64-Bit Vista Kernel Will Be a "Black Box"

ryanskev writes with news from RSA Europe, where a Microsoft VP spoke bluntly about the lock-down that will apply to 64-bit Vista. From the article: "Microsoft will operate 64-bit versions of Windows Vista as a tabernacle, with the kernel as the holy of holies, where only its own high priests of security may venture." While Microsoft has seemed to be making some concessions to the likes of Symantec and McAfee, considerable doubt remains as to their ultimate future.

Sounds like the right plan

[Zeinfeld]

Sounds like the right approach to me. We will soon find out whether Symantec and McAfee are helping or hindering security.

Re:Sounds like the right plan

[PieSquared]

I get the feeling it will end up that Symantec and McAfee products will be able to replace the default windows security, but since the windows version is free and just as good there will be no reason to pay and security vendors will fade into obscurity. About two years later, after the old security vendors are all dead, the windows security will stop getting major updates and ten years later (shortly before they release the next version of windows) free, open source replacements that are disadvantaged from the start due to not being worked into the OS will begin being used because the old windows version does pretty much nothing at this point! Suddenly one of these will break out from the others with massive marketing and slowly people will begin to switch, eventually forcing windows to finally update again.

Re:Sounds like the right plan

[QuantumG]

I'm trying to understand what you're in favour of here (and what the article is all about). As I understand it, Windows Vista 64bit Edition will simply not allow kernel drivers to load unless they are signed with Microsoft's private key. Which means that you'll need to either exploit kernel bugs to load your own code (which they'll plug eventually) or boot off a CD and patch the kernel files on disk to disable this checking (which will be hard to do without destablizing the whole system). If that's what we're talking about (and I have no idea if it is) how can you possibly be in favour of it? I mean, it sounds like The Right To Read [gnu.org] all over again.

Re:Sounds like the right plan

[smittyoneeach]

MicroSoft has historically, and cleverly, built the market by putting out, shall we say "minimalist" interfaces and then let third parties do the grunt work of establishing the product category.
If the category becomes profitable, Mr. Softy can "find the principle, and buy him[1]"
You see this in tools, as Redmond pushes a Visual Studio release, and little third-party vendors groan as thier value-added kits have their coolness reduced by new chrome and tailfin on the library widgets. I'm guessing that there will be suffiecient room to put some polish on 'Doze.
Too, there are going to be plenty of people that puke at the odious licensing policies, and stick with the tools that have helped them limp along thus far.

[1] To quote my personal favorite Redmond Sales drone, on the consumption of Groove Networks.

Why is Microsoft even bothering..

[flummoxd]

..to release a 32-bit version of Vista?

Every week, I hear about a new thing that will "only be in 64-bit Vista". First it was HDTV content only on 64-bit [slashdot.org] for DRM reasons. Now, we're hearing the reasoning that Windows will be more secure if we don't let third parties in the kernel. Fine, whatever. If we were to assume that makes it more secure, then so be it.

But why bother to release an inferior 32-bit version? Under the presumption that closing the 64-bit kernel off will make things better, why not use the same strict security policies in 32-bit? Surely, there can't be any technical reason for all of this. It's all marketing, right? ("Microsoft recommends a 64-bit PC.")

Or is there some real reason why it feels like 32-bit Vista and 64-bit Vista are two entirely different operating systems?

How to patch the kernel anyway

[Beryllium Sphere(tm)]

Joanna Rutkowska gave a talk about this at Blackhat. Take a program in usermode but with administrative privileges, force the kernel to get paged out, edit the pagefile.

In a recent blog entry, Rutkowska criticizes Microsoft's response to the pagefile attack [blogspot.com]. Boiled down, it amounts to the problem that as long as a disk utility can run, someone can still edit the pagefile. Her preferred fixes would have been encrypting the pagefile or simply not swapping the kernel. NetBSD's Elad Efrat suggested simply hashing the kernel for integrity checking.

It's a matter of trust

[UnknowingFool]

Microsoft will operate 64-bit versions of Windows Vista as a tabernacle, with the kernel as the holy of holies, where only its own high priests of security may venture."

I think the crux of debate will be what MS considers its own high priests. If that means MS security products that compete with Symantec and McAfee, then the two vendors have a legitimate gripe that MS is using its monopoly power to lock them out. MS has said that its security products will not have access to undocumented APIs, but how much do you trust MS at their word? I don't trust them that much because I think MS still plays dirty. As recently as the Burst lawsuit in 2004, you can still see MS is refusing not only play fair but abide by court orders: Both parties were told to disclose emails as part of discovery. Burst.net discovered that not only did MS destroy emails but it was the policy of a multi-billion dollar company not to retain any emails over 30 days. And Burst listed out the many ways the company actively followed this policy. [groklaw.net]

The holy of holies!

