next generation super computer base

7/29/2019 next generation super computer base

1/107

Next GenerationSecure ComputingBase

@SiS


2/107

Contents

Next Generation Secure ComputingBase Overview

Hardware Fundamentals For NGSCB

Part 1: Core Hardware Hardware Fundamentals For NGSCB

Part 2: Peripheral Hardware

Nexus Fundamentals


3/107

Next Generation SecureComputing Base Overview


4/107

Trustworthy Computing

Security

Privacy

Reliability

Business Integrity

Resilient to attack

Protects confidentiality, integrity,availability, and data

Dependable

Available when needed

Performs at expected levels

Individuals control personal data

Products and Online Services adhere to fairinformation principles

Help customers find appropriate solutions

Address issues with products and services

Open interaction with customers


5/107

NGSCB Vision And Goals

Vision NGSCB advances the PC ecosystem to meet

customers requirements forsecurity, privacy,and data protection

Product Goal NGSCB will broaden the utility of the PC by

delivering security on par with closedarchitecture systems while maintaining theflexibility of the Windows platform

Business Goal NGSCB will help to revitalize the PC ecosystem

by enabling a new generation of hardware andsoftware products


6/107

Customer Security Issues

Vulnerability introduced by enablingremote access

Illegal access and usage of sensitiveinformation

Difficulty in knowing who a company isdoing business with

Difficulty in doing patch management

Others Collaborating in a secure environment

Protecting secrets, e.g., key pairs, certificates

Virus and malicious code attacks


7/107

Why NGSCB?

Vulnerabilities today Attacks on Core assets

Attacks on Networks

Attacks via Remote users/machines

NGSCB can address software attackson applications, secrets

Damage from attacks can becompartmentalized and limited


8/107

How It Works: The PC


9/107

How It Works: Before NGSCB


10/107

How It Works: Before NGSCB


11/107

How it Works: Before NGSCB


12/107

NGSCB

How It Works: With NGSCB


13/107



14/107

NGSCB



15/107

Main OS

USBDriver

NexusMgr.sys

HAL

User Apps.

Nexus-Mode (RHS)

Nexus

NAL

Agent

NCA Runtime Library

Trusted UserEngine (TUE)

TSP TSP TSP

AgentAgent

NGSCB Quadrants

Standard-Mode (std-mode/LHS)

User

Kernel

SSCHardware Secure Input ChipsetCPUSecure Video


16/107

Four NGSCB Features Groups

The first three areneeded to protect

against malicious

code

Attestation breaksnew ground in

distributed

computingThe identity

of hardware,nexus, and

applications can

be proven

1

2

3

4


17/107

Addressing Customer NeedsWith NGSCB

Remote access Granularity of access at machine, nexus, and application level

Application to application connection rather than VPN connection

Patch management

IT can specify that only a known configuration of nexus and application canexecute or access corporate resources

Preventing illegal access of information Reinforce rights management by rooting key pair in hardware

Encryption of data based on secrets that never leave hardware

Agents development

Agents identity is rooted in secrets on the hardware Applications run in isolated process space and are impermeable to

software attack

Collaboration enablement End users can collaborate and communicate securely

End users can establish content authenticity by digital signature


18/107

Four NGSCB Features Groups


19/107

What Does This All Mean?

All NGSCB capabilities build off of four key features Strong process isolation

Root key for persistent secret protection

Secure path to and from the user

Attestation (hardware (HW)/software (SW) authentication) The first three are needed to protect against

malicious code

Attestation breaks new ground indistributed computing

Things (software, machines, services) can besecurely identified


20/107

NGSCB Quadrants

Main OS

USB Driver

Nexus-Mode (RHS)

Nexus

NexusMgr.sys

HAL

NAL

SSC

User Apps.

