
posted by martyb on Sunday April 26 2015, @02:47AM
from the hurdles-all-the-way-down dept.

On Wednesday, at the RSA conference in San Francisco, Microsoft veep Scott Charney outlined a new security mechanism in Windows 10 called Device Guard ( https://blogs.windows.com/business/2015/04/21/windows-10-security-innovations-at-rsa-device-guard-windows-hello-and-microsoft-passport/ ). We've taken a closer look.

The details are a little vague – more information will emerge at the Build event next week – but from what we can tell, Device Guard wraps an extra layer of defense around the operating system to prevent malware from permanently compromising a PC.

Device Guard, when enabled by an administrator, checks to see if each and every application is cryptographically signed by Microsoft as a trusted binary before it is allowed to run. Device Guard itself runs in its own pocket of memory with its own minimal instance of Windows, and is protected from the rest of the system by the IOMMU features in the PC's processor and motherboard chipset.

These IOMMU features (outlined here by the Minix project http://www.minix3.org/docs/szekeres-iommu.pdf ) wall off Device Guard from the computer's hardware, so it cannot be tampered with by other software, no matter how low level that software is.

If the Windows 10 kernel, which has control over the PC, is compromised, Device Guard will remain fire-walled off, and cannot be subverted into allowing unauthorized code to run. A hypervisor running beneath the kernel and Device Guard enforces this.

(In theory, that is – similar "secure execution environments" have been defeated in the past.)
http://atredispartners.blogspot.com/2014/08/here-be-dragons-vulnerabilities-in.html
http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

http://www.theregister.co.uk/2015/04/23/microsoft_windows_10_device_guard/

Do you think that Microsoft can make this work as described?
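
An added illustration, not from the article, The Register or Microsoft: the "is this binary signed by a trusted publisher?" question the summary describes, run as an audit over a folder with PowerShell's built-in Get-AuthenticodeSignature. It does not reproduce Device Guard's hypervisor-protected enforcement; the folder default and the thumbprint allowlist are assumptions, with a placeholder where real values would go.

```powershell
# Added illustration: report which executables under a folder would pass a
# "run only if signed by a trusted publisher" rule. This only audits; it is
# not Device Guard and enforces nothing.
param(
    [string]$Root = 'C:\Program Files',   # assumption: folder to audit
    # Assumption: thumbprints of signer certificates the administrator trusts.
    # Placeholder value; replace with thumbprints from your own inventory.
    [string[]]$TrustedThumbprints = @('<TRUSTED-SIGNER-THUMBPRINT>')
)

function Get-SigningVerdict {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Trusted
    )

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $sig.SignerCertificate

    # Order matters: an unsigned or tampered file never reaches the allowlist test.
    $verdict = if ($sig.Status -eq 'NotSigned') { 'Block: unsigned' }
               elseif ($sig.Status -ne 'Valid') { "Block: $($sig.Status)" }
               elseif ($Trusted -notcontains $signer.Thumbprint) { 'Block: signer not on allowlist' }
               else { 'Allow' }

    [pscustomobject]@{
        Path       = $Path
        Verdict    = $verdict
        Signer     = if ($signer) { $signer.Subject } else { $null }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
    }
}

$results = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { Get-SigningVerdict -Path $_.FullName -Trusted $TrustedThumbprints }

# Summary first, then the first few files that would be refused.
$results | Group-Object Verdict | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$results | Where-Object Verdict -ne 'Allow' |
    Select-Object -First 20 Path, Verdict, Signer
```

The "signer not on allowlist" bucket is the one to read before turning on any signed-code-only policy: it lists validly signed software whose publisher the policy would still refuse.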

 
  • (Score: 3, Insightful) by Anonymous Coward on Sunday April 26 2015, @03:12AM (#175251)

    checks to see if each and every application is cryptographically signed by Microsoft as a trusted binary

    Does this mean that MS will need to "approve" your app by signing it? Hmm ... maybe the only place to get a cryptographically signed version of an app will be the Microsoft Store built into Windows 10?

  • (Score: 0) by Anonymous Coward on Sunday April 26 2015, @03:55AM (#175261)

    Do you have anything to back up your claims? Or are you just speculating?

    • (Score: -1, Redundant) by Anonymous Coward on Sunday April 26 2015, @04:38AM (#175268)

      The disruption of communication and requiring cryptographically signed code can only mean one thing: invasion. The Trade Federation is making their move. Sometimes speculation is strategically necessary.

    • (Score: 5, Interesting) by maxwell demon (1608) on Sunday April 26 2015, @06:53AM (#175287)

      The summary says: Only code signed by Microsoft will be allowed to run.

      Obviously only Microsoft will be able to sign code (well, and anyone managing to get Microsoft's private key; so the NSA probably will be able, too, but certainly not normal programmers). Therefore Microsoft has full control over which code runs on systems with Device Guard enabled. The whole point of signing is approving.

      It is also obvious that Microsoft will take advantage of that requirement to make money. After all, it is a publicly traded company, where the investors expect that any money-making opportunity is used. Requiring the application to be sold exclusively over Microsoft Store would be one possible way for Microsoft to profit from it, and there's precedent for requiring applications to be sold through a store owned by the OS maker (namely Apple), so the idea is certainly not completely off.

      Of course it might also be that Microsoft just makes the actual signing process expensive. Expensive enough that independent developers won't be able to afford it. And certainly expect Microsoft to have rules to prevent anything they don't like, as far as they can get away with it (again, there's Apple precedent).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2, Interesting) by Anonymous Coward on Sunday April 26 2015, @09:57AM (#175312)

      Do you have anything to back up your claims? Or are you just speculating?

      The OP asked two questions (just like you did). I don't see that s/he made any "claims".

      Considering the "signed by Microsoft" BS that MS required in UEFI's "trusted" mode in order to boot a non-MS OS (referenced by someone else in these posts) I think Device Guard's "signed by Microsoft" requirement would be the same.

      As mentioned above, this is similar to Apple's approach for applications on iOS (except Apple doesn't allow this type of "feature" to be turned off; it requires jail breaking your iOS device).

  • (Score: 4, Informative) by nethead (4970) <joe@nethead.com> on Sunday April 26 2015, @04:05AM (#175262)

    This is for sysadmins in enterprise situations to keep the users from infecting the whole network. This isn't a feature for geeks like us to use on our own computers. Remember that almost all business runs on Windows and keeping the crap out of a network is a full time nightmare.

    --
    How did my SN UID end up over 3 times my /. UID?
    • (Score: 2, Interesting) by Anonymous Coward on Sunday April 26 2015, @10:14AM (#175313)

      I agree that this will be beneficial to sys admins (and their sanity), but I'm betting the new system setup process will ask the user/consumer if they want their system to be protected from/against unknown software. The phrasing of the question might (and probably will) result in many opting in. And do you know how many installers for existing software (let alone the software itself) are cryptographically signed by MS? Very few (if any) non-MS titles, and not many MS software titles released before Win 8.

      This can, and will, result in frustrations and unnecessary new software purchases right out of the box for consumers.

    • (Score: 3, Interesting) by Bot (3902) on Sunday April 26 2015, @11:44AM (#175321)

      MS pushed a mobile OS on desktop users, it can surely push an enterprise feature on desktop users as well.

      In other news, Steam's business decision to expand to Linux seems now a good move, possibly the next desktops with MS stuff on it should not be labeled PC but XBOX.

      --
      Account abandoned.
    • (Score: 3, Interesting) by TheLink (332) on Sunday April 26 2015, @06:49PM (#175411)

      I would prefer something like this:
      https://bugs.launchpad.net/ubuntu/+bug/156693
      See also: https://soylentnews.org/comments.pl?sid=379&cid=9518

      So it's like trust an app but enforce the limits of the trust.

      • (Score: 0) by Anonymous Coward on Sunday April 26 2015, @06:57PM (#175412)

        OK it's me again- forgot to mention see in particular Scenario C - that's useful for Enterprise stuff.

        Smart phones do something like it, but the granularity seems rather poor. Should have stuff like "can see my public/private/work info".

        I think Apple has done something like it? https://developer.apple.com/app-sandboxing/

  • (Score: 3, Interesting) by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Sunday April 26 2015, @04:19AM (#175263)

    If I provide software for download from my own website, will it be signed by microsoft?

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 2) by gnuman (5013) on Sunday April 26 2015, @05:26AM (#175275)

      It probably means signed, not signed by Microsoft. Compromised keys could be revoked by Microsoft.

    • (Score: 2, Interesting) by Anonymous Coward on Sunday April 26 2015, @12:56PM (#175337)

      In a similar vein, if I develop specialized software (perhaps for just one customer), how much extra will I be forced to charge my customer to have it signed so that the customer can run it?

  • (Score: 0) by Anonymous Coward on Sunday April 26 2015, @12:33PM (#175331)

    They probably want to get rid of independent software developers and small companies and instead have corporations take their place. Let all code be written by MS or one of its "affiliates". This way anyone who wants to make money writing code for MS Windows will either be working for MS directly or its gang of affiliates.

    Sorry, but I do not wish to work for MS or its gang. They can shove their "dream" jobs. Same goes for Google and Farcebook. And the rest of the NSA/CIA/Mossad friends.

    Or maybe they will add a "Microsoft-approved" virus to the binaries while signing them. They are capable of anything.