Scott Field: How secure is Vista, really? - Part II
- Posted: Nov 30, 2006 at 1:26 PM
- 42,798 Views
- 24 Comments
This is part two of our discussion with Scott Field, one of the minds behind Vista's security architecture (hint: he likes the way onions are constructed...). Jeremy Mazner helps conduct this interview, which contains explicit whiteboard scenes and frank
talk about security and the future of security in Windows. User discretion is advised. Tune in.
See part I here.
See part I here.
Comments Closed
Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation,
please create a new thread in our Forums,
or
Contact Us and let us know.
More episodes in this show
-
Scott Field: How secure is Vista, really? - Part I
-
Scott Field: How secure is Vista, really? - Part II
-
Mike Flasko and Anthony Jones: Winsock and .NET…
Follow the Discussion
Oops, something didn't work.
What does this mean?
Following an item on Channel 9 allows you to watch for new content and comments that you are interested in. You need to be signed in to Channel 9 to use this feature.What does this mean?
Following an item on Channel 9 allows you to watch for new content and comments that you are interested in and view them all on your notifications page.sign up for email notifications?
MS should have moved the WinKernel from Ring0 to Ring1 in that onion. PatchGuard can then secure Ring1 Code. This way you get rid of the impracticality of securing code with same priviliage level that exist in Vista.
Or, MS could introduce Zones within the Kernel layer, where one zone would have more previlage than the other. Kind of like the Throne and the King servents. Or the nucleous in a cell. Zone 0 Zone 1 Zone 2. Zone 0 Runs hyperviser and hurestics, Zone 1,2 run Kernel and other stuff.
Anyways, I look forward to seeing the cryptography in Windows Vista and Socket Security. Will certificate substitution work in vista (man -in middle attacks) as in before? or not?
What about the ASLR (Address Space Layout Randomization) which was intrudiced later in the dev cycle into Vista. This was already present in open-source OS , and linux. It was supposed to make the odds of a successful buffer overrun exploit 1/256 chances, because each time you restart winVista, the system resoruces that are loaded into memory are loaded in to randomal address space. It helped Linux be more secure than Windows in the past, and its a plus in terms of security. But in the Linux world, Crackers found a way around it with memory search tools and things like that. I dont know how MS implemented their ASLR but it would be cool to know more about it.
RootKits will still work in Win-32 Vista, although its much harder now. Even if people were not able to patch the kernel anymore with rootKits, they might patch process memory space with DLL injections and impersonation. Does Vista check at run time , if a process had changed? Suppose a DLL injection happened at Run Time for a process running in Windows Vista, would Vista block the injection or will allow the injection but crash the application or stop its execution?
What applications can access Raw Sockets? Does windows check?
Thanks for part 2. Its cool and I am looking to see the Crypto video (if will be done), on Vista and the new innovations as compared to prevista era.
Edit: Since we are in Security zone here, How secure is the Firewall in Vista? Will it prevent LAN attacks? like Arp poisioning, MAC Spoofing, things like that?
Just try to kill "winint.exe" from TaskManager...
PS: DON'T DO THIS ON YOUR MAIN/WORK PC!!!
No such file comes with windows?? And if you mean wininit then hard to kill as it's not running.
Isn't that what they're talking about introducing with the Hypervisor? Bumping the kernel up a ring and having the hypervisor sit in ring 0.
Nice idea, but it would have broken every bit of virtualisation software out there. It is the way they are going by introducing low-level virtualisation support and a hypervisor though.
Hey, it would be really nice if someone (probably from MS) would put together a detailed list of all these new innovations in Vista (i.e. security, network, new interesting apis, new tech, etc) Not a marketing document, but a real list that devs and IT Pros would like. I see stuff scattered around, but have not seen in one document. Maybe a wiki page on a Vista team updated by an evangelist. Does this already exist?
Yeah, it would be great to be able to link to something like that whenever someone says, "Vista is simply an eye-candy upgrade."
