SoylentNews is people

posted by martyb on Sunday April 26 2015, @02:47AM
from the hurdles-all-the-way-down dept.

On Wednesday, at the RSA conference in San Francisco, Microsoft veep Scott Charney outlined a new security mechanism in Windows 10 called Device Guard ( https://blogs.windows.com/business/2015/04/21/windows-10-security-innovations-at-rsa-device-guard-windows-hello-and-microsoft-passport/ ). We've taken a closer look.

The details are a little vague – more information will emerge at the Build event next week – but from what we can tell, Device Guard wraps an extra layer of defense around the operating system to prevent malware from permanently compromising a PC.

Device Guard, when enabled by an administrator, checks to see if each and every application is cryptographically signed by Microsoft as a trusted binary before it is allowed to run. Device Guard itself runs in its own pocket of memory with its own minimal instance of Windows, and is protected from the rest of the system by the IOMMU features in the PC's processor and motherboard chipset.

These IOMMU features (outlined here by the Minix project http://www.minix3.org/docs/szekeres-iommu.pdf ) wall off Device Guard from the computer's hardware, so it cannot be tampered with by other software, no matter how low level that software is.

If the Windows 10 kernel, which has control over the PC, is compromised, Device Guard will remain fire-walled off, and cannot be subverted into allowing unauthorized code to run. A hypervisor running beneath the kernel and Device Guard enforces this.

(In theory, that is – similar "secure execution environments" have been defeated in the past.)
http://atredispartners.blogspot.com/2014/08/here-be-dragons-vulnerabilities-in.html
http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html

http://www.theregister.co.uk/2015/04/23/microsoft_windows_10_device_guard/

Do you think that Microsoft can make this work as described?

  • (Score: 1, Funny) by Anonymous Coward on Sunday April 26 2015, @02:50AM

    by Anonymous Coward on Sunday April 26 2015, @02:50AM (#175240)

    Why doesn't Linux have advanced security functionality like this?

    • (Score: 0) by Anonymous Coward on Sunday April 26 2015, @03:08AM

      by Anonymous Coward on Sunday April 26 2015, @03:08AM (#175248)

      Why doesn't Linux have advanced security functionality like this?

      Because it's not made of Swiss Cheese like Windows is? Or, for those who are metaphorically impaired, because it doesn't need it.

    • (Score: 2) by ls671 on Sunday April 26 2015, @05:21AM

      by ls671 (891) Subscriber Badge on Sunday April 26 2015, @05:21AM (#175274) Homepage

      Changes in Minix 3 mentioned in TFS will be backported to Linux.

      --
      Everything I write is lies, including this sentence.
    • (Score: 0) by Anonymous Coward on Monday April 27 2015, @07:51AM

      by Anonymous Coward on Monday April 27 2015, @07:51AM (#175611)

      Linux has no monopoly to protect.

      Note that this was not "allowing only authorized software", but "allowing only software signed by Microsoft". LibreOffice is not allowed, MS Office with their famous macro viruses is, XMPP is not allowed, Skype with the centralized servers with a separate line straight to the NSA is.

      • (Score: 1, Insightful) by Anonymous Coward on Monday April 27 2015, @06:59PM

        by Anonymous Coward on Monday April 27 2015, @06:59PM (#175815)

        I haven't read TFA, but I'm guessing programs can be added to a whitelist--maybe during installation--with the user's authorization. I don't think it would be in Microsoft's interests to destroy the "open-ness" (i.e. run what programs you want) of Windows.

        • (Score: 3, Insightful) by Reziac on Tuesday April 28 2015, @04:01PM

          by Reziac (2489) on Tuesday April 28 2015, @04:01PM (#176126) Homepage

          I agree, but what if you want to run something that Microsoft would not approve; say, a software crack or ripping program?? And don't think this hasn't crossed their minds.

          --
          And there is no Alkibiades to come back and save us from ourselves.
  • (Score: 5, Insightful) by aristarchus on Sunday April 26 2015, @02:52AM

    by aristarchus (2645) on Sunday April 26 2015, @02:52AM (#175241) Journal

    If the Windows 10 kernel, which has control over the PC, is compromised, Device Guard will remain fire-walled off, and cannot be subverted into allowing unauthorized code to run.

    Compromised, as in claiming to actually be Windows 8.1, or Windows 8, or 7, or Wista, or XP or Win95. Or Linux. Yep. Prepare to be Upgraded, big time!

