Re: Palladium: hardware layering model
Adam Back writes:
some definitions:
hw layer -- SCP which I think provides crypto key store, crypto co-processor for sealing, remote attesation
ring 0 -- new layer which controls memory management unit and secured code compartments
supervisor mode -- normal supervisor mode, which can now only read user space, but not trusted agents running in code compartments
user mode -- legacy user level apps under complete control of supervisor mode
and some ASCII art:
+---------------+------------+ | trusted-agent | user mode | | space | app space | | (code +------------+ | compartment) | supervisor | | | mode | +---------------+------------+ | ring-0 / Memory mgmt unit | +----------------------------+ | hardware / SCP key manager | +----------------------------+
each layer below can decide policy and information disclosure through APIs to the layer above.
I don't think this is right, as Peter said that the Palladium stuff could load many days after boot. So I don't think the "ring-0" mode underlies normal supervisor mode as you have shown it. Instead I think they are relatively orthogonal. I'm not sure how to draw it, but I would envision the TOR as a device driver which controls two devices: the trusted execution space, which is some special memory (on the cpu?), and the SCP, the crypto processor. Let us suppose that there is a special instruction to load a block of code into the trusted execution space and give it a new process ID. At the same time this causes the SCP to hash it so that it can attest to it later. Let us also suppose that the ring-0 mode is used only when running code out of the trusted execution space (TE space). What is special about ring-0? Two things: first, it can see the code in the TE space so that it can execute it. And second, it doesn't trap into supervisor mode for things like debugger single-stepping. I'm not familiar with the details of the Pentium family but on most CPUs the debugger single-steps things by setting a flag and returning into the code. The code executes one instruction and then automatically traps into supervisor mode, which hands off to the debugger. This process must be suppressed in ring-0 mode, and likewise for any other features which can force a ring-0 process to trap involuntarily into supervisor mode, which exposes the registers and such. The TOR would then manage the various processes running in the TE space, and their interactions with ordinary code, and possibly the interactions of both with the SCP. I'm not sure if the TOR runs in ring-0 mode and in the TE space; probably it does, as the SCP can attest to it, and we wouldn't want non-Palladium processes to debug it. So really the whole TOR/SCP/TE-space/trusted-agents stuff is relatively orthogonal to the rest of windows. It's almost like you had a fully functional 2nd CPU in there that you could load code into and have it run; that CPU's memory is the TE space, its mode is the ring-0, it has access to the SCP, and it runs the TOR and trusted agents. But Palladium has to use the regular CPU for this so they firewall it off with the ring-0 mode which locks it into this restrictive mode. That's just a guess, probably wrong in many details, but consistent with what I understand so far. Mostly I am hoping to encourage Peter to come forward and correct our misconceptions.
The implications of which are:
- the SCP can implement sealing with data separation against ring-0 (ring-0 can't bypass sealing data separation)
I have this as well; loading a user agent into TE space creates the hash "fingerprint" which will be used for sealing and attestation; other ring-0 agents will have their own fingerprints and won't be able to unseal what this agent does. The SCP compares fingerprints at unseal time to what it was at seal time and (optionally) won't unseal if they don't match. (This is one of multiple sealing options.)
- ring-0 can read all superviser, user, and trusted agent space, but
I don't think so; not necessary in my model, would require significant re-architecting of Windows which won't happen, and inconsistent with the claim that Palladium can load days after boot.
- ring-0 and MMU can compartmentalize trusted agents so they can't tamper with each other, and
Must be true. Some questions: how big is the TE space? How many agents can live there at once? Do they swap in/out? Does data go there, or just code?
- ring-0 and MMU can exclude supervisor mode from trusted agent space and ring-0 space; supervisor mode is itself just another compartmentalized trusted-agent level space. Therefore ring-0 can restrict what supervisor mode (where the normal OS is located) can do.
But ring-0 cannot make arbitrary restrictions on sup. mode. Remember they can't afford to re-architect either the entire CPU nor the entire OS for this. The simplest is that in ring-0 mode you disable certain functions that could trap you into supervisor mode thereby losing control of the CPU, and this ring-0 mode gains you access to the TE space.
whereas the normal protected CPU architecture is just:
+------------+ | user mode | | app space | +------------+ | supervisor | | mode | +------------+
I'm not much of artist but I would put the new stuff off to the side of this in its own tower. Ring-0 mode at the bottom, running the TOR which is shown above it, which manages the user agents which would be on top. The SCP is further off to the side, perhaps managed by the TOR.
- from these assumptions it appears an OS could be implemented so that all OS calls pass through ring-0 APIs and mediation to get to supervisor mode OS. In this case the OS could observe system calls the trusted agent makes, but not in general read, debug, modify virtualize or modify trusted-agent code. The non-virtualization presumes encrypted trusted-agent code, which Peter said is not done, so this can't be how it works.