Agent

NCA Runtime Library


TSP TSP TSP

AgentAgent

Standard-Mode (LHS)

User

Kernel

Hardware Secure Input ChipsetCPUSecure Video


21/107

Nexus-Mode (RHS)

NCA Runtime Library


TSP TSP TSP

Four Key Features(1) Process Isolation

Standard-Mode (LHS)

User

Kernel

Hardware

Agent Agent Agent


22/107

Strong ProcessIsolation

Nexus Computing Agents, or NCAs,run in curtained memory

Not accessible by the standardWindows kernel

Not accessible by hardware DMA

Not accessible by other NCAs

Enforced by hardware and software

Changes to CPU, chipset

Nexus arbitrates page tables


23/107

Nexus Manager Abstraction Layer (NMAL)

Nexus Manager CoreNexus

DispatchServices

ShadowService AdminService NexusMgrIPC

Object SecurityManager

Shared ResourceManager

HW Allocator(memory

wholesaler)

Nexus Loader

Nexus-Mode (RHS)Standard-Mode (LHS)

User

Kernel

Hardware

Four Key Features(2) Secure Path To and From User

SecureInput

Filter Driver

SecureVideo

Filter Driver

Secure videoSecure Input


24/107

Secure Path To User

Secure input Encrypted session between USB device

and nexus

Changes to standard USB driver stack

Required for keyboard and mouse

Alternate solution being developed fornon-USB (laptops)

Secure output

Secure channel between graphics adaptorand nexus

Changes to graphics adaptor

Changes to video driver


25/107

Nexus-Mode (RHS)

Four Key Features(3) Sealed Storage

Standard-Mode (LHS)

User

Kernel

Hardware

Nexus

NAL

Agent

NCA Runtime Library


TSP TSP TSP

AgentAgent

SSC


26/107

Hardware ProtectionOf Secrets

Security Support Component (SSC)chip on motherboard

SSC holds a secure keyset Each nexus generates a random keyset

on first load

SSC provides hardware protection of the

nexus keyset

NCAs use nexus facilities to generateand protect keys


27/107

Nexus-Mode (RHS)

Four Key Features(4) Attestation

Standard-Mode (LHS)

User

Kernel

Hardware

Nexus

NAL

Agent

NCA Runtime Library


TSP TSP TSP

AgentAgent

SSC


28/107

AttestationSoftware/Hardware Authentication

When requested, the nexus can prepare achain that authenticates

NCA by digest, signed by the nexus

Nexus by digest, signed by the SSC

SSC by public key, signed by OEM

Other forms of attestation are possible that

provide less information Using trusted third party

User sets policy to control which NCAs canuse which forms of attestation


29/107

Hardware

ChipsetCPUSecureInput

SecureVideo

SSC


User

Kernel

Hardware Summary


30/107

Hardware Summary

Modified components CPU

Chipset

Secure video Secure input (keyboard and mouse)

Two versions: USB and laptop

New components SSC


31/107

A Qualitative Step Forward

NGSCB extends the Windows platform We provide the core, others will build the

solutions

We really want to enable others to build new and

exciting applications NGSCB is appropriate anywhere you could

possibly imagine needing privacy, security ordata protection

We will ship some solutions in the box Enough to provide immediate value


32/107

Scenario Categories

Secure remote access Corporate remote access

Secure client access to middle tier servers

Secure collaboration Chat and instant messaging

E-Mail

Rights management Digital signature


33/107

Secure Remote Access

Examples To a client/server app, using a custom NCA client

To your enterprise desktop, using a secure remotedesktop client

How it works Uses attestation for end-to-end authentication

Uses strong process isolation and secure path to theuser to be safe against attacks on the remote client

Uses an application private network (APN) forsecure communications Application-to-application encrypted session

More secure than a VPN because the protection extendsinto the application layer itself


34/107

Application Private NetworkApplication(Client NCA)

Presentation

Session

Transport

NetworkDatalink

Physical

Application(Server)

Presentation

Session

Transport

NetworkDatalink

Physical

Standard IP: vulnerable at every layer

NGSCB APN: extends protection to alllayers, so that only the client and serverapplications can use the connection

VPN: network layer and below are protected,including data on the wire but all software onthe client has access to the server connection


35/107

Secure Collaboration

Examples Secure e-mail

Secure text document creation and sharing

Secure instant messaging

Secure digital signaturewhat you see is what you sign

How it works

Uses rights management based on hardware protection ofsecrets to protect and control access to data

Uses strong process isolation and secure path to the user to

be safe against spoofing and snooping attacks Uses an APN for end-to-end messaging security


36/107

Secure Digital Signature

Micros oft Word

Thi s is text tha t sho ul d b e verifi ed as correct an d th en sig ne d.

Fi le Ed it Vi ew In se rt He lp

Sign Digi tall y...

When the user

clicks sign, theXML d ata is sign eand the signe d

data is returned to

the application

Secure Digital Signa ture

Thi s is text tha t sho ul d b e verifi ed as correct an d th en sig ned .

