Windows 10 Device Guard: Microsoft's effort to keep malware off PCs

On Wednesday, at the RSA conference in San Francisco, Microsoft veep Scott Charney outlined a new security mechanism in Windows 10 called Device Guard. We've taken a closer look. The details are a little vague – more information will emerge at the Build event next week – but from what we can tell, Device Guard wraps an extra …

  1. Anonymous Coward

    As much as an MS fanboi that I am,

    why do I get a bad feeling about this?

    Much like UEFI, I can't help but feel this is a way to tie folks into something further down the line.

    Like the app store for example..

    Not to mention it will ultimately be cracked....

    Or am I just being old and cynical...

    1. Anonymous Coward

      Re: Why do I get a bad feeling about this...

      Because you're running a Core 2 Duo and not an Intel Nehalem processor (i3, i5, i7) series or newer?

      Given past history, the final release could cut off anything below a Nehalem.

      (Is there a hidden context to the free consumer upgrade, in that you need Nehalem onwards?)

      It would save an awful lot of free upgrades for MS, and keep HP, Dell and Lenovo happy.

      Do MS really want to support anything below, given all the proprietary driver issues - Authentec Fingerprint Readers as a good example of no longer getting support (now owned by Apple).

      1. Sandtitz Silver badge

        Re: Why do I get a bad feeling about this... @Adam

        "Given past history, the final release could cut off anything below a nehalem."

        Windows 8 requires at least Pentium 4 "Prescott" (circa 2004) or any AMD64 capable CPU (2003). Microsoft has communicated that the requirements will be the same for Windows 10. This could change - of course - but what OS-specific features do Nehalems have that earlier CPUs didn't?

        Windows Vista/7/8 had the Upgrade Advisor program which checked whether your installed SW and HW was supported or had workarounds available.

        "Authentec Fingerprint Readers as a good example of no longer getting support"

        This would really depend on the support agreement between Authentec and OEMs. The agreements may contain provisions of driver support for upcoming Operating Systems (or) for the next X years.

        1. Anonymous Coward

          Re: Why do I get a bad feeling about this...

          Nehalems (i3, i5, i7) support VT-d (the point of the article); without VT-d hardware support Device Guard doesn't work, and older processors below Nehalems don't have it.

          In terms of Authentec drivers, they were removed when Apple removed the Authentec website (without notice, either). HP have switched software, so I very much doubt they will be writing new drivers for Windows 10 for older hardware. Past experience also says it won't happen.

      2. BinkyTheMagicPaperclip Silver badge

        Re: Why do I get a bad feeling about this...

        VT-d is a chipset technology, not a processor technology. From Nehalem onwards the memory controller was integrated into the CPU package meaning that the lines became increasingly blurred.

        VT-d works fine (for varying values of 'fine') on Core 2 chipsets provided it is the right chipset (X38, X48, S3200/S3210, most of the Q chipsets) and the BIOS has it enabled with a bug-free implementation (in reality this means nothing from Asus will work, most Intel boards will, plus Supermicro, some DFI IIRC).

        1. BinkyTheMagicPaperclip Silver badge

          Re: Why do I get a bad feeling about this...

          ...although this will naturally be a version of Windows 8's Hyper-V, with additions. Therefore it will require a 64-bit CPU with second level address translation, which is indeed Nehalem onwards for Intel.

          See http://blogs.msdn.com/b/uk_faculty_connection/archive/2012/10/24/hyper-v-list-of-slat-capable-cpus-for-hosts.aspx

        2. Ammaross Danan

          Re: Why do I get a bad feeling about this...

          You also forget that the K-branded i-series CPUs (e.g. Core i7-4790K, et al) do NOT have VT-d (as opposed to the non-K CPUs such as the Core i7-4770 which do have VT-d). Fortunately, people interested in K-branded CPUs are likely intelligent enough to not need this particular form of malware protection.

          "But if an enterprise is saying 'Hey, sign this for me,' it will be done with a key that only works for that company."

          Now if it can be done for individual users that have some legacy software (such as the original Starcraft....), I think this would work well for home users. Otherwise, you'll severely limit the amount of software one is able to run...

          1. This post has been deleted by its author

      3. Anonymous Coward

        Re: Why do I get a bad feeling about this...

        @Adam Jarvis.

        The issue of the CPU hadn't even entered my mind. But for what it's worth, I'm running an i7 on a Samsung RF710.

      4. Roger B

        Re: Why do I get a bad feeling about this...

        Huh, it's almost like you are looking at my laptop, Intel Dual-Core T2390 with an Authentec Fingerprint reader! Anyhows, hopefully you are wrong, this is going to be one of two PCs I am hoping will be taking Windows 10, the other being a just as ancient Dual core desktop machine.

    2. Anonymous Coward

      Re: As much as an MS fanboi that i am,

      We have been there before. It's not exactly a new thing to digitally sign applications to stop them from being altered, but the problem is that such a mechanism immediately gets used as a revenue generator, thus shutting out all those applications you have been using for years but whose developers cannot afford the usually extortionate fee.

      OSX has a similar mechanism (it's one of the reasons you need to register as a developer). That's not expensive (I think it's $99 or so), but ensures there is at least some track back to the developer.

      In both cases, however, the question emerges how in-house and contracted developments and customisations are approved - to me, that's the threat vector (next to ruthless exploitation of this lock down, because the real aim could be to kill off pesky competing software such as LibreOffice - which, by the way, does not have a dev registration for OSX either).

      No, I'm not a fan of handing Microsoft any control.

      1. david 12 Silver badge

        Re: As much as an MS fanboi that i am,

        No, OSX does not have a similar mechanism. This is a HARDWARE ENFORCED mechanism.

        1. Anonymous Coward

          Re: As much as an MS fanboi that i am,

          No, OSX does not have a similar mechanism. This is a HARDWARE ENFORCED mechanism.

          Ah, OK, so we're back to trust chips and the like. Yeah, that really worked the last time, didn't it?

          There seems to be a cycle in here: however stupid the idea is, leave it on the shelf for 7 years or so and it'll show up again. We need a term for this, like zombie tech.

          1. Anonymous Coward

            Re: As much as an MS fanboi that i am,

            "Ah, OK, so we're back to trust chips and the like. Yeah, that really worked the last time, didn't it?"

            Erm yes it did. Secure Boot has had no significant security breaks so far.

      2. MIc

        Re: As much as an MS fanboi that i am,

        THEN DON'T USE THE FEATURE

        I know... it's complicated

        1. Anonymous Coward

          Re: As much as an MS fanboi that i am,

          @ Mic:

          Genuinely trying to work out what you are saying.

          1. b166er

            Re: As much as an MS fanboi that i am,

            Well perhaps he means that Device Guard isn't mandatory?

    3. streaky

      Re: As much as an MS fanboi that i am,

      It does somewhat rely on the HV itself being secure, which they commonly aren't. I'd suspect all that's really happening is a raising of the competency barrier required to insert malicious code into the kernel - which might not actually be a bad thing, what's probably at question is the extent to which it's actually a good thing, or rather how competent it is.

    4. Anonymous Coward

      If you use the word extortion again

      I'll have your legs broken.

      This is all about Microsoft extorting money from developers to get their applications signed by Microsoft. Nothing more.

    5. Anonymous Coward

      Re: As much as an MS fanboi that i am,

      "Not to mention it will ultimately be cracked...."

      Since SMM in some Intel chips has been cracked and SMM can do whatever it damn well pleases and not even a hypervisor can stop it - this is all just playing to the crowds. The real reason obviously is MS wanting you to have to get their permission to run programs on their OS by requiring them to be signed. This facility might be "optional" for now, but I bet it won't stay that way.

      1. Michael Wojcik Silver badge

        Re: As much as an MS fanboi that i am,

        Since SMM in some intel chips has been cracked and SMM can do whatever it damn well pleases and not even a hypervisor can stop it - this is all just playing to the crowds.

        Excessively reductive. An IOMMU-protected watchdog still prunes a significant portion of the attack tree, even if SMM represents a way around it. There is certainly plenty of non-SMM-based malware out there, and there will continue to be such malware for the foreseeable future.

        Security is about cost transfer under threat models. It's not about perfect solutions. I don't know why some people find that concept so difficult.

        No software security mechanism protects against suborning an authorized user. That doesn't mean all software security is a waste of time.

  2. JimmyPage Silver badge

    My first thought

    Have Microsoft detailed their policy on signing enterprise software specifically:

    1) How long will the process take?

    A 24-hour turnaround would be acceptable. However I suspect there will be all sorts of hurdles to jump over that mean an organisation needs to have a definite timeline to fit into migration/deployment projects.

    2) Cost?

    AND

    3) Support lifecycle

    because once you have Device Guard in your organisation, it would be a little unfortunate if Microsoft suddenly stopped offering to sign Enterprise software, or decided that it would charge $10,000 per executable.

    1. Anonymous Coward

      Re: 1: RTFA

      "Enterprises with legacy apps can send hashes of the executables to Redmond to be signed within minutes, we're told."

    2. Suricou Raven

      Re: My first thought

      4) Terms of acceptability.

  3. Christopher Reeve's Horse

    But what about...

    ...individuals with legacy 'apps'? Or does this render your back catalogue of purchased software obsolete?

    If the solution is to click OK on a UAC type pop up window, then I'm not sure this would really solve anything.

    I can't imagine a middle ground, so I'm just going to assume legacy 'apps' are doomed.

    1. Dave Pickles

      Re: But what about...

      And what about developers? Even if the compiler is allowed to run, it wouldn't be possible to test the resulting executable without waiting for a signature. Could play havoc with project timescales...

      1. Dave 126 Silver badge

        Re: But what about...

        >And what about developers?

        Again, Device Guard will have to be actively turned on by an administrator.

    2. Dave 126 Silver badge

      Re: But what about...

      >But what about... ...individuals with legacy 'apps'?

      The article says: Device Guard, when enabled by an administrator...

      So, to answer your question: If you don't want it, don't enable it.

      1. Roland6 Silver badge

        Re: But what about...

        Device Guard, when enabled by an administrator...

        Expect that to be implemented as enabled by default on home/consumer rated OEM installs and disabled by default only on volume licence distributions.

        Also we can expect Windows Security to permanently flag the PC as being insecure, just because you've disabled this 'security' feature, thereby masking all other security events... You can see this with XP: simply enable/disable the option to automatically check for Windows updates and see Windows XP go from being secure to being insecure!

        1. h4rm0ny

          Re: But what about...

          >>"Expect that to be implemented as enabled by default on home/consumer rated OEM installs and disabled by default only on volume licence distributions."

          IF your unsupported assumption turns out to be true, then the user could, you know, turn it off again. And if a user can't manage that then they're exactly the sort of person who shouldn't be turning it off anyway.

          1. Roland6 Silver badge

            Re: But what about... @h4rm0ny

            >>" And if a user can't manage that then they're exactly the sort of person who shouldn't be turning it off anyway."

            That was the reason why I was suggesting that MS would enable this as default on Home/Consumer systems. The article and discussion were assuming that MS would ship Device Guard disabled across the range, so only knowledgeable users would enable it, but that sort of defeats the primary objective of making Windows more secure/safe for normal users...

            But then they've kept EMET out of Windows because it could cause badly written programmes to crash...

            My objection was that I would hope MS will permit me to turn this off and not to automatically red flag the security status of my machine in the system tray because of this.

  4. Tomislav

    What about free software for home users, like Putty or Wireshark? Or something that updates often and does not like Microsoft very much like Java or Flash? Seems like Microsoft is trying to go the walled garden iRoute...

    1. Steve Davies 3 Silver badge

      FOSS is the Devil in the Microsoft World

      despite their overtures towards it.

      FOSS can't be controlled in the same way other vendors can.

      Microsoft do look at the environment that Apple have created for the iPhone/iPad/iPod and want to copy it. But even Apple has developer access. If they didn't, then how would the gazillion apps for the iPhone etc. be created?

      As a developer, the first thing I'll do is work out how to bypass this. I have apps that will never get signed by Microsoft. I'm certainly not going to pay them a fee for developing programs for my own use. I know that I'm not alone there.

      If you can't bypass the signing then MS will be signing (sic) their own death warrant.

      Even on Crapple MacBook etc systems, I can code an application and run it without signing.

        1. Anonymous Coward

        Re: FOSS is the Devil in the Microsoft World

        On OS X in "System Preferences" - "Security" there's:

        Allow apps downloaded from:

        (1) Mac App Store

        (2) Mac App Store & Identified Developers

        (3) Anywhere

        I don't see why Microsoft wouldn't implement a similar function.

        1. Lostintranslation

          Re: FOSS is the Devil in the Microsoft World

          I can, and it begins with a $ sign.

        2. Roland6 Silver badge

          Re: FOSS is the Devil in the Microsoft World

          I don't see why Microsoft wouldn't implement a similar function.

          Suspect they will, only it will be via a registry key for which there is no public documentation.

          Which means, because this function will be enabled/disabled via the Windows Administrator rather than in the BIOS etc., we have already identified the weak point in Device Guard's security...

          1. Dave 126 Silver badge

            Re: FOSS is the Devil in the Microsoft World

            >What about... ...Java or Flash?

            And your point is? :)

    2. Ammaross Danan

      "But if an enterprise is saying 'Hey, sign this for me,' it will be done with a key that only works for that company."

      This would allow businesses to get a hash for a specific version of Java they must have. Home users are likely more SOL for that aging copy of Starcraft however....

  5. Warm Braw

    Identity badges don't guarantee good behaviour

    The trouble with this type of approach to security is that knowing (or thinking you know) what something "is" doesn't really tell you very much about what it "does" - or might do when it thinks you aren't looking.

    The real problem is the old-fashioned idea of user-level permissions: just because a user launches an executable file doesn't mean that the resulting process context should have access to everything the launching user has access to. There has to be an intermediate step of delegating only sufficient access for the application to do its job. There are ways of doing this that aren't too painful - for example by giving the application access only to those files that the user has explicitly picked in the user interface - but there is inevitably some additional inconvenience in doing this. Unfortunately, a small loss of convenience doesn't seem to be a price most users are prepared to pay for better security.

    1. Vehlin

      Re: Identity badges don't guarantee good behaviour

      This is why the best solution is to run on an account with the minimum privileges and elevate when required. Much less pain for the user and almost as secure.

      1. Adam 1

        Re: Identity badges don't guarantee good behaviour

        Minimal access levels are a good idea because the attack surface is reduced and the bad things the malware can achieve are more limited. But I will point out that encrypting all the xlsx files under "My Documents" doesn't require any privileges beyond what such a user would have.

    2. h4rm0ny

      Re: Identity badges don't guarantee good behaviour

      >>"The trouble with this type of approach to security is that knowing (or thinking you know) what something "is" doesn't really tell you very much about what it "does" - or might do when it thinks you aren't looking."

      That's not the way it helps. The point is that if it isn't what it's supposed to be, you're unlikely to be the first victim. It will rapidly be reported and its signature revoked.
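Several posts above describe the mechanism as the article presents it: an enterprise submits the hash of a legacy executable, it is signed with a key that only works for that company, and a bad signature can later be revoked. The following is an added toy model of that scheme, not Microsoft's code or the real Device Guard policy format; it assumes a simplified design (HMAC-SHA256 stands in for the real signature algorithm, and "Contoso" and "Fabrikam" are placeholder enterprise names) so it runs with the standard library only.

```python
"""Toy model of per-enterprise hash signing with revocation (added example)."""
import hashlib
import hmac
import os


def exe_hash(data: bytes) -> str:
    """SHA-256 of the executable bytes: this is what the enterprise submits."""
    return hashlib.sha256(data).hexdigest()


class SigningService:
    """Stand-in for the signing service: one secret key per enrolled enterprise."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def enroll(self, enterprise: str) -> bytes:
        key = os.urandom(32)          # per-company key, never shared across tenants
        self._keys[enterprise] = key
        return key

    def sign_hash(self, enterprise: str, digest: str) -> bytes:
        # HMAC over the submitted hash (assumption: real scheme uses asymmetric signatures)
        return hmac.new(self._keys[enterprise], digest.encode(), hashlib.sha256).digest()


class EndpointPolicy:
    """Stand-in for the endpoint: trusts only its own enterprise key plus a revocation list."""

    def __init__(self, enterprise_key: bytes) -> None:
        self._key = enterprise_key
        self._revoked: set[str] = set()

    def revoke(self, digest: str) -> None:
        self._revoked.add(digest)

    def may_run(self, data: bytes, signature: bytes) -> bool:
        digest = exe_hash(data)
        if digest in self._revoked:   # revocation wins even over a valid signature
            return False
        expected = hmac.new(self._key, digest.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def demo() -> dict[str, bool]:
    """Walk through the cases the thread raises and return the outcome of each."""
    svc = SigningService()
    key_a = svc.enroll("Contoso")     # placeholder enterprise names
    key_b = svc.enroll("Fabrikam")
    legacy = b"MZ constructed stand-in for a legacy executable"  # constructed sample
    sig_a = svc.sign_hash("Contoso", exe_hash(legacy))
    policy_a, policy_b = EndpointPolicy(key_a), EndpointPolicy(key_b)
    results = {
        "signed_runs_in_own_enterprise": policy_a.may_run(legacy, sig_a),
        "same_sig_rejected_elsewhere": policy_b.may_run(legacy, sig_a),
        "patched_binary_rejected": policy_a.may_run(legacy + b"\x90", sig_a),
    }
    policy_a.revoke(exe_hash(legacy))
    results["revoked_hash_rejected"] = policy_a.may_run(legacy, sig_a)
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```

The patched-binary case is also why a developer cannot test a freshly built executable under such a policy until its new hash is signed, as Dave Pickles notes above.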

  6. Anonymous Coward

    Sounds more like a DRM mechanism than helping protect the OS from compromise.

    1. h4rm0ny

      >>"Sounds more like a DRM mechanism than helping protect the OS from compromise."

      Ideally, it would be both. If software can be verified at the hardware level then you can say goodbye to intrusive DRM that can hit performance or has to keep signing you into an online account, etc. Win-Win, imo.

  7. Jess--

    I see mention of being able to get an executable signed for use within an enterprise (but only within that enterprise).

    but the only way I see of getting an executable signed to run on ANY machine is submitting it to the windows store.

    Seems to me that they are trying to make it so that in the future if you want to develop for the windows platform you MUST sell it through the windows store.

    1. John P

      It clearly states "when enabled by an administrator", so this is going to be much like Bitlocker or any other security feature that MS have introduced over the last 10 years, a great feature but you only turn it on if you know it won't cause you any issues.

      1. jason 7

        Bingo! That's what I was going to ask. Is it switched on by default? I guess not.

        MS has loads of security built into Windows but they always leave it switched off by default.

        I'm amazed they haven't bothered to build EMET into Windows 10 yet.

        I think MS are terrified of being branded security Nazis by the press if they happen to switch on security that could blow out some old guy's bit of shareware from 2002.

        Damned if they do...

        1. Roland6 Silver badge

          Building EMET into Windows would actually be doing something useful - it would improve Windows and permit EMET to run at a much higher security level than it does as a user space add-on!

        2. Anonymous Coward

          @Jason7 - You know very well...

          this is not about security, do you? Security is the justification for taking away control from you like in UEFI Secure Boot.

          1. h4rm0ny

            Re: @Jason7 - You know very well...

            >>"Security is the justification for taking away control from you like in UEFI Secure Boot."

            Well on any x86 device so far, that's only meant taking away control from people who can't work out how to get into the UEFI BIOS and switch Secure Boot to "Off".

            Which admittedly, may include you.