It's the product feature guide for Windows Vista. Loads of information on what's new in Vista. It's not very technical or deep, but it does provide useful descriptions of the new innovations in Vista.
You can find Security-related white papers here: http://www.microsoft.com/security/windowsvista/default.mspx
Feel free to create a C9 wiki that lists all new features of Vista, broken up by OS layer
C
Yes, it's "wininit.exe". And this process is VERY running (check "Show all processes" in TaskMan). Killing of this process VERY crashes Vista.
Killing system processes on Vista will invoke a privilege elevation prompt (assuming UAC is running). Admins can do stupid things, just like in XP. If some rogue process tries to do harm, then a user would be prompted by the system that a questionable action is taking place and will be given the option to stop it.
I don't see how killing processes in Admin security context is a Windows security issue. 100% user error.....
C
1. Believe me, UAC WILL BE disabled on many systems.
2. This IS bug in security. It's impossible to kill system by killing process in XP. Try to kill critical process in XP (SYSTEM, smss, svchost(s)).
Turning of UAC is a user-decided action and therefore a user-decided mistake. Yeah, a mistake. Do NOT turn off UAC unless you HAVE to on your dev machine (which is our fault, not yours - we will fix this)
You are wrong about not being able to compromise XP by doing stupid things as an admin.
C
Then if they get sick of the prompts or impatiant (like other programs) the user finds ways to turn off or disabling 'ABC' or should I say "UAC". They don't really read it or take patiants to look at, instead they just answer it. It is a tangent.
I think the big point here is that the *average* user does not speak geek.
So, they answer 'Yes' to the 'xyz,pdq' questions. Or they turn off 'ABC' regardless of the software trying to protect them. Or if enough FUD is applied the 'end-user' answers 'No'. Could you image all the things that can't be done if you answer 'no' to all UAC prompts. So, it is back to not reading and just answering 'yes' to all or disabling.
- guy
"Have a great day! You just unlocked the pick slip virus!."
I doubt UAC will the the solution to all problems, but it's a step to a good direction. User's should read the messages, you can't blame the creators for everything, user stupidity is to blame most of the time.
Ya, but if a user who is a brain surgen stupid because he does not know about a dialog box asking him to "xyz.pdq", when not knowing what it is going on?
I know I won't be doing any brain surgery, and I know that brain surgury is not for the average person, *user*. Am I considered stupid because I can't do brain surgery from there point of view. But should a computer require a Computer Degeree to use just as much as it would take a PHD to operate on a human.
I know that is apples and oranges but the point is that it should not be. Is the user is considered to have *user stupidity* because they can't operate a computre or a genesis becuase they can operate on the brain.
The real issue here is the hacker. Second is educating the user and how and at what cost if not free. And third would be the one who should supporting the complete package (from selling to educating) and not jsut providing a platform for chaos.
Don't forget the third party the malware creator who IMHO is the realy stupid person in this picture and not microsoft or the *average* user even if you think of them as doing something stupid.
Does buying Vista come with free training and education on all thes terms like UAC, MalWare, Prompts, etc... or Or is the user just left on there own.
Buyer beware!!! There are hackers out there that no one can stop but you and if you don't then don't blame the OS manufacturer or the hacker just blame yourself.
Sounds like smokey the bear "Only you can prevent Forest Fires."
So... is the root account Linux's way of making an insecure Linux system the user's fault instead of Linux's fault?
The UAC dialogs clearly say "This program is trying to run. If you started this program, please continue." or even "The source and purpose of this program are unknown. Don't run the program unless you used it before or know where it's from.", followed by "Cancel: I don't know where this program is from or what it is for."
If the user doesn't understand that message, or worse, doesn't -read- that message, then yes, it's the user's fault.
It's not an ideal system, but in my opinion, it's the best compromise between usability and security.
Some (very) critical processes (look at my exampe) MUST BE protected not by UAC or any other "user level" system, but by some internal "unstoppable" system. They must be protected even from SuperPuperAdministrator. Some kind of "core protection". UAC is just a "protection feature", not a "protection system".
