Slide 1
Windows 8: Malware Resistant by Design
Nathan Ide, Principal Development Lead, Microsoft Corporation
Chris Hallum, Senior Product Manager, Microsoft Corporation
SIA309
Slide 2
Agenda
Securing the Boot
Windows Editions and Form Factors
Windows 8 Investment Areas
Securing After the Boot
Enhanced Security with Modern Hardware
Securing the Core
Slide 3
In the news…
Phone-call security scam targeting PC users
Microsoft is warning customers about a new threat where criminals acting as computer security engineers call people at home to warn them about a security threat.
Lost Devices Cost Companies Billions
Last month, an oil giant announced an unencrypted laptop containing sensitive information on 13,000 individuals. The incident may cost…
The Stealthiest Rootkit in the Wild?
Feds launched the raids against individuals who have allegedly been managing the Rustock "botnet," a vast network of computers around the globe that have been infected with malicious software that allows the devices to distribute enormous volumes of spam…
Michigan firm about to determine 200,000 account passwords in under an hour
The most popular passwords among nearly 400,000 exposed by the Gawker hack were "123456" and "password", according to an analysis done by a Michigan security firm.
RSA warns customers after company is hacked
SecurID tokens from EMC's RSA Security division, which are used for two-factor authentication, have been compromised after a sophisticated cyber-attack…
Security firm's confidential data is exposed after successful hack
A web application security provider has just revealed that a cyber attack appears to have exposed sensitive data about the company's partners and employees, including their login credentials. Representatives from the company haven't responded to emails asking for confirmation…
Microsoft Work Exposes Magnitude of Botnet Threat
Microsoft's Security Intelligence Report sheds light on the expanding threat that bots…
Researchers Discover Link Between a Series of Trojans
A difficult-to-remove rootkit behind numerous sophisticated attacks appears to have helped spread yet another Trojan.
Slide 4
Windows 8 investments in client security
Groundbreaking Malware Resistance
Protects the client, data, and corporate resources by making the client inherently secure and less vulnerable to the effects of malware.
Pervasive Device Encryption
Simplifies provisioning and compliance management of encrypted drives on the widest variety of PC form factors and storage technologies.
Modernized Access Control
Modernizes access control and data management while increasing data security within the enterprise.
Slide 5
Challenges That We Face in Combatting Malware
Malware can hide from anti-malware software
Anti-virus is always playing catch-up with the latest malware
Malware can compromise the PC before Windows starts
Malware can compromise anti-malware software by tampering with it or by starting before it does
Vulnerabilities can be minimized but not completely eliminated
Slide 6
Secure Hardware
Hardware Root of Trust
Unified Extensible Firmware Interface (UEFI)
Trusted Platform Module (TPM)
Slide 7
Why UEFI?
What is UEFI?
An interface that builds on top of, and replaces some aspects of, the traditional BIOS
Like BIOS, it hands control of the pre-boot environment to an OS
Key Benefits
Architecture-independent
Enables device initialization and operation (mouse, pre-OS apps, menus)
Key Security Benefits:
Secure Boot
Encrypted Drive support for BitLocker
Network Unlock support for BitLocker
A Windows Certification Requirement (UEFI 2.3.1)
Slide 8
Trusted Platform Module 2.0
TPM Value Proposition
Enables commercial-grade security via physical and virtual key isolation from the OS
TPM 1.2 spec: mature standard, years of deployment and hardening
Improvements in TPM provisioning lower deployment barriers
TCG Standard evolution: TPM 2.0*
Algorithm extensibility allows for implementation and deployment in additional countries
Security scenarios are compatible with TPM 1.2 or 2.0
Windows 8: TPM 2.0 support enables implementation choice
Discrete TPM
Firmware-based (ARM TrustZone®; Intel's Platform Trust Technology (PTT))
Windows Logo Requirement for AOAC Only
* Microsoft refers to the TCG TPM.Next as "TPM 2.0".
Slide 9
Hardware Requirement and Feature Usage
#    Feature                                      TPM 1.2/2.0    UEFI 2.3.1
1    BitLocker: Volume Encryption                 X
2    BitLocker: Volume Network Unlock             X              X
3    Trusted Boot: Secure Boot                                   X
4    Trusted Boot: ELAM                                          X
5    Measured Boot                                X
6    Virtual Smart Cards                          X
7    Certificate Storage (Hardware Bound)         X
8    Address Space Layout Randomization (ASLR)    X†
9    Visual Studio Compiler                       X†
10   More…
† Marked in the source table; the column the mark belongs in is not legible in the source.
Slide 10
Securing the Core
Preventing Vulnerabilities
Mitigating Exploitation
Slide 11
What motivates the attacker?
Attacker Return = (Gains per use × Opportunities to use) − (Cost to acquire vulnerability + Cost to weaponize)
Attackers want to maximize ROI:
Cheaply find vulnerabilities
Cheaply develop exploits
Maximize the window of time to use the exploit
We will minimize ROI:
Find and eliminate vulnerability classes
Break cookbook techniques and make exploits unreliable
Minimize the attack window
Limit apps' ability to compromise user privacy and data
Slide 12
Securing the Code and Core
Preventing vulnerabilities
Software Development Lifecycle (SDL): Training, Requirements, Design, Implementation, Verification, Release, Response
Tools: Threat Modeling, Static Code Analyzers, Fuzzers, Compilers (VS), More…
Reduce the ability to exploit vulnerabilities
Analyzed telemetry to determine requirements
Add mitigations to reduce the impact of exploits: ASLR, DEP, Windows Heap, Process Integrity Levels
Mitigations: System, Memory, Applications
Slide 13
Securing the Boot
Booting a trustworthy operating system
Securing the Windows 8 boot process
Securing resources from unhealthy systems
Slide 14
UEFI Secure Boot: Legacy vs. Modern
Legacy Boot
BIOS starts any OS loader, even malware
Malware may start before Windows
Modern Boot
The firmware enforces policy and only starts signed OS loaders
The OS loader enforces signature verification of Windows components; if verification fails, Trusted Boot triggers remediation.
Result: malware is unable to change boot and OS components
Slide 15
Securing and Maintaining UEFI
UEFI is Secure by Design
UEFI firmware, drivers, applications, and loaders must be trusted (i.e. signed)
The UEFI database lists trusted and untrusted keys, CAs, and image hashes
The Secured Rollback feature prevents rollback to an insecure version
Untrusted (unsigned) Option ROMs (containing firmware) cannot run
Note: the core firmware image must be integrity protected by the manufacturer
Maintaining UEFI with Windows Update
Updates to UEFI firmware, drivers, applications, and loaders
Revocation process for signatures and image hashes
UEFI Remediation
UEFI is able to execute a UEFI firmware integrity check and self-remediate
UEFI is able to recover the Windows boot manager if integrity checks fail
Slide 16
Trusted and Measured Boot
Trusted Boot
End-to-end boot process protection: Windows operating system loader, Windows system files and drivers, anti-malware software
Prevents: a compromised operating system from starting; software from starting before Windows; 3rd-party software from starting before anti-malware
Automatic remediation/self-healing if compromised
Measured Boot
Creates a comprehensive set of measurements based on Trusted Boot execution
Can offer measurements to a Remote Attestation Service for analysis
Slide 17
Trusted Boot: Early Load Anti-Malware
Windows 7
Malware is able to boot before Windows and anti-malware
Malware is able to hide and remain undetected
Systems can be compromised before AM starts
Windows 8
Secure Boot loads anti-malware early in the boot process
The Early Load Anti-Malware (ELAM) driver is specially signed by Microsoft
Windows starts AM software before any 3rd-party boot drivers
Malware can no longer bypass AM inspection
Slide 18
Demo: Trusted Boot
Chris Hallum, Senior Product Manager, Windows Client Security
Slide 19
Measured Boot
Windows 7
Measurements of some boot components are evaluated as part of boot
Only enabled when BitLocker has been provisioned
Windows 8
Measures all boot components
Measurements are stored in a Trusted Platform Module (TPM)
Remote attestation, if available, can evaluate client state
Enabled when a TPM is present; BitLocker is not required
Slide 20
Malware Resistance: Putting it all together
Components on the client: UEFI Boot, Windows OS Loader, Windows Kernel and Drivers, AM Software, 3rd Party Software, Windows Logon; governed by Boot Policy and AM Policy, with measurements held in the TPM. Off the client: Remote Attestation Service and Remote Resource (File Server).
1. Secure Boot prevents a malicious OS loader
2. AM software is started before all 3rd-party software
3. Measurements of components, including AM software, are stored in the TPM
4. Client attempts to access a resource (file server). Server requests a Client Health Claim.
5. Client retrieves the TPM measurements of the client and sends them to the Remote Attestation Service
6. Remote Attestation Service issues a Client Health Claim to the client
7. Client provides the Client Health Claim. Server reviews it and grants access to healthy clients.
Slide 21
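To make the seven steps above concrete, here is an added Python model of the chain (example code written for this page, not Microsoft's implementation): a hash-only stand-in for the UEFI db/dbx decision, TPM-style PCR extends for Measured Boot, and an attestation service that issues the Client Health Claim the file server gates on. All component names, hashes and policy entries are constructed; real Windows uses signature checks, specific PCR indices and TCG log structures that are not modelled here.

```python
import hashlib

# Constructed stand-ins for boot components; real binaries are not modelled.
GOOD_LOADER = b"bootmgfw.efi v2 (constructed)"
OLD_LOADER = b"bootmgfw.efi v1 (constructed, later revoked)"
KNOWN_GOOD_CHAIN = [GOOD_LOADER, b"ntoskrnl (constructed)",
                    b"elam driver (constructed)", b"vendor.sys (constructed)"]

def digest(data: bytes, alg: str = "sha256") -> bytes:
    # TPM 2.0 algorithm agility: the same logic serves any hash bank.
    return hashlib.new(alg, data).digest()

# Firmware policy. UEFI's db/dbx can hold certificates or image hashes; only
# the hash form is modelled. dbx takes precedence over db, which is how a
# revoked (rolled-back) loader is refused even though it was once trusted.
DB = {digest(GOOD_LOADER), digest(OLD_LOADER)}
DBX = {digest(OLD_LOADER)}

def secure_boot_allows(image: bytes) -> bool:
    h = digest(image)
    return h not in DBX and h in DB

def pcr_extend(pcr: bytes, component: bytes, alg: str = "sha256") -> bytes:
    # TPM extend: new PCR = H(old PCR || H(component)). Order matters, so a
    # 3rd-party driver loaded before ELAM yields a different final value.
    return digest(pcr + digest(component, alg), alg)

def boot(chain, alg: str = "sha256"):
    """Secure Boot refuses an untrusted loader; otherwise Measured Boot
    extends every component into a PCR and returns the final PCR value."""
    if not secure_boot_allows(chain[0]):
        return None                            # loader never runs
    pcr = bytes(hashlib.new(alg).digest_size)  # PCRs start at zero
    for component in chain:
        pcr = pcr_extend(pcr, component, alg)
    return pcr

# Remote Attestation Service: known-good PCR for the expected chain.
EXPECTED_PCR = boot(KNOWN_GOOD_CHAIN)

def attestation_service(client_pcr) -> bool:
    # Steps 5 and 6: compare the client's PCR, issue a Client Health Claim.
    return client_pcr is not None and client_pcr == EXPECTED_PCR

def file_server_grants_access(health_claim: bool) -> bool:
    # Step 7: access to the resource is gated on the Client Health Claim.
    return health_claim is True
```

A tampered or reordered chain still boots in this model (Trusted Boot remediation is not simulated) but produces a PCR the attestation service rejects, so the file server denies access.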
Securing After Boot
Protecting the System and User while Online
Protecting the System from the User
Slide 22
Securing the System Post Boot
Protecting the system from known and unknown threats
Windows Defender, a comprehensive anti-malware solution
Protects against the full range of malware, not just adware and spyware
Real-time (active) protection
High performance; optimized for the user experience
System Center Endpoint Protection (SCEP) adds manageability
Shares the same anti-malware engine with Windows Defender
Adds the ability to block infections before they occur with Network Inspection System (NIS)
Reduce the attack surface with Windows Firewall protection
Provides firewalling and packet filtering functions
Improved to support new technologies
Manageable with System Center Endpoint Protection (SCEP)
Slide 23
Securing the System Post Boot – Metro Apps
Windows Store contains trustworthy apps
ISV onboarding and app screening process
Community-based ratings and reviews
Installation
Handled completely by the OS
Discrete and private location for each app
Application Capabilities
Run with low privilege
Access to resources (capabilities)
Contracts
Slide 24
Securing the System Post Boot
Internet Explorer 9 – SmartScreen
Helps detect phishing sites and malicious downloads
Has blocked >1.5B malware and >150M phishing attacks
Internet Explorer 10 – SmartScreen
Application Reputation has been moved into the core: protects users regardless of client (browser, mail, IM, etc.)
Internet Explorer 10 – Enhanced Protected Mode
Difficult to exploit due to ASLR
Tab and process isolation
Requires user interaction to gain access to user data
Do Not Track (DNT) capability
Slide 25
Demo: Protecting Users Online
Chris Hallum, Senior Product Manager, Windows Client Security
Slide 26
Devices and Security
Windows Editions and Security Capabilities
Enhanced Security with Modern Hardware
Slide 27
Windows Edition and Device Considerations
Windows Editions
All Windows editions share the same security fundamentals
Pro and Enterprise editions have additional business-related security capabilities
Windows RT uses device encryption powered by BitLocker technology
Devices
Device types: Tablet, Convertible, Notebook, All-in-One, Desktop
Connected Standby devices will include UEFI and TPM; others might!
Slide 28
In Review: Session Objectives and Takeaways
Session Objectives:
Inform you of hardware advancements that improve Windows 8 security
Educate you on how Windows 8 protects the system from intrusion
Key Takeaways:
Software alone can't solve Windows security needs; hardware is required
Malware is unable to take permanent residence within the PC boot process
Most known attacks either no longer work or at least their impact is contained
Access to resources can be gated based on the health of a system
Slide 29
Related Content
Breakout Sessions (session codes and titles)
SIA308 - Antimalware Smackdown - Tuesday - 3:15 PM
SIA302 - Malware Hunting with the Sysinternals Tools - Tuesday - 4:30 PM
SIA301 - Crouching Admin, Hidden Hacker… - Wednesday - 10:15 AM
WCL282 - Windows 8: BitLocker - Wednesday - 5:00 PM
SIA309 - Windows 8: Malware Resistant by Design - Thursday - 8:30 AM
WCL288 - Windows 8: Desktop Security Strategy - Thursday - 10:15 AM
WCL286 - Windows 8: Malware Resistant by Design - Thursday - 1:00 PM
WCL386 - Windows Intune: Managing COIT - Thursday - 1:00 PM
SIA324 - Defense Against the Dark Ages: Your Old Web Apps Are… - 1:30 PM
Slide 30
Track Resources
Protecting you from malware - MSDN Blogs > Building Win 8
Protecting the pre-OS environment with UEFI - MSDN Blogs > Building Win 8
Signing in with a picture password - MSDN Blogs > Building Win 8
Protecting your digital identity - MSDN Blogs > Building Win 8
Delivering reliable and trustworthy Metro apps - MSDN Blogs > Building Win 8
Web browsing in Windows 8 CP with IE10 - MSDN Blogs > Building Win 8
Slide 31
Track Resources
www.microsoft.com/twc
www.microsoft.com/security
www.microsoft.com/privacy
www.microsoft.com/reliability
Slide 32
Resources
Connect. Share. Discuss.
http://northamerica.msteched.com
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Resources for Developers
http://microsoft.com/msdn
Slide 33
Slide 35
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.