Coffeehouse Thread

12 posts

MS Signature program needs this sort of certification pass

  • androidi

    Well I acquired certain PC OEM's "Signature edition" PC. Some observations:

    1) Resetting the PC didn't remove the OEM stuff. There should be a way to reset in a way to either keep OEM stuff or get rid of it entirely and it should be worded that way. The reason is that I may not want to have stuff on the PC installed by OEM that didn't come through Windows update - because if they put some crap through Windows update then it becomes MS's problem to deal with. If they put it directly on the restore image then it needs all these tasks and services etc to auto-update and who knows how secure the OEM's auto-update system is? (usually not very) Or it doesn't auto-update and may have undiscovered security issues.

    A better way would be to ask on first start if I want to install the OEM apps and which of them and then deliver them through WU or Store or whatever. Now they're already running after "Reset this PC" on the system, which defeats the point of the cleaning.

    Implementation: Add new Reset option that after the reset checks that nothing was added pre/during install and shows a folder from which one can manually one-by-one or all at once install the OEM tools/gadgets if one wants to. One way to do this check is to look at all the Tasks and auto-runs etc for stuff that was not present in a clean Windows install. Then have the OEM have some "Signature edition certification tool" which fails if they put in some tasks or auto-runs during system recovery without letting user decide if they want them or not.

    2) Half of the reason to get rid of the OEM tools is that they use user-mode software to perform things that really should be configuration option in the UEFI/BIOS such as: controlling display backlight, what the power button does (this OEM overrides the Windows controls with a .NET app that launches from power button! Only "nice" thing about this is if you're testing which system is snappy with some .NET app (launching powershell), certainly one that already pre-loads .NET and keeps it in cache beats the rest. )

    The other half is some of these things start from task then do regular page faults which no doubt eat battery, cause context switching, L2 thrash etc.

    3) 0.001% of a reason is that if there's yet another "OEM rootkit" (or security flaw in OEM tool auto-update etc) then it's clearer where to aim the lawyers at if the system was somehow certified to be clean after doing a reset. I'm saying this because the following executables running after "reset this pc" don't inspire great confidence:

    Bluetooth suite\adminservice.exe  (If I was writing some malware I'd give things such generic undescriptive bland names t00)

    QAAdminAgent

    ParameterService

    WatchDog (no doubt restarts the OEM "toolware")

     

    That's just the background stuff. Here's some scheduled tasks:

    LiveUpdateAgent (... can't you guys use WU ...)

    FubTool.exe

    UMDF\run2.bat (no comments inside the bat to even attempt to explain what this is for)

     

    ..

    Now the most amusing thing that I find both good and bad:

    The physical power button... pops up a .NET program asking what you want to do, so you have to use the mouse after pressing power button. "Good thing" here is that it's .NET so I know that I can reconfigure the power button to do what I want and since it keeps CLR in memory, when I was at the shop trying out various systems, this was fastest in many of my tests because it had pre-loaded .NET assemblies into L2 cache (the ePowerButton_NB does page faults every few seconds so no doubt that helps keep CLR in memory if not in cache).

    Preferred alternate solution: UEFI configuration for keyboard scancodes with ability to configure multiple options depending on if the key is pressed for x sec or tapped or comboed - this way you could re-purpose this power button that is next to Del-key to be Calculator-launch or play/pause and keep the power button behind the 3 second press even without the need for ePowerButton_NB.exe. User could then move things like where the power button is if it's on the keyboard, or placement of pageup/del keys etc without needing usermode apps or services or driver or registry hacks.

  • androidi

    About the "Signature edition certification pass" :

    Pass 1) checks that "Total Reset" indeed doesn't leave any OEM auto-starts/runs/tasks etc around by comparing the same locations as AutoRuns does to a true clean install

    Pass 2) "Regular Reset/Recovery" should have a 12 hour monitoring phase that checks which OEM-factory-installed tools/apps/drivers were causing (frequency+intensity) page faults, context switching, cache thrashing, bringing system out of low power state etc.

     
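One way to implement the "Pass 1" check from the two posts above (added example, not code from the thread or from any OEM tool): snapshot the same kind of auto-start locations AutoRuns reads, save a baseline on a clean Windows install, then list everything a freshly reset machine has that the baseline did not. The baseline file path and the `Compare-AutoStartBaseline`/`Get-AutoStartInventory` names are assumptions for the demo.

```powershell
# Added example: baseline-diff of common auto-start locations (Pass 1 of the proposed
# Signature-edition certification). Not the page's code; names/paths are assumptions.

function Get-AutoStartInventory {
    # 1. Scheduled tasks: one row per action that runs a program (WatchDog, LiveUpdateAgent, run2.bat ...)
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }            # COM-handler actions carry no Execute
            [pscustomobject]@{
                Kind    = 'Task'
                Name    = "$($t.TaskPath)$($t.TaskName)"
                Command = ("$($a.Execute) $($a.Arguments)").Trim()
            }
        }
    }

    # 2. Services (adminservice.exe, QAAdminAgent, ParameterService would appear here)
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        [pscustomobject]@{ Kind = 'Service'; Name = $s.Name; Command = [string]$s.PathName }
    }

    # 3. Run / RunOnce keys: machine-wide (incl. the 32-bit view) and current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys | Where-Object { Test-Path $_ }) {
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }         # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Kind = 'Run'; Name = "$k\$($p.Name)"; Command = [string]$p.Value }
        }
    }

    # 4. Startup folders for this user and for all users
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                       [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Kind = 'StartupFolder'; Name = $f.FullName; Command = $f.FullName }
        }
    }
}

function Compare-AutoStartBaseline {
    # Returns every auto-start entry present now that was NOT in the clean-install baseline.
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        [object[]]$Current = @(Get-AutoStartInventory)
    )
    $baseline = @(Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $Current `
                   -Property Kind, Name, Command |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object Kind, Name, Command
}

# Step 1, on a clean Windows install (assumed output path):
#   Get-AutoStartInventory | ConvertTo-Json -Depth 3 | Set-Content -Path C:\baseline\autostart-clean.json
# Step 2, on the OEM machine right after "Reset this PC":
#   Compare-AutoStartBaseline -BaselinePath C:\baseline\autostart-clean.json | Format-Table -AutoSize
```

This covers only the locations listed above; AutoRuns also walks drivers, WMI event subscriptions, shell extensions and more, so a certification tool would need to extend the inventory accordingly, and the 12-hour "Pass 2" monitoring is a separate measurement.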

  • cheong

    FYI, "Reset this PC" is to reset it to factory state, not to vanilla installation state. So yes, all the OEM installed "junk" along with the drivers will stay there after a reset.

    If you want a "clean install", you have to acquire OEM installation media from that vendor (possibly with extra cost).

    Also, note that some evaluation versions of "junk" are actually requested by the software vendor to put in the installation as advertisement. Requiring a user option to not install them won't fit the current LOB. Although it's possible to require the vendor provide another version of install disk with just the drivers only, possibly at higher added cost.

    Btw, it seems the version you got is a heavily modified one. Please post the brand if you can so I can avoid it at all cost in future.

    Recent Achievement unlocked: Code Avenger Tier 4/6: You see dead program. A lot!
  • androidi

    From OEM perspective I don't think they have any "junk" on the computer I got. They added "helpful tools" - tools which mostly do stuff Windows 10 already does if you know where to look, or to adjust some parameter specific to the hardware.

     

    Problem isn't "adware/junkware" it's more "janky OEM tools with bad update model or no update model".

    These "bad update models" are common with most Windows software (outside the Store). e.g. Adobe Flash installed separately pops up notification that there's new Flash version. Yes I wanted that notification from Flash instead of Auto-update but imagine if 100 different installed apps used services, tasks and stuff running as ME (my credentials) to pop-up notifications about updates being available? It'd be insanity and that's part of why the model is bad and yes MS recommended this model in Vista days and I thought it was horrible then and it still is horrible. The obvious (non-satisfactory) answer is to auto-update everything without notifications but % of developers will abuse that as seen in Android-OS ecosystem. So the only sane answer here is that MS provides some sort of platform for update notifications that cover everything that is installed after clean windows install, starting from the OEM factory stuff. So if there is update to OEM factory stuff that's e.g. user mode driver, then update notifications to those come through a update notification center so that no OEM will be writing services or tasks related to updating or update notifications. Just like in BANKING, to have automatic payments of bills, you make a contract that allows that. Same with updates. If I want automatic updates (not just notifications of updates) I would have to make a contract as user that is separate from the app/software/driver installation. This relates to establishment of trust. I don't let vendors auto-bill or auto-update if no trust has been established. It's not "trust by default".

    If this sounds foreign it's because I'm not in US where "trust is by default". In my country trust is earned, it's not there by default. This also goes into why I should be able to download tiktooR.exe, run it and if I find it to be a bit suspect, maybe I won't let it auto-update but just notify about updates. And it should also run in a way that if I run it under my account, it can't go around reading info from other apps or read/writing to other process memory without elevating the trust for it. The current Windows trust model is still broken - a "hack" to fix it is to run every app with its own user credential such that My Documents are indeed My documents (no installed app has read access) and "shared documents" can be read by all apps. If I open Notepad and go to My documents, notepad does NOT have read access to any of the documents. Only once I click a specific document, notepad gains access to that single document. At least this is how it should be. As user I won't notice any difference to how it works now but if I was to replace or inject notepad.exe with malware, it would NOT be able to do whatever it wants in My documents.

    How? Because of Video mixing. A feature I specified in another thread to support hardware accelerated Pencil. With Video mixing, the access control layer/UI is implemented entirely above Windows and its video output is mixed AFTER GPU output. This access control layer would receive info of where I would click to elevate app rights and show that doing so elevates the rights. Also, front-camera would have light next to it that can only be turned a specific color if the real access control was running. So if malware attempted to mimic the access control UI, you would know from the light that it's not real. So the Open File dialog would have highlights added in videomixing that indicate that clicking a file in My Documents causes that app to gain rights to it and the hardware light would confirm the highlights to be real. (+ the hardware could interrogate the screen for elements attempting to mimic highlight colors and XOR those out or something)

     

    The above is part of larger initiative to get Your Data in Your hands (eg. government medical agencies have been shown to be leaking medical data, something I warned about 15 years ago but I wasn't the first)... I should have no worry about Rootkit.exe getting to My documents because My documents would be all encrypted unless I allowed Rootkit.exe access to specific document through the secure overlay that runs at hardware level (ROM-based, proven-correct implementation).

    See this very interesting and still timely piece which motivates the need for the PC to be more secure than the ThreeLetterAgency's systems:

    http://www.imagocentre.com/images/145/1967_the_computer_and_invidual_privacy_568.png

  • cheong

    IMO that's why they're pushing the "marketplace model" that allows you to convert classic applications to store Apps.

    This won't solve the updates problem for plugins and other DLLs though. I remember Microsoft had considered allowing 3rd parties to update their libraries through Windows Update but finally chose not to do it because of legal implications.

  • androidi

    I'll address both points (a+b) and add some other things that could be improved (e.g. the PC I got is otherwise nice but there are a few things that even if you saw them in specs the specs might be rather inaccurate such as viewing angles or not stating that the SRGB gamut is not fully covered - both of these could be tested cheaply by anyone if MS provided a tool for their phones that I detail below)


    a) Update notifications with links to mfg site for download should not present legal issues (you might have to have additional checkbox that says "i understand this link takes me to 3rd party site and ms blah blah").

    However I do think the "oem tools" bundled on a Signature edition could be dealt with differently. At the very minimum, there should be some report on what the tools OEMs install in the Sig.edition do - the points I made earlier about the updates and "customer security concerns about update mechanisms" should be present when explaining why features that are common across a device class should not be implemented with some user mode app ....

    b) .... (such as display panel controls - in CRT's some of these were implemented with EDID but for LCDs some OEM's are providing tools to control typical LCD features like various blue-intensity or "color/white temperature" - things that relate to backlight or panel specific features and aren't adjustable from GPU control panels). If the panel is not some 10 bit panel then some of these panel-internal controls are very important. On the system I bought the white looks blue and if I use the OEM tool to reduce blue light, even with minimum setting it goes yellow. So it's totally useless. And


    Something other that came to mind for certification:

    Battery testing. Part of the problem here is that the Windows brightness control shows some blue bar that goes up and down. Imagine if your car's speedometer didn't show any (measured) numbers.

    1) first thing to fix is to make the brightness control query the measured max brightness from the LCD panel and show that at the top of the brightness control bar.

    2) have a standardized minimum brightness level that displays for Signature edition need to reach (for battery testing). The query done in 1) should also give back the brightness value that will give this standard brightness.

    3) Have a public tool that can be installed to Windows phones to measure the brightness. This is so that if manufacturers want to cheat on the battery tests, they already know they'll get caught immediately because everyone can measure the brightness during battery test with their phone. I doubt the mfgs get offended by this if you explain the alternative is a race to the bottom and nonsense specs - like how do you market proper viewing angles? Everyone says they have 178 degrees but I can sit STRAIGHT in front of my LCD's and I see the color temp and brightness/contrast affected as my eyes go further away from the center. To me that tells the TRUE viewing angles are probably negative 10 (-10 vs panel vendors marketed 178 degrees). With CRT this true viewing angle was about 160 degrees - at that point the heavy large glass would start to show reflections from walls because I didn't have a hood on it.

    4) When the standardized brightness setting is sent back to the display, the phone measurement (Done by placing a second Surface product running the measurement tool in "reference brightness mode" next to the device under test - since anyone can do this in a retail shop, if the oem is bullshitting their battery/viewing-angle/brightness specs, this will be obvious to anyone with 2 phones and 30 seconds of time to run the test while accessing the battery test)

    5) battery test implementation: Have the CPU,GPU,display panel vendor assist on this one such that you can send a command that makes the device consume a known amount of power.

    6) brightness standard : Each panel should output ~270 cd/m2 on each corner of a red box (because Red is Hard for blue/white leds used in LCD's) that is 75% of the panel resolution at 50 degree angle from left side and top side (eg. a 255,0,0rgb small red box at 3000*0.75 and 2000*0.75 for Surface Book would give that 270 cd/m2 at 50 degree angle using one camera phone to measure and another to show reference brightness by being placed next to the DUT).

    7) keyboard, cable and foam-cover outgassing test: have 50 employees smell a paper towel. Place paper towel on top of keyboard and close the lid for 12 hours. Have same 50 employees smell the paper towel. If any of them report it smells like the keyboard (or cable, if wrapped around a cable) then fail the "Signature edition" test. At least I'm returning devices if they have smells coming from parts under my nose. Cables have large surfaces of plasticizer-laden areas so they don't even need to be under my nose to smell if they are poorly made (not all cables smell, cheap made in China/Taiwan ones seem to be pretty much the only ones that do)

    - Foam keyboard cover testing is critical as some of these foams can smell really bad (soft synthetic material - lots of low temp boiling/evaporating additive/softening chemicals) and I have found empirically that closing a non-smelly keyboard together with the shipping foam, saturates the keyboard plastic and rubbers with the foam outgassing products.

    Nice to haves I'll just mention but don't know how to test these:

    8) Carryability : 1-handed feel of edges/slipperiness. Depending on the OEM there's often issues in these. For true portability you should be able to close and open lid with 1 hand, pick it up with 1 hand and feel you can carry it securely without bag or case or whatever (not too slippery on top or bottom). 3:2 dimensions help to give stability.

    9) QA: Flex/bonding/seams. I saw a unit in shop that had display go blank if you touched it.

  • cheong

    If just update notifications... maybe. But that means you'll have to store the update URL in the driver information file, and the link can become a popular target for malware because it'll enable the malware to show a malware download site to the user as a genuine update to drivers/software. And if that is a driver / software update, I assume most users won't think twice before hitting the elevation button.

    Note that while software backlight adjustment is quite standard for mobile products, most desktop/laptop LCDs still rely on OSD buttons to adjust it (worse, I know some cheap LCDs do not connect that to anything - you always get the dimmest level of backlight).

  • androidi

    @cheong: "Obviously" the downloads need to be signed and the download link itself can be required to contain hash of the signature. In addition, when sending the update notification to MS, the notification can also contain hash of the file which is checked when download completes. So if r00tk1dd1e changes the file, even if they stole the keys to sign their malware properly (as seems to happen), it still fails.

    In addition, this entire update process could be stored inside vm or docker that the OEM uses and that vm or docker app is pre-configured to use SMS authentication that is tied to phone number - so even if the hacker managed to compromise keys and access the update process, they'd also need the phone of the staff responsible for handling updates.

     

    Now, "obviously" problems may arise if the vendor doing the updates is or becomes malicious. I would say that the problem here would be best handled if Windows changed its security model such that "My documents" are indeed my documents. eg. My Desktop should be my desktop and every app gets elevated for access by user action. (eg. if the pencil/touch hardware sat in the display/after gpu, there would be no way for malware to fake that user has granted access). This would still allow some type of malware but not encrypting your documents for ransom or stealing all IP at once, which are the most common threats in the news.

  • cheong

    @androidi: Unless it's a Microsoft (or other 3rd parties that practice tight control of the keys) signed one, please understand that code signing does not automagically mean it's safe. That's a dangerous security misconception that needs to be changed, because I personally hold two sets of e-cert code signing keys for the opensource community. If someday I want to use it for malicious things... :grin

    Also, this would mean Microsoft have to host the binaries, hence the legal implication.

    However if you request the binaries be signed by Microsoft, there will be even greater legal implication. (Note that even for driver signing that Microsoft introduced in WinXP, there was a long time battle that the driver manufacturers use flags or something to hide some code paths during the tests and enable it in production. You had better have each and every one of them submit source code to Microsoft in order to do that... But wait, that's the marketplace model)

  • androidi

    So here's how MS does the notification & updater while 3rd party takes the legal implications (user needs to go through 4 steps which each make it clear none has anything to do with MS):

    MS could fund a non-profit under which an open source notification tool/task with incremental torrent tech for downloading updates is made. The non-profit signs the executable containing the source and MS signs the compiled executable and the download which contains the two (signed source.exe, compiled notification task and torrent client.exe).

    The torrents are hosted by non-profit in cloud server (and across peers) and the vendors use verified means (e.g. SMS + escrow payment from verified paypal account) to tell the non-profit's server to pull a file containing the info on new updates. The files in the torrent are hosted by the vendors. If the vendor does not use cloud provider, the update process does automatic trace to the vendor IP's to check they have a file stored in each continent. It also checks the download speed of the files.

    The tool vendor, on first 3rd party tool install, asks "do you want notifications of updates". If so, a link is opened to the e.g. github containing the "torrent-like notifier and update downloader"-source. A verified source and release build of the notifier/update downloader is hosted in Windows update, the github page contains an English sentence that you need to paste in the Windows update that says "Ask me to enable 3rd party code update notifications on next boot". This causes on next boot that to be asked and the secure boot process to download a build of the update notifier (signed with non-profit's key but this signing could be at MS after changes to the code are audited) and "incremental torrent client" from WU and set it up to run on its own account and get access to update the files and add new files to folder of where the file requesting update notifications was. (so if I have oemtool.exe in My Documents, the update process will only be able to add files there or modify the existing file being updated, not read other files in My Documents)

    The torrent can be incrementally updated as long as update sizes(diffs) below certain % of the target file:

    GUID-PortableTool.torrent:

    PortableTool.exe\signatureCRC\PortableTool.exe (torrent contains block hashes of this)

    PortableTool.exe\update1#-signatureCRC\PortableTool.exe (DIFF to PortableTool.exe)

    PortableTool.exe\update1#-signatureCRC\PortableTool.diffmap (The downloader downloads this first...)

    PortableTool.exe\update2#-signatureCRC\PortableTool.exe (DIFF to PortableTool.exe)

    PortableTool.exe\update2#-signatureCRC\PortableTool.diffmap (The downloader downloads this first, then uses these maps to download parts of full PortableTool.exe if the local file is found to contain blocks that don't match the original file and apply the diffs in memory during the download. The server tracks the complexity of applying the diffs and creates entirely new non-diff'd exe if the update time grows too much - this can be regulated by limiting diff sizes because security updates don't usually change everything in the file. )

    -.diffmap is created as a step after release build. By using EDRAM cpu, the process should be pretty fast as everything is in cache for even quite large exe's.

    - The ".torrent" file is cloud hosted by non-profit.

    - Company queues xml files to the non-profit-run service (containing hash of each updated file). The service pulls the a.dll from the url specified by the company and creates a torrent. If the torrent exists, it creates a diff. This diff is pulled by client. The client has a task which looks at "update event source". When PortableTool runs, it creates event with its GUID. The notification task takes the GUID and creates a web page run locally. This local web page contains javascript that uses the GUID to pull the .torrent. When new update is available, the .torrent file itself gets updated incrementally (update#-signatureCRC folder added to each added DIFF-file). The block hashes of PortableTool are compared against the local file. During application a new file is created before swapping the new and old file (allow to rollback the update completely).

     

    To reiterate the 4 steps were:

    1. User had to download 3rd party app "PortableTool.exe" (if it was factory installed, then the factory installed tool would need a checkbox to go to next step) and specify they want update notifications instead of auto-update.

    2. User had to reboot system after "checkbox" and acknowledge legal copy that explains the thing above and where the source can be found (local link to the non-profit signed exe and github). After this it gets setup.

    3. When update was released to the incremental .torrent and the app specific notification time/schedule of the user (daily, weekly, monthly) is met, user gets the local web page that doesn't say anything about MS - since the update tool has write new access and modify existing to the PortableTool.exe folder, the URL of the web page can be like file://c:/Windows/PortableOEMTool.exe:NTFSAlternateDataStreamForUpdateToolCreatedWebPageWithTorrentLinks

    4. On that page shows up the OEM's company name and download link. The torrent links point to the non-profit server and it shows the domains for the PortableOEMTool.exe inside the torrent (in case no peers, that domain is used as alternate dl-source). Once the download starts, the download process shows again that the files aren't coming from MS.

     

    At no point in the process was MS or Windows mentioned but the security of the download process, download/notifier tool and the checksum/code sign stuff was audited by MS and since it was open source you can audit all the related stuff yourself.
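The two checks the proposal above relies on, the full-file hash carried with the notification/download link (androidi's reply to cheong earlier in the thread) and the per-block hashes in the .torrent that decide which parts of PortableTool.exe to re-download, as an added example that is not the thread's tool or any real client. The `#sha256=` link fragment, the function names and the sample bytes are constructed for the demo.

```powershell
# Added example: verify a local PortableTool.exe against the full-file SHA-256 in the
# download link and against published per-block SHA-256 hashes; report stale blocks.
# Not the page's code; the link format and all data below are constructed.

function Get-Sha256Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$Offset = 0, [int]$Count = -1)
    if ($Count -lt 0) { $Count = $Bytes.Length - $Offset }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash($Bytes, $Offset, $Count)
        return ([BitConverter]::ToString($digest)).Replace('-', '').ToLower()
    } finally { $sha.Dispose() }
}

function Get-BlockHashes {
    # One SHA-256 per fixed-size block; the final block may be shorter than $BlockSize.
    param([Parameter(Mandatory)][byte[]]$Bytes, [int]$BlockSize = 4096)
    $hashes = @()
    for ($off = 0; $off -lt $Bytes.Length; $off += $BlockSize) {
        $len = [Math]::Min($BlockSize, $Bytes.Length - $off)
        $hashes += Get-Sha256Hex -Bytes $Bytes -Offset $off -Count $len
    }
    return $hashes
}

function Get-HashFromLink {
    # Assumed link form: https://host/path/PortableTool.exe#sha256=<64 hex chars>
    param([Parameter(Mandatory)][string]$Link)
    if ($Link -match '#sha256=([0-9a-fA-F]{64})$') { return $Matches[1].ToLower() }
    throw "Download link carries no sha256 fragment: $Link"
}

function Test-UpdateFile {
    param(
        [Parameter(Mandatory)][byte[]]$Local,
        [Parameter(Mandatory)][string]$Link,
        [Parameter(Mandatory)][string[]]$PublishedBlockHashes,
        [int]$BlockSize = 4096
    )
    $localBlocks = @(Get-BlockHashes -Bytes $Local -BlockSize $BlockSize)
    $stale = @()
    $n = [Math]::Max($localBlocks.Count, $PublishedBlockHashes.Count)
    for ($i = 0; $i -lt $n; $i++) {
        # A block missing on either side, or hashing differently, must be fetched again
        if ($i -ge $localBlocks.Count -or $i -ge $PublishedBlockHashes.Count -or
            $localBlocks[$i] -ne $PublishedBlockHashes[$i]) { $stale += $i }
    }
    [pscustomobject]@{
        FullHashMatches = ((Get-Sha256Hex -Bytes $Local) -eq (Get-HashFromLink -Link $Link))
        StaleBlocks     = $stale
    }
}

# --- Constructed demo: a fake "release" of 3 full blocks plus a 100-byte tail ---
$release   = [byte[]](0..(4096 * 3 + 99) | ForEach-Object { $_ % 251 })
$published = Get-BlockHashes -Bytes $release
$link      = "https://vendor.example/PortableTool.exe#sha256=$(Get-Sha256Hex -Bytes $release)"

# Local copy with one byte flipped inside block 1 (a stale or tampered download)
$local = [byte[]]$release.Clone()
$local[5000] = $local[5000] -bxor 0x7F

$report = Test-UpdateFile -Local $local -Link $link -PublishedBlockHashes $published
"Full-file hash matches: $($report.FullHashMatches); blocks to re-fetch: $($report.StaleBlocks -join ',')"
```

Block hashes only tell the client which bytes differ from the published file; whether the published file is trustworthy still rests on who controls the hash list and the signing key, which is cheong's point about code signing above.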

  • androidi

    Now, the problems I see in the above system are that since there's steps from user and vendor side, adoption could be an issue. No one would know about it until one installed a 3rd party app using it. And no carrot or stick to tool/app/soft vendors. Though if all the Signature PC's had their OEM tool updates handled through it, that would raise awareness a bit.

    Minor issue is that if there's multiple updates, should there be a way to batch multiple updates at once. If so, the tool should first go to generic local page from which there's links to each executable's local update page and checkboxes to download all the torrents at once. This way it would still be clear which exes/dll's are the source of notification (which you had to allow at some earlier point with the checkbox).

  • cheong

    FYI, there is already Ninite that people keep using all the time. If you only install free tools and don't want thousands of updaters, you're recommended to use it too.