Sign

Cancel

USPS Signa tureSignature:

When the user wa nts to sign , the

text is ren de red by the ap plication

into a standard XML-based formatand passed to the digital signatur

agent

NOTE: for

explanatorypurposesonly; this isnot actual UI


37/107

Hardware FundamentalsFor NGSCB

Part 1: Core Hardware


38/107

Agenda

Threat Models What is NGSCB and Why?

What does NGSCB do?

NGSCB Features and Details

Strong Process Isolation

Attestation

Sealed Storage

Call to Action


39/107

Next Generation SecureComputing Base (NGSCB)Defined

New security technology for the MicrosoftWindows platform

Unique hardware and software architecture

Protected computing environment inside theWindows PC

A virtual vault that will sit side by side with theregular Windows environment

New kinds of security and privacyprotections for computers


40/107

NGSCB Quadrants

Main OS

USB Driver

Nexus-Mode (RHS)

Nexus

NexusMgr.sys

HAL

NAL

SSC

User Apps.

Agent

NCA Runtime Library


TSP TSP TSP

AgentAgent

Standard-Mode (LHS)

User

Kernel



41/107

NGSCB: Threat Models

Our Threat Model NO Software-Only Attacks Against Nexus-Space

Operations

NO Break-Once/Break-Everywhere (BOBE) attacks

No Software-Only Attacks means No attacks based on micro-code, macro-code,

adapter card scripts, etc.

Any attacks launched from the Web or e-mail are

software only

Protection only applies to the releaseof secrets

Viruses could still delete encrypted files


42/107

NGSCB: Threat Models

No BOBE attacks means Attacks dont scale

Each Security Support Component (SSC) hasunique keys

Data MUST use unique or partially unique,rather than global keys

One person breaking one machine yieldsthe secrets sent to that machine only

Does NOT allow that person to tell everybodyelse in the world how to break content

Does allow the release of content bound tothat machine

?


43/107

What And Why?

Modifications to allow PCs to be used innew ways Hardware changes

Software changes

Allows users to interact with entities eitherinside or outside the machine: Show them what code is running

Make believable promises about code

Prove that those promises are durable Changes what can be believed about

computation Not what can be done with it

Wh A d Wh ?


44/107

What And Why?

This is the Next Big Thing Windowing in the 80s

Networking in the 90s

Security in the 00s

Security and trust will advance thePC ecosystem

Customers are demanding higher securityand privacy

From end-users to enterprises

Governments are mandating as well

Opens new markets that rely on trustworthiness ofinformation technology

Wh D NGSCB D ?


45/107

What Does NGSCB Do?

Creates a safe region called nexus-spaceinside of a regular PC

Think of an access-controlled, high-security vaultin an open market

All the rest of the PC is still present Apply full power and speed of the PC to

security functions

Co-processors dont scale with the CPU

Adding main memory wont speed them up

Majority of the hardware is unchanged

E.g., PCI, Serial, Parallel, Memory

Wh D NGSCB D ?


46/107

What Does NGSCB Do?

NGSCB Code on NGSCB Hardware Designed to stop all software only threats

in nexus-space

Run all the old code Very obscure exceptions

Qualitatively different

Profound change in what can be believed,and hence, trusted

Wh t D NGSCB D ?


47/107

What Does NGSCB Do?

Enhances Security Vault to store important material

Both locally and remotely attestable

Realistic control over which code can touch which data

Control given to software, by users

EnhancesRobustness

Better user control of what can run in NGSCB; what it can do

Enhances Privacy

Users can know which code is doing what with private

information Users can delegate privacy decisions in a usable way

H D NGSCB W k


48/107

How Does NGSCB Work

New kind of process, called a NexusComputing Agent, or NCA, or Agent

Very much like a traditional process, butruns in a much more spartan environment

The Key Assertions may be appliedto agents

K A ti


49/107

Key Assertions

The agent is what it is attested to be The agent is running in the attested environment

and THEREFORE

The agent will be initiated correctly

Agent behavior cannot be permuted by attacking initialization

The agent is isolated

From other agents

From the Left Hand Side (LHS)

Not even debuggers or device drivers can alter the agentat runtime

The agent has someplace to keep a secret

On clients, agents will have a secure path to the user

NGSCB C t t


50/107

Main OS

Drivers

HAL

User Programs

NGSCB: Context

Standard-Mode (LHS)

UserMode

KernelMode

DLL DLL

What exists in todayssystems

Main OS is rich,compatible with vastarray of stuff,

supports vast array ofhardware it is large

User can installdrivers which getprivileged access to

memory remoteparties can never besure the program hasnot been negativelyimpacted by the driver

NGSCB Q d t


51/107

NGSCB Quadrants

Main OS

Driver

Nexus-Mode (RHS)

Nexus

NexusMgr.sys

HAL

NAL

SSC

User Apps.

