Next Generation Secure Next Generation Secure Computing Base Computing Base

John ManferdelliJohn Manferdellijmanfer@microsoft.comjmanfer@microsoft.comSecurity Business UnitSecurity Business UnitMicrosoft CorporationMicrosoft Corporation

The ProblemThe Problem

Corp network

extr

anet

internet

Personal firewall

2-factor authentication, one time password, digital signature

Antivirus software

Coredata, IP, apps, “secrets”

Edge

Remote

ACL

Network IDS

Encryption

Air gap network

VA toolsReporting tools

Config and patch mgt

Monitoring tools

VPN

Firewall, Proxy server

HSM

Network level Encryption

Content screening

SSL

Network segmentation

IPsec

“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.”

Professor Gene Spafford Perdue CERIAS

Next Generation Secure Next Generation Secure Computing Base DefinedComputing Base Defined

Microsoft’s Next-Generation Secure Microsoft’s Next-Generation Secure Computing Base (NGSCB) is a bad Computing Base (NGSCB) is a bad name for a new security technology for name for a new security technology for the Microsoft Windows platform the Microsoft Windows platform Uses a unique hardware and software Uses a unique hardware and software

design design New kind of security model for integrity, New kind of security model for integrity,

confidentiality and trust negotiation in an confidentiality and trust negotiation in an interconnected worldinterconnected world

NGSCB Security GoalsNGSCB Security Goals

•Protect data and processing against Protect data and processing against software software attackattack

Provide a strong way to authenticate machines and Provide a strong way to authenticate machines and software.software.

Provide “compartmentalization” of secure applicationsProvide “compartmentalization” of secure applications Small, dynamically materialized security perimeters with Small, dynamically materialized security perimeters with unspoofable TCBsunspoofable TCBs

Provide safe haven in “network rich” environmentProvide safe haven in “network rich” environment

Key NGSCB ComponentsKey NGSCB Components

Main OSMain OS

USBUSBDriverDriver

NexusMgr.sysNexusMgr.sys

HALHAL

User Apps.User Apps.

Nexus-Mode (RHS)Nexus-Mode (RHS)

NexusNexus

NALNAL

AgentAgent

NCA Runtime LibraryNCA Runtime Library

Trusted UserTrusted UserEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

AgentAgentAgentAgent

NGSCB QuadrantsNGSCB QuadrantsStandard-Mode (“std-mode”/LHS)Standard-Mode (“std-mode”/LHS)

UserUser

KernelKernel

SSCSSC Hardware Hardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video

Attestation extends TCBAttestation extends TCB

Another program can rely on this key Another program can rely on this key without a central authoritywithout a central authority

Don’t try this at home, safe protocol is Don’t try this at home, safe protocol is more complicatedmore complicated

May be replaced by Zero Knowledge May be replaced by Zero Knowledge ProtocolProtocol

Program generates public/private key Program generates public/private key pairpair

Platform signs statement “The Platform signs statement “The following public key is in an isolated following public key is in an isolated program with hash H under Nexus N.”program with hash H under Nexus N.”

Attestation CaveatAttestation Caveat

Attestation is NOT a judgment of code Attestation is NOT a judgment of code quality or fitnessquality or fitness Code could still be maliciousCode could still be malicious Code could still have bugs affecting Code could still have bugs affecting

securitysecurity

Attestation leaves judgment up to Attestation leaves judgment up to challengerchallenger Done with high confidenceDone with high confidence

What Runs On The LHSWhat Runs On The LHS

Windows as you know it today Windows as you know it today Applications and Drivers still runApplications and Drivers still run Viruses tooViruses too Any software with minor exceptionsAny software with minor exceptions

The new hardware (HW) memory The new hardware (HW) memory controller won’t allow certain “bad” controller won’t allow certain “bad” behaviors, e.g., code whichbehaviors, e.g., code which Puts the CPU into real modePuts the CPU into real mode

What the RHS Needs From What the RHS Needs From The LHSThe LHS

Memory Management changes to allow Memory Management changes to allow nexus to participate in memory nexus to participate in memory pressure and paging decisionspressure and paging decisions

