Well, we’re back after an exciting week in Las Vegas presenting on Microsoft Windows Vista. There are plenty of reports out there recapping what we discussed, so I won’t go any further into that in this post.
But there were many presentations outside of the Windows Vista track at Black Hat last week, including the Device Drivers presentation by David Maynor and Johnny Cache, which generated significant buzz afterwards. In the end, David and Johnny even demo’d a method to take over a Mac OS X box using a wireless vulnerability. To be fair, that weakness isn’t unique to Mac OS X, and our wireless teams have already been working on mitigations with the Wi-Fi Alliance.
A presentation that pertained directly to Windows Vista was Joanna Rutkowska’s “Blue Pill” demonstration. Joanna’s obviously incredibly talented. She demo’d a way for someone who has admin level access to attempt to insert unsigned code into the kernel on the x64 versions of Windows Vista. Some people have commented that this demo means that some of Microsoft’s security work in Windows Vista doesn’t matter. Untrue. It is important to consider a couple of different things: There is no “silver bullet” when it comes to security, and it’s very difficult to protect against an attacker that is sitting at the console of your computer with an administrator command window open. With the two demos that were shown relating to driver signing and virtualization, both started by assuming that the person trying to execute the code already had administrative privileges on the computer. We’re certainly looking into her research to determine if any changes should be made before the final release of Windows Vista; however, it’s difficult for any operating system to limit the powers of someone who already has administrative privileges on a computer. But the way I look at it, that’s the very reason why Windows Vista is built with a defense-in-depth mindset—to help prevent attackers from getting administrative privileges in the first place. Remember, that’s the goal: using multiple layers to try and prevent elevation of privilege. For Windows Vista, we’re a lot like Shrek’s onion analogy—lots of layers. Firewall on by default, running as standard user, Windows Service Hardening, Internet Explorer 7 protected mode, support for hardware data execution prevention (/NX), Address Space Layout Randomization, Windows Defender…and that’s just to name seven.
Like the previous examples, signed driver checking on x64 versions of Windows Vista is a defense-in-depth measure. It is designed to make potential attacks more difficult, but it is not impervious on its own. A driver-signing requirement also helps improve the reliability of Windows Vista. Microsoft’s crash analysis reports indicate that many system crashes result from inadequate design and testing of kernel-mode drivers. Requiring the authors of these drivers to identify themselves makes it easier for Microsoft to determine the cause of system crashes and work with the responsible vendor to resolve the issue.
So for those who think that all of the security work that has gone into Windows Vista doesn’t matter because someone who already had administrative privileges was able to install malware, we respectfully disagree. To get a better understanding of our approach to security in Windows Vista, see our white paper.
It was a great Black Hat, and we already have our teams combing through information to make Windows Vista even better because of it. Special thanks to Black Hat for having us and to all the security researchers I talked to.
- Austin Wilson