BlueHat: Malware, Isolation and Security Boundaries: It’s Harder than it Looks

Mark Russinovich here from BlueHat.

This is the first time that Microsoft has used internal speakers at its BlueHat security conference and I’m excited to be one of them. When I was approached with the invitation to present a session, I immediately thought of all the fun topics I’d like to talk about. For example, the current state of insecurity in off-the-shelf software and even security software, something I blogged about a while ago. Another topic I felt people would like to hear about is the state of rootkits and how I think they’ll evolve. “Hyperkits”, rootkits based on hypervisors, and the overblown hype they’ve gotten are a hot button of mine and were on my list.

In the end, though, I settled on something with less sizzle, but that I feel is much more important. That’s talking about what real security boundaries in Windows are and how hard they are to implement. It’s easy for a third-party to release a product that they say places a sandbox around Internet Explorer and sell it to the niche audience wanting the extra assurance of a secure browsing experience. However, these solutions derive their security from their niche status. Without being integrated into the operating system they cannot create a fool-proof sandbox, but malware authors target the masses, and the masses won’t be running these solutions.

Windows, on the other hand, is by definition on every Windows user’s desktop, so any technology billed as a security solution must be held to the highest standards. Unless we can guarantee that malware can’t escape based on a cookbook approach, we can’t say that we’ve created a security sandbox. Further, while third-parties can design a user-experience targeted at the “prosumer” who’s an active participant in their security management, Windows has to strive to provide security that’s as transparent as possible. Finally, Windows is committed to application compatibility, and any security boundary must have benefits that far outweigh the cost they cause by breaking compatibility. Again, third-parties can get away with breaking applications because their customers might willingly sign up for that cost.

The bottom line is that there are many technologies in Windows that people perceive to be security boundaries, but that are not. In my talk I cover the real Windows security boundaries and then review the technologies, like Kernel Patch Protection, Kernel Mode Code Signing, and others, explaining why application compatibility, user experience, or fundamental architectural issues prevent them from achieving the status of a security boundary. It should be fun!