[Anonymous Coward]

I wonder if the "holy of holies" reference is a deliberate evocation of "The Cathedral and the Bazaar"? http://en.wikipedia.org/wiki/The_Cathedral_and_the _Bazaar [wikipedia.org]

The Cathedral and the Bazaar is an extended essay that says that the proprietary development model (the cathedral) cannot compete with the open source model (the bazaar). The reason is not price, it is quality. Because of the number of eyes available to look at open source code, it will be less buggy than its proprietary cousin.

Given the delays in the introduction of Vista, I would say there is some evidence that ESR (Eric S. Raymond the author of CatB) is right.

Re:Sounds like the right plan

[QuantumG]

Yeah, that's what happens when you clump people together and claim they all hold the same opinion, you get contradictions like that. Some of us think it should be locked down. Some of us think that's a terrible idea. We're not the fuckin' Borg. What's your opinion? I mean, shit, this is the ancient choice between freedom or security.

What about devs?

[Teppic_52]

So, if your writing (alpha) drivers for a new piece of hardware, how do you get them into the kernel to test them? Do you have to get MS to approve your H/W as pretty enough to make it in to Vista first?

Re:Worth mentioning ...

[newt0311]

flamebait but i'll bite. 64 bit isn't just about the larger numbers that could be stored. heck, that could already be done through the use of the x87 ISA (upto nearly 80 bit I think actually) and the vector registers (think sse1,2,3 and 3dnow) could all work with 64 bit numbers. that wasn't the issue at all. what is great about 64bit is

1)the amount of register space literally doubles. Optimized properly, that can go a long ways.

2)simpler memory model: 52 physical bits for physical RAM (don't believe me, look at http://www.amd.com/us-en/Processors/DevelopWithAMD /0,,30_2252_869_875%5E7044,00.html [amd.com]) and 64 bits of virtual addressing space. No segments, just a flat memory model.

3) removal of the old priveledge system and intro of a new user/kernel page allocation scheme to simplify the memory model.

4)Direct addressing of a very large amount of ram directly accessible.

Those are just some of the advantages. if you want to look them up in detail, go look at the link that I have given in this post to the AMD64 manuals.

Re:I'm confused

[SpiritGod21]

I suspect they're referring to the tabernacle of Judaism, due to the reference to the "Holy of Holies," or the inner sanctum of the temple. Prior to the building of the temple, the "tabernacle" was a tent the Israelites carried and inside of which they stored the Ark of the Covenant, which was the container for the Ten Commmandments. After the temple was built, the Ark was stored behind a covering in the Holy of Holies AKA The Most Holy Place (the area directly outside this was the Holy Place) and it was only entered once a year by the high priest on Yom Kippur, or the Day of Atonement, when sacrifices were presented to God for the forgiveness of the entire nation's sins.

Anyone who entered the Holy of Holies or touched the Ark (who wasn't the high priest on Yom Kippur who had undergone rituals of cleansing) was said to die instantly. Even the high priest couldn't be sure he would live: they tied bells to his shawl so they could hear him moving once he was inside and a rope to his ankle so they could pull him out if he died while inside the Most Holy Place.

So the lesson is, I suppose, that if you screw with Vista 64's kernel, prepare to die :-P

64 bit Vista == Palladium without the hardware

[radux]

Microsoft has been attempting to deploy an architecture like this for some time. Check out Microsoft's NGSCB/Paladium/TCPA initiatives (http://en.wikipedia.org/wiki/Palladium_operating_ system [wikipedia.org]). This is a paper tiger without the special hardware. In a few years a push will be made to get people to adopt the hardware. It will be interesting to see how they sell it.

Re:Sounds like the right plan

[IamTheRealMike]

No, it's subtly different. Microsoft are the gatekeepers because that lets them pull the plug on any kernel code that is found to be malicious. I'm pretty sure the toll isn't that expensive (unless they changed it since I looked) and is there to cover the costs of the scheme. On your Linux box unknown is allowed to load into the kernel - all it has to do is acquire root, which is not terribly difficult on a desktop machine, and then go ahead and start patching code. That is what you cannot (in theory) do on Windows.

Re:All CPU's going 64-bit

[Anonymous Coward]

This isn't about NOT ALLOWING KERNEL ACCESS to anyone. No sane operating system has ever done that.

This is about Microsoft moving to a system whereby YOU don't get to decide. It's more to do with DRM than anything else. A Microsoft exec let it slip recently -- device signing (and the enforcement) is about reducing the number of device makers to a more manageable level. Every device will be require to honour digital restrictions, or not get a signing key... and, of course, the NGSB (palladium as it was once called) will call home to ask which key should be revoked on a regular basis.

So MS people are priests now?

[Unit3]

This actually kind of makes sense, considering their technical decisions seem to be made without any logic or reason, and considering the ass raping they've been giving consumers for years now. ;)