Professional Documents
Culture Documents
Secure Computing
Base
黃志源
@SiS
Contents
Next Generation Secure Computing
Base Overview
Hardware Fundamentals For NGSCB
Part 1: Core Hardware
Hardware Fundamentals For NGSCB
Part 2: Peripheral Hardware
Nexus Fundamentals
Next Generation Secure
Computing Base Overview
Trustworthy Computing
Resilient to attack
Security Protects confidentiality, integrity,
availability, and data
NGSCB
How It Works: With NGSCB
How It Works: With NGSCB
NGSCB
NGSCB Quadrants
Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS)
User
Trusted User
Engine (TUE)
User Apps.
TSP TSP TSP
Main OS
Kernel Nexus
USB NexusMgr.sys
Driver NAL
HAL
Main OS
Kernel Nexus
USB NexusMgr.sys
Driver
NAL
HAL
User
Trusted User
Engine (TUE)
Kernel
Hardware
Strong Process
Isolation
Nexus Computing Agents, or NCAs,
run in curtained memory
Not accessible by the standard
Windows kernel
Not accessible by hardware DMA
Not accessible by other NCAs
Enforced by hardware and software
Changes to CPU, chipset
Nexus arbitrates page tables
Four Key Features
(2) Secure Path To and From User
Standard-Mode (LHS) Nexus-Mode (RHS)
User
Secure
Shadow Admin Nexus Mgr
Video Service Service IPC
Filter Driver
Nexus
Nexus Manager Core Dispatch
Secure Services
Kernel Input
Filter Driver HW Allocator
Object Security Shared Resource
(memory
Manager Manager
wholesaler)
Trusted User
Engine (TUE)
Kernel
Nexus
NAL
Hardware SSC
Hardware Protection
Of Secrets
Security Support Component (SSC)
chip on motherboard
SSC holds a secure keyset
Each nexus generates a random keyset
on first load
SSC provides hardware protection of the
nexus keyset
NCAs use nexus facilities to generate
and protect keys
Four Key Features
(4) Attestation
Standard-Mode (LHS) Nexus-Mode (RHS)
Trusted User
Engine (TUE)
Kernel
Nexus
NAL
Hardware SSC
Attestation
Software/Hardware Authentication
User
Kernel
Hardware
SSC
Secure Secure
Video Input CPU Chipset
Hardware Summary
Modified components
CPU
Chipset
Secure video
Secure input (keyboard and mouse)
Two versions: USB and laptop
New components
SSC
A Qualitative Step Forward
NGSCB extends the Windows platform
We provide the core, others will build the
solutions
We really want to enable others to build new and
exciting applications
NGSCB is appropriate anywhere you could
possibly imagine needing privacy, security or
data protection
We will ship some solutions “in the box”
Enough to provide immediate value
Scenario Categories
Secure remote access
Corporate remote access
Secure client access to middle tier servers
Secure collaboration
Chat and instant messaging
E-Mail
Rights management
Digital signature
Secure Remote Access
Examples
To a client/server app, using a custom NCA client
To your enterprise desktop, using a secure remote
desktop client
How it works
Uses attestation for end-to-end authentication
Uses strong process isolation and secure path to the
user to be safe against attacks on the remote client
Uses an application private network (APN) for
secure communications
Application-to-application encrypted session
More secure than a VPN because the protection extends
into the application layer itself
Application Private Network
Application Application
(Client NCA) (Server)
Presentation Presentation
Session Session
Transport Transport
Network Network
Datalink Datalink
Physical Physical
User
Trusted User
Engine (TUE)
User Apps.
TSP TSP TSP
Main OS
Kernel Nexus
USB NexusMgr.sys
Driver
NAL
HAL
Standard-Mode (LHS)
What exists in today’s
User systems
Mode Main OS is rich,
User Programs compatible with vast
array of stuff,
DLL DLL supports vast array of
hardware – it is large
User can install
Main OS drivers which get
Kernel privileged access to
Mode
memory – remote
Drivers parties can never be
sure the program has
HAL
not been negatively
impacted by the driver
NGSCB Quadrants
Standard-Mode (LHS) Nexus-Mode (RHS)
User
Agent Agent Agent
NxSvc.exe
User Apps.
Main OS
Kernel
Nexus
NexusMgr.sys
Driver NAL
HAL
User
Agent Agent Agent
NxSvc.exe
User Apps.