    • (Score: 1, Insightful) by Anonymous Coward on Sunday April 26 2015, @02:58AM

      by Anonymous Coward on Sunday April 26 2015, @02:58AM (#175243)

      What are you talking about?

      • (Score: 0) by Anonymous Coward on Sunday April 26 2015, @03:14AM

        by Anonymous Coward on Sunday April 26 2015, @03:14AM (#175252)

        I think GP is claiming the 11-ness of Windows 10's "OMG Ponies!"-ness will lead to the assimilation of one and all. Resistance will be futile.

      • (Score: 1, Flamebait) by aristarchus on Sunday April 26 2015, @03:24AM

        by aristarchus (2645) on Sunday April 26 2015, @03:24AM (#175254) Journal

        Do you find that you are having difficulty following conversations? Do the things that other people say sometimes not make sense? Do you have to ask for explanations constantly? Maybe you need a hearing aid!!! Except that, this is reading. Oh. Sorry. You need education! Look up "redux", it's French, actually. And if you seriously do not know what UEFI is, may the gods have mercy on your soul, or at least may you be in heaven well before systemd even knows you're dead.

        • (Score: 2, Insightful) by Anonymous Coward on Sunday April 26 2015, @03:53AM

          by Anonymous Coward on Sunday April 26 2015, @03:53AM (#175259)

          No, I don't have difficulty following conversations when the people involved aren't babbling like a fucking moron, as you seem to have a tendency to do. You need to think before you type. Write words and sentences that flow together into the expression of coherent ideas. When you do that, people will find it easier to understand what you're trying to say.

          • (Score: 0, Troll) by aristarchus on Sunday April 26 2015, @04:29AM

            by aristarchus (2645) on Sunday April 26 2015, @04:29AM (#175265) Journal

            Sorry, I couldn't make out what you were saying? Are you a Micro$oft shill? I cannot conceive of any other reason someone would be complaining about their own lack of comprehension. And since YOU are the AC, I claim no backs.

            • (Score: 0) by Anonymous Coward on Sunday April 26 2015, @12:18PM

              by Anonymous Coward on Sunday April 26 2015, @12:18PM (#175327)

              You are a lost cause. You wrote an incomprehensible comment that basically just listed different versions of Windows, and now everybody else is to blame for your comment being incomprehensible? Son, please think before you write. Submit comments that make sense, and people won't laugh at you.

        • (Score: 3, Insightful) by Runaway1956 on Sunday April 26 2015, @10:52AM

          by Runaway1956 (2926) Subscriber Badge on Sunday April 26 2015, @10:52AM (#175316) Journal

          Parent post is flamebait? Come on children, I laughed out loud - literally - when I read that.

          • (Score: 3, Touché) by aristarchus on Sunday April 26 2015, @11:36AM

            by aristarchus (2645) on Sunday April 26 2015, @11:36AM (#175320) Journal

            Runaway!! Is that you? (cough, cough!) You are the last one I expected to come to my aid! Sorry about the disagreements we had! (Hack, brrachhh!) They hit me with a spam mod, Runaway! I never even saw it coming. Most likely from orbit, they thought it was the only way to be sure. Looks like it's curtains for me!!! (Ouch, ow, moan.)

            All I can say, is save yourself! I thought those who were complaining about mod bombers were complaining about the rest of us here on Soylent News, but now I realize that it was more of a threat than a complaint! My karma is the lowest it's ever been, in spite of actually submitting an article that actually got accepted (for a change), I don't think I will survive this! Oh, the irony, to have lived 2400 years as a human, only to be brought down by anonymous modders on Soylent News. Say goodbye to all the Soylentils for me, tell Laura I love her, and (gasp) remember me to Broadway! Thanks for being here for me, bro!!

            (Oh, word to the wise, STAY OUT OF PLAYREADY THREAD!!!! It's a trap!!)

          • (Score: -1, Flamebait) by Anonymous Coward on Sunday April 26 2015, @12:46PM

            by Anonymous Coward on Sunday April 26 2015, @12:46PM (#175335)

            "Pathetic" would be a better mod. Or possibly "Retarded".

  • (Score: 1, Insightful) by Anonymous Coward on Sunday April 26 2015, @03:02AM

    by Anonymous Coward on Sunday April 26 2015, @03:02AM (#175244)

    so is the source code.

    • (Score: 0, Disagree) by Anonymous Coward on Sunday April 26 2015, @03:04AM

      by Anonymous Coward on Sunday April 26 2015, @03:04AM (#175246)

      Just because it's vague to you it does not mean that it's vague to Microsoft.

