Back From Black Hat

Well, we’re back after an exciting week in Las Vegas presenting on Microsoft Windows Vista. There are plenty of reports out there recapping what we discussed, so I won’t go any further into that in this post.

But there were many presentations outside of the Windows Vista track at Black Hat last week, including the Device Drivers presentation by David Maynor and Johnny Cache, which generated significant buzz afterwards. In the end, David and Johnny even demoed a method to take over a Mac OS X box using a wireless vulnerability. To be fair, that weakness isn't unique to Mac OS X, and our wireless teams have already been working on mitigations with the Wi-Fi Alliance.

A presentation that pertained directly to Windows Vista was Joanna Rutkowska's "Blue Pill" demonstration. Joanna's obviously incredibly talented. She demoed a way for someone who already has administrator-level access to insert unsigned code into the kernel on the x64 versions of Windows Vista. Some people have commented that this demo means that some of Microsoft's security work in Windows Vista doesn't matter. Untrue. Two things are worth keeping in mind: there is no "silver bullet" when it comes to security, and it's very difficult to protect against an attacker who is sitting at the console of your computer with an administrator command window open. Both of the demos relating to driver signing and virtualization started by assuming that the person trying to execute the code already had administrative privileges on the computer. We're certainly looking into her research to determine whether any changes should be made before the final release of Windows Vista; however, it's difficult for any operating system to limit the powers of someone who already has administrative privileges on it.

The way I look at it, that's the very reason Windows Vista is built with a defense-in-depth mindset: to help prevent attackers from getting administrative privileges in the first place. Remember, that's the goal: using multiple layers to try to prevent elevation of privilege. For Windows Vista, we're a lot like Shrek's onion analogy: lots of layers. Firewall on by default, running as a standard user, Windows Service Hardening, Internet Explorer 7 Protected Mode, support for hardware Data Execution Prevention (NX), Address Space Layout Randomization, Windows Defender... and that's just to name seven.

Like the layers listed above, signed driver checking on x64 versions of Windows Vista is a defense-in-depth measure. It is designed to make potential attacks more difficult, but it is not impervious on its own. A driver-signing requirement also helps improve the reliability of Windows Vista. Microsoft's crash analysis reports indicate that many system crashes result from inadequate design and testing of kernel-mode drivers. Requiring the authors of these drivers to identify themselves makes it easier for Microsoft to determine the cause of a system crash and work with the responsible vendor to resolve the issue.
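As an added example (not code from the original post or from Microsoft), here is the check an administrator would run to see which kernel-mode drivers currently loaded on a Windows machine carry a valid Authenticode signature on their on-disk image. It uses only standard cmdlets (Get-CimInstance over the Win32_SystemDriver class and Get-AuthenticodeSignature), assumes an elevated PowerShell session on Windows, and the helper name Resolve-DriverPath is my own. Note the caveat in the comments: a driver whose signature lives only in a Windows catalog (.cat) file can report NotSigned on older PowerShell builds even though the kernel's own code-integrity check accepts it, so a non-Valid status is a prompt to investigate, not proof of tampering.

```powershell
# Added example: report running kernel drivers whose image does not have a
# valid embedded Authenticode signature. Run from an elevated PowerShell.
# Output depends entirely on what the machine you run it on has loaded.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Service PathName values come in several forms; normalize them to a Win32 path.
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\Windows\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\system32\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative to %SystemRoot%
    return $p
}

# Only drivers that are actually loaded matter for the "what is in the kernel" question.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'"

$report = foreach ($d in $drivers) {
    $path = Resolve-DriverPath $d.PathName
    if (-not $path -or -not (Test-Path -Path $path)) {
        # Some kernel services have no image path we can resolve; flag rather than skip.
        [pscustomobject]@{ Name = $d.Name; Path = $d.PathName; Status = 'FileNotFound'; Signer = $null }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = $sig.SignerCertificate.Subject   # $null when the file is not signed
    }
}

# Anything other than Valid deserves a look. Caveat: older PowerShell builds do not
# consult catalog (.cat) signatures, so inbox Windows drivers can show NotSigned here
# even though the x64 kernel loaded them as signed. Check those against the catalog
# before treating them as unsigned code that slipped into the kernel.
$report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Name | Format-Table -AutoSize
```

Running this before and after installing third-party software is a cheap way to notice a newly loaded driver that does not identify its vendor, which is exactly the property the signing requirement is meant to provide; it says nothing about code an attacker with administrative rights has already placed in kernel memory without touching a driver file on disk.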

So for those who think that all of the security work that has gone into Windows Vista doesn’t matter because someone who already had administrative privileges was able to install malware, we respectfully disagree. To get a better understanding of our approach to security in Windows Vista, see our white paper.

It was a great Black Hat, and our teams are already combing through what we heard there to make Windows Vista even better because of it. Special thanks to Black Hat for having us and to all the security researchers I talked to.

- Austin Wilson

Comments

  • Anonymous
    August 09, 2006
    The comment has been removed

  • Anonymous
    August 10, 2006
    The comment has been removed

  • Anonymous
    August 21, 2006
    The comment has been removed

  • Anonymous
    August 22, 2006
    Just a quick comment on the Admin aspect of this post.

    I work around many different OSes, and you always hear arguments about why people need 'Administrator/root' privileges for their system.  As far as I am concerned, no one should be on a system with Administrative/Super User privileges to begin with.  Why do you think *NIX makes you create a 'USER' account during OS installation?

    Proper security practices need to be taught to all...create a normal user (no privileges to destroy the system), and if you need to install something you can 'Run As...' or you can 'SU...' to get it on the system.

    Just my 2 cents worth and hope that it is worth it.

  • Anonymous
    August 22, 2006
    The comment has been removed

  • Anonymous
    August 30, 2006
    Web Resources

    [SQL Server and Data Access] 2006 PASS Community Summit: Microsoft SQL...

  • Anonymous
    September 08, 2006
    I can't see the problem here.  If an admin trashes the server, they may find it difficult to find gainful employment in the future.

    If the admin does something stupid, then they have to fix it.  Hopefully, they are intelligent enough to know how to fix it.

  • Anonymous
    September 12, 2006
    The comment has been removed

  • Anonymous
    September 12, 2006
    The comment has been removed

  • Anonymous
    September 26, 2006
    PingBack from http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/07/691441.aspx

  • Anonymous
    January 05, 2007
    PingBack from http://www.vistalogy.com/2006/08/07/back-from-black-hat/

  • Anonymous
    January 29, 2007
    PingBack from http://capslockassassin.com/?p=6

  • Anonymous
    February 11, 2007
    The comment has been removed

  • Anonymous
    February 11, 2007
    The comment has been removed