Security in the industry H/W & S/W What is AMD’s ”enhanced virus protection” all about? What’s coming next? Presented by: Micha Moffie

NUCAR2 Outline Security Objectives Happening now…  AMD Solution – ‘enhanced virus protection’  WinXP support in SP2 Coming soon …  Intel LaGrande technology  Windows Palladium/NGSCB

NUCAR3 Security - Objectives Protect  User Confidential Data From:  Attacks on executing software Software vulnerabilities  Attacks from malicious software Viruses/worms/Trojan horses  Attacks on hardware Access to keyboard & mouse data / screen output

NUCAR4 AMD’s ‘Enhanced Virus Protection’ Hardware support against stack smashing  Stack smashing attack - reminder Hardware implements  NX bit - No eXecution on predefined pages.  Each page in the translation pages has a new NX bit, when the instruction TLB is loaded with a new page, this bit is checked. if the bit is set (we are trying to execute from a non executable page) we will get a page fault exception.  this applied to all privilege levels (from AMD manual)

NUCAR5 The OS role Window XP (Service Pack 2) Microsoft uses NX bit to: ”prevents the execution of code in memory regions that are marked as data storage”  This will NOT prevent an attacker from overrunning the data buffer, but will prevent him from executing his attack (generate an exception) Some problems with legitimate code  a ”Data Execution Prevention" error message – for legitimate code  Workaround - Microsoft allow exceptions, per application. (I.e. turn DEP off for specific apps.)

NUCAR6 Who else? Transmeta  already supported Intel  Itanium supports this bit  Intel Pentium … in the near future Linux  a patch to the Linux kernel exists that supports the NX bit 

NUCAR7 Outline Security Objectives Happening now…  AMD Solution – ‘enhanced virus protection’  WinXP support in sp2 Coming soon …  Intel LaGrande technology  Windows Palladium

NUCAR8 Intel LaGrange Technology (LT) New Hardware Components complemented with New OS & New applications:  protect data from software attacks  protect data confidentiality & integrity Hardware Capabilities  Isolated execution Protected memory pages  Sealed storage (TPM)  Protected I/O (keyboard/mouse/graphics)  Attestation (Proof of current protected environment)

NUCAR9 LT Hardware enhancements

NUCAR10 LT Protection Model Standard partition  execute: legacy code, non secure portion of new code  provides regular IA32 semantics Protected partition  execute new security modules & services  Provides execution isolation sealed storage Protected I/O Attestation

NUCAR11 LT Protection Model - Cont

NUCAR12 Microsoft Palladium  NGSCB Next Generation Secure Computing Base security technology for the Microsoft® Windows® platform,  will be included in “Longhorn” Includes a new operating system module: “Nexus”  enable secure interaction with applications, peripheral hardware, memory and storage

NUCAR13 Microsoft NGSCB Four key features:  Strong process isolation even against attacks from the kernel  Sealed storage accessible only to program, nexus & machine  Secure path to/from user  Attestation

NUCAR14 The nexus Essentially the kernel of an isolated software stack runs alongside the existing OS software stack.  not underneath it Provides a limited set of APIs and services for applications, including sealed storage and attestation functions. Special processes that work with nexus are called “Agents” Can run different nexuses on a machine  But only one nexus at a time

NUCAR15 NGSCB - run time environment

NUCAR16 References AMD64 Architecture Programmer's Manual Volume 2: System Programming, 3.09 edition, Sep Publication No Microsoft Knowledge Base Articles & Intel, LaGrande Technology Architectural Overview, , September 2003 Microsoft The Next-Generation Secure Computing Base: Four Key Features, June 2003 Microsoft Next-Generation Secure Computing Base - Technical FAQ, July 2003 Microsoft "Palladium": A Business Overview, August 2002 TPM Main Part 1 Design Principles, Specification Version 1.2 Revision 62 2 October 2003 Published ARM, A New Foundation for CPU Systems Security, Security Extensions to the ARM Architecture, Richard York, May 2003 A wooden fence in Kyoto, /mari/54.htm

NUCAR17 The End Thanks, Questions ?

NUCAR18 Backup & links

NUCAR19 Stack Smashing Attack main(int argc, char **argv) { … foo(argv[1], 10); … } void foo(int i, char *s) { char b[16]; strcpy(b, s); …… } main( ) auto variables return addr of foo( ) frame ptr of foo( ) Stack ptr Frame ptr Stack grows Buffer grows 10 ptr to input string dddd +12 cccc bbbb aaaa b[0] b[1] b[2] b[3] Stack

NUCAR20 0x0012ff12 Stack grows Buffer grows start of attack code 0x0012ff **** +12 **** b[0] b[1] b[2] b[3] Stack 0x0012ff12 0x0012ff08 0x0012ff04 0x0012ff00 attack code Attacker code executed in Stack Segment.. Stack Smashing Attack - II return addr of foo( ) Has changed! it will return to 0x0012ff12, the attacker code

NUCAR21 TPM Trusted Platform Module also called SSC - Security Support Component Stores hardware secret key Base of trust Cryptographic co-processor more…

NUCAR22 TPM architecture

NUCAR23 Transitive Trust

NUCAR24 ARM – TrustZone Extending the CPU to enable more security Main problem with current OS  It is huge, millions of code lines - Complex difficult to establish a ‘trusted code base’  A rich API - Open enables widespread access to OS from non-secure code Main idea:  establishing a trusted code base  using a hardware enforced security domain to systemize the implementation of secure systems

NUCAR25 ARM - cont Current typical security structure

NUCAR26 ARM - Cont New security structure

NUCAR27 ARM - Cont Introduce an NS-bit  use this bit to identify secure data throughout system cache pages Monitor  manages the NS-bit  manages transition in & out of security mode  Small fixed API