      • (Score: 0) by Anonymous Coward on Sunday April 26 2015, @03:08AM

        by Anonymous Coward on Sunday April 26 2015, @03:08AM (#175249)

        ...And the NSA.

        • (Score: 4, Funny) by Anonymous Coward on Sunday April 26 2015, @03:40AM

          by Anonymous Coward on Sunday April 26 2015, @03:40AM (#175257)

          ... and Lennart Poettering.

  • (Score: 3, Insightful) by Anonymous Coward on Sunday April 26 2015, @03:12AM

    by Anonymous Coward on Sunday April 26 2015, @03:12AM (#175251)

    checks to see if each and every application is cryptographically signed by Microsoft as a trusted binary

    Does this mean that MS will need to "approve" your app by signing it? Hmm ... maybe the only place to get a cryptographically signed version of an app will be the Microsoft Store built into Windows 10?

    • (Score: 0) by Anonymous Coward on Sunday April 26 2015, @03:55AM

      by Anonymous Coward on Sunday April 26 2015, @03:55AM (#175261)

      Do you have anything to back up your claims? Or are you just speculating?

      • (Score: -1, Redundant) by Anonymous Coward on Sunday April 26 2015, @04:38AM

        by Anonymous Coward on Sunday April 26 2015, @04:38AM (#175268)

        The disruption of communication and requiring cryptographically signed code can only mean one thing: invasion. The Trade Federation is making their move. Sometimes speculation is strategically necessary.

      • (Score: 5, Interesting) by maxwell demon on Sunday April 26 2015, @06:53AM

        by maxwell demon (1608) on Sunday April 26 2015, @06:53AM (#175287) Journal

        The summary says: Only code signed by Microsoft will be allowed to run.

        Obviously only Microsoft will be able to sign code (well, and anyone managing to get Microsoft's private key; so the NSA probably will be able, too, but certainly not normal programmers). Therefore Microsoft has full control about which code runs on systems with Device Guard enabled. The whole point of signing is approving.

        It is also obvious that Microsoft will take advantage of that requirement to make money. After all, it is a publicly traded company, where the investors expect that any money-making opportunity is used. Requiring the application to be sold exclusively over Microsoft Store would be one possible way for Microsoft to profit from it, and there's precedent for requiring applications to be sold through a store owned by the OS maker (namely Apple), so the idea is certainly not completely off.

        Of course it might also be that Microsoft just makes the actual signing process expensive. Expensive enough that independent developers won't be able to afford it. And certainly expect Microsoft to have rules to prevent anything they don't like, as far as they can get away with it (again, there's Apple precedent).

        --
        The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2, Interesting) by Anonymous Coward on Sunday April 26 2015, @09:57AM

        by Anonymous Coward on Sunday April 26 2015, @09:57AM (#175312)

        Do you have anything to back up your claims? Or are you just speculating?

        The OP asked two questions (just like you did). I don't see that s/he made any "claims".

        Considering the "signed by Microsoft" BS that MS required in UEFI's "trusted" mode in order to boot a non-MS OS (referenced by someone else in these posts) I think Device Guard's "signed by Microsoft" requirement would be the same.

        As mentioned above, this is similar to Apple's approach for applications on iOS (except Apple doesn't allow this type of "feature" to be turned off; it requires jail breaking your iOS device).

    • (Score: 4, Informative) by nethead on Sunday April 26 2015, @04:05AM

      by nethead (4970) <joe@nethead.com> on Sunday April 26 2015, @04:05AM (#175262) Homepage

      This is for sysadmins in enterprise situations to keep the users from infecting the whole network. This isn't a feature for geeks like us to use on our own computers. Remember that almost all business runs on Windows and keeping the crap out of a network is a full time nightmare.

      --
      How did my SN UID end up over 3 times my /. UID?
      • (Score: 2, Interesting) by Anonymous Coward on Sunday April 26 2015, @10:14AM

        by Anonymous Coward on Sunday April 26 2015, @10:14AM (#175313)

        I agree that this will be beneficial to sys admins (and their sanity), but I'm betting the new system setup process will ask the user/consumer if they want their system to be protected from/against unknown software. The phrasing of the question might (and probably will) result in many opting in. And do you know how many installers for existing software (let alone the software itself) are cryptographically signed by MS? Very few (if any) non-MS titles, and not many MS software titles released before Win 8.

        This can, and will, result in frustrations and unnecessary new software purchases right out of the box for consumers.