Window Manager coordinationWindow Manager coordination IPC, scheduling, communicationIPC, scheduling, communication NGSCB management software and NGSCB management software and

servicesservices

Business ScenariosBusiness Scenarios

Secure machine monitorSecure machine monitor Lock-down and monitor machine policyLock-down and monitor machine policy Sandbox executionSandbox execution

Secure Real Time MessagingSecure Real Time Messaging Secure MailSecure Mail Secure Distributed ProcessingSecure Distributed Processing

Employee use of Enterprise ProgramsEmployee use of Enterprise Programs Employee use of Enterprise DataEmployee use of Enterprise Data Doctors access hospital recordsDoctors access hospital records

Guard machines from untrusted networkGuard machines from untrusted network Guard network from untrusted machinesGuard network from untrusted machines Guard programs from untrusted servicesGuard programs from untrusted services

Secure Secure CommunicationCommunication

Secure Network Secure Network AccessAccess

Secure Machine Secure Machine PolicyPolicy

Secure Remote Secure Remote AccessAccess

Business ScenariosBusiness Scenarios

AuctionsAuctions NegotiationsNegotiations On-line GamesOn-line Games

Protect data on user machineProtect data on user machine Protect spoofed machines and usersProtect spoofed machines and users Provide Secure AuditProvide Secure Audit

Protect personal data at AmazonProtect personal data at Amazon Secure RMS from software attackSecure RMS from software attack Protect Corporate Partner InformationProtect Corporate Partner Information

Books, movies, audio, softwareBooks, movies, audio, software Flexible use models: Differential pricingFlexible use models: Differential pricing Content not “orphaned” by new devicesContent not “orphaned” by new devices

Confidentiality Confidentiality EnforcementEnforcement

““Big” Rights Big” Rights ManagementManagement

Secure Secure CollaborationCollaboration

““Small” Rights Small” Rights ManagementManagement

NGSCB: Threat ModelsNGSCB: Threat Models

Our Threat ModelOur Threat Model No Software-Only Attacks Against RHS No Software-Only Attacks Against RHS No Break-Once/Break-Everywhere (BOBE) attacksNo Break-Once/Break-Everywhere (BOBE) attacks

No Software-Only Attacks means…No Software-Only Attacks means… No attacks based on micro-code, macro-code, No attacks based on micro-code, macro-code,

adapter card scripts, etc. adapter card scripts, etc. Any attacks launched from the Web or e-mail are Any attacks launched from the Web or e-mail are

“software only”“software only”

Protection only applies to the release Protection only applies to the release of secrets of secrets

HW Keys: Whose are they?HW Keys: Whose are they?

Answer: The Hardware Used only under explicit user policy.

NGSCB uses two hardware keys directly: One key is used by Sealed Storage

Generated when user “takes ownership” Only available to TPM Randomizing

One key is an RSA key used for Attestation Only signs statements like “Nexus with hash x asked me to sign

the following statement: y.”

Privacy safeguards built into hardware Opt-in Disclosure of (public) signing key components is restricted Use of keys in sole control of machine owner

Other Keys: Whose are Other Keys: Whose are they?they?

Answer: Entities authorized by users to access key services User’s personal Keys Service provider’s Keys Shared Keys

Microsoft neither owns nor has access to any HW keys. Key ownership is circumscribed and may not even

be known to entity relying on it.

Machine owner is in Machine owner is in complete controlcomplete control

Hardware cannot be used without Hardware cannot be used without explicit user permissionexplicit user permission

No nexus can run without explicit user No nexus can run without explicit user permissionpermission

No NCA can use key services without No NCA can use key services without user permissionuser permission

No NCA can run without explicit user No NCA can run without explicit user permissionpermission

PoliciesPolicies Everything that runs today will run on NGSCB Everything that runs today will run on NGSCB

systemssystems The platform will run any nexusThe platform will run any nexus

The user will be in charge of what nexuses he The user will be in charge of what nexuses he chooses to runchooses to run

The MS nexus will run any applicationThe MS nexus will run any application The user will be in charge of the applications that he The user will be in charge of the applications that he

chooses to runchooses to run

The MS nexus will interoperate with any The MS nexus will interoperate with any network service providernetwork service provider

The MS nexus source code will be made The MS nexus source code will be made available for reviewavailable for review

Misconceptions: NGCSBMisconceptions: NGCSB NGSCB will censor or disable content without NGSCB will censor or disable content without

user permissionuser permission No policy (except user policy) in NGSCB No policy (except user policy) in NGSCB

NGSCB will lock out vendors NGSCB will lock out vendors No permission (signatures) required to use NGSCB No permission (signatures) required to use NGSCB

NGSCB is “super” virus spreaderNGSCB is “super” virus spreader NGSCB applications do no run at elevated privilegeNGSCB applications do no run at elevated privilege

NGSCB NCA is not debuggableNGSCB NCA is not debuggable Yes it is. Yes it is.

