November 25, 2003

Understanding Secure Computing Base

Today Alan was showing a bit of paranoia talking about how BIOS manufacturers are putting in new features that will create the first stages of the chain of trust for "trustworthy computing".

I would like to respond to his comments by explaining WHY the idea of the Next Generation Secure Computing Base (NGSCB) should be embraced and not frowned upon. Even if it is coming from Microsoft.

First off, let me be clear. Trustworthy Computing does not have to be looked upon as a Microsoft thing. The idea is being leveraged by many vendors. I had a chance to talk to one of the guys dealing with it at Seagate when I was at the DevCon presentation of NGSCB. Microsoft is just one of the first vendors that is actually making it part of the operating system in Longhorn.

Let me give you a practical scenerio of where Trustworthy Computing is vital to a secure computing environment. If you may recall from previous months, there was an attacker by the name of Juju Jiang who placed a software keystroke logger at various Kinkos in New York to hijack their passwords and other vital information. There have been other attacks who have done the same thing with hardware keystroke loggers at other public terminals (like libraries). These are hard to detect at times, and can be easily planted by attackers with very little experience or expertice.

Here is where NGSCB comes into play. Lets first talk about the problem with the existing system. If you can get code into the Windows kernel (a software driver as an example), the system can practically be owned at that point in regards to this. The reason is that pluggable kernel components can access literally any memory and scrape any data they want. What NGSCB can do is partition the execution environment by adding a mechanism (with the help of a new mode flag in the CPU) which can determine if access is trusted or not, and can set up memory so that it can ONLY be accessed by trusted components. If you don't understand what I mean, don't fret... let me take our example and follow it through.

Right now in existing operating systems, some sort of keyboard driver will translate the keystrokes coming down the wire into characters and pass it where it needs to be. Of course, anywhere between the driver and the keryboard can be compromised. It's not TEMPEST. You can tamper with the physical cable, between the cable and the keyboard port, or directly in the software. Now imagine this scenerio to fight this:

  1. The keyboard and OS are NGSCB aware.
  2. They have been configured to work together. (Leave the discussion for HOW that happens another day)
  3. The keyboard will ENCRYPT all keystrokes and ensure the integrity of the data with a message digest and send the secure payload to the OS.
  4. The OS kernel driver for the keyboard receives the data. The keyboard driver is untrusted, and can do nothing with the data except drop it. Ok. Denial of service if this is a rogue driver. But nothing else can happen. No information disclosure. It can't read the information. A proper keyboard driver would see this special payload and transfer it to the trusted environment through the use of a secure conduit transport. (Microsoft calls their particular environment Nexus, and have easy to use API to accomplish this)
  5. Here the trusted computing base can pass the payload to the proper secure driver, in this case a secure keyboard driver that can verify the integrity of the data and unencrypt it. It can then determine what information can be passed back to the untrusted kernel. Microsoft calls these drivers agents, or more commonly NCA. In the case of password management, they can verify passwords securely on the trusted side, and just pass back particular results to the untrusted side.

At this point... both software and hardware keystroke loggers become useless. They can do very little but record the encrypted payload. (Of course they could try to brute crack this.. but a good design would account for this). It's actually quite a neat design... except that you have to trust the "trusted code base". Of course, you don't HAVE to. You could replace Microsoft's Nexus with your own. And from my understanding they are making provisions for that in Longhorn. But should I trust you any more than Microsoft?

I am over simplifing what the NGSCB is, but my point is that its actually a good thing. Imagine another scenerio. You have a secure application in which you do not wish rogue application to be able to "automate" or replay. Currently you can actually script with the Win32 API ways to automate button presses, keyboard input etc to completely act as a logged on user to perform actions... attacks which I HAVE seen in the field. One such example would transfer money from one bank account to another without the teller knowing. Anyways, you can write a video driver and a mouse driver that support NGSCB and have it so that when a mouse enters a particular region on screen (say, the region of the secure application window) that all mouse movements and actions (button clicks) are encrypted and cannot be seen by the base operating system. Now there is no way for any foreign access to the application. Moreover, the trusted window can be drawn differently to denote it (imagine if all trusted windows had a red border drawn by the video driver so you KNEW what information was classified as protected/secret or above? Kinda neat if you ask me.) You can do some pretty kewl stuff with this.

There is still work to be done on the NGSCB, and I hope it is audited by a third party, similar to how the security framework for .NET was reviewed. But all in all, you can take advantage of the new secure computing base with properly designed drivers. Of course, you can just install a different OS that ignores all this.... including the issues with the bios.

I only hope I get to take part in building some of these applications with the NGSCB. I think it will be a lot of fun... and can already imagine a few great applications for secure terminals for military and government operations. Dunno if the commercial world would buy them though. Guess time will tell how this all unwinds itself.

Posted by SilverStr at November 25, 2003 10:03 AM | TrackBack
Comments

And I'm sure that none of this will be used to leverage an existing monopoly, crush competition, and other alternative OSs will be fully supported, right?

You have good points, but you've been in scoble's koolaid lately, so.....

:)

Posted by: Arcterex at November 25, 2003 10:17 AM

Nothing to do with Koolaid. Besides, this would need to include vodka with the koolaid to give me any kind of buzz. Scoble is clueless when it comes to this sort of thing. (No offense Robert :) )

The fact remains.. the idea behind the NGSCB is sound. Its the implimentation that we need to watch for. As an example... locking down movies and music is pretty useless unless you actually have NGSCB aware sound and video drivers... which you can get around. :)

I liked the though though of vendors like Seagate getting involved. Imagine a NGSCB aware harddisk that can protect/encrypt the data in the hardware bypassing threats exposed by the OS? There is some real potential here.