      • (Score: 3, Interesting) by Bot on Sunday April 26 2015, @11:44AM

        by Bot (3902) on Sunday April 26 2015, @11:44AM (#175321) Journal

        MS pushed a mobile OS on desktop users, it can surely push an enterprise feature on desktop users as well.

        In other news, Steam business decision to expand to Linux seems now a good move, possibly the next desktops with MS stuff on it should not be labeled PC but XBOX.

        --
        Account abandoned.
      • (Score: 3, Interesting) by TheLink on Sunday April 26 2015, @06:49PM

        by TheLink (332) on Sunday April 26 2015, @06:49PM (#175411) Journal

        I would prefer something like this:
        https://bugs.launchpad.net/ubuntu/+bug/156693 [launchpad.net]
        See also: https://soylentnews.org/comments.pl?sid=379&cid=9518 [soylentnews.org]

        So it's like trust an app but enforce the limits of the trust.

        • (Score: 0) by Anonymous Coward on Sunday April 26 2015, @06:57PM

          by Anonymous Coward on Sunday April 26 2015, @06:57PM (#175412)

          OK it's me again- forgot to mention see in particular Scenario C - that's useful for Enterprise stuff.

          Smart phones do something like it, but the granularity seems rather poor. Should have stuff like "can see my public/private/work info".

          I think Apple has done something like it? https://developer.apple.com/app-sandboxing/ [apple.com]

    • (Score: 3, Interesting) by MichaelDavidCrawford on Sunday April 26 2015, @04:19AM

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Sunday April 26 2015, @04:19AM (#175263) Homepage Journal

      If I provide software for download from my own website, will it be signed by microsoft?

      --
      Yes I Have No Bananas. [gofundme.com]
      • (Score: 2) by gnuman on Sunday April 26 2015, @05:26AM

        by gnuman (5013) on Sunday April 26 2015, @05:26AM (#175275)

        It probably means signed, not signed by Microsoft. Compromised keys could be revoked by Microsoft.

      • (Score: 2, Interesting) by Anonymous Coward on Sunday April 26 2015, @12:56PM

        by Anonymous Coward on Sunday April 26 2015, @12:56PM (#175337)

        In a similar vein, if I develop specialized software (perhaps for just one customer), how much extra will I be forced to charge my customer to have it signed so that the customer can run it?

    • (Score: 0) by Anonymous Coward on Sunday April 26 2015, @12:33PM

      by Anonymous Coward on Sunday April 26 2015, @12:33PM (#175331)

      They probably want to get rid of independent software developers and small companies and instead have corporations take their place. Let all code be written by MS or one of its "affiliates". This way, anyone who wants to make money writing code for MS Windows will either be working for MS directly or its gang of affiliates.

      Sorry, but I do not wish to work for MS or its gang. They can shove their "dream" jobs. Same goes for Google and Farcebook. And the rest of the NSA/CIA/Mossad friends.

      Or maybe they will add a "Microsoft-approved" virus to the binaries while signing them. They are capable of anything.

  • (Score: 5, Insightful) by meisterister on Sunday April 26 2015, @05:49AM

    by meisterister (949) on Sunday April 26 2015, @05:49AM (#175277) Journal

    ...to disable if I ever decide to install this POS.

    --
    (May or may not have been) Posted from my K6-2, Athlon XP, or Pentium I/II/III.
  • (Score: 2) by kaszz on Sunday April 26 2015, @06:09AM

    by kaszz (4211) on Sunday April 26 2015, @06:09AM (#175284) Journal

    Device Guard wraps an extra layer of defense around the operating system to prevent malware from permanently compromising a PC.

    Wrong philosophy again!

    Device Guard, when enabled by an administrator, checks to see if each and every application is cryptographically signed by Microsoft as a trusted binary before it is allowed to run.

    Microsoft isn't trusted so - FAIL!

    Summary TL;DR: Bad security philosophy and you can't trust the vendor so throw it into a virtual environment where it belongs.

    • (Score: 4, Interesting) by anubi on Sunday April 26 2015, @07:51AM

      by anubi (2828) on Sunday April 26 2015, @07:51AM (#175298) Journal

      What I propose might be full of holes... but I sure liked the old way of doing things where I had EPROM bios ROM and it took physical removal of the chip, an ultraviolet lamp, and a dedicated EPROM burner to change the BIOS code.

      Memory was small and expensive back then. I remember a lot of the "later" BIOS was on 27C256 or 27C512 EPROM.

      Now, humongous flash memory is pretty cheap.