I'm not against UAC. This is nice... feature. But far from perfect. Best scenario (imho): disable UAC during system setup/tuning, but enable after whole system installation including all software and settings.
But... What we will do between incompatibilities between UAC and Microsoft(!) software? This is weird problem. There was some solution. I don't know why MS not used it (did I misse something?). Application signatures. Exctly like antivirus software, but in opposite direction. Ok, MS can't collect all signatures from all ISV (at least in short time), but they CAN do it for own software! In this case you can run application without interaction with user even if application is "not quite right, but doing nothing harmful".
As Scott mentions in the video, all MS software components in Vista are digitally signed. It would be a compatibility nightmare to force all ISVs do do the same. That said, Vista is the beginning, not the end, of a much more strict system. You see, there's always been (and will contnue to be) a struggle between platform flexibility and system security. It's a very hard problem. Scott, for one, has been working on it for 12 years.
Vista is not perfect, but it contains a great deal of security innovation that will form the basis for future iterations of Windows while doing a great job of keeping users safe today.
C
Yes, but would your agree that by doing X and knowing I'm doing X I could answer the dialog box. But at some point would you agree that by doing X that not only X is being done but also Y and Z? If the user gets a dialog box for Z do they know for sure that they started Z or is it a rogue? Do they know what Z is? No, So, answer No, and now X does not work? So the user is back to answering Yes to all because if not then X will not work?
Fore example while doing an install the average user is asked to continue to run this program (installer). They would say yes. But then half way through the process they get a message Y.exe is trying to access the z.exe do you want to continue (was that the install or a rogue program)? Well they did not start Y.exe or Z.exe (the installer did which they gave access to).
Funny thing was when I did an install it did not work. I had to actually create a boot start bat file. And elevate security.(http://blogs.conchango.com/pauloreichert/archive/2006/11/21/Windows-Installer-MSI-packages-error-code-2869-on-Windows-Vista.aspx.
IMHO I think this is good and going in the right direction but should we cut off our nose to spite our face. We need to keep the average user in the loop as we go after the security issue. I think put technical systems in place to tackly the issues but the more and more dangerouse it becuase the more education is needed. I can't drive a car (even knowing how simple it is) with out education (legaly). Maybe we need license to use a computer (i'm not talking EULA)? Also as I pointed out Smokey says only you can prevent forest fires. How does he help, educates the campers. MS where is your Smokey The Bear "Only you can prevent hack attacks"? Where is your UAC commercial telling the average users for free what the hell that means?
Obviously if we would live in a platonic world there would be no security issues Malware, hacker, or the likes. The average user would use the computer like it was intended and would not need twenty dialog/prompts asking if they want to open an email. But if it is going to be this difficult than educate them. And I don't mean by giving them text in a dialog box in hopes that they will understand and answer the question with clearity.
I'm going to start up a survay in my local communtiy to see how many average users know what UAC means let allone what User Access Control is?
but if MS added heuristics to detect malicious software behavior, then this can be reduced by 60-70%.
hey being clothed is better than being naked. Prevista, the Kernel was naked, now, it has some clothes on.
Pretty much every "what's new in Vista" publication I've read mentioned UAC and explained what it did. I'm pretty sure it'll be covered in the tour on new installations, and that it'll be mentioned in the manuals. If companies train their personell on using Vista, no doubt UAC will be part of the training. I'm not sure how else Microsoft is supposed to educate people. By buying time for a commercial on TV that explains UAC to people during the Superbowl? Sounds a bit over the top, to me.
I don't know, it seems pretty simple to me. If people get a new installation of Vista on their PC, they should take the tour and learn about new features, or at least read the manual. If they get to use vista on their PC's at work, I'm pretty sure their employers will have given them some sort of training to work with Vista. Both will cover UAC and educate the user.
Remove this comment
Remove this thread
close