Agent AgentAgent

Standard-Mode (LHS)

User

Kernel


NxSvc.exe

NGSCB Q d t


52/107

Main OS

Driver

Nexus-Mode (RHS)

Nexus

NexusMgr.sys

HAL

NAL

SSC

User Apps.

Agent AgentAgent

Standard-Mode (LHS)

User

Kernel


NxSvc.exe

NGSCB Quadrants

NGSCB


53/107

NGSCB:Strong Process Isolation

Machine is locked into flat paged mode

Address-Translation-Control prohibits std-mode code from mapping a nexus-mode page

No CPU access to memory w/out mapping

Requires CR3 loads trap to nexus

Requires alteration of maps

Requires PTE-writes to trap to the nexus or befiltered by hardware

Chipset/Memory controller maintains a per-pagelist of pages to which DMA is prohibited, period

NGSCB Att t ti


54/107

NGSCB: Attestation

Attestation is a crypto-signed digestof some code

Proof that some bit vector is known

by this digest SSC and CPU compute digest of nexus

at nexus boot

Nexus computes the digest of agents Digests are gathered together to make

attestation vector that is passed backto a challenger

NGSCB Att t ti


55/107

NGSCB: Attestation

Root of attestation stack is the securitysupport component (SSC)

Proof valid because the SSC provides aproof of a secret that only the SSC knows

This secret never leaves the SSC

Secret not revealed

Secret not a privacy hazard

NGSCB Attestation


56/107

NGSCB: AttestationExample

Digest1 is for the SSC

Establishes confidence in validity of NGSCBhardware

Digest2 is for the nexus Establishes confidence in validity of nexus

Has meaning only if Digest1 is valid

Digest3 is for the agent Establishes confidence in validity of agent

Has meaning only if Digest1 and Digest2 are valid

NGSCB Attestation Caveat


57/107

NGSCB: Attestation Caveat

Attestation is NOT a judgment of codequality or fitness

Hardware will run any nexus, and attest tothe digest of any nexus

Our nexus will run any agent (inaccordance with user policy) and attest tothe digest of that agent

Attestation leaves judgment up tochallenger

Done with excellent confidence

Not up to hardware/nexus

NGSCB: Attestation


58/107

NGSCB: Attestation Hardware

Attestation is implemented at the rootby the SSC

Must be tightly bound to the CPU and thechipset for

Booting of the nexus

Attestation of the nexus

Chain of attestation

NGSCB: Seal


59/107

NGSCB: Seal

Heres a good mental model Seal(secret) cryptoblob(secret)

Crytoblob(secret) may be stored anywhere

The call is really

Seal(secret, DigestOfEnvironment, DigestOfCallingAgent,MigrationControls) cryptoblob(secret)

Unseal(cryptoblob(somesecret)) somesecret

BUT Unseal is really

Unseal(cryptoblob(somesecret), DigestOfEnvironment,DigestOfCallingAgent) somesecret | nothing

If the Digest of the environment or the calling agent doesnot match with those that did the seal, Unseal returns **NOTHING **

NGSCB: Seal


60/107

NGSCB: Seal

What it means If we ignore migration and indirection

Seal/Unseal say that if agent A running on environment Bseals a secret, then,

Only agent A running on environment B can unseal it

This gives agent A a way to hide a key

Seal is implemented by the nexus in cooperationwith the SSC

Same hardware build rules as for attestation

What's an "environment" Matching attestation vector for nexus-mode only

Booting some other OS that can call the SSC does NOT revealthe secrets

NGSCB: Seal


61/107

NGSCB: Seal

Migration and indirection Caller gets to specify certain properties

What agents may unseal the secret

What hardware may unseal the secret

What nexus may unseal the secret What users may unseal the secret

Agents shouldnt seal against the SSC They should seal against the nexus

which seals against the SSC

Backup, restore, migration are allpossible using intermediate keysand certificates


