On Wednesday, at the RSA conference in San Francisco, Microsoft veep Scott Charney outlined a new security mechanism in Windows 10 called Device Guard ( https://blogs.windows.com/business/2015/04/21/windows-10-security-innovations-at-rsa-device-guard-windows-hello-and-microsoft-passport/ ). We've taken a closer look.
The details are a little vague – more information will emerge at the Build event next week – but from what we can tell, Device Guard wraps an extra layer of defense around the operating system to prevent malware from permanently compromising a PC.
Device Guard, when enabled by an administrator, checks to see if each and every application is cryptographically signed by Microsoft as a trusted binary before it is allowed to run. Device Guard itself runs in its own pocket of memory with its own minimal instance of Windows, and is protected from the rest of the system by the IOMMU features in the PC's processor and motherboard chipset.
These IOMMU features (outlined here by the Minix project http://www.minix3.org/docs/szekeres-iommu.pdf ) wall off Device Guard from the computer's hardware, so it cannot be tampered with by other software, no matter how low level that software is.
If the Windows 10 kernel, which has control over the PC, is compromised, Device Guard will remain fire-walled off, and cannot be subverted into allowing unauthorized code to run. A hypervisor running beneath the kernel and Device Guard enforces this.
(In theory, that is – similar "secure execution environments" have been defeated in the past.)
http://atredispartners.blogspot.com/2014/08/here-be-dragons-vulnerabilities-in.html
http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html
http://www.theregister.co.uk/2015/04/23/microsoft_windows_10_device_guard/
Do you think that Microsoft can make this work as described?
(Score: 4, Informative) by nethead on Sunday April 26 2015, @04:05AM
This is for sysadmins in enterprise situations to keep the users from infecting the whole network. This isn't a feature for geeks like us to use on our own computers. Remember that almost all business runs on Windows and keeping the crap out of a network is a full time nightmare.
How did my SN UID end up over 3 times my /. UID?
(Score: 2, Interesting) by Anonymous Coward on Sunday April 26 2015, @10:14AM
I agree that this will be beneficial to sys admins (and their sanity), but I'm betting the new system setup process will ask the user/consumer if they want their system to be protected from/against unknown software. The phrasing of the question might (and probably will) result in many opting in. And do you know how many installers for existing software (let alone the software itself) are cryptographicly signed by MS? Very few (if any) non-MS titles, and not many MS software titles released before Win 8.
This can, and will, result in frustrations and unnecessary new software purchases right out of the box for consumers.
(Score: 3, Interesting) by Bot on Sunday April 26 2015, @11:44AM
MS pushed a mobile OS on desktop users, it can surely push an enterprise feature on desktop users as well.
In other news, Steam business decision to expand to Linux seems now a good move, possibly the next desktops with MS stuff on it should not be labeled PC but XBOX.
Account abandoned.
(Score: 3, Interesting) by TheLink on Sunday April 26 2015, @06:49PM
I would prefer something like this:
https://bugs.launchpad.net/ubuntu/+bug/156693 [launchpad.net]
See also: https://soylentnews.org/comments.pl?sid=379&cid=9518 [soylentnews.org]
So it's like trust an app but enforce the limits of the trust.
(Score: 0) by Anonymous Coward on Sunday April 26 2015, @06:57PM
OK it's me again- forgot to mention see in particular Scenario C - that's useful for Enterprise stuff.
Smart phones do something like it, but the granularity seems rather poor. Should have stuff like "can see my public/private/work info".
I think Apple has done something like it? https://developer.apple.com/app-sandboxing/ [apple.com]