This will hurt smart card vendorsThis will hurt smart card vendors No, it increases portable smart card valueNo, it increases portable smart card value

Misconceptions: TCPA/TCGMisconceptions: TCPA/TCG

It’s the Fritz chipIt’s the Fritz chip Nope. It’s an anti-Fritz chip.Nope. It’s an anti-Fritz chip.

TCPA/TCG refuses to run unlicensed softwareTCPA/TCG refuses to run unlicensed software Nope. Statement publicly denied by MS, HP and Nope. Statement publicly denied by MS, HP and

IBM.IBM.

Control will be exercised centrallyControl will be exercised centrally No central authorities requiredNo central authorities required Need for central authorities diminishedNeed for central authorities diminished

TC will remove effective control of PC from its TC will remove effective control of PC from its ownerowner Strengthens owner controlStrengthens owner control

NGSCB QuadrantsNGSCB Quadrants

Main OSMain OS

USBUSBDriverDriver

Nexus-Mode (RHS)Nexus-Mode (RHS)

NexusNexus

NexusMgr.sysNexusMgr.sys

HALHAL

NALNAL

SSCSSC

User Apps.User Apps.

AgentAgent

NCA Runtime LibraryNCA Runtime Library

Trusted UserTrusted UserEngine (TUE)Engine (TUE)

TSPTSP TSPTSP TSPTSP

AgentAgentAgentAgent

Standard-Mode (“std-mode” / LHS)Standard-Mode (“std-mode” / LHS)

UserUser

KernelKernel

HardwareHardware Secure InputSecure Input ChipsetChipsetCPUCPUSecure VideoSecure Video

““Booting” The NexusBooting” The Nexus

Nexus is like an OS kernel, so it must Nexus is like an OS kernel, so it must boot sometimeboot sometime

Can boot long after main OSCan boot long after main OS Can shut down long before main OS Can shut down long before main OS

(and restart later)(and restart later)

Boot a NexusBoot a Nexus

Nexus: Basic EnvironmentNexus: Basic Environment Section 1 of Intro to Operating Systems TextbookSection 1 of Intro to Operating Systems Textbook

Process and Thread Loader/ManagerProcess and Thread Loader/Manager Memory ManagerMemory Manager I/O ManagerI/O Manager Security Reference MonitorSecurity Reference Monitor Interrupt handing/Hardware abstractionInterrupt handing/Hardware abstraction

But no Section 2But no Section 2 No File SystemNo File System No NetworkingNo Networking No Kernel Mode/Privileged Device DriversNo Kernel Mode/Privileged Device Drivers No Direct XNo Direct X No SchedulingNo Scheduling No…No…

Kernel mode has no pluggablesKernel mode has no pluggables All of the kernel loaded at boot and in the PCRAll of the kernel loaded at boot and in the PCR

Nexus: Basic EnvironmentNexus: Basic Environment

Virtualization of hardware fundamentals for AgentsVirtualization of hardware fundamentals for Agents Sealed storage, attestation, etc.Sealed storage, attestation, etc.

Minimal ServicesMinimal Services Trusted UI EngineTrusted UI Engine

XML Based Graphical Services for UIXML Based Graphical Services for UI Input Routing/Focus ManagementInput Routing/Focus Management Minimum Fonts (inc. Multiple Languages…)Minimum Fonts (inc. Multiple Languages…) Windows ManagerWindows Manager

IPC IPC TSPs (Trusted Service Provider)TSPs (Trusted Service Provider)

Run in User Mode RHSRun in User Mode RHS Provide ServicesProvide Services Are “Drivers” for Trusted Input/VideoAre “Drivers” for Trusted Input/Video