62/107

Hardware FundamentalsFor NGSCB

Part 2: Peripheral Hardware

GSCB: Desktop Secure Input


63/107

GSCB: Desktop Secure Input

Threat Model NO Software Only Attacks Against Secured

Keystrokes


Out of scope People swapping the keyboard hardware

Patching into the keyboard cable

Sticking some device between the keyboard andthe box

All require a physical attack

Cannot send a physical attack via e-mail

Secure Input


64/107

Hazard

Nexus-Mode (RHS)

Secure Input


User

Kernel

USB

HostController

Secure Input


65/107

Nexus-Mode (RHS)

Secure Input


User

Kernel

E = Encrypted

Hazard

USB

HostController

E

E

Secure Input


66/107

Nexus-Mode (RHS)

Secure Input


User

Kernel

E = Encrypted

Hazard

USB

HostController

E

E

Secure Input


67/107

Nexus-Mode (RHS)

Secure Input


User

Kernel

E = Encrypted

E

USB

HostController

HazardE

Secure Input


68/107

Nexus-Mode (RHS)

Secure Input


User

Kernel

E = Encrypted

E

USB

HostController

HazardE

Secure Input


69/107

Nexus-Mode (RHS)

p


User

Kernel

E = Encrypted

E

USB

HostController

DecryptedText

HazardE

Mobile PC Secure Input


70/107

Nexus-Mode (RHS)

p


User

Kernel

E = Encrypted

Key Board

Controller(KBC)

ChipsetSouth Bridge

(LPC busController)

E

Hazard

E

Secure Input


71/107

Secure Input

Encryption for Human Interface Device(HID) will be done on the outboard sideof a USB host

1. Built into USB root hub

2. Built into any USB hub

3. Inside the device of interest

4. In-line device (dongle) between the

machine and the input device

Best solution is #1

Secure Input Work In Progress


72/107

Secure Input Work In Progress

For desktops Evaluating several different ways of establishing

shared secret

Security versus OEM and IT deployment tradeoffs

For laptops Evaluating different ways to partition Secure Input

Path firmware/microcode in Embedded Controller

Legacy versus security certification issues

Alternatives being evaluated More information in calls-to-action

Secure Video


73/107

Secure Video

Threat Model for video NO Software-Only attacks against Secure Windows

and the information displayed in them


This is not the ONLY hazard relevant to allstake holders

It is what we can secure

Security for external video interfaces is a matter

for hardware standards NGSCB could support link protections but wont require it

Secure Video


74/107

Nexus-Mode (RHS)Standard-Mode (std-mode/LHS)

User

Kernel

USB

HostController

Graphics

Adaptor(nexus-mode)

GraphicsAdaptor

(std-mode)

Hazard

Secure Video


75/107

Secure Video

Secure Video assures Secure windows cannot be obscured

Secure windows cannot be captured byunauthorized software

Secure windows cannot be altered byunauthorized software

Graphics adaptor may communicate

with display in various formats We are working on accessibility

Secure Video


76/107

Secure Video

The Challenge How does the video data get from

nexus-mode to the graphics processor?

Two general ways

Closed path video MUST be integrated device

Depends on special hardware path from nexus tovideo device

Works when the video device is in close cooperation

with the memory controller Encrypted path data is encrypted in

nexus-mode and decrypted by thegraphics adaptor

Can reuse LHS driver stack

Closed Path T-Vid


77/107


User

Kernel

USB

HostController

Trusted

VideoAbstractor

Graphics

Adaptor(nexus-mode)

GraphicsAdaptor

(std-mode)

Hazard

Crypto Path T-Vid


78/107


User

E = Encrypted

USB

HostController

Trusted

VideoAbstractor

EGraphics

Adaptor(nexus-mode)

GraphicsAdaptor

(std-mode)

E Hazard

Kernel

NGSCB: Ecosystem


79/107

NGSCB: Ecosystem

Works today on x86 flat 32-bitarchitectures from multiple sources

Could work on any CPU with

User/kernel modes Page granular virtual memory mapping

With effort, could be adapted to otherCPU models

NGSCB: Ecosystem


80/107

NGSCB: Ecosystem

Building an NGSCB capable machinerequires:

