Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Outlook.com wikipedia , lookup
Address space layout randomization wikipedia , lookup
Computer security wikipedia , lookup
Unix security wikipedia , lookup
Microsoft Security Essentials wikipedia , lookup
Mobile security wikipedia , lookup
Security-focused operating system wikipedia , lookup
A Technical Introduction to NGSCB Brandon Baker Windows Security Division Microsoft Corporation [email protected] Agenda Vision for NGSCB Define a basic NGSCB environment Standard-Mode/Left Hand Side (LHS) Nexus-Mode/Right Hand Side (RHS) Features – the 4 pillars High assurance NGSCB Roadmap Summary Next Generation Secure Computing Base Defined Microsoft’s Next-Generation Secure Computing Base (NGSCB) is a new security technology for the Microsoft Windows platform Uses both hardware and software to protect data Gives people new kinds of security and privacy protections in an interconnected world NGSCB is hardware enhanced security that sets the stage for the future of secure computing NGSCB Vision And Goals Vision NGSCB advances the PC ecosystem to meet customers’ requirements for security, privacy, and data protection Product Goal NGSCB will broaden the utility of the PC by delivering security on par with closed architecture systems while maintaining the flexibility of the Windows platform Business Goal NGSCB will help to revitalize the PC ecosystem by enabling a new generation of hardware and software products Why NGSCB? Vulnerabilities today Attacks on Core assets Attacks on Networks Attacks via Remote users/machines Open computing environment NGSCB can address software attacks on applications, secrets Damage from attacks can be compartmentalized and limited Protect software from software Threats Mitigated in V1 Tampering with Data Strong process isolation prevents rogue applications from changing NGSCB data or code while it is running Sealed storage verifies the integrity of data when unsealing it Information Disclosure Sealed storage prevents rogue applications from getting at your encrypted data Repudiation Attestation enables you to verify that you are dealing with an application and machine configuration you trust Spoofing Identity Secure path enables you to be sure that you’re dealing with the real user, not an application spoofing the user What NGSCB Isn’t An attempt to control users against their wishes Software which will destroy users’ data An invasion of privacy All about consumer media protection Protection against hardware attacks The final word in security NGSCB Quadrants Standard-Mode (“std-mode” / LHS) User User Apps. Rogue App. Rogue App. Main OS Kernel Bad Driver USB Bad Driver Driver Bad Driver HAL Hardware Input Video CPU Chipset NGSCB Quadrants Standard-Mode (“std-mode” / LHS) Nexus-Mode (RHS) Agent User Agent Agent Trusted User Engine (TUE) User Apps. TSP TSP TSP NCA Runtime Library Main OS Nexus Kernel USB NexusMgr.sys Driver NAL HAL Hardware Secure Input Secure Video TPM 1.2 CPU Chipset Partitioned System RHS = Security In the presence of adversarial LHS code NGSCB must not leak secrets → The RHS must NOT rely on the LHS for security LHS = Richness and Compatibility In the absence of LHS cooperation NGSCB doesn’t run → The RHS MUST rely on the LHS for stability and services Nexus - A Basic OS Section 1 of Intro to Operating Systems Textbook Process and Thread Loader/Manager Memory Manager I/O Manager Security Reference Monitor Interrupt handling/Hardware abstraction But no Section 2?? No File System No Networking No Kernel Mode/Privileged Device Drivers No Direct X No Scheduling No… Kernel mode has no pluggables All of the kernel loaded at boot and hashed in the TPM Close-Up Of The Lower RHS Nexus.exe Nx* Functions NGSCB Calls Syscall Dispatcher (Nexus Callable Interfaces) ATC Module Handle Mgr Nexus Abstraction Layer (NAL) Runtime Library Nexus Core Native SRM IO Manager Thread Manager Process Manager Traps Process Loader Memory Manager Sync Objects Porch Kernel debug Crypto SSC Abstractor Int Handler “Booting” the Nexus The Nexus is like a kernel A kernel has to boot sometime The Nexus can boot any time It can shut down when it’s not needed (and restart later) Nexus startup is atomic and protected through new CPU instruction Nexus is started in a controlled initial state Shadow Process and Threads The Nexus has no scheduler LHS threads to call the right to load and run a RHS thread These LHS threads are part of the Agent’s LHS shadow process Not getting scheduled again does not leak a secret Safe RHS synchronization primitives Device Drivers NGSCB doesn’t change the device driver model Secure reuse of Left Hand Side (LHS) driver stacks wherever possible Right Hand Side (RHS) encrypted channel through LHS unprotected conduit NGSCB needs very minimal access to real hardware Every line of privileged code is a potential security risk No third-party code No kernel-mode plug-ins What NGSCB Needs From The LHS Basic OS services - scheduler Device Driver work for Trusted Input / Video Memory Management additions to allow nexus to participate in memory pressure and paging decisions User mode debugger additions to allow debugging of agents (explained later) Window Manager coordination Nexus Manager Device driver (nexusmgr.sys) NGSCB management software and services What Runs On The LHS Applications and Drivers still run Viruses too Windows as you know it today Any software with minor exceptions The new hardware (HW) memory controller won’t allow certain “bad” behaviors, e.g., code which Copies all of memory from one location to the next Puts the CPU into real mode A Basic Application Environment Virtualization of hardware fundamentals for Agents Sealed storage, attestation, etc. Minimal Services Trusted UI Engine XML Based Graphical Services for UI Input Routing/Focus Management Minimum Fonts (inc. Multiple Languages…) Windows Manager IPC TSPs (Trusted Service Provider) Run in User Mode RHS Provide Services Are “Drivers” for Trusted Input/Video Limited APIs for LHS services (Expo) Standard Crypto Libraries NGSCB Features All NGSCB-enabled application capabilities build off of four key features (the pillars!) Strong process isolation Sealed storage Secure path Attestation The first three are needed to protect against malicious code Attestation breaks new ground in distributed computing “Subjects” (software, machines, services) can be securely authenticated through code ID This is separate from user authentication Strong Process Isolation Agents and Nexus run in curtained memory Not accessible by other agents Not accessible by the standard Windows kernel Not accessible by hardware DMA Enforced by NGSCB hardware and software Hardware notifies Nexus of certain operations Nexus arbitrates page tables, control registers, etc. Sealed Storage Provides a method for encrypting data with a key rooted in the hardware Sealed data can only be accessed by authenticated entities Each Nexus generates a random keyset on first load TPM chip on motherboard protects the Nexus keyset Agents use Nexus facilities to seal (encrypt and sign) private data The Nexus protects the key from any other agent/application, and the hardware prevents any other Nexus from gaining access to the key Secure Path Secure input Secure session between device and Nexus Protects both keyboard and mouse USB for desktops, integrated input for laptops Secure output Secure channel between graphics adaptor and Nexus Attestation When requested by an agent, the Nexus can prepare a chain that authenticates: Agent by digest, signed by the Nexus Nexus by digest, signed by the TPM TPM by public key, signed by OEM or IT department The machine owner sets policy to control which forms of attestation each agent or group of agents can use Secure communications agent provides higher-level services to agent developers Open a secure channel to a service using a secure session key Respond to an attestation challenge from the service based on user policy I Think, Therefore I Am Descartes Problem Challenge for attestation must always come from outside the machine Local (the user with a dongle) Remote (some server) No nexus can directly determine if it is running in the secured environment No Agent can directly determine if it is running in the secured environment Must use Remote Attestation or Sealed Storage to cache credentials or secrets to prove the system is sound Policy Controlled By The Owner Of The Machine NGSCB enforces policy but does not set the policy The hardware will load any nexus But only one at a time Each nexus gets the same services The hardware keeps nexus secrets separate Nothing about this architecture prevents any nexus from running; however, the owner can control which nexuses are allowed to run Proposed software (nexus) policies The Microsoft nexus will run any agent The platform owner can set policy that limits this Owner could pick some other delegated evaluator (e.g., my IT group) if they choose Nexus Derivative Works The user can run any nexus, or write his own and run it, on the hardware That nexus can only report the attestation provided by the Trusted Platform Module (TPM) The TPM won’t lie The nexus cannot pretend to be another nexus Other systems will need to decide if they trust the new derived nexus Just need to prove to others your derivative is legitimate Agent Derivative Works The user can run any agent, or write his own, and run it on the nexus That agent can report the attestation provided by the nexus The nexus won’t lie The agent cannot pretend to be another agent Other systems will need to decide if they trust the new derived agent Just need to prove to others your derivative is legitimate High Assurance Process Things Microsoft does today Design Specifications Requirements Implementation Secure coding guidelines Code review Testing Code coverage Test cases Unit / BVT tests Configuration Management High Assurance Process Design Formal specification TCB Minimization Layering / Modularization Implementation Critical code generated through formal methods Process and tools to tie implementation to specification Mandatory code review process Testing Test from specs Static and dynamic code review tools Dedicated penetration test team Configuration Management Code base tampering Insider subversion NGSCB Layering Standard-Mode (“std-mode” / LHS) Nexus-Mode (RHS) Agent User Agent Agent Trusted User Engine (TUE) User Apps. TSP TSP TSP NCA Runtime Library Main OS Nexus Kernel USB NexusMgr.sys Driver NAL HAL Hardware Secure Input Secure Video TPM 1.2 CPU Chipset NGSCB Layering Standard-Mode (“std-mode” / LHS) Nexus-Mode (RHS) Agent Agent Agent TUE TUE TUE User User Apps. Kernel TSP TSP TSP NCA Runtime Library Main OS Kernel USB Kernel Kernel NexusMgr.sys Driver HAL Nexus Hardware Secure Input Secure Video TPM 1.2 CPU Chipset NGSCB Roadmap Initial Focus Intermediate Focus Long-term Focus Target Hardware Client Server Devices Target Market Influencers and Developers Enterprise Everyone Target Audience • • • Government Developers Targeted verticals • • • Information Workers Verticals IT • • • Mobile workers Consumers Government Target Scenarios • • • • Remote Access Secure Collaboration Identity Attestation Secure Application Development Privacy protection • Productivity Applications Server applications LOB and ERP applications IT infrastructure Privacy-enhanced applications • • Mobile applications Consumer commerce and entertainment IT centralized management • • • • • • From Now To NGSCB Longhorn 2003 WinHEC PDC, Oct 03 OS Beta NGSCB NGSCB SDK API Preview Developer Preview (Pre-beta) Beta SDK SDK NGSCB compliant Hardware Standard x86 CPU NA NGSCBready desktop, laptop, and workstation NGSCB Compliant hardware Development Environment None Some hardware; software emulator; Preview SDK Beta NGSCB hardware Compliant and complete hardware SDK NGSCB Demo Summary NGSCB is a combination of New hardware which creates secure space for… …A new kernel, called the nexus, which… …Will run applications in a secure memory space, and which… …Will provide these agents with security services so that they can… …Provide users with trustworthy computing Additional Information NGSCB preview with the Longhorn developer preview from the Microsoft Professional Developers Conference (PDC) SDK and Tools Simulated hardware, nexus, process isolation http://msdn.microsoft.com/events/pdc/ Ask your vendors what NGSCB-enabled components they will provide Read the available white papers and specs Http://www.microsoft.com/ngscb Subscribe to the WTPI information newsletter for ongoing updates; send blank e-mail to [email protected] Send questions to our Q&A alias [email protected] © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.