Close-Up Of NexusClose-Up Of Nexus

Syscall Dispatcher

Porch

Nexus.exe

Kerneldebug

Nexus Core

HandleMgr

SSCAbstractor

ATCModule

(Nexus Callable Interfaces)

Nexus Abstraction Layer (NAL)

Nx* Functions

IntHandler

Sync

Objects

Mem

oryM

anager

Process Loader

Process

Manager

Thread M

anager

IO M

anager

NG

SC

B C

allsT

raps

Crypto

Runtim

eLibrary

Native S

RM

Code IdentityCode Identity

NexusNexus Cryptographic HashCryptographic Hash

AgentsAgents Manifest (or rather hash of manifest)Manifest (or rather hash of manifest)

Debugging PolicyDebugging Policy Public Key Public Key Corresponding Private key authorized to name Corresponding Private key authorized to name

cryptographic hashes of binaries that identify cryptographic hashes of binaries that identify “this program”“this program”

MetadataMetadata

Debugging The NexusDebugging The Nexus

The retail nexus cannot be debuggedThe retail nexus cannot be debugged The debug nexus can be debuggedThe debug nexus can be debugged Since these two nexuses are different Since these two nexuses are different

in at least one bit, their attestations are in at least one bit, their attestations are different as welldifferent as well

User Mode DebuggingUser Mode Debugging

No agents are debuggable without a change to their No agents are debuggable without a change to their code identitycode identity Attestation reflects this change Attestation reflects this change

Debugging the LHS Shadow Process means Debugging the LHS Shadow Process means debugging the Agentdebugging the Agent We’ve redirected the functions to Get and Set Thread We’ve redirected the functions to Get and Set Thread

Context and Read and Write Process MemoryContext and Read and Write Process Memory We’ve redirected RHS debug events to the LHS processWe’ve redirected RHS debug events to the LHS process Thread control “just works”Thread control “just works”

Well behaved debuggers that work with LHS Well behaved debuggers that work with LHS processes will also with agentsprocesses will also with agents

NGSCB: SealNGSCB: Seal

Here’s a good mental modelHere’s a good mental model Seal(secret) → cryptoblob(secret)Seal(secret) → cryptoblob(secret)

Crytoblob(secret) may be stored anywhereCrytoblob(secret) may be stored anywhere

The call is reallyThe call is really Seal(secret, DigestOfTargetEnvironment) → Seal(secret, DigestOfTargetEnvironment) →

cryptoblob(secret)cryptoblob(secret)

Unseal(cryptoblob(somesecret)) → Unseal(cryptoblob(somesecret)) → somesecretsomesecret

Unseal is reallyUnseal is really Unseal(cryptoblob(somesecret), Unseal(cryptoblob(somesecret),

DigestOfTargetEnvironment) → somesecretDigestOfTargetEnvironment) → somesecret

Secret MigrationSecret Migration

Caller gets to specify certain propertiesCaller gets to specify certain properties What agents may unseal the secretWhat agents may unseal the secret What hardware may unseal the secretWhat hardware may unseal the secret What nexus may unseal the secretWhat nexus may unseal the secret What users may unseal the secretWhat users may unseal the secret

Agents shouldn’t seal against the SSCAgents shouldn’t seal against the SSC They should seal against the nexus They should seal against the nexus

which seals against the SSCwhich seals against the SSC

Backup, restore, migration are all Backup, restore, migration are all possible using intermediate keys possible using intermediate keys and certificatesand certificates

WIIFM: Credential Based WIIFM: Credential Based SecuritySecurity

Single simple, flexible, scalable, distributed, credential based Single simple, flexible, scalable, distributed, credential based security model security model Programs, users, machines, channels as principalsPrograms, users, machines, channels as principals Fine-grained, persistent, declarative claim/assertion/authorization Fine-grained, persistent, declarative claim/assertion/authorization

languagelanguage General authentication and authorization primitivesGeneral authentication and authorization primitives

Manageable and FlexibleManageable and Flexible Non brittleNon brittle AdministrableAdministrable Projects Security Perimeter outside EnterpriseProjects Security Perimeter outside Enterprise

Framework for policy enforcementFramework for policy enforcement Desktop LockdownDesktop Lockdown Policy assurance (Virus policy, IDS, …)Policy assurance (Virus policy, IDS, …)

Supports migration of existing Windows security servicesSupports migration of existing Windows security services