NGSCB

CPU

NGSCB

Chipset

SSCSecure

Input

Secure

Video

All working in conjunction

Include tamper resistant/detecting hardware to pursue specific

opportunities

NGSCB: Changing The Nexus


81/107

NGSCB: Changing The Nexus

The digest of the nexus is the basis for trust inthe system So a change to the nexus is non-trivial

Hardware changes which require nexus changes will facedelays in market support We are working closely with core-logic vendors to minimize risk

For RHS input and output its important to getthings right

This means that there will be a small number of practical*INTERFACES* for trusted-input and trusted-output This is about INTERFACES, not gates, technologies, fabs, speeds, or

costs; INTERFACES Microsoft is working to define these INTERFACES with leading

providers of video and USB hardware

LHS interfaces and software can change in thenormal ways


82/107

Nexus Fundamentals

Device Drivers


83/107

Device Drivers

NGSCB doesnt change the devicedriver model

NGSCB needs very minimal access toreal hardware

Secure reuse of Left Hand Side (LHS) driverstacks wherever possible Right Hand Side (RHS) encrypted channel through

LHS unprotected conduit

Every line of privileged code is a potentialsecurity risk No third-party code

No kernel-mode plug-ins

Partitioned System


84/107

Partitioned System

RHS = Security In the presence of adversarial LHS code

the system must not leak secrets

The RHS must NOT rely on the LHS

for security

LHS = Richness and Compatibility

In the absence of LHS cooperation

NGSCB doesnt run The RHS MUST rely on the LHS for stability

and services

What Runs On The LHS


85/107

What Runs On The LHS

Applications and Drivers still run Viruses too

Windows as you know it today

Any software with minor exceptions The new hardware (HW) memory

controller wont allow certain badbehaviors, e.g., code which

Copies all of memory from one location tothe next

Puts the CPU into real mode

What NGSCB Needs From


86/107

What NGSCB Needs FromThe LHS

Device Driver work for Trusted Input / Video

Memory Management additions to allownexus to participate in memory pressure and

paging decisions User mode debugger additions to allow

debugging of agents (explained later)

Window Manager coordination Nexus Manager Device driver (nexusmgr.sys)

NGSCB management software and services

Close-Up Of The Lower RHS


87/107

Close Up Of The Lower RHS

Syscall Dispatcher

Porch

Nexus.exe

Kernel

debug

Nexus Core

Handle

Mgr

SSC

Abstractor

ATC

Module

(Nexus Callable Interfaces)

Nexus Abstraction Layer (NAL)

Nx* Functions

Int

Handler

Sync

Objects

Memory

Manager

ProcessLoader

Process

Manager

T

hreadManager

IOManager

NGSCB

Calls

Traps

Crypto

Runtime

Library

NativeSRM

I Think, Therefore I Am


88/107

I Think, Therefore I AmDescartes Problem

Challenge for attestation must always comefrom outside the machine Local (the user with a superkey)

Remote (some server) No nexus can directly determine if it is

running in the secured environment

No Agent can directly determine if it is

running in the secured environment Must use Remote Attestation or Sealed

Storage to cache credentials or secrets toprove the system is sound

Nexus Derivative Works


89/107

Nexus Derivative Works

The user can run any nexus, or write hisown and run it, on the hardware

That nexus can only report the attestationprovided by the Security Support

Component (SSC) The SSC wont lie

The nexus cannot pretend to be another nexus

Other systems will need to decide if they

trust the new derived nexus

Just need to prove to others your derivativeis legitimate

Agent Derivative Works


90/107

Agent Derivative Works

The user can run any agent, or writehis own and run it, on the nexus

That agent can report the attestationprovided by the nexus The nexus wont lie

The agent cannot pretend to beanother agent

Other systems will need to decide ifthey trust the new derived agent

Just need to prove to others yourderivative is legitimate

Policy Controlled By The


91/107

Policy Controlled By TheOwner Of The Machine

NGSCB enforces policy but does not set the policy

The hardware will load any nexus

But only one at a time

Each nexus gets the same services The hardware keeps nexus secrets separate

Nothing about this architecture prevents any nexus fromrunning; however, the owner can control which nexuses areallowed to run

Proposed software (nexus) policies The Microsoft nexus will run any agent

The platform owner can set policy that limits this

User gets to pick some other delegated evaluator(e.g., my union) if they choose

Policy Notes


92/107

Policy Notes

Policy is a way for users and machineowners to make general, abstractstatements, about what software runs

