Posted By: Charles | Nov 30th, 2006 @ 1:26 PM | 42,090 Views | 24 Comments
This is part two of our discussion with Scott Field, one of the minds behind Vista's security architecture (hint: he likes the way onions are constructed...). Jeremy Mazner helps conduct this interview, which contains explicit whiteboard scenes and frank talk about security and the future of security in Windows. User discretion is advised. Tune in.

See part I here.
SecretSoftware
Code to live, but Live to code.
Cool Video.

MS should have moved the WinKernel from Ring0 to Ring1 in that onion. PatchGuard can then secure Ring1 code. This way you get rid of the impracticality of securing code with the same privilege level that exists in Vista.

Or, MS could introduce zones within the kernel layer, where one zone would have more privilege than the other. Kind of like the throne and the king's servants. Or the nucleus in a cell. Zone 0, Zone 1, Zone 2. Zone 0 runs the hypervisor and heuristics; Zones 1 and 2 run the kernel and other stuff.


Anyway, I look forward to seeing the cryptography in Windows Vista and socket security. Will certificate substitution (man-in-the-middle attacks) work in Vista as before, or not?

What about ASLR (Address Space Layout Randomization), which was introduced later in the dev cycle into Vista? This was already present in open-source OSes and Linux. It was supposed to make the odds of a successful buffer overrun exploit 1 in 256, because each time you restart Windows Vista, the system resources that are loaded into memory are loaded into a random address space. It helped Linux be more secure than Windows in the past, and it's a plus in terms of security. But in the Linux world, crackers found a way around it with memory search tools and things like that. I don't know how MS implemented their ASLR, but it would be cool to know more about it.

Rootkits will still work in Win32 Vista, although it's much harder now. Even if people were not able to patch the kernel anymore with rootkits, they might patch process memory space with DLL injection and impersonation. Does Vista check at run time if a process has changed? Suppose a DLL injection happened at run time for a process running in Windows Vista; would Vista block the injection, or allow the injection but crash the application or stop its execution?

What applications can access Raw Sockets? Does windows check?


Thanks for part 2. It's cool and I am looking forward to seeing the crypto video (if it will be done) on Vista and the new innovations as compared to the pre-Vista era.


Edit: Since we are in the security zone here, how secure is the firewall in Vista? Will it prevent LAN attacks, like ARP poisoning, MAC spoofing, things like that?
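The post above asks whether Vista notices when a DLL has been injected into a running process. Vista does not police this for you; what a practitioner can do is inspect the module list of a process after the fact. The script below is an added example written for this thread (it is not from the video, the poster, or Microsoft). It assumes an elevated PowerShell session on the machine being inspected and takes a process name as its only parameter; it lists every module loaded into matching processes and flags those whose Authenticode signature does not verify or that live outside the Windows directory.

```powershell
# Added example, not from the original thread: enumerate the modules loaded
# into a running process and flag the ones worth a second look. This is a
# manual, after-the-fact check from an elevated shell; it does not block
# injection, it only makes an injected DLL visible.
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName   # assumed input, e.g. "notepad"
)

# Modules loaded from under the Windows directory are the normal case;
# anything elsewhere (a temp folder, a user profile) deserves attention.
$windir = $env:SystemRoot

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    foreach ($mod in $proc.Modules) {
        $path = $mod.FileName
        if (-not $path) { continue }

        $sig      = Get-AuthenticodeSignature -FilePath $path
        $inWindir = $path.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)

        $flags = @()
        if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
        if (-not $inWindir)          { $flags += 'outside-windir' }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                PID    = $proc.Id
                Module = $path
                Flags  = ($flags -join ',')
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}
```

Two caveats when reading the output: on older Windows releases many OS binaries are catalog-signed rather than carrying an embedded signature, so they can show up as NotSigned even though they are legitimate, which makes the outside-windir flag the more reliable signal there; and a 32-bit PowerShell cannot read the module list of a 64-bit process, so run the bitness that matches the target.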
BlackTiger
If you stumbled and fell down, it doesn't mean yet, that you're going in the wrong direction.
Hmmm... Secure?...

Just try to kill "winint.exe" from TaskManager...

PS: DON'T DO THIS ON YOUR MAIN/WORK PC!!!
BlackTiger wrote:
Just try to kill "winint.exe" from TaskManager...


No such file comes with Windows?? And if you mean wininit, then it's hard to kill as it's not running.
Massif
aim stupidly high, expect to fail often.
SecretSoftware wrote:


MS should have moved the WinKernel from Ring0 to Ring1 in that onion. PatchGuard can then secure Ring1 code. This way you get rid of the impracticality of securing code with the same privilege level that exists in Vista.



Isn't that what they're talking about introducing with the Hypervisor? Bumping the kernel up a ring and having the hypervisor sit in ring 0.
SecretSoftware wrote:

MS should have moved the WinKernel from Ring0 to Ring1 in that onion. PatchGuard can then secure Ring1 code. This way you get rid of the impracticality of securing code with the same privilege level that exists in Vista.


Nice idea, but it would have broken every bit of virtualisation software out there. It is the way they are going by introducing low-level virtualisation support and a hypervisor though.
staceyw
Before C# there was darkness...
Nice vid guys!

Hey, it would be really nice if someone (probably from MS) would put together a detailed list of all these new innovations in Vista (i.e. security, network, new interesting APIs, new tech, etc.). Not a marketing document, but a real list that devs and IT Pros would like. I see stuff scattered around, but have not seen it in one document. Maybe a wiki page on a Vista team site updated by an evangelist. Does this already exist?
staceyw wrote:
Hey, it would be really nice if someone (probably from MS) would put together a detailed list of all these new innovations in Vista (i.e. security, network, new interesting APIs, new tech, etc.). Not a marketing document, but a real list that devs and IT Pros would like.


Yeah, it would be great to be able to link to something like that whenever someone says, "Vista is simply an eye-candy upgrade."
BlackTiger
If you stumbled and fell down, it doesn't mean yet, that you're going in the wrong direction.
androidi wrote:

BlackTiger wrote:Just try to kill "winint.exe" from TaskManager...


No such file comes with windows?? And if you mean wininit then hard to kill as it's not running.


Yes, it's "wininit.exe". And this process is VERY running (check "Show all processes" in TaskMan). Killing this process VERY crashes Vista. Sometimes(!!!) Vista can't even start after rebooting. It's very easy to write some virus/trojan to kill some process.