Main OS
Kernel
Nexus
NexusMgr.sys
Driver NAL
HAL
User
Kernel
Hazard
USB
Host
Controller
Secure Input
Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS)
User
Kernel
Hazard
E
USB
E Host
Controller
E = Encrypted
Secure Input
Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS)
User
Kernel
Hazard
E
USB
E Host
Controller
E = Encrypted
Secure Input
Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS)
User
Kernel
Hazard
E
USB
Host E = Encrypted
Controller
E
Secure Input
Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS)
User
Kernel
Hazard
E
USB
Host E = Encrypted
Controller
E
Secure Input
Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS)
User
Kernel
Hazard
E
Decrypted
Text
USB
Host E = Encrypted
Controller
E
Mobile PC Secure Input
Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS)
User
E
Chipset
Kernel South Bridge
(LPC bus Hazard
Controller)
E
Key Board
Controller
(KBC)
E = Encrypted
Secure Input
Encryption for Human Interface Device
(HID) will be done on the outboard side
of a USB host
1. Built into USB root hub
2. Built into any USB hub
3. Inside the device of interest
4. In-line device (dongle) between the
machine and the input device
Best solution is #1
Secure Input Work In Progress
For desktops
Evaluating several different ways of establishing
shared secret
Security versus OEM and IT deployment tradeoffs
For laptops
Evaluating different ways to partition Secure Input
Path firmware/microcode in Embedded Controller
Legacy versus security certification issues
Alternatives being evaluated
More information in calls-to-action
Secure Video
Threat Model for video
NO Software-Only attacks against Secure Windows
and the information displayed in them
NO Break-Once/Break-Everywhere (BOBE) attacks
This is not the ONLY hazard relevant to all
stake holders
It is what we can secure
Security for external video interfaces is a matter
for hardware standards
NGSCB could support link protections but won’t require it
Secure Video
Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS)
User
Graphics Kernel
Adaptor
(nexus-mode)
Graphics
Adaptor Hazard
(std-mode)
USB
Host
Controller
Secure Video
Secure Video assures
Secure windows cannot be obscured
Secure windows cannot be captured by
unauthorized software
Secure windows cannot be altered by
unauthorized software
Graphics adaptor may communicate
with display in various formats
We are working on accessibility
Secure Video
The Challenge
How does the video data get from
nexus-mode to the graphics processor?
Two general ways
Closed path – video MUST be integrated device
Depends on special hardware path from nexus to
video device
Works when the video device is in close cooperation
with the memory controller
Encrypted path – data is encrypted in
nexus-mode and decrypted by the
graphics adaptor
Can reuse LHS driver stack
Closed Path T-Vid
Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS)
Trusted
Video
Abstractor
User
Graphics Kernel
Adaptor Hazard
(nexus-mode)
Graphics
Adaptor
(std-mode)
USB
Host
Controller
Crypto Path T-Vid
Standard-Mode (“std-mode”/LHS) Nexus-Mode (RHS)
Trusted
Video
Abstractor
User
E
Graphics Kernel
Adaptor
(nexus-mode) E
Graphics
Hazard
Adaptor
(std-mode)
USB
Host E = Encrypted
Controller
NGSCB: Ecosystem
Works today on x86 flat 32-bit
architectures from multiple sources
Could work on any CPU with
User/kernel modes
Page granular virtual memory mapping
With effort, could be adapted to other
CPU models
NGSCB: Ecosystem
Building an NGSCB capable machine
requires:
NGSCB NGSCB Secure Secure
SSC
CPU Chipset Input Video
Syscall Dispatcher
NGSCB
Calls
Thread Manager
Process Loader
Native SRM
IO Manager
Manager
Manager
Runtime
Memory
Process
Objects
Library
Sync
Porch
Traps
User
Trusted User
Engine (TUE)
User Apps.
TSP TSP TSP
Main OS
Kernel Nexus
USB NexusMgr.sys
Driver
NAL
HAL
User
Secure
Shadow Admin Nexus Mgr
Video Service Service IPC
Filter Driver
Nexus
Nexus Manager Core Dispatch
Secure Services
Kernel Input
Filter Driver HW Allocator
Object Security Shared Resource
(memory
Manager Manager
wholesaler)
Normal Page
Virtual
Address Normal Page
addresses Translation
Protected Page
Address Translation Control
This is curtained memory (or strong
process isolation)
Can’t tamper with a page unless you have a
mapping to it
On current PCs
Any kernel mode code can modify Virtual Address (VA) →
Physical Address (PA) mapping structures
There’s untrusted code in kernel mode
NGSCB hardware calls nexus before
Page map changes (process swap)
Edits to mapping structures
Turning off paging
Address Translation Control
When the page map changes,
the nexus
Walks the tree of pages it maps
Makes sure no protected pages are
mapped
No read/write mappings to the page map
Now the map will remain safe, so
hardware and software can manage a list
of known safe page maps
Address Translation Control
When a mapping structure changes,
the nexus
Walks the tree of pages getting mapped
Makes sure no protected pages are
getting mapped
Ensures no read/write mappings to the
page map
ATC will almost always allow the
mapping to change
Legacy code will still work unless it
attempts to access nexus space pages
Address Translation Control
ATC protects
Agent and nexus data
Agent and nexus code
All page mapping structures (LHS/RHS)
Also protected from DMA (thanks to
special hardware)
Correct ATC implementation vital to
NGSCB security
Memory Management (MM)
Simplicity, robustness preferred over
maximizing performance
Allocate/free whole pages
No shared memory between agents
No paging-to-disk in this version
If nexus were to page to disk, it would
encrypt and sign the pages, then ask the
main OS to flush them
Memory Management (MM)
Nexus keeps some free pages that ATC
is protecting
Nexus can request extra pages from ke
rnel via NexusMgr (seize)
Nexus MM asks ATC if new pages are s
afe to use - “any left side mappings?”
Nexus can give surplus pages back to k
ernel if the kernel needs them
Nexus Abstraction Layer (NAL)
Multiple CPU vendors
Different Security Support Components
(SSC)
Much nexus code is architecture
independent
Interrupts
Interrupts enabled on the RHS
Most drivers are still on the LHS