The lessons of Software Monoculture and Windows Embedded Security

Spotted "The lessons of Software Monoculture" being discussed on the MSTools blog. The original article, on the SDTimes site, looks at software bugs and hackers from a slightly different perspective. Most discussions of Microsoft software security focus on the desktop operating system (no surprise, given the installed base), but what about the Microsoft "Embedded" operating systems?

Microsoft has two embedded operating systems, Windows CE and Windows XP Embedded, and both have interesting security aspects.

Windows CE - Windows CE is built from the ground up as a componentized, real-time operating system. It runs on several processor architectures (x86, MIPS, ARM, SHx) and is built from a completely different code base from desktop Windows. Desktop Windows has three core user-mode components, Kernel32, User32 and GDI32; Windows CE has two, Coredll (roughly the equivalent of Kernel32 on the desktop) and GWES (the Graphics, Windowing and Events Subsystem, which can be thought of as GDI and USER combined). Suppose you are running an x86-based Windows CE device with no platform security configured at all [more on this later]: would even a simple x86 desktop application like Notepad run on it? No. The DLLs and exports that Notepad imports do not exist on Windows CE, so the loader cannot resolve them and the application never starts. The same applies to other desktop applications, including worms and viruses.

Is binary incompatibility between desktop and Windows CE applications sufficient to make a 'secure' operating system? No. It is incidental protection rather than a security boundary (anyone with the Windows CE toolchain can build a native CE binary), so there are additional levels of protection. First, the operating system is componentized: you include only the operating system technologies your device needs. If you don't need a web server, DCOM, MSMQ or other technologies, you don't build them into your operating system image. That still doesn't go far enough if you want to lock the image down further. Windows CE exposes a kernel-level function called OEMCertifyModule, which is passed the binary image of every piece of executable code (EXE, DLL, OCX) before that code is loaded. This gives the OEM the ability to verify the image and assign it a level of trust; verification can be a CRC check, a digital signature, or whatever mechanism the OEM chooses to implement. There are three levels of trust.

  • Full Trust - the application/DLL can call protected APIs, enter kernel mode, etc.
  • Partial Trust - the application/DLL can only call non-protected APIs; it cannot enter kernel mode, alter thread priorities/quantums, etc.
  • No Trust - the application/DLL is not loaded into memory
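Here is the OEMCertifyModule idea worked through in code. This is an added example, not code from the original post or from Windows CE itself: a load-time gate that computes a CRC-32 over the incoming image bytes, looks the result up in an allowlist the OEM populated at image-build time, and maps the outcome onto the three trust levels above. The enum names, the allowlist functions, the demo function and the sample "images" are all illustrative assumptions; the real hook's constants and signature differ. One caveat the post's "CRC check" option deserves: a CRC only catches accidental modification. An attacker who can write the image can append bytes that produce any CRC they like, so a production OEM implementation should verify a digital signature over the image and keep the allowlist somewhere user-mode code cannot write.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Three outcomes of module certification, as described in the post.
 * The enum names are illustrative; they are not the Windows CE constants. */
typedef enum {
    TRUST_NONE = 0,    /* do not load the module */
    TRUST_PARTIAL = 1, /* load, but deny protected APIs and kernel mode */
    TRUST_FULL = 2     /* load with access to protected APIs */
} trust_level_t;

/* Reflected CRC-32 (polynomial 0xEDB88320), bit-serial, no lookup table.
 * Integrity only: it is NOT a defence against a deliberate attacker. */
static uint32_t crc32_buf(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* OEM allowlist: CRC of each approved image and the trust granted to it.
 * On a real device this table would live in ROM/flash that user-mode code
 * cannot write; here it is an in-memory array (assumption for the demo). */
#define MAX_MODULES 16
struct allowed_module { uint32_t crc; trust_level_t trust; };
static struct allowed_module oem_allowlist[MAX_MODULES];
static size_t oem_allowlist_count;

static void oem_allowlist_reset(void) { oem_allowlist_count = 0; }

/* Build-time step: record the CRC of an approved image and its trust level. */
static int oem_register_module(const uint8_t *image, size_t len, trust_level_t trust)
{
    if (oem_allowlist_count >= MAX_MODULES)
        return -1;
    oem_allowlist[oem_allowlist_count].crc = crc32_buf(image, len);
    oem_allowlist[oem_allowlist_count].trust = trust;
    oem_allowlist_count++;
    return 0;
}

/* Load-time step, in the spirit of OEMCertifyModule: given the raw bytes of
 * an EXE/DLL about to be loaded, return the trust level to assign.
 * Unknown or modified images get TRUST_NONE, so the loader rejects them. */
static trust_level_t oem_certify_module(const uint8_t *image, size_t len)
{
    uint32_t crc = crc32_buf(image, len);
    for (size_t i = 0; i < oem_allowlist_count; i++)
        if (oem_allowlist[i].crc == crc)
            return oem_allowlist[i].trust;
    return TRUST_NONE; /* default deny */
}

/* Constructed sample "images": a PE-like MZ header followed by filler. */
static const uint8_t img_shell[]  = { 'M','Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04 };
static const uint8_t img_vendor[] = { 'M','Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05 };

/* Exercises the policy; returns the number of checks that failed (0 = all OK). */
int oem_certify_demo(void)
{
    int failures = 0;
    uint8_t tampered[sizeof img_shell];

    oem_allowlist_reset();
    oem_register_module(img_shell, sizeof img_shell, TRUST_FULL);
    oem_register_module(img_vendor, sizeof img_vendor, TRUST_PARTIAL);

    /* Known-good images get the trust level the OEM recorded for them. */
    failures += oem_certify_module(img_shell, sizeof img_shell) != TRUST_FULL;
    failures += oem_certify_module(img_vendor, sizeof img_vendor) != TRUST_PARTIAL;

    /* One bit changed in an approved image: CRC no longer matches, not loaded. */
    memcpy(tampered, img_shell, sizeof img_shell);
    tampered[sizeof tampered - 1] ^= 0x80;
    failures += oem_certify_module(tampered, sizeof tampered) != TRUST_NONE;

    /* An image the OEM never approved (a foreign binary, a worm...): not loaded. */
    const uint8_t unknown[] = { 'M','Z', 0xCC, 0xCC };
    failures += oem_certify_module(unknown, sizeof unknown) != TRUST_NONE;

    return failures;
}

int main(void)
{
    int failed = oem_certify_demo();
    printf("%s (%d failed checks)\n", failed ? "FAIL" : "OK", failed);
    return failed;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall certify.c`) and run; it prints OK. The shape to carry over to a real OEM layer is the default-deny lookup: anything not explicitly approved, including an approved image with a single bit changed, comes back as No Trust.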

Add to this user authentication (what the post calls 'physical security'): an application running on the device can require the user to prove who they are before certain code paths run. For example, before connecting to the Internet, making a VPN connection to your corporate network, or reading local database information, the user would be asked for a PIN, password or other credential.

Windows CE 5.0 also ships with tools such as PREfast, which analyzes your C/C++ source for potential coding errors, and runtime tools that examine memory load, memory leaks, and GDI and handle leaks.

Windows XP Embedded - Windows XP Embedded is built from the same binaries as Windows XP on the desktop. Right now it is at parity with Windows XP Professional SP1; there is also a Tech Preview of Windows XP Embedded SP2 available for download from the Microsoft Embedded web site.

Since Windows XP Embedded is built from the same binaries as the desktop, doesn't that make it "as secure" as the desktop operating system? There are some aspects specific to Windows XP Embedded to take into account. First, it is a componentized operating system [there are about 10,000 components in the Windows XP Embedded catalog; roughly 8,000 of them are drivers and the rest are operating system features], so componentization is the first step in securing your device: if you don't need Internet Information Server, leave it out; if your application doesn't use RPC or DCOM, don't include those components in your operating system image. Do check the dependencies Target Designer pulls in when you resolve the configuration, because a component you think you removed can come back as a dependency of something you kept.

[Note that DCOM is a reasonable IPC mechanism inside your corporate firewall but is not ideal for internet-to-corporate-network communication: DCOM uses the RPC endpoint mapper plus a range of dynamically assigned ports, all of which would need to be open on your corporate firewall for it to work. I'd certainly recommend looking at SOAP/Web Services for internet-to-corporate-network communication.]

So a smaller operating system, which boots only a subset of the desktop services and technologies, presents a smaller attack surface than the desktop version of Windows XP. Third parties such as Computer Associates and Trend Micro have anti-virus components for Windows XP Embedded; add the SP2 Windows Firewall and NX (No eXecute) support, plus the fact that the device can be locked down so that third-party applications cannot be installed, and you have a pretty secure device. "NX" is also known as Data Execution Prevention (DEP); more information about DEP can be found on the Microsoft Support Site. Note that hardware-enforced DEP needs a processor with NX/XD support; on other processors SP2 provides only the software-enforced form, which covers structured exception handling rather than all executable memory.

Here are some of the updates in Windows XP Embedded SP2 [lifted directly from the Windows XP Embedded SP2 web page, so I apologize for the marketing speak!]:

Security and Networking Enhancements—The SP2 Tech Preview includes the new Windows Firewall. This component enables device builders to configure the firewall by opening and closing certain ports (based on the network topology that the device will be deployed to). Additionally, inbound connections are not permitted by default. The Technology Preview also includes a hardened Internet Explorer that enables more reliable browsing through stronger security profiles. Finally, partners such as Computer Associates and Sygate offer supported anti-virus and network protection clients for Windows XP Embedded.

Enterprise-class Manageability—Easily integrate your Windows XP Embedded-based devices into pre-existing network infrastructures, by using Microsoft-wide management technologies such as Software Update Services (SUS) and Systems Management Server 2003 (SMS). SUS enables automatic scanning and deployment of Microsoft-issued security updates on Windows XP Embedded-based devices. SMS enables you to update your line-of-business application. Choose the technology that's right for your device.

New Features for Innovation—Build powerful multimedia appliances using DirectX 9.0c capabilities. Integrate your device into a broader array of networking infrastructures by implementing Bluetooth support. Enable your device to boot quickly using our new faster boot technology.

Want more information about Windows CE and Windows XP Embedded security? Take a look at the Windows Mobile and Embedded Security Site.

Perhaps one of the upcoming "MSDN Get Embedded" articles should focus on Windows CE and security - let me know what you think...

- Mike