      One thing I think I would really like is to have my "pristine" copy of my OS kernel in a flash-ROM kind of device with a write-enable jumper. When I am loading the OS for the first time from original sources, I put the jumper on and write to it. Once the software has seen the innards of the machine I am installing it into and has gotten all its drivers in order, then I can remove the jumper and proceed to use it, knowing nothing can write back to it. This would be the "fresh out of box" state.

      At any time, should I get malware, I should be able to use the non-infectable kernel programs on the ROM to assist in finding the problem.

      And if worse comes to worse... FORMAT C: ( I got shivers typing that! ). After that, I am back to "fresh out of box" state. Sure, all the data is gone, and if I had been keeping backups, I could carefully move my data files back over and re-establish the executables from trusted sources.

      Having the kernel itself exposed in the way it is now just looks plain foolish. I believe kernel code should only be writable during OS installation. Once installed, I believe it should take physical access to the machine to overwrite it. There is nothing I can do to keep from being tricked into running rogue code now and then... however I would love my machine configured in such a way that there is no hardware mechanisms available to do much harm. Anything needing to modify the kernel ( keylogger, spyware, anything hooking onto system I/O functions ) would require me to insert the jumper. The kernel itself should be able to give me accurate reports of which processes it is running. Hide your process from the kernel - and it won't execute.

      Our systems have become so fragmented by "rights management", where some people can do things others are disallowed. It is no longer an issue of who has the "rights", rather it has become the issue of "who knows how to get around the guard". In a secure system, everything should be open and verifiable to the user. And ( unfortunately for some ), that means the end of "digital rights management". Either all can do it, or nobody can do it. Just like the old DOS system. Having mechanisms in place to use my machine to do something for you behind my back only invites others to do the same, except the others likely have nefarious things they want my machine to do for them.

      Personally, I do not think Congress is going to take the issue of computer system robustness seriously until we have most of our income taxes done through our computers, and a good round of malware causes a very significant amount of tax returns to be botched. Having a load of sewage put in along with the meal will get Vaal's ( Star Trek reference ) attention. I feel this scenario is inevitable given the path we are on.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2) by kaszz on Sunday April 26 2015, @08:51AM

        by kaszz (4211) on Sunday April 26 2015, @08:51AM (#175304) Journal

        You can implement what you describe by using a write-once disc (CD, DVD, BD) and push the WR pin of the flash memory hard to high or such.

        But the problem isn't the flash memory in principle it's the design of the operating system. Especially how things are compartmentalized.

        • (Score: 1) by anubi on Monday April 27 2015, @07:16AM

          by anubi (2828) on Monday April 27 2015, @07:16AM (#175605) Journal

          Problem is CDR is slow to access and you can't really "install" to CDR that easily, albeit I believe it could be done. Shadowing it to RAM would be tricky as a rogue program could alter the RAM copy on the fly.

          Like you say, the way Windows is written is not compatible with doing it this way.

          I ran my gamut of DOS bugs like everyone else. I feel I got a pretty good idea of how risky it is to run stray executables. The first malware I got "over the phone" was an ANSI bomb. I also got several boot sector infectors and assorted other nasties sharing executables with others. It took several years, but eventually I learned pretty well how a DOS machine worked and the ways it could be sabotaged.

          By then I knew how my machine worked. I do not believe you could have done anything worse to me than force me to re-initialize my system. By that time, I was well aware of the wisdom of backing up. Frequently. And how to keep track of "signatures" of executables ( I liked the MD5 checksummer I corked up in Borland TurboC++, but CRCheck would work as well ).

          Then came Windows. I got my first macro virus shortly thereafter - from a client no less. The Word Concept virus. This was Windows95! And Microsoft is STILL coding their stuff with embedded executables.

          Microsoft will call 'em "macros", "scripts", or other business lingo so as to make the business tie-guys think they are on the leading edge of technology, when what they are really doing is accepting a system someone else controls - that "someone else" being the guy who coded that script or macro that the business tie-guy runs when he tries to read that document.

          I was just watching a re-run of the old 1950's Titanic movie last night... watching the engineer tell the captain his ship is sinking. At least the captain took his engineer seriously - and did not lay him off for not being a team player or ridicule him for being a conspiracy theorist. The engineer understood the hydraulics and water displacement physics of the ship, and time remaining until the ship sinks. He had to stand there helpless watching one bulkhead after another fail in cascade as the pressures mounted.

