A Trusted Open Platform
COVER FEATURE

Microsoft’s next-generation secure computing base extends personal computers to offer mechanisms that let high-assurance software protect itself from the operating systems, device drivers, BIOS, and other software running on the same machine.

Paul England, Butler Lampson, John Manferdelli, Marcus Peinado, and Bryan Willman, Microsoft Corporation

0018-9162/03/$17.00 © 2003 IEEE. Published by the IEEE Computer Society. Computer, July 2003.

Computers are entrusted with more personal and valuable data every day, and local and remote users need mechanisms to safeguard this data against misuse. A variety of access-control mechanisms address this problem [1]. For example, most commercial systems require users to provide a password to log on. Users and administrators can configure the system to restrict access to resources, such as files containing sensitive data.

However, such mechanisms have limited effectiveness in a mass-market setting because the kernel’s integrity cannot be ensured. One of the main reasons is that the commercial need for an open software and hardware architecture leads to operating systems that contain a large collection of peripheral devices and device drivers containing millions of lines of code. A single programming error or intentional back door in this large and diverse code base can give rise to an attack that renders the access-control system ineffective. Viruses and Trojan horses exploit such errors on large numbers of machines on the Internet.

Furthermore, most home and corporate desktop computers today are rather loosely administered. Even a functioning access-control system will be ineffective if it is not correctly configured.

These problems expose open-system users to concrete vulnerabilities:

• A corporate document prepared with a trustworthy program is also accessible to a virus or a game with a vulnerability or back door.
• A user’s home finance transactions and data are vulnerable to Trojan horses that “snoop” actions and passwords.
• A bank cannot distinguish a legitimate transaction initiated by a person from an illegitimate or sabotaged transaction instigated by a subverted application.

One solution to these problems is to provide stricter control over platform hardware and software by using a closed system. Set-top boxes, game machines, and smart cards take this approach. If it is difficult or impossible to make a change to the operating system or run an unknown or unauthorized application, it is easier to ensure data and transaction integrity. However, closed systems are far less flexible than open systems and are unlikely to replace the personal computer.

NEXT-GENERATION SECURE COMPUTING BASE

Microsoft’s next-generation secure computing base aims to provide robust access control while retaining the openness of personal computers. Unlike closed systems, an NGSCB platform can run any software, but it provides mechanisms that allow operating systems and applications to protect themselves against other software running on the same machine. For example, it can make home finance data inaccessible to programs that the user has not specifically authorized.

To enable this mode of operation, NGSCB platforms implement

• isolation among operating systems and among processes. OS isolation is related to virtual machine monitors. However, some NGSCB innovations make it more robust than traditional VMMs by enabling a small machine monitor to isolate itself and other high-assurance components from the basic input/output system (BIOS), device drivers, and bus master devices.
• hardware and software security primitives that allow software modules to keep secrets and authenticate themselves to local and remote entities. These primitives maintain the trustworthiness of OS access protections without preventing the platform from booting other operating systems.

We refer to a security regimen that allows any software to run but requires it to be identified in access-control decisions as authenticated operation, and we call a hardware-software platform that supports authenticated operation a trusted open system.

A variety of commercial requirements and security goals guided the NGSCB system design. The main commercial requirement was for an open architecture that allows arbitrary hardware peripherals to be added to the platform and arbitrary software to execute without involving a central authority. Furthermore, the system had to operate in the legacy environment of personal computers. While we introduced changes to core platform components, most of the PC architecture remained unmodified. The system had to be compatible with the majority of existing peripherals. Finally, the hardware changes had to be such that they would not have a significant impact on PC production costs.

Our main security goal was assurance. Assurance is not any particular security function. It refers to the degree of confidence the owner of a system can have in its correct behavior—especially in the presence of attacks. A further goal was to enable authenticated operation.

The hardware platforms are not required to provide protection against hardware tampering. Protection against tampering costs money, and it is clear that most security attacks facing users are launched by malicious software, or are remotely launched and exploit bugs in otherwise benign software. However, we anticipate platforms will be deployed that are also robust against hardware attacks, especially in high-security corporate and government settings.

AUTHENTICATED OPERATION

Traditional access-control systems protect data against unauthorized access through an authentication mechanism such as a password, biometric data, or smart card. Each access request triggers a system software component, the guard, that is part of the trusted computing base. The guard grants or denies access, and can audit access requests according to the user, the request, and the system’s access-control policy [1].

Authenticated operation bases access-control decisions in part on the identity of the program making a request. For example, a user can restrict access to files containing financial data to only certain authorized programs.

It is straightforward to extend most existing user-based access-control systems to code-based access models [2]. For example, a resource can have an access-control list that grants access only to a list of programs rather than to users who run these programs. We expect that most systems built to support authenticated operation will base access-control decisions on both program and user resource requests.

Definition of code ID

Code-based access control requires a method of establishing a program’s identity. If the operating system can guarantee file-system integrity, it can simply assume that the program “is who it says it is.” However, in distributed systems or platforms that let mutually distrustful operating systems run, establishing a cryptographic identity for programs is necessary.

The simplest example is a cryptographic digest or “hash” of the program executable code. Within this model the platform or operating system makes no assumptions about the security of applications stored on disk or on the network: If the application is modified, its cryptographic hash—and hence its identity and the services to which it is entitled—will change. Similar code ID mechanisms have been used elsewhere [3-5].

Use of code ID

Sealed storage and attestation are two mechanisms that rely on code IDs.

Sealed storage. Sealed storage is a cryptographically implemented access-control mechanism in which the sealer of a secret states which programs (given by their code IDs) can unseal (read) the secret. Sealed storage provides confidentiality and integrity for persistently stored data. In principle, sealed-storage primitives can be implemented at any system layer. For example, the hardware could implement sealed storage as a service to operating systems or an operating system could implement it as a service to applications.

[Figure 1 (image not reproduced): Programs 1, 2, and 3 issuing Seal (S1, N1), Seal (S2, N2), and Unseal (blob) requests.] Figure 1. Seal and Unseal primitives. Seal allows a piece of software to protect a secret S and to name the programs N that can access the secret. If a program calls Unseal on previously sealed data, the secret is revealed only if the requester’s identity is as specified in the sealed data block. Red lines indicate failed Unseal requests, and green lines indicate successful Unseal requests.

Figure 1 illustrates the Seal and Unseal primitives. Programs can call Seal and name their own code ID (the common case) or any other program’s code ID as the entity allowed to access the data. If called by a program that has the sealed code ID, Unseal returns the sealed secret and the sealer’s code ID. If the requesting program has a different code ID, Unseal returns an error.

Seal is designed as a local secret-storage mechanism: Sealed secrets are not accessible to other machines. The Seal and Unseal primitives have considerable implementation flexibility [6]. In general, the implementation layer—for example, the hardware [...] case of unsealed information being used as a cryptographic key, the unsealer needs to know that an adversary did not provide the key.

Attestation. Sealed storage is a restricted form of symmetric encryption that lets software programs keep long-lived secrets in persistent storage. Attestation is a variant of public-key encryption that lets programs authenticate their code ID to remote parties [8].

A platform must have a certified public/private-key pair for attestation. Consider the signing variant that we call Quote. The Quote operation concatenates an input string from the program wishing to authenticate itself with the program’s code ID, signs the resulting data structure with the platform’s private quoting key, and returns the result to the caller. The requesting program can send this signed data structure to a remote party, typically along with platform certificates that support use of the platform-quoting key.