64-Bit Vista Kernel Will Be a "Black Box"
ryanskev writes with news from RSA Europe, where a Microsoft VP spoke bluntly about the lock-down that will apply to 64-bit Vista. From the article: "Microsoft will operate 64-bit versions of Windows Vista as a tabernacle, with the kernel as the holy of holies, where only its own high priests of security may venture." While Microsoft has seemed to be making some concessions to the likes of Symantec and McAfee, considerable doubt remains as to their ultimate future.
I think MS is right (Score:3, Insightful)
I'm confused (Score:4, Insightful)
What's the difference between the 32 bit and 64 bit kernel? And what does a 'tabernacle of security' mean?
I don't think there's a significant difference in DRM hardware between 32bit and 64bit systems. Why make the distinction? If they're going to secure Windows - why not secure Windows?
"Concessions to.." (Score:5, Insightful)
I'm no fan of MS, especially when it comes to their horrible security track record. However, if they really can manage to get it right (or even significantly better) in Vista, they shouldn't be going and making concessions to the people who've been making a living off the things that were broken in their last OS.
Should surprise no one..... (Score:3, Insightful)
Good luck (Score:2, Insightful)
If it uses trusted hardware, then it will have other serious problems, like making virtualisation hard or impossible, something that could make it fail entirely in the market.
This tough act is just a smokescreen for something else. Hmmm. Do they think they could get around some (e.g. EU) interoperability requirements that way?
Sounds like security by obscurity (Score:5, Insightful)
Which everyone by now should have learned does *not* work.
Re:Sounds like the right plan (Score:5, Insightful)
If the new model seems to be secure, McAfee and Symantec will boast about how they've kept the next generation of Windows safe.
If the new model is less secure, McAfee & Symantec will "point out" the need for their products.
Win win for AV companies...
"Sounds like security by obscurity" is good (Score:2, Insightful)
Actually it does work. Where people go wrong is using it as their sole security measure. In concert with various other good practices obscurity is good.
Re:Worth mentioning ... (Score:4, Insightful)
Are you allowed to modify your house wiring? (Score:3, Insightful)
Re:Worth mentioning ... (Score:1, Insightful)
So, it's not about the integers, it's about the pointers (logically).
Re:I think MS is right (Score:3, Insightful)
It's enough trouble writing solid modules for the Linux or FreeBSD kernels, and the source code to those is open and widely available. When your module code runs into problems, you can easily see what's going on in other portions of the kernel. It's a very, very useful debugging tool.
Now take this Vista kernel API you speak of. It'll end up being just like the Win32 API. Oftentimes developers had to resort to undocumented calls in order to get their application to perform a certain task. This sort of shooting-in-the-dark coding leads to bugs and security glitches. Even if you understand 98% of what an undocumented API does, it's that remaining unknown 2% that'll fuck you, your product, and your customers over in the end.
Reliable and secure software comes from the developers having a complete understanding of the systems they're working with and building upon. By limiting developer access to such knowledge, they'd be directly promoting buggy, insecure software.
"Our old stuff was crap" (Score:3, Insightful)
Given that Joe Public no longer believes MS has control over security, they need to build some new mental images to sell. 64-bit black boxes sound pretty solid.
Sayonara, Symantec (Score:5, Insightful)
If it will stop crapware like StarForce and the Sony rootkit from sneaking extra drivers in, bring on the kibosh. People who want to tinker can use one of the fine Open Source operating system kernels [kernel.org] that run on 64-bit Intel machines. Those that just want to play games or run Office can feel a little bit safer from malware.
Sorry Symantec, but after dealing with the disaster that is Norton Internet Security, I won't shed a tear when I read that you've filed for Chapter 7.
Adoption of Vista 64-bit (Score:3, Insightful)
The article is filled with such great lines! (Score:5, Insightful)
Translation: You're screwed! Upgrade to 64 bit ASAP (P.S. some of your software won't work)
Defender has already become the most popular download ever from Microsoft
If I was MS, I certainly wouldn't brag about anti-malware being the most popular application.
referring to third parties being able to patch 64 bit Vista - "It's just not the way the box was designed...we're putting a stop to that."
Great. What happens when MS doesn't quickly put out a patch... no choice on using the good samaritan patches anymore, you just have to sit and twiddle your thumbs.
referring to ever being able to secure 32 bit Windows - "That train has left the station."
I think it's more like the Windows train has left the station. Why bother to convert to 64 bit Windows? Switch to something else as soon as possible.
Re:Sounds like security by obscurity (Score:3, Insightful)
-matthew
Re:Sounds like the right plan (Score:5, Insightful)
That's exactly what I want. I do not want to have any software patch the kernel.
If there is no way for the spyware to patch the kernel I don't need McAfee or Symantec there at all. First thing I do with a new home machine is to strip off the AV software provided by Dell as cramware. Machines run so much faster and more reliably without. Then I turn off AutoRun and hook it up to my internal network which has twin SPI firewalls.
I have never had a virus but I have had machines go wonky because of buggy AV code.
I want to have as few kernel mode device drivers as is possible. Printers should not require kernel mode, nor should video cameras etc. Only the bare essentials talking directly to the DMA interfaces should ever use kernel mode.
I don't need to run my code in kernel space and I don't think anyone else does either.
Re:Sounds like the right plan (Score:3, Insightful)
Black box for video and audio devices... (Score:4, Insightful)
Re:I'm confused (Score:4, Insightful)
Security Not Needed (Score:4, Insightful)
Re:Not trying to be a troll... (Score:3, Insightful)
One thing would be the Xbox hack, although that involved an attack on the hardware as well.
There are countless successful projects to port Linux to some closed (i.e. black-box) hardware.
Re:Why is Microsoft even bothering.. (Score:3, Insightful)
So the 32 bit will be if you want anything to run, the 64 bit will be for people who want to play DRM'd content on their PC. Maybe an exaggeration, but I think that's about it.
You keep holding on to that raft .. (Score:1, Insightful)
And there are thousands of Philistines, including some very 1337 H4x0r5, at the gates
Just to be pedantic... (Score:3, Insightful)
And Apple makes most of its money from selling hardware, so I sincerely doubt they'll drop that and try to squeeze money out of selling an operating system exclusively.
Why the kernel is an issue (Score:5, Insightful)
The kernel has a reputation for being not particularly bad.
The reason the kernel is an issue, is that the new "threat" against Windows security is the owner/administrator of the machine. Microsoft needs to try to implement DRM, in order to get into bed with the media companies and sell music and Zunes to play it. You can't implement DRM if the user can patch the kernel to work around the DRM. Thus, they're going to try to prevent end-users from having the capacity to modify this behavior of their own computer.
The "security companies" are taking collateral damage from this, because their applications have to intercept all reads/writes (to files, the network, whatever) in order to scan all data against a blacklist of known malware [ranum.com] in order to try to protect the comically fragile userspace. This scanning is implemented through kernel patches, I guess.
Re:Sounds like the right plan (Score:3, Insightful)
Firefox kicked their asses with the better browser. Mac could do the same with the better platform.
How has Firefox "kicked their ass"? I'm not trying to defend IE, but last I saw, it still had nearly 90% of the marketshare. That's the kind of market domination that many companies would kill for.
Re:"Sounds like security by obscurity" is good (Score:5, Insightful)
The NSA is a good example of an organization that uses security through obscurity well. They employ the best cryptographers and system designers around, but they are also not about to tell anyone how those systems work. If you did know exactly what they were doing, though, you would still find them to be some of the most secure systems anywhere.
Microsoft, on the other hand, has a history of using obscurity as a method of covering up embarrassing security flaws. They do not have a history of having the best security. Do I think that Microsoft intends to hide the internals of their kernel as part of a comprehensive security regime in which obscurity is only the last layer, thus making Vista an impregnable fortress, or is this an attempt by Microsoft to squelch competition from other AV vendors under the guise of fixing their tarnished security image? Well, it's obvious what I think. Which do you think it is?
* The fundamental problem with security through obscurity is that you can't count on it. Either a clever hacker will figure it out, or an insider will leak or exploit information about the system. Your system must be as secure as you know how to make it assuming that your enemy has full knowledge of the system. Only then does layering obscurity on top of that make sense as an additional mechanism. Otherwise it's a false sense of security.
Re:It's a matter of trust (Score:1, Insightful)
Re:Sounds like the right plan (Score:5, Insightful)
No, Zeinfeld's world view is entirely sane and very defensible. I agree with him.
Let's review a few facts:
The foundation of any security system is the kernel. If the kernel is not running in a known state, you have no security system - period.
There is absolutely zero point in having user accounts, authentication, file permissions and so on if programs can load code into the kernel ... which they can, because for historical reasons Windows programs require admin rights, and even if they didn't, ultimately any program can ask the user to do something on its behalf and most will.
The solution is clear - forbid any unknown code from loading into the kernel. Only then can you have a sane system built on solid foundations. It is not a "right to read" scenario, because you can still mark individual drivers as loadable in Vista IIRC if you put it into developer mode (which makes it clear that you are in a special mode), but even if it wasn't, it'd be a price worth paying to help fix the internet.
Re:Sounds like the right plan (Score:3, Insightful)
Having kernel hooks wouldn't help AV programs detect this if the malware was well written and had already attached itself - you often need to get out of the environment to detect such problems, as with a live CD. After it was infected, anything the kernel reported would be suspect.
The trick to catching malware is covering the vectors through which it enters the system. No more, no less. The grandparent is spot on as far as I'm concerned.
It's not about security it's about compliance (Score:3, Insightful)
Let's remember that the reason Windows is in the server room in the first place is because MS sold it on the premise that it's easier to run. Not faster, not with less hardware, not even with fewer people, but with a lower skill set. Cheaper. So embedded security is not about security, it's about skill sets. Set it, forget it, hope for the best. If it smashes on the rocks then everyone did their best anyway and no one can be held accountable.
Re:Sounds like the right plan (Score:2, Insightful)
Re:Sounds like the right plan (Score:3, Insightful)
Unfortunately that's not the solution Microsoft chose. What they did is make a kernel that will only load code that has been approved by, and has paid a toll to, Microsoft, the amount of which is determined by Microsoft. That's vastly different than what you presented as the solution. On my Linux box unknown code is not permitted to load in the kernel, but I'm the one who determines what is loaded into the kernel, not Microsoft, and there is no required payoff to allow code to load into the kernel.
Re:Sounds like the right plan (Score:3, Insightful)
Re:Sounds like the right plan (Score:2, Insightful)
And by "malicious" we mean "Disney doesn't like it".
After all, it's not the user who's being protected here, it's the media corporations Microsoft is trying to sell Windows as a distribution channel to.
Alternatively, it could be "Provides good native OpenGL acceleration". After all, portable applications would be the death of Windows.
Re:Why is Microsoft even bothering.. (Score:3, Insightful)
Re:Sounds like the right plan (Score:3, Insightful)
Device drivers must, at some level, have a kernel component; because nothing in userland is allowed to talk to I/O ports. Only the kernel can do that. At the very least there must be a kernel component which accepts an instruction to read or write an I/O address and returns a result, via some method which is available to userland software. Of course, if you have a totally generic kernel driver which allows any userland program arbitrary access to any I/O ports without checking, then you have just knocked down the fence altogether. So a kernel driver needs to have at least some sanity-checking built into it.
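The "sanity-checking" this comment calls for, as an added example (not from the original thread or from any Windows driver): a user-mode simulation of the gatekeeper a kernel driver would put in front of port I/O requests, where the allowlist of port ranges and every request field are constructed for this example and treated as untrusted.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed allowlist: which I/O port ranges a user-mode caller may touch,
 * with which access widths, and whether writes are permitted. */
typedef struct {
    uint16_t base;
    uint16_t len;      /* number of consecutive ports in the range */
    uint8_t  widths;   /* bitmask of permitted widths: 1 = byte, 2 = word, 4 = dword */
    bool     writable;
} port_range_t;

static const port_range_t allowed[] = {
    { 0x0378, 8, 1, true  },  /* hypothetical parallel-port registers, byte r/w */
    { 0x03F8, 8, 1, true  },  /* hypothetical serial-port registers, byte r/w */
    { 0x0CF8, 8, 4, false },  /* hypothetical config window, dword, read-only */
};

/* A request as it would arrive through an IOCTL; every field is untrusted. */
typedef struct {
    uint16_t port;
    uint8_t  width;    /* 1, 2 or 4 */
    bool     write;
} io_request_t;

/* Allow the request only if it lies wholly inside one allowed range and
 * respects that range's width and write policy. Anything else is refused,
 * which is what keeps a generic port driver from becoming a hole in the fence. */
bool io_request_allowed(const io_request_t *req)
{
    if (req->width != 1 && req->width != 2 && req->width != 4)
        return false;
    /* Do the end-of-access arithmetic in 32 bits so a request near 0xFFFF
     * cannot wrap around and pass a range check it should fail. */
    uint32_t first = req->port;
    uint32_t last  = first + req->width - 1;
    if (last > 0xFFFF)
        return false;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        const port_range_t *r = &allowed[i];
        uint32_t rfirst = r->base;
        uint32_t rlast  = rfirst + r->len - 1;
        if (first < rfirst || last > rlast)
            continue;                       /* not inside this range */
        if (!(r->widths & req->width))
            return false;                   /* width not permitted here */
        if (req->write && !r->writable)
            return false;                   /* read-only range */
        return true;
    }
    return false;                           /* default deny */
}
```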
Re:Sounds like the right plan (Score:2, Insightful)
The problem is that a black box is always running in an unknown state - it's entirely a trust issue between you and the vendor, regarding the solidity of their authentication methods, security protocols and limitations on execution privileges. If a key is compromised, a way is found to bypass the authentication process or there's a suitably buggy driver, all bets are off again.
Of course, proclaiming "no unknown code may run in kernel mode" does make security a much simpler issue; you can bet the farm on how the gate holds, instead of putting locks on doors.
Re:Sounds like the right plan (Score:3, Insightful)
I don't need to run code in kernel space either, but I need to have the right to do so in order not to be held hostage by one particular company that decides what I can and cannot do with my own computer.
Re:Sounds like the right plan (Score:3, Insightful)
Re:Sounds like the right plan (Score:3, Insightful)
A compromised kernel allows you neither: dir contents are inaccurate, malware has its processes hidden from the task manager, its files from the explorer, and whatever deletion requests your antivirus software issues, they're not going to be carried out at all. As long as you can't trust the kernel, everything you try is moot, and conversely, if you can trust the kernel, you can start repairing the system from secure sources (cdrom, intranet etc.). And since nothing can wedge itself too deep anywhere, repairing and cleaning should be feasible, at least.