[Info-vax] Some interesting security-related work from Microsoft...
EVERHART at gce.name
Thu May 17 20:51:51 EDT 2018
On Thursday, April 19, 2018 at 7:10:31 PM UTC-4, Stephen Hoffman wrote:
> Looks like you can now have (for instance) a GPG mail environment that
> can be verified, but where an exploit running with Windows kernel
> access cannot access the private keys.
>
> https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/
>
>
> Looks like some descendant of the Palladium / NGSCB and the secure boot
> work that started an aeon or three ago has finally started shipping...
>
> https://en.wikipedia.org/wiki/Next-Generation_Secure_Computing_Base
>
> Downsides? Probably. Wouldn't want to find malware lurking in one of
> those enclaves. DRM and anti-malware will soon be resident and
> running in an enclave. There'll be lurking bugs too, of course.
>
> OpenVMS has nothing similar to this — there are a number of gaps in
> what's currently available, such as sandboxing and other related
> security work and that's all been mentioned once or twice before.
>
>
>
> --
> Pure Personal Opinion | HoffmanLabs LLC
Some conceptual ancestors run in VMS, or used to.
I implemented a system with an encrypted virtual disk whose driver tested a number of things to be as sure as it could that it was being accessed by the startup process only, soon after hard boot, with some other limitations. Idea was this could be used to mount other crypto-disks or do other initialization. You'd keep a special unrestricted driver on removable media, take it out of the safe and use it to set the thing up. It could have done whatever you like, including doing a crypto hash of system images etc.
Not as useful for real paranoid environments, particularly since it was published in source code...but interesting for circa 1990.
Getting something that keeps secrets at boot time is harder...
Note though that the Microsoft stuff has its holes too; designers have mentioned there are ways to get the system to spill its guts and reveal keys. Maybe some of that is fixed now. (The issue exists with HSMs too, in that there are generally ways they can be commanded to re-key or export data and whatever is allowed to give them commands needs to be limited as well, so these kinds of things only occur where legitimately needed.)
Just thought it won't hurt to mention what was done a while back and would be easy now...
Glenn Everhart
everhart at gce.name
302 373 5382