Slashdot Mirror


64-Bit Vista Kernel Will Be a "Black Box"

ryanskev writes with news from RSA Europe, where a Microsoft VP spoke bluntly about the lock-down that will apply to 64-bit Vista. From the article: "Microsoft will operate 64-bit versions of Windows Vista as a tabernacle, with the kernel as the holy of holies, where only its own high priests of security may venture." While Microsoft has seemed to be making some concessions to the likes of Symantec and McAfee, considerable doubt remains as to their ultimate future.

18 of 402 comments

  1. I think MS is right by Anonymous Coward · · Score: 3, Insightful

    I know this isn't PC to say on Slashdot.. but MS shouldn't allow undocumented hooks to the kernel. Instead they should provide an API for that.

    1. Re:I think MS is right by Anonymous Coward · · Score: 3, Insightful

      That'll lead to ugly hacks when the developers find that the API either doesn't allow them to do what they need to do, or it's otherwise buggy and needs to be worked around.

      It's enough trouble writing solid modules for the Linux or FreeBSD kernels, and the source code to those is open and widely available. When your module code runs into problems, you can easily see what's going on in other portions of the kernel. It's a very, very useful debugging tool.

      Now take this Vista kernel API you speak of. It'll end up being just like the Win32 API. Often times developers had to resort to undocumented calls in order to get their application to perform a certain task. This sort of shooting-in-the-dark coding leads to bugs and security glitches. Even if you understand 98% of what an undocumented API does, it's that remaining unknown 2% that'll fuck you, your product, and your customers over in the end.

      Reliable and secure software comes from the developers having a complete understanding of the systems they're working with and building upon. By limiting developer access to such knowledge, they'd be directly promoting buggy, insecure software.

  2. I'm confused by maynard · · Score: 3, Insightful
    Fathi conceded for 32-bit systems the firm will never have the amount of control over security. He said: "That train has left the station."

    For 32-bit versions of Vista, it'll be mostly as you were on security. Developers will be able to patch the kernel, only now they'll have to compete with Microsoft's own brand anti-spyware, encryption, and anti-spam offerings. Fathi lamented Microsoft had "missed a great opportunity" last time round.

    What's the difference between the 32 bit and 64 bit kernel? And what does a 'tabernacle of security' mean?

    I don't think there's a significant difference in DRM hardware between 32bit and 64bit systems. Why make the distinction? If they're going to secure Windows - why not secure Windows?
    1. Re:I'm confused by QuantumG · · Score: 3, Insightful

      Signed by who though? I have no idea. Is it signed by any code signing certificate issued by Microsoft? How hard is it to get one of those? Sounds like a nice thing for hackers to steal and sell to spyware makers.

      --
      How we know is more important than what we know.
  3. "Concessions to.." by MoriaOrc · · Score: 5, Insightful

    Am I the only one who read the line "Making concessions to Symantec and McAfee," and the first concessions that popped into my mind were "Just a little security hole here, buffer overflow there, etc."

    I'm no fan of MS, especially when it comes to their horrible security track record. However, if they really can manage to get it right (or even significantly better) in Vista, they shouldn't be going and making concessions to the people who've been making a living off the things that were broken in their last OS.

  4. Sounds like security by obscurity by 49152 · · Score: 5, Insightful

    Isn't this just another variation of security by obscurity?

    Which everyone by now should have learned does *not* work.

  5. Re:Sounds like the right plan by Coopjust · · Score: 4, Insightful

    Either way McAfee & Symantec will claim that it was needed later, simple business.

    If the new model seems to be secure, McAfee and Symantec will boast about how they've kept the next generation of Windows safe.

    If the new model is less secure, McAfee & Symantec will "point out" the need for their products.

    Win win for AV companies...

  6. Re:Worth mentioning ... by QuantumG · · Score: 3, Insightful

    Yeah, and no-one really needs more than 640k of ram.

    --
    How we know is more important than what we know.
  7. Sayonara, Symantec by Cid Highwind · · Score: 5, Insightful
    There's going to be a kybosh on naughty developers mucking about with the 64-bit kernel; patching will be banned.


