posted by martyb on Sunday April 26 2015, @02:47AM
from the hurdles-all-the-way-down dept.

On Wednesday, at the RSA conference in San Francisco, Microsoft veep Scott Charney outlined a new security mechanism in Windows 10 called Device Guard ( https://blogs.windows.com/business/2015/04/21/windows-10-security-innovations-at-rsa-device-guard-windows-hello-and-microsoft-passport/ ). We've taken a closer look.

The details are a little vague – more information will emerge at the Build event next week – but from what we can tell, Device Guard wraps an extra layer of defense around the operating system to prevent malware from permanently compromising a PC.

Device Guard, when enabled by an administrator, checks to see if each and every application is cryptographically signed by Microsoft as a trusted binary before it is allowed to run. Device Guard itself runs in its own pocket of memory with its own minimal instance of Windows, and is protected from the rest of the system by the IOMMU features in the PC's processor and motherboard chipset.

These IOMMU features (outlined here by the Minix project http://www.minix3.org/docs/szekeres-iommu.pdf ) wall off Device Guard from the computer's hardware, so it cannot be tampered with by other software, no matter how low level that software is.

If the Windows 10 kernel, which has control over the PC, is compromised, Device Guard will remain fire-walled off, and cannot be subverted into allowing unauthorized code to run. A hypervisor running beneath the kernel and Device Guard enforces this.

(In theory, that is – similar "secure execution environments" have been defeated in the past.)
http://atredispartners.blogspot.com/2014/08/here-be-dragons-vulnerabilities-in.html
http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

http://www.theregister.co.uk/2015/04/23/microsoft_windows_10_device_guard/

Do you think that Microsoft can make this work as described?

 
  • (Score: 2) by kaszz (4211) on Sunday April 26 2015, @08:51AM (#175304)

    You can implement what you describe by using a write-once disc (CD, DVD, BD) and push the WR pin of the flash memory hard to high or such.

    But the problem isn't the flash memory in principle, it's the design of the operating system. Especially how things are compartmentalized.

  • (Score: 1) by anubi (2828) on Monday April 27 2015, @07:16AM (#175605)

    Problem is CDR is slow to access and you can't really "install" to CDR that easily, albeit I believe it could be done. Shadowing it to RAM would be tricky as a rogue program could alter the RAM copy on the fly.

    Like you say, the way Windows is written is not compatible with doing it this way.

    I ran my gamut of DOS bugs like everyone else. I feel I got a pretty good idea of how risky it is to run stray executables. The first malware I got "over the phone" was an ANSI bomb. I also got several boot sector infectors and assorted other nasties sharing executables with others. It took several years, but eventually I learned pretty well how a DOS machine worked and the ways it could be sabotaged.

    By then I knew how my machine worked. I do not believe you could have done anything worse to me than force me to re-initialize my system. By that time, I was well aware of the wisdom of backing up. Frequently. And how to keep track of "signatures" of executables ( I liked the MD5 checksummer I corked up in Borland TurboC++, but CRCheck would work as well ).

    Then came Windows. I got my first macro virus shortly thereafter - from a client no less. The Word Concept virus. This was Windows95! And Microsoft is STILL coding their stuff with embedded executables.

    Microsoft will call 'em "macros", "scripts", or other business lingo so as to make the business tie-guys think they are on the leading edge of technology, when what they are really doing is accepting a system someone else controls - that "someone else" being the guy who coded that script or macro that the business tie-guy runs when he tries to read that document.

    I was just watching a re-run of the old 1950's Titanic movie last night... watching the engineer tell the captain his ship is sinking. At least the captain took his engineer seriously - and did not lay him off for not being a team player or ridicule him for being a conspiracy theorist. The engineer understood the hydraulics and water displacement physics of the ship, and time remaining until the ship sinks. He had to stand there helpless watching one bulkhead after another fail in cascade as the pressures mounted.

    I was pondering how many of us right here are watching our computational infrastructure listing in the same way. We watch the hand of the Lobbyist shake the hand of the Congressman. We see laws being penned for the hopeless paradigm of supposedly having only selected parties controlling our machines from afar, enforcing their wishes. Yet we know those same techniques being used by the people "in control" will also be used by others with nefarious intentions. The Titanic engineer knew the weight of those relentless streams of water entering the Titanic, just as a lot of us know of the constant greed of business elite as well as how likely a bribed uneducated ( as far as knowing how his machine works ) Congressman would honor their request. By mandating machines riddled with secret backdoors, we have foisted upon ourselves a computing infrastructure no-one can trust.

    It's the very pens of those Congressmen that have steered our computational infrastructure into being an enforcer and tattletale for those who know the backdoor structures.

    Remember that story here about the farmers who no longer can control their own tractor?

    Lobbyists walk away with a smile after having a Congressman sign law for them. No-one learned anything from Concept? How about all those business elite who formed the DVD-CCA and their highly secret "Content Scramble System"? The Secret Sauce gets out and now anyone copies DVDs. So Business wants to do the very same thing with computers? They really think all this encryption stuff is going to "protect their property"? Would making contracts illegible make them more secure? All they are doing is paving the road for others to game the system by discovering the secret sauce and penetrating everyone's machine.

    I lost my job with a government contractor over pointing stuff like this out.

    I feel as helpless watching our computer infrastructure become unusable as the engineer on the Titanic seeing water flooding compartment after compartment, except in my case, I would have been relieved of duty for pointing it out.

    I get so frustrated. Why is it people like me experience first-hand the effects of mixing code and data, and keep seeing it happen over and over and over, and can't do a damned thing about it. Then get in trouble for trying to steer around it, only to see others do exactly what I know good and well not to do, get promoted, and enjoy a cushy retirement, compliments of Uncle Sam?

    There was a Star Trek TNG episode where the whole ship, except Wesley Crusher, went all-a-gaga over some little game. Everybody got so absorbed in it as the ship went to hell. I feel the same thing watching our computational infrastructure going to hell because somebody feels they have the rights to control what you do on your own machine - and they are sweet-talking Congress into their way of thinking. And Congress, apparently ignorant of how important it is to have trustworthy machines, is going along with it.