Slashdot Mirror

← Back to Stories (view on slashdot.org)

64-Bit Vista Kernel Will Be a "Black Box"

Posted by ryuzaki0 on from the abandon-all-hope-ye-who-ener-here dept.

ryanskev writes with news from RSA Europe, where a Microsoft VP spoke bluntly about the lock-down that will apply to 64-bit Vista. From the article: "Microsoft will operate 64-bit versions of Windows Vista as a tabernacle, with the kernel as the holy of holies, where only its own high priests of security may venture." While Microsoft has seemed to be making some concessions to the likes of Symantec and McAfee, considerable doubt remains as to their ultimate future.

8 of 402 comments (clear)

  1. Sounds like the right plan by Zeinfeld · · Score: 5, Interesting

    Sounds like the right approach to me. We will soon find out whether Symantec and McAfee are helping or hindering security.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
    1. Re:Sounds like the right plan by QuantumG · · Score: 4, Interesting

      I'm trying to understand what you're in favour of here (and what the article is all about). As I understand it, Windows Vista 64bit Edition will simply not allow kernel drivers to load unless they are signed with Microsoft's private key. Which means that you'll need to either exploit kernel bugs to load your own code (which they'll plug eventually) or boot off a CD and patch the kernel files on disk to disable this checking (which will be hard to do without destablizing the whole system). If that's what we're talking about (and I have no idea if it is) how can you possibly be in favour of it? I mean, it sounds like The Right To Read all over again.

      --
      How we know is more important than what we know.
    2. Re:Sounds like the right plan by QuantumG · · Score: 4, Interesting

      Yeah, that's what happens when you clump people together and claim they all hold the same opinion, you get contradictions like that. Some of us think it should be locked down. Some of us think that's a terrible idea. We're not the fuckin' Borg. What's your opinion? I mean, shit, this is the ancient choice between freedom or security.

      --
      How we know is more important than what we know.
  2. Why is Microsoft even bothering.. by flummoxd · · Score: 5, Interesting

    ..to release a 32-bit version of Vista?

    Every week, I hear about a new thing that will "only be in 64-bit Vista". First it was HDTV content only on 64-bit for DRM reasons. Now, we're hearing the reasoning that Windows will be more secure if we don't let third parties in the kernel. Fine, whatever. If we were to assume that makes it more secure, then so be it.

    But why bother to release an inferior 32-bit version? Under the presumption that closing the 64-bit kernel off will make things better, why not use the same strict security policies in 32-bit? Surely, there can't be any technical reason for all of this. It's all marketing, right? ("Microsoft recommends a 64-bit PC.")

    Or is there some real reason why it feels like 32-bit Vista and 64-bit Vista are two entirely different operating systems?

  3. How to patch the kernel anyway by Beryllium+Sphere(tm) · · Score: 4, Interesting

    Joanna Rutkowska gave a talk about this at Blackhat. Take a program in usermode but with administrative privileges, force the kernel to get paged out, edit the pagefile.

    In a recent blog entry, Rutkowska criticizes Microsoft's response to the pagefile attack. Boiled down, it amounts to the problem that as long as a disk utility can run, someone can still edit the pagefile. Her preferred fixes would have been encrypting the pagefile or simply not swapping the kernel. NetBSD's Elad Efrat suggested simply hashing the kernel for integrity checking.

  4. It's a matter of trust by UnknowingFool · · Score: 4, Interesting
    Microsoft will operate 64-bit versions of Windows Vista as a tabernacle, with the kernel as the holy of holies, where only its own high priests of security may venture."

    I think the crux of debate will be what MS considers its own high priests. If that means MS security products that compete with Symantec and McAfee, then the two vendors have a legitimate gripe that MS is using its monopoly power to lock them out. MS has said that its security products will not have access to undocumented APIs, but how much do you trust MS at their word? I don't trust them that much because I think MS still plays dirty. As recently as the Burst lawsuit in 2004, you can still see MS is refusing not only play fair but abide by court orders: Both parties were told to disclose emails as part of discovery. Burst.net discovered that not only did MS destroy emails but it was the policy of a multi-billion dollar company not to retain any emails over 30 days. And Burst listed out the many ways the company actively followed this policy.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  5. What about devs? by Teppic_52 · · Score: 4, Interesting

    So, if your writing (alpha) drivers for a new piece of hardware, how do you get them into the kernel to test them? Do you have to get MS to approve your H/W as pretty enough to make it in to Vista first?

  6. 64 bit Vista == Palladium without the hardware by radux · · Score: 4, Interesting

    Microsoft has been attempting to deploy an architecture like this for some time. Check out Microsoft's NGSCB/Paladium/TCPA initiatives (http://en.wikipedia.org/wiki/Palladium_operating_ system). This is a paper tiger without the special hardware. In a few years a push will be made to get people to adopt the hardware. It will be interesting to see how they sell it.

    --

    Kanga: That's not a fish, that's a bird.
    Pooh: Yes, but is it a starling or a mackeral?