    If it will stop crapware like StarForce and the Sony rootkit from sneaking extra drivers in, bring on the kibosh. People who want to tinker can use one of the fine Open Source operating system kernels that run on 64-bit Intel machines. Those that just want to play games or run Office can feel a little bit safer from malware.

    Sorry Symantec, but after dealing with the disaster that is Norton Internet Security, I won't shed a tear when I read that you've filed for Chapter 7.
    --
    0 1 - just my two bits
  8. Adoption of Vista 64-bit by postmortem · · Score: 3, Insightful

    Will not go very well, at least in beginning. This enhanced security won't sell it. There won't be drivers for some existing stuff ever. Seems that MS wants to push this version and keep 32-bit as legacy, but in the end when end user can't make it work as well as 32-bit, it is just going to slip and create confusion. In long run it may pay off, when systems and components are designed for 64-bit, until then, 32-bit will be preference. I wonder if any of corporate users are going to put 64-bit on employees' workstations in upcoming months - it seems as a big risk without much gain.

  9. The article is filled with such great lines! by Psykechan · · Score: 5, Insightful

    For 32-bit versions of Vista, it'll be mostly as you were on security
    Translation: You're screwed! Upgrade to 64 bit ASAP (P.S. some of your software won't work)

    Defender has already become the most popular download ever from Microsoft
    If I was MS, I certainly wouldn't brag about anti-malware being the most popular application.

    referring to third parties being able to patch 64 bit Vista - "It's just not the way the box was designed...we're putting a stop to that."
    Great. What happens when MS doesn't quickly put out a patch... no choice on using the good samaritan patches anymore, you just have to sit and twiddle your thumbs.

    referring to ever being able to secure 32 bit Windows - "That train has left the station."
    I think it's more like the Windows train has left the station. Why bother to convert to 64 bit Windows? Switch to something else as soon as possible.

  10. Re:Sounds like the right plan by Zeinfeld · · Score: 5, Insightful
    As I understand it, Windows Vista 64bit Edition will simply not allow kernel drivers to load unless they are signed with Microsoft's private key. Which means that you'll need to either exploit kernel bugs to load your own code (which they'll plug eventually) or boot off a CD and patch the kernel files on disk to disable this checking (which will be hard to do without destabilizing the whole system). If that's what we're talking about (and I have no idea if it is) how can you possibly be in favour of it? I mean, it sounds like The Right To Read all over again.

    That's exactly what I want. I do not want to have any software patch the kernel.

    If there is no way for the spyware to patch the kernel I don't need McAfee or Symantec there at all. First thing I do with a new home machine is to strip off the AV software provided by Dell as cramware. Machines run so much faster and more reliably without. Then I turn off AutoRun and hook it up to my internal network which has twin SPI firewalls.

    I have never had a virus but I have had machines go wonky because of buggy AV code.

    I want to have as few kernel mode device drivers as is possible. Printers should not require kernel mode, nor should video cameras etc. Only the bare essentials talking directly to the DMA interfaces should ever use kernel mode.

    I don't need to run my code in kernel space and I don't think anyone else does either.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  11. Black box for video and audio devices... by (H)elix1 · · Score: 3, Insightful

    You can bet this is going to make life very hard for the folks like VLC or anyone who wants to do something clever with the audio system. Wonder how they are going to push it, however? Sure, they can go for attrition, and make sure all new machines come with Vista, but there are a lot of Win32 machines out there that have more than enough CPU. There were some big jumps from the 200MHz-600MHz range, but now with 2-3GHz more or less normal and no 'got to have it' devices like USB3 this is going to be a tough sell. Heck, even with DirectX 10 being reserved for Vista, game publishers would be suicide to go after that market for a couple years. While it might give a few more FPS, you can bet the vice-like grip on hardware will doom any of the older games from running on the system... I mean, heck, if you could access the video, you might just try to display content without the secret hardware handshake.

  12. Security Not Needed by the eric conspiracy · · Score: 3, Insightful

    This makes me think of Kid-Proof caps. Only the kids will be able to open the cap to get into the kernel. Users who want to install legit stuff, forget it.

  13. Why the kernel is an issue by Sloppy · · Score: 4, Insightful

    The kernel has a reputation for being not particularly bad.