Run any agent I click

Run only agents whose source Ive read

Run agents that a third party I trust, trusts

The point of policy is to enable the

users to control what runs on theirmachines

Next Generation Secure


93/107

Next Generation SecureComputing Base Defined

Microsofts Next-Generation SecureComputing Base (NGSCB) is a newsecurity technology for the Microsoft

Windows platform Uses a unique hardware and

software design

Gives people new kinds of security andprivacy protections in aninterconnected world

NGSCB Quadrants


94/107

Main OS

USB Driver

Nexus-Mode (RHS)

Nexus

NexusMgr.sys

HAL

NAL

SSC

User Apps.

Agent

NCA Runtime Library


TSP TSP TSP

AgentAgent

Standard-Mode (std-mode / LHS)

User

Kernel


Booting The Nexus


95/107

oot g e e us

Nexus is like an OS kernel, so it mustboot sometime

Can boot long after main OS

Can shut down long before main OS(and restart later)

NGSCB Nexus Manager


96/107

Nexus Manager Abstraction Layer (NMAL)

Nexus Manager CoreNexus

DispatchServices

Shadow

Service

Admin

Service

NexusMgr

IPC

Object SecurityManager Shared ResourceManager

HW Allocator

(memorywholesaler)

Nexus Loader


User

Kernel

Hardware

SecureInput

Filter Driver

SecureVideo

Filter Driver

Secure videoSecure Input

Booting The Nexus


97/107

g

NexusMgr is a kernel mode LHScomponent

Read and map the nexus code

Allocate some pages from the main OS

Pass that list of pages to the nexus viasome platform-specific code/hardware

Digest the nexus (with hardware help)

Now the nexus starts, initializesAddress Translation Control (ATC),and returns control to the LHS

Address Translation


98/107

Protected Page

Normal Page

AddressTranslation

Normal PageVirtualaddresses

Address Translation Control


99/107

This is curtained memory (or strongprocess isolation)

Cant tamper with a page unless you have amapping to it

On current PCs

Any kernel mode code can modify Virtual Address (VA) Physical Address (PA) mapping structures

Theres untrusted code in kernel mode

NGSCB hardware calls nexus before

Page map changes (process swap) Edits to mapping structures

Turning off paging



100/107

When the page map changes,the nexus

Walks the tree of pages it maps

Makes sure no protected pages aremapped

No read/write mappings to the page map

Now the map will remain safe, so

hardware and software can manage a listof known safe page maps



101/107

When a mapping structure changes,the nexus

Walks the tree of pages getting mapped

Makes sure no protected pages aregetting mapped

Ensures no read/write mappings to thepage map

ATC will almost always allow themapping to change

Legacy code will still work unless itattempts to access nexus space pages



102/107

ATC protects Agent and nexus data

Agent and nexus code

All page mapping structures (LHS/RHS) Also protected from DMA (thanks to

special hardware)

Correct ATC implementation vital toNGSCB security

Memory Management (MM)


103/107

y g ( )

Simplicity, robustness preferred overmaximizing performance

Allocate/free whole pages

No shared memory between agents No paging-to-disk in this version

If nexus were to page to disk, it wouldencrypt and sign the pages, then ask themain OS to flush them

Memory Management (MM)


104/107

y g ( )

Nexus keeps some free pages that ATCis protecting

Nexus can request extra pages fromkernel via NexusMgr (seize)

Nexus MM asks ATC if new pages aresafe to use - any left side mappings?

Nexus can give surplus pages back tokernel if the kernel needs them

Nexus Abstraction Layer (NAL)


105/107

Multiple CPU vendors Different Security Support

Components (SSC)

Much nexus code is architectureindependent

Interrupts


106/107

p

Interrupts enabled on the RHS Most drivers are still on the LHS

Sowhat if an interrupt for the NIC, SCSI

card, etc. happens on the right? Nexus asks Porch to transition to

the LHS

NexusMgr replays the interrupt

Nexus Also Protects


107/107

Model specific registers (MSRs) Some MSRs are used to implement NGSCB,

but most will be accessible by left side code

I/O ports

Combined with ATC, this means PCI configspace is protected

Things like the DMA exclusion list are in

chipset registers, so we must protect them The NAL helps decide what to protect

next generation super computer base

Documents