I only hope other communities like Linux, BSD and Apple see the potential here and start building support for it in future versions.

We will have to wait and see.

Posted by: SilverStr at November 25, 2003 10:34 AM

I still see it as a "thinly veiled attempt at shifting some of the security-onus from the OS to the hardware with the blessing of Microsoft along with the side "benefit" of Digital Rights Management." (quote from /. discussion) that I couldn't have said better myself (and probably didn't! :)

Posted by: Arcterex at November 25, 2003 12:18 PM

I think Alan squarely hit the main issue. A lot of people were really scared that MS would abuse this ability, by enforcing whether certain "music files" are playable or not.

Posted by: Wim at November 25, 2003 11:13 PM

Your defense of NGSCB / Trusted Computing fails for the exact same reason as all the others. There is nothing wrong with "new hardware". However the CENTRAL DESIGN CRITERIA for Trusted Computing is that the owner of the computer is forbidden to know his own master key (the PrivEK and/or SRK).

Consider an identical computer with identical hardware. It has identical capabilities and is just as effective at protecting you, the owner. The only difference being that you get a printed copy of your keys. Perhaps you put that printed copy of the keys in your bank saftey deposit box. You still get all of the protection against trojans and keyloggers as you discuss. All of your data is just as secure against hackers.

There is absolutely no legitimate justification to forbid the owner to know his own key. It is purely malicious.

The only thing that forbidding the owner to know his own key accomplishes is to lock the owner out of control of his own computer and files, and to enforce monopoly lock in. If the owner were to know his key he'd be able to unlock his own files if he chose to, avoiding lock-in and lock-out. He can have full control of his computer - if he chooses to.

Letting the owner know his own key preserves every benefit he gets from having such a machine, while simultaneously eliminating EVERY legitimate criticism. Go ahead and advocate "new hardware" if you like, but you have failed to defend/justify trusted Computing. Its central design requirement is purely malicious.

Posted by: Alsee at July 1, 2004 11:02 PM

Alsee,

I don't think anyone here will disagree with you. Nor did anyone say you SHOULDN'T have your key. I agree that having the key (properly stored of course), is a good thing(c).

BTW, with the current implimentation you can tap the bus and get the key if you want it as its decrypted there before use.

Posted by: SilverStr at July 1, 2004 11:25 PM

Ah good. I'm glad you understand the issue about having your keys.

However you are mistaken about tapping the bus to get at these keys. The Trusted Computing Group's tech specs are quite specific that the SRK and PrivEK are forbidden to ever leave the chip. Any encryption/decryption using these keys is required to be done inside the Trusted Platform Module (TMP) itself. The TPMs are also designed to self-destruct / wipe the key if the owner attempts to "tamper" with it in an attempt to get at his keys.

If you have seen the recent IBM ThinkPad commercials you've probebly even seen them advertize that very fact. The one where a government agent-type warns that a hacker can steal your data in a matter of seconds. The owner says his computer is protected with a chip. The agent says chips can be removed. The owner says the chip self-destructs.

It's also in the tech specs of Atmel and the other TPM chip manufacturers, mutiple forms of tamper resistance and tamper detection.

Posted by: Alsee at July 5, 2004 04:26 PM

Its not actually the keys at issue but the op codes. OP codes are plaintext on the bus. As such, they can easily be microprobed off the bus. The latest specs do indeed look at encrypting CPU instruction sets, but it's (a) not widely used (b) not widely accepted in manufacturing YET. The next generation TPM CPU should be using this more, but until TPM chip manufacturers look at more resilient tamper resistant mechanisms... this is a sad state of the technology. I can't comment on the ThinkPad, but I am not suprised that its using the new system.... they seem to always be first to adopt it.

If you go looking around, there are two different DefCon presentations where demos of how to probe the bus and get at this were shown. I quite enjoyed the one presented by Lucky Green at DefCon X.

Posted by: SilverStr at July 5, 2004 07:49 PM

Tapping busses or even feeding falsified data onto busses gets you a lot, but it's not really a complete and satisfactory defeat of the system. The TPM effectively has a low power CPU inside. Actual encryption/decryption occurs inside the TPM itself. All the TPM instructions (including encryptions/decryptions) can be logged within the TPM itself. (Specificly a running hash in a PCR). Communication into and out of the TPM can be encrypted to that log using a key that never leaves the TPM. The contents of that communication never appear ouside the TPM. No matter how much you tap any bus you cannot tamper with those instructions or with that log without voiding remote attestation and without losing the ability to decrypt anything encrypted with keys bound to that log state.

There is no bus to tap there other than ripping the TPM itself open, and that point you may as well just read out the RSK and PrivEK.

Bus tapping external to the TPM may let you clone cleartext out of the Trust system and strip DRM, but all remote communications and all additional decryptions are still forced to go through the properly fuctioning TPM and only using the authorized sequence of commands. You've still got a pretty substantial noose hanging around your neck.

You also wind up pretty much toast once they move the TPM inside the CPU package and start encrypting data to and from RAM.

Posted by: Alsee at July 6, 2004 11:27 AM