Myth-Busting Windows 8 Security: Part Three


In this four-part blog series, I briefly review some of the myths we’ve heard about Windows 8 security improvements and point out where deficiencies lie. We believe security should still very much be a concern for anyone running the new Windows 8 OS.


Visit this earlier post to learn more about the series.


Myth #3: Changes to the Windows 8 boot sequence make it secure.


In previous releases of Windows, the boot sequence was an area ripe for sophisticated attacks against the operating system.  During the early phases of loading the OS there was very little validity checking: the firmware would hand control to whatever code sat in the Master Boot Record, and that code would in turn start whatever loader, kernel and boot drivers it found on disk.  Threats such as TidServ and Mebroot took advantage of this by replacing the MBR, giving them persistent, low-level access to the machine from before the kernel started, which is exactly where anti-malware software that loads later cannot see them.

To close the holes these threats were taking advantage of, Windows 8 introduces a revised boot sequence, usually referred to collectively as Secure Boot.  Effectively it is made up of three separate technologies, each covering a different stage of boot.  Let's take a look at each:


1. Unified Extensible Firmware Interface (UEFI).  This is a pre-existing industry standard that replaces the traditional BIOS architecture in use for the last few decades.  A traditional BIOS will start any OS loader, including one that malware has replaced.  UEFI firmware that implements the Secure Boot feature of the specification instead checks the digital signature of the OS loader against the keys held in the firmware before transferring control to it, and refuses to run a loader that has been tampered with or replaced; the Windows loader then continues the chain by verifying the kernel and boot drivers it loads.  There's a wrinkle, however: this requires firmware support.  Microsoft requires that new hardware certified for Windows 8 ships with UEFI Secure Boot enabled, but Windows 8 will still install on older BIOS-based machines, and on UEFI machines the feature can be switched off in the firmware setup.  So it's important to remember that simply installing Windows 8 on an old machine does not guarantee you the benefits of Secure Boot.  The practical check is the "Secure Boot State" line in System Information (msinfo32) or the Confirm-SecureBootUEFI PowerShell cmdlet; if it reports unsupported or off, the loader is not being verified.


2. Early Launch Anti-Malware (ELAM) driver.  In Windows 8, once control of the machine has been securely handed to the OS, the kernel looks for a registered ELAM driver and ensures it is initialized before any other third-party boot-start driver.  In earlier versions of Windows there was essentially a race to be the first driver loaded; if malware loaded before the anti-malware software, the malware would most likely be able to hide from it.  The ELAM driver attempts to close this hole.  It is a new class of driver that can only be delivered by security vendors who have worked with Microsoft and built their ELAM driver to tight specifications, and it must be signed with Microsoft's dedicated ELAM certificate.  Once the ELAM driver is initialized, the OS calls it back with information about every other boot-start driver as that driver is about to be loaded: the image's hash and the certificate it was signed with.  The ELAM driver compares that information against a small list of known driver hashes and publishers and returns a classification (known good, known bad, known bad but boot-critical, or unknown).  It is then the OS, through its Boot-Start Driver Initialization Policy, that decides whether a driver with that classification is allowed to load.

However, while the ELAM driver technically closes a hole and, as such, adds value to boot-time protection, there are severe limits on what it can see.  It runs before the file system and network are available, receives only a hash and signer for each image, and must keep its signature data small and its callback fast, so in practice it is restricted to hash and signature comparisons, not really an effective weapon against today's highly polymorphic malware.  Furthermore, the risk associated with denying a boot driver the right to load could be catastrophic for the user.  Imagine that a user has added a new piece of hardware which requires a boot-start driver.  It is entirely possible that the ELAM driver will have no knowledge of this driver or even of the hardware vendor, so all it can report is "unknown".  If unknown drivers are allowed to load (which is the default policy), then a malware driver with an unknown hash and an unknown signer is allowed to load too.  If unknown drivers are blocked, the user's new hardware stops working, and if it is the boot disk controller the machine may not boot at all.  The same trade-off is why the default policy still loads a driver classified as bad but boot-critical: blocking it would leave the system unbootable, so the OS loads it and records the event for later cleanup.
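To make the split between what the ELAM driver decides and what the OS policy decides concrete, here is a small Python simulation of the boot-start driver decision. It is an added example written for this post, not Microsoft's kernel code or any vendor's ELAM driver: the classification names mirror the values of the real ELAM callback, but the drivers, hashes, publisher lists and policy names are constructed for illustration, and it shows why a new hardware vendor's driver and fresh malware are indistinguishable to a hash-and-signer check.

```python
"""ELAM boot-start driver classification vs. OS load policy (simulation).

Added example for this post, not Microsoft's kernel or any vendor's ELAM driver.
The kernel calls the ELAM driver once per boot-start driver with the image's
hash and signer; the ELAM driver returns a classification; the OS policy
("Boot-Start Driver Initialization Policy") decides what may load. The
classification names mirror the real ELAM callback's values; the drivers,
hashes, publishers and policy names below are constructed.
"""
from dataclasses import dataclass
from enum import Enum, auto


class Classification(Enum):
    UNKNOWN = auto()                    # not on any list: ELAM cannot say
    KNOWN_GOOD = auto()                 # hash or signer on the allow list
    KNOWN_BAD = auto()                  # hash on the block list
    KNOWN_BAD_BOOT_CRITICAL = auto()    # known bad, but the machine cannot boot without it


# OS-side policy: the set of classifications allowed to initialise.
# "good_unknown_bad_critical" is the Windows default.
POLICY = {
    "good_only": {Classification.KNOWN_GOOD},
    "good_and_unknown": {Classification.KNOWN_GOOD, Classification.UNKNOWN},
    "good_unknown_bad_critical": {Classification.KNOWN_GOOD, Classification.UNKNOWN,
                                  Classification.KNOWN_BAD_BOOT_CRITICAL},
    "all": set(Classification),
}


@dataclass(frozen=True)
class BootDriver:
    name: str
    image_hash: str        # stand-in for the image hash the kernel passes
    publisher: str         # stand-in for the signer from the Authenticode cert
    boot_critical: bool = False


# Constructed ELAM signature data: small, because ELAM runs before the file
# system is up and must answer quickly for every boot-start driver.
KNOWN_GOOD_HASHES = {"h-disk-1.0", "h-ndis-1.0"}
KNOWN_BAD_HASHES = {"h-bootkit-loader", "h-infected-storage"}
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Contoso Storage Inc."}


def classify(drv: BootDriver) -> Classification:
    """What a hash/signer-only ELAM driver can decide with the data it is given."""
    if drv.image_hash in KNOWN_BAD_HASHES:
        return (Classification.KNOWN_BAD_BOOT_CRITICAL if drv.boot_critical
                else Classification.KNOWN_BAD)
    if drv.image_hash in KNOWN_GOOD_HASHES or drv.publisher in TRUSTED_PUBLISHERS:
        return Classification.KNOWN_GOOD
    return Classification.UNKNOWN  # a new hardware vendor and fresh malware look the same


def boot_drivers(drivers, policy_name: str):
    """Return ([(name, classification)] loaded, [...] blocked) under one policy."""
    allowed = POLICY[policy_name]
    loaded, blocked = [], []
    for drv in drivers:
        cls = classify(drv)
        (loaded if cls in allowed else blocked).append((drv.name, cls.name))
    return loaded, blocked


# Constructed boot-start driver set for one machine.
SAMPLE_DRIVERS = [
    BootDriver("disk.sys", "h-disk-1.0", "Microsoft Windows", boot_critical=True),
    BootDriver("ndis.sys", "h-ndis-1.0", "Microsoft Windows"),
    BootDriver("newraid.sys", "h-newraid-2.3", "Fabrikam Devices"),   # new hardware, unknown vendor
    BootDriver("evil.sys", "h-4f3a9c", "Self-Signed Test Cert"),      # fresh malware, also unknown
    BootDriver("bootkit.sys", "h-bootkit-loader", "Unknown"),         # on the block list
    BootDriver("storport-patched.sys", "h-infected-storage", "Unknown", boot_critical=True),
]


if __name__ == "__main__":
    for policy in ("good_unknown_bad_critical", "good_only"):
        loaded, blocked = boot_drivers(SAMPLE_DRIVERS, policy)
        print(f"policy={policy}")
        print("  loaded :", loaded)
        print("  blocked:", blocked)
```

Under the default policy both newraid.sys and evil.sys load, and the patched storage driver loads despite being known bad because it is boot-critical; under "good only" the malware is blocked, but so is the new RAID controller's driver.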


3. Measured Boot.  The final addition to the improved boot security is called Measured Boot.  This technology "measures" the events that occur during boot (which OS loader was used, which drivers were loaded, whether the anti-malware software started, and so on) by hashing each component.  The hashes are recorded in the platform configuration registers (PCRs) of a trusted platform module (TPM): each new measurement is folded into the previous register value, so the final value commits to the entire ordered boot sequence, and software cannot simply overwrite it.  The OS keeps a matching event log alongside.  The TPM can then sign those register values, together with a fresh challenge, for a remote server, which replays the log and checks that the machine booted the way a healthy machine should.  In other words, if you know what a healthy boot sequence should look like and this one doesn't match, then something is wrong.  Note that Measured Boot blocks nothing by itself; it only records, so its value depends entirely on somebody checking the result.  For this to work, a TPM in the machine and a robust attestation service (which does not come with Windows 8) are needed.
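The measure-then-attest flow just described, as an added example that is not part of the original post nor any Microsoft, TPM-vendor or attestation-service code. It simulates a single PCR with SHA-256 extends and uses an HMAC under a pre-shared key as a stand-in for the TPM's signature with its attestation key; the boot events, nonces and key are constructed. It also shows the failure cases a verifier has to tell apart: an honestly measured but tampered boot, an OS-side log that malware edited to look clean, and a replayed quote.

```python
"""Measured Boot and remote attestation (simulation).

Added example for this post, not Microsoft, TPM-vendor or attestation-service
code. A TPM keeps Platform Configuration Registers (PCRs) that can only be
changed by 'extend':  PCR_new = H(PCR_old || H(event)). The final value thus
commits to the whole ordered sequence of boot events; the OS keeps a plain
event log alongside. A remote server asks the TPM to sign ("quote") the PCR
together with a fresh nonce, replays the log to recompute the PCR, and compares
the result with the value a healthy boot produces.

Assumptions: one PCR, SHA-256, and an HMAC under a pre-shared key standing in
for the TPM's asymmetric attestation-key signature. All events are constructed.
"""
import hashlib
import hmac

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32
ATTESTATION_KEY = b"constructed-stand-in-for-the-TPM-attestation-key"


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend: the register can only move forward, never be set directly."""
    return HASH(pcr + HASH(event).digest()).digest()


class SimulatedTpm:
    """One PCR plus the event log that firmware and the Windows boot manager keep."""

    def __init__(self):
        self.pcr = PCR_INIT
        self.log = []

    def measure(self, event: bytes) -> None:
        self.log.append(event)
        self.pcr = extend(self.pcr, event)

    def quote(self, nonce: bytes) -> bytes:
        """Signed statement of the PCR value, bound to the verifier's nonce."""
        return hmac.new(ATTESTATION_KEY, nonce + self.pcr, HASH).digest()


def boot(tpm: SimulatedTpm, loader: bytes, elam_started: bool, drivers) -> SimulatedTpm:
    """Constructed boot sequence: loader, ELAM status, then boot drivers in load order."""
    tpm.measure(b"loader:" + loader)
    tpm.measure(b"elam:" + (b"started" if elam_started else b"absent"))
    for drv in drivers:
        tpm.measure(b"driver:" + drv)
    return tpm


def attest(nonce: bytes, quote: bytes, log, expected_pcr: bytes):
    """Server side. Returns (ok, reason)."""
    pcr = PCR_INIT
    for event in log:            # replay the log the client sent
        pcr = extend(pcr, event)
    expected_quote = hmac.new(ATTESTATION_KEY, nonce + pcr, HASH).digest()
    if not hmac.compare_digest(quote, expected_quote):
        return False, "log does not match TPM quote (edited log or replayed quote)"
    if pcr != expected_pcr:
        return False, "boot sequence differs from known-good"
    return True, "healthy"


# Constructed known-good configuration the attestation server was enrolled with.
GOOD_LOADER = b"bootmgfw.efi:sha256=d3adbeef"
GOOD_DRIVERS = [b"disk.sys", b"ndis.sys"]
GOLDEN_PCR = boot(SimulatedTpm(), GOOD_LOADER, True, GOOD_DRIVERS).pcr


def run_scenarios():
    """Four boots as the server sees them; returns {name: (ok, reason)}."""
    results = {}
    nonce = b"server-nonce-0001"

    healthy = boot(SimulatedTpm(), GOOD_LOADER, True, GOOD_DRIVERS)
    results["healthy"] = attest(nonce, healthy.quote(nonce), healthy.log, GOLDEN_PCR)

    # A bootkit replaced the loader and kept ELAM from starting; the TPM
    # recorded that honestly, so log and quote agree but are not known-good.
    infected = boot(SimulatedTpm(), b"bootmgfw.efi:sha256=bootkit", False, GOOD_DRIVERS)
    results["tampered_boot"] = attest(nonce, infected.quote(nonce), infected.log, GOLDEN_PCR)

    # Same infected machine, but the malware rewrites the OS-side log to look
    # clean. It cannot rewind the PCR, so the log no longer matches the quote.
    forged_log = list(healthy.log)
    results["forged_log"] = attest(nonce, infected.quote(nonce), forged_log, GOLDEN_PCR)

    # A quote captured from an earlier healthy boot, replayed under a new nonce.
    old_quote = healthy.quote(b"server-nonce-0000")
    results["replayed_quote"] = attest(nonce, old_quote, healthy.log, GOLDEN_PCR)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:15s} ok={ok}  {reason}")
```

The point of the two distinct failure strings is operational: a known-good mismatch with a consistent log tells the operator what changed, whereas a log that fails to match the quote tells them the client itself is lying and nothing it reports can be trusted.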


So, to conclude: Secure Boot introduces some new tools and techniques that together help to improve the security of the boot process in certain situations, namely on new UEFI hardware with Secure Boot enabled, a registered ELAM driver, a TPM and an attestation service checking its measurements.  Machines missing any of those pieces get only part of the protection, so there is still more work needed to protect systems in the real world.


Gerry Egan is Senior Director of Product Management, Norton by Symantec.