NCA Runtime Library Four Key Features (4) Attestation Standard-Mode (LHS) Nexus-Mode (RHS) User Kernel Nexus NAL SSC Hardware

  28. AttestationSoftware/Hardware Authentication • When requested, the nexus can prepare a chain that authenticates • NCA by digest, signed by the nexus • Nexus by digest, signed by the SSC • SSC by public key, signed by OEM • Other forms of attestation are possible that provide less information • Using trusted third party • User sets policy to control which NCAs can use which forms of attestation

  29. Hardware Summary Standard-Mode (LHS) Nexus-Mode (RHS) User Kernel SSC Hardware Secure Video Secure Input CPU Chipset

  30. Hardware Summary • Modified components • CPU • Chipset • Secure video • Secure input (keyboard and mouse) • Two versions: USB and laptop • New components • SSC

  31. A Qualitative Step Forward • NGSCB extends the Windows platform • We provide the core, others will build the solutions • We really want to enable others to build new and exciting applications • NGSCB is appropriate anywhere you could possibly imagine needing privacy, security or data protection • We will ship some solutions “in the box” • Enough to provide immediate value

  32. Scenario Categories • Secure remote access • Corporate remote access • Secure client access to middle tier servers • Secure collaboration • Chat and instant messaging • E-Mail • Rights management • Digital signature

  33. Secure Remote Access • Examples • To a client/server app, using a custom NCA client • To your enterprise desktop, using a secure remote desktop client • How it works • Uses attestation for end-to-end authentication • Uses strong process isolation and secure path to the user to be safe against attacks on the remote client • Uses an application private network (APN) for secure communications • Application-to-application encrypted session • More secure than a VPN because the protection extends into the application layer itself

  34. Standard IP: vulnerable at every layer VPN: network layer and below are protected, including data on the wire – but all software on the client has access to the server connection NGSCB APN: extends protection to all layers, so that only the client and server applications can use the connection Application Private Network Application (Client NCA) Application (Server) Presentation Presentation Session Session Transport Transport Network Network Datalink Datalink Physical Physical

  35. Secure Collaboration • Examples • Secure e-mail • Secure text document creation and sharing • Secure instant messaging • Secure digital signature – “what you see is what you sign” • How it works • Uses rights management based on hardware protection of secrets to protect and control access to data • Uses strong process isolation and secure path to the user to be safe against spoofing and snooping attacks • Uses an APN for end-to-end messaging security

  36. Secure Digital Signature NOTE: for explanatory purposes only; this is not actual UI

  37. Hardware Fundamentals For NGSCBPart 1: Core Hardware

  38. Agenda • Threat Models • What is NGSCB and Why? • What does NGSCB do? • NGSCB Features and Details • Strong Process Isolation • Attestation • Sealed Storage • Call to Action

  39. Next Generation Secure Computing Base (NGSCB)Defined • New security technology for the Microsoft Windows platform • Unique hardware and software architecture • Protected computing environment inside the Windows PC • A “virtual vault” that will sit side by side with the regular Windows environment • New kinds of security and privacy protections for computers

  40. User Apps. NGSCB Quadrants Standard-Mode (LHS) Nexus-Mode (RHS) Agent Agent Agent User Trusted User Engine (TUE) TSP TSP TSP NCA Runtime Library Nexus Main OS Kernel USB NexusMgr.sys Driver NAL HAL SSC Hardware Secure Input Secure Video CPU Chipset

  41. NGSCB: Threat Models • Our Threat Model • NO Software-Only Attacks Against Nexus-Space Operations • NO Break-Once/Break-Everywhere (BOBE) attacks • No Software-Only Attacks means… • No attacks based on micro-code, macro-code, adapter card scripts, etc. • Any attacks launched from the Web or e-mail are “software only” • Protection only applies to the release of secrets • Viruses could still delete encrypted files

  42. NGSCB: Threat Models • No BOBE attacks means • Attacks don’t scale • Each Security Support Component (SSC) has unique keys • Data MUST use unique or partially unique, rather than global keys • One person breaking one machine yields the secrets sent to that machine only • Does NOT allow that person to tell everybody else in the world how to break content • Does allow the release of content bound to that machine

  43. What And Why? • Modifications to allow PCs to be used in new ways • Hardware changes • Software changes • Allows users to interact with entities either inside or outside the machine: • Show them what code is running • Make believable promises about code • Prove that those promises are durable • Changes what can be believed about computation • Not what can be done with it

  44. What And Why? • This is the Next Big Thing • Windowing in the ‘80s • Networking in the ‘90s • Security in the ‘00s • Security and trust will advance the PC ecosystem • Customers are demanding higher security and privacy • From end-users to enterprises • Governments are mandating as well • Opens new markets that rely on trustworthiness of information technology

  45. What Does NGSCB Do? • Creates a safe region called nexus-space inside of a regular PC • Think of an access-controlled, high-security vault in an open market • All the rest of the PC is still present • Apply full power and speed of the PC to security functions • Co-processors don’t scale with the CPU • Adding main memory won’t speed them up • Majority of the hardware is unchanged • E.g., PCI, Serial, Parallel, Memory

  46. What Does NGSCB Do? • NGSCB Code on NGSCB Hardware • Designed to stop all software only threats in nexus-space • Run all the old code • Very obscure exceptions • Qualitatively different • Profound change in what can be believed, and hence, trusted

  47. What Does NGSCB Do? • Enhances Security • “Vault” to store important material • Both locally and remotely attestable • Realistic control over which code can touch which data • Control given to software, by users • EnhancesRobustness • Better user control of what can run in NGSCB; what it can do • Enhances Privacy • Users can know which code is doing what with private information • Users can delegate privacy decisions in a usable way

  48. How Does NGSCB Work • New kind of process, called a Nexus Computing Agent, or NCA, or Agent • Very much like a traditional process, but runs in a much more spartan environment • The Key Assertions may be applied to agents

  49. Key Assertions • The agent is what it is attested to be • The agent is running in the attested environment and THEREFORE • The agent will be initiated correctly • Agent behavior cannot be permuted by attacking initialization • The agent is isolated • From other agents • From the Left Hand Side (LHS) • Not even debuggers or device drivers can alter the agent at runtime • The agent has someplace to keep a secret • On clients, agents will have a secure path to the user

  50. User Programs NGSCB: Context Standard-Mode (LHS) • What exists in today’s systems • Main OS is rich, compatible with vast array of stuff, supports vast array of hardware – it is large • User can install drivers which get privileged access to memory – remote parties can never be sure the program has not been negatively impacted by the driver User Mode DLL DLL Main OS Kernel Mode Drivers HAL

More Related