          I was pondering how many of us right here are watching our computational infrastructure listing in the same way. We watch the hand of the Lobbyist shake the hand of the Congressman. We see laws being penned for the hopeless paradigm of supposedly having only selected parties controlling our machines from afar, enforcing their wishes. Yet we know those same techniques being used by the people "in control" will also be used by others with nefarious intentions. The Titanic engineer knew the weight of those relentless streams of water entering the Titanic, just as a lot of us know of the constant greed of business elite as well as how likely a bribed uneducated ( as far as knowing how his machine works ) Congressman would honor their request. By mandating machines riddled with secret backdoors, we have foisted upon ourselves a computing infrastructure no-one can trust.

          It's the very pens of those Congressmen that have steered our computational infrastructure into being an enforcer and tattletale for those who know the backdoor structures.

          Remember that story here about the farmers who no longer can control their own tractor?

          Lobbyists walk away with a smile after having a Congressman sign law for them. No-one learned anything from Concept? How about all those business elite who formed the DVD-CCA and their highly secret "Content Scramble System". The Secret Sauce gets out and now anyone copies DVD's. So Business wants to do the very same thing with computers? They really think all this encryption stuff is going to "protect their property"? Would making contracts illegible make them more secure? All they are doing is paving the road for others to game the system by discovering the secret sauce and penetrating everyone's machine.

          I lost my job with a government contractor over pointing stuff like this out.

          I feel as helpless watching our computer infrastructure become unusable as the engineer on the Titanic seeing water flooding compartment after compartment, except in my case, I would have been relieved of duty for pointing it out.

          I get so frustrated. Why is it people like me experience first-hand the effects of mixing code and data, and keep seeing it happen over and over and over, and can't do a damned thing about it. Then get in trouble for trying to steer around it, only to see others do exactly what I know good and well not to do, get promoted, and enjoy a cushy retirement, compliments of Uncle Sam?

          There was a Star Trek TNG episode where the whole ship, except Wesley Crusher, went all-a-gaga over some little game. Everybody got so absorbed in it as the ship went to hell. I feel the same thing watching our computational infrastructure going to hell because somebody feels they have the rights to control what you do on your own machine - and they are sweet-talking Congress into their way of thinking. And Congress, apparently ignorant of how important it is to have trustworthy machines, is going along with it.

  • (Score: 5, Informative) by PizzaRollPlinkett on Sunday April 26 2015, @10:20AM

    by PizzaRollPlinkett (4512) on Sunday April 26 2015, @10:20AM (#175314)

    Stuxnet was spread by a valid, signed cryptographic key, so this trust-until-revoked thing doesn't seem to have worked in the past. Oh, and the SecurID thing from RSA used the same model, and it was compromised. Has trust-until-revoked ever worked?

    --
    (E-mail me if you want a pizza roll!)
  • (Score: 4, Interesting) by pTamok on Sunday April 26 2015, @01:20PM

    by pTamok (3042) on Sunday April 26 2015, @01:20PM (#175338)

    "Device Guard, when enabled by an administrator, checks to see if each and every application is cryptographically signed by Microsoft as a trusted binary before it is allowed to run."

    It would not be difficult for Microsoft to code this to allow a PC's owner to trust a set of signing keys - Microsoft could be one, but so could the FSF, or Google, or anyone else. Device Guard then becomes a whitelisting mechanism, and those who want to trust Microsoft only, could, and those who wanted to code their own applications, or trust another software supplier could.

    By restricting it to Microsoft signing keys, Microsoft are showing in no uncertain terms they do not want to support choice.

  • (Score: 2, Interesting) by pmontra on Sunday April 26 2015, @07:20PM

    by pmontra (1175) on Sunday April 26 2015, @07:20PM (#175420)

    I suggested this to a friend today, after removing a ton of malware for the nth time (lately he had a PC that randomly opened web pages on dubious sites). Wipe the machine, install a random Linux distro and forget about it. Install VirtualBox, install Windows inside it, install everything you need and put your data on the D: disc, shared from the Linux host. Make a snapshot of the Windows VM and back it up. Keep working in Windows as you always did. When Windows is too infested, wipe it and start again from the snapshot. I'll be happy to do the installation myself and not having to worry about viruses anymore.

    Maybe MS could do something like that, expendable Windows guests, but please don't use Linux as host OS because I don't want crooks to start targeting it with rootkits.

  • (Score: 2) by arslan on Sunday April 26 2015, @11:23PM

    by arslan (3462) on Sunday April 26 2015, @11:23PM (#175520)

    So, doesn't this effectively turn Windows 10 into an App-Store-esque environment like all the iDevices? Nothing new here then.. whether Jobs will reach out from his grave and sue MS remains to be seen.