I'm not sure what you mean by the OS observing system calls. By definition, system calls go into the OS. So I don't think that will ever stop happening. But it does mean that when a ring-0 trusted agent makes a system call, we change to normal supervisor mode which makes the trusted space invisible. The point we are dancing around is this. How does it protect the data, along the whole path from the remote machine, through where it is processed locally, until it is sealed on the local disk? It seems that it must be in the clear for a while on the local machine. Where is that - in regular memory, or TE space? It's not that big a deal to be unable to read TE *code*. From what Peter says, that is typically not encrypted on the disk. So the code is no secret. What we must be unable to read are the data being handled by this code: the registers, the contents of memory that are sensitive. And by the registers I include the PC, since that would leak information about the data. We can't single-step it, we can't put breakpoints into it, we can't change it while it is running.
I would be interested to hear what model takes for Palladium mapping the interactions and restrictions between Trusted Agents, user space, OS kernel, TOR to the hardware. We need this kind of detail to reason about limits of the Palladium and make distinctions between what is possible with Palladium implementation choices vs what other types of OSes could be built from the hardware features.
I am curious about this from the technical perspective. I think this is one of the most interesting developments in many years on the security front. But frankly I don't think it will do them much good to tell you and most other cypherpunks about it, because whatever they say, you and others will twist it and lie if necessary a la Lucky to turn it into some horrible perversion. Even if the design were totally benign, that doesn't mean Microsoft/Intel couldn't change it someday, right? They could put a machine gun into every PC aimed at the user, and a camera over his head. That's the level of reasoning in Lucky's Defcon presentation, except that he says that they've already done it. I applaud Peter's patience but pity him for his naive belief that he is engaging in a good faith exchange where he will get a fair hearing.
One idea I think would be interest is as follows:
- the TOR (which lives in ring-0) _could_ be used together with the OS to force all trusted-agent in-flows and out-flows (network traffic) to go through code under supervisor mode control.
I think this is pretty likely, but with the data encrypted by the time the supervisor mode sees it.
I don't think this is likely in the current design; but this change would be an improvement:
- it would at least allow user audit and control of in-flows and out-flows;
If the data is in the clear, it would undermine the security guarantees! Look at my online poker game - if the dealer can tap into the data going out, he will learn what everyone else's hands are. Look at the anonymous network - an eavesdropper can learn where all the data is and how it is flowing. The data must not be made available in the clear anywhere the user can get at it, to provide the proper security.
- the user could block suspicious phone-home information out-flows,
Well, he *does* know at least the address the data is going to. There's no way to hide that (short of anonymous message forwarding).
- the user could read out-flows and demand un-encrypted documented formats, or if encrypted, encrypted with keys the supervisor mode gets copies of.
There are some applications which will still work if all the users can *see* all of the data, but just not modify it. Maybe my digital cash example would fall into that category. You can see how much you're spending, but you can't manipulate your wallet. But there are many others, such as those above, where being able to hide even information disclosure from network participants adds tremendous power. You remember the Eternity network, how one concept had files being shared across multiple nodes such that no one knew which files were on his own computer. That was crucially important for non-repudiation and censorship-resistance. This was done with cryptography, but the point is the same: hiding information from network participants can greatly increase security. With TCPA/Palladium you can get some of the same security properties with much simpler ode (with admittedly lower levels of security until hardware improves). Skipping down...
And of course remote attestation will not work either, if the app has been meddled with.
Remote attestation, which is not itself general -- just a remote dongle thing -- if not tied to remote dongle controlled sealing which is necessary for the main application function could be nopped out.
I am assuming that you are attesting to the remote system, and you only can control your local one. You want to get something from the remote, and it will only give it if you are running "clean" on real hardware. So you can't virtualize and still attest, since ultimately you don't have a TPM endorsement key (or Palladium equivalent) with a nice TPME endorsement certificate issued on it. Of course if you have control of the server machine, you can ignore attestation. But that just says that the operator of the remote machine can choose for himself which apps to run. He can run an app that checks remote client integrity or he can run one which doesn't care.
So in the general case it seems that remote attestation is also effectively virtualizable, modifiable and debuggable by first nopping out remote attestation checks. (This is not strictly virtualizable as the remote dongle call nopping modification makes it no longer the same application, but as I said unless this is necessary for the application it doesn't otherwise change it's behavior, so it's effectively virtualizable).
I'm not sure I follow this, but it sounds like you are talking about manipulating the server machine doing the checks, while in most cases you can only manipulate the client machine making the request.
On Wed, 7 Aug 2002, AARG! Anonymous wrote:
What is special about ring-0? Two things: first, it can see the code in the TE space so that it can execute it. And second, it doesn't trap into supervisor mode for things like debugger single-stepping. I'm not familiar with the details of the Pentium family but on most CPUs the debugger single-steps things by setting a flag and returning into the code. The code executes one instruction and then automatically traps into supervisor mode, which hands off to the debugger. This process must be suppressed in ring-0 mode, and likewise for any other features which can force a ring-0 process to trap involuntarily into supervisor mode, which exposes the registers and such.
