With just a few weeks remaining until general availability (“GA,” as we veteran beta-newsers would call it) of Microsoft Windows 10, many businesses are just now learning about the new features it brings to the table.
Monday at Microsoft’s last major conference before the rollout, Terry Myerson, its executive vice president for the newly spliced-together Windows and Devices Division, told attendees flat-out that Windows 10’s key feature will be security.
Put another way, businesses that don’t accept Windows 10’s more intense itinerary for updates, along with Win10 as an update in itself, are not really secure.
Better Reality Through Virtualization
It’s not the first shaky hyperbole about Windows security that a Microsoft executive tossed out at a major conference. And Virtual Secure Mode (VSM) is certainly not Windows’ first security feature with a poor choice of names. (Is it virtually secure? Or really secure?)
But VSM may, at last, put virtualization to work for Windows security in the proper way. The short-form explanation is this: The part of Windows that grants high-level privileges to executable files, including those whose authenticity or reliability may be suspect, is no longer directly connected to the Windows kernel.
It’s virtualized, which means a malicious file cannot spoof or otherwise attack this key component by attacking the kernel first.
“They actually have a copy of Hyper-V in Windows 10 that runs a mini, 1-gigabyte version of Windows that runs LSASS,” explained long-time independent security consultant Mark Minasi, before a packed audience at a recent Microsoft conference. “It’s sitting in a separate virtual machine that is running under Hyper-V.”
It’s not a fully-fledged version of Windows, of course, but rather a kind of container — not a Docker container, mind you, but an isolated, miniature virtual component running a scaled down operating system either similar or identical to Microsoft’s new Nano Server.
Trusted Platform Non-Module
For a decade, hardware manufacturers have been slowly, incrementally building features onto the Trusted Computing Platform, including the Trusted Platform Module intended to create impregnable roots of trust within computers and hard drives.
VSM takes one more step in leveraging TPM, creating perhaps the ultimate dichotomy in security technology: a virtual module that assures outside systems that it’s the part of the hardware that exclusively provides it with identity, when it’s not hardware at all.
Leave it to IBM to create software that assures the world it’s hardware, for the sake of security.
“It is obvious that a TPM is not a device that was designed to be accessed by multiple systems at the same time,” reads a 2011 IBM research note on the possibility of a mutually-assured white lie.
“Therefore, we extended the current TPM V1.2 command set with virtual TPM management commands that allow us to create and delete instances of TPMs, depending on the current configuration requirements of the platform. In our model, each created instance of a TPM holds an association with a virtual machine (VM) throughout its lifetime on the platform.”
In Windows 10’s case, the vTPM assists the virtual machine that runs the newly isolated process authenticator to declare itself as running on hardware, when it’s not. Usually a software-based authenticator can’t be trusted by design. So the vTPM extends a kind of voucher from the real TPM, running on the real hardware on the same machine. This makes the vTPM non-portable.
“It means if you’re spinning up a virtual Windows 10 box,” Minasi continued, “and you want to do stuff that involves a TPM, it will emulate one for you.”
What the vTPM also does is let Windows establish a completely encrypted barrier of separation between the machine running the authentication process, and the processor hosting that machine.
The Bell Tolls for the LSASS Exploit
All of which leads to the musical question, “So what?”
All of the security tokens necessary for any process to attain the higher privileges it needs to address critical system functions, will now accompany the authenticator process inside this isolated container.
This way, the operative component in charge of privilege for the entire system is like a little computer that is purposefully inaccessible for purposes other than the few for which it was designed. A typical operating system exploit attempts to get Windows to do something it was not designed to do so that parts of it will crash, and, during the interval where it tries to recover itself, to execute something way above the privilege level for that exploit.
The VSM container cannot be exploited in that way, because it does not do anything else besides handle authentication. Inevitably, some will attempt to exploit VSM in a different way.
But at the very least, one of the longest-standing exploit vectors in Windows’ history may have been rendered effectively impossible in Windows 10. Quite possibly, the last vestigial remnant of Windows’ reputation as a shrink-wrapped security hole, may finally be cast off.