Microsoft's Windows 8 security measures include secure boot. As demonstrated at BUILD, this means compromised systems can refuse to boot.
Microsoft is detailing some of its
security procedures for Windows 8.
Key to Windows 8's "platform integrity
architecture" is its Unified Extensible Firmware Interface (UEFI), a set of
specifications for how the operating system communicates with platform firmware
during the boot-up process. UEFI features a firmware validation process known
as "secure boot," which dictates how that firmware manages security
certificates, firmware validation and the like.
"Microsoft's platform integrity
architecture creates a root of trust with platform firmware using UEFI secure
boot and certificates stored in firmware," Tony Mangefeste, a member of the
Windows Ecosystem team, wrote in a Sept. 22 posting on the "Building Windows 8" blog. "With Windows 8's
secured boot architecture and its establishment of a root of trust, the
customer is protected from malicious code executing in the boot path by
ensuring that only signed, certified -known good' code and boot loaders can
execute before the operating system itself loads."
In theory, UEFI secure boot will allow
machines running Windows 8 to sidestep a current vulnerability in many PCs,
namely that the pre-operating system environment is vulnerable to malicious
loaders redirecting the boot loader handoff.
"For Windows customers, Microsoft is
using the Windows Certification program to ensure that systems shipping with
Windows 8 have secure boot enabled by default," Mangefeste said. Windows
Certification will also ensure "that firmware not allow programmatic control of
secure boot (to prevent malware from disabling security policies in firmware),
and that OEMs prevent unauthorized attempts at updating firmware that could
compromise system integrity."
During the BUILD conference earlier in
September, Windows and Windows Live division President Steven Sinofsky
demonstrated Windows 8's security measures by having a