If there's no way to debug the "hidden" (so called "trusted") code using standard techniques, then how can you know it works right? Most all processors now have hardware debugging capability - it is a requirement due to the complexity of the chips. *Somebody* has to be able to run a hardware debugger and have access to the raw hardware, even if it's just Intel running with the covers off. If I'm going to write a TOR, I want access to internal registers. So I'd expect there's a hardware interface to do that. This basicly breaks the whole thing. You can't have a generic platform *and* a trusted platform. You can have a trusted platform which is *specific* - nobody but the manufacturer knows the guts. If people want to buy it because it does something useful, that's ok, but don't call it a generic PC. As an aside, check out http://www.beastrider.com it's a hardware debugger for a DSP (which I built). The Intel processor may not work the same way, but it's got to have some kind of similar interface, and anybody like me can build an interface into it. If the processor is sealed into a tamper proof case (like the IBM 4875) Then it can be made secure for one manufacturer. The system is checked before being sealed. If people want to add one to their PC they are free to do so, but they understand who owns the key inside the sealed case. With TCPA people do not know who owns the key - and that's its basic problem. Until we know real hardware details, we're not really going to figure out what's going on. Since Palladium guys claim that TCPA doesn't do what they want, it seems that the hardware hasn't been figured out yet. If the processor isn't sealed to prevent people like me from building hardware debuggers, then Palladium will be cracked by someone. If it is sealed then it's not a generic PC anymore. I don't think it's possible to outlaw a generic pc, but I guess I'm not willing to let congress begin to think about it either :-\ Patience, persistence, truth, Dr. mike
On Wed, Aug 07, 2002 at 04:55:11PM -0700, AARG!Anonymous wrote:
Adam Back wrote:
+---------------+------------+ | trusted-agent | user mode | | space | app space | | (code +------------+ | compartment) | supervisor | | | mode | +---------------+------------+ | ring-0 / Memory mgmt unit | +----------------------------+ | hardware / SCP key manager | +----------------------------+
each layer below can decide policy and information disclosure through APIs to the layer above.
I don't think this is right, as Peter said that the Palladium stuff could load many days after boot. So I don't think the "ring-0" mode underlies normal supervisor mode as you have shown it. Instead I think they are relatively orthogonal.
No I think the above diagram is closer than what you propose. Peter also pointed us at Seth Schoen's blog [1] which is a write up of a briefing Microsoft gave to EFF. It contains the statement: | The nub is a kind of trusted memory manager, which runs with more | privilege than an operating system kernel. The nub also manages access | to the SCP. Looks consistent with my picture to me. Your other objection:
I don't think this is right, as Peter said that the Palladium stuff could load many days after boot.
I think would just be covered by the details of how the machine switches from this picture: +------------+ | user mode | | app space | +------------+ | supervisor | | mode | +------------+ to the one above. For example imagine a default stub nub/TOR that leaves the new MMU features wide open. (Supervisor mode can access everything, no Trusted Agent code compartments running). The would be some API to allow the supervisor mode code to load a TOR and switch the TOR code to ring-0 while leaving the OS running in supervisor mode. Or alternatively and with equivalent effect: with the boot state, the OS runs in full ring-0 mode, but just isn't written to make use of any of the extra ring-0 features. When it switches to loading a nub/TOR the OS is relagated to supervisor mode, some MMU permission bits are juggled around and the TOR occupies ring-0, and the TOR is just an OS micro-kernel which happens to be written to use the new hardware features (code compartmentalization, new MMU features, sealing etc) Clarification on this:
So in the general case it seems that remote attestation is also effectively virtualizable, modifiable and debuggable by first nopping out remote attestation checks. (This is not strictly virtualizable as the remote dongle call nopping modification makes it no longer the same application, but as I said unless this is necessary for the application it doesn't otherwise change it's behavior, so it's effectively virtualizable).
I'm not sure I follow this, but it sounds like you are talking about manipulating the server machine doing the checks, while in most cases you can only manipulate the client machine making the request.
Not what I meant. Say that you have some code that looks like this: /* some code */ if ( ! remote_attest( /* ... */ ) ) { exit 0; } /* lots more code */ then the remote attest is not doing anything apart from acting as a remote dongle, so all I have to do to virtualize this code, or break the licensing scheme based on the remote dongle is nop out the remote attest verification, then the code can be run as a user application rather than a trusted agent application and so can be run in a debugger, have it's state examined etc. If on the other hand the code says: download_sealed_content( /* ... */ ); key = remote_attest_and_key_negotiate( /* ... */ ); decrypt_sealed_content( key, /* ... */ ); then nopping out the remote_attest will have a deleterious effect on the applications function, and so virtualizing it with the remote attests nopped out will not be useful in bypassing it's policies. Adam -- http://www.cypherspace.org/adam/
participants (3)
-
AARG! Anonymous -
Adam Back -
Mike Rosing