    The reason the kernel is an issue, is that the new "threat" against Windows security is the owner/administrator of the machine. Microsoft needs to try to implement DRM, in order to get into bed with the media companies and sell music and Zunes to play it. You can't implement DRM if the user can patch the kernel to work around the DRM. Thus, they're going to try to prevent end-users from having the capacity to modify this behavior of their own computer.

    The "security companies" are taking collateral damage from this, because their applications have to intercept all reads/writes (to files, the network, whatever) in order to scan all data against a blacklist of known malware in order to try to protect the comically fragile userspace. This scanning is implemented through kernel patches, I guess.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  14. Re:"Sounds like security by obscurity" is good by Chris Burke · · Score: 4, Insightful

    That's partly true*, but the reason that security through obscurity is derided is because it is typical of a mindset that has implications beyond just using obscurity as a security mechanism on top of other well-formed policies. Very often, obscurity is the only measure used, in large part because of a lack of substantive review of the other security policies that would reveal their endemic flaws. The belief is "what others don't know can't hurt us". Even worse is that "others" is often not "black hats" but "customers".

    The NSA is a good example of an organization that uses security through obscurity well. They employ the best cryptographers and system designers around, but they are also not about to tell anyone how those systems work. If you did know exactly what they were doing, though, you would still find them to be some of the most secure systems anywhere.

    Microsoft, on the other hand, has a history of using obscurity as a method of covering up embarrassing security flaws. They do not have a history of having the best security. Do I think that Microsoft intends to hide the internals of their kernel as part of a comprehensive security regime in which obscurity is only the last layer thus making Vista an impregnable fortress, or is this an attempt by Microsoft to squelch competition from other AV vendors under the guise of fixing their tarnished security image? Well, it's obvious what I think. Which do you think it is?

    * The fundamental problem with security through obscurity is that you can't count on it. Either a clever hacker will figure it out, or an insider will leak or exploit information about the system. Your system must be as secure as you know how to make it assuming that your enemy has full knowledge of the system. Only then does layering obscurity on top of that make sense as an additional mechanism. Otherwise it's a false sense of security.

    --

    The enemies of Democracy are
  15. Re:Sounds like the right plan by IamTheRealMike · · Score: 5, Insightful
    Yeah, ok. There's so many things wrong with your world view that I'm having trouble understanding where to start.

    No, Zeinfeld's world view is entirely sane and very defensible. I agree with him.

    Let's review a few facts:

    • The collapse of residential computer security has meant that virtually nobody can keep their Windows machine secure anymore. Not even gurus. There are just way too many 0-day exploits for browsers and others out there, even for Firefox.
    • The usage of rootkits on Windows is now a common technique, often used to hide spyware. Once the machine has been rootkitted it is impossible to repair short of wiping the system clean and starting from scratch. But because of the first point, this is not practical.
    • Thanks to the first and second points doing business on the internet is rapidly becoming difficult or impossible. It started with online casinos and porn sites, but is spreading to "clean" business too. How can you run a company when any 16 year old with a botnet can shut you down at a whim?

    The foundation of any security system is the kernel. If the kernel is not running in a known state, you have no security system - period.

    There is absolutely zero point in having user accounts, authentication, file permissions and so on if programs can load code into the kernel ... which they can, because for historical reasons Windows programs require admin rights, and even if they didn't, ultimately any program can ask the user to do something on its behalf and most will.

    The solution is clear - forbid any unknown code from loading into the kernel. Only then can you have a sane system built on solid foundations. It is not a "right to read" scenario, because you can still mark individual drivers as loadable in Vista IIRC if you put it into developer mode (which makes it clear that you are in a special mode), but even if it wasn't, it'd be a price worth paying to help fix the internet.

  16. Re:Sounds like the right plan by greenbird · · Score: 3, Insightful
    The solution is clear - forbid any unknown code from loading into the kernel.

    Unfortunately that's not the solution Microsoft chose. What they did is make a kernel that will only load code that has been approved by and paid a toll to Microsoft the amount of which is determined by Microsoft. That's vastly different than what you presented as the solution. On my Linux box unknown code is not permitted to load in the kernel but I'm the one who determines what is loaded into the kernel not Microsoft and there is no required payoff to allow code to load into the kernel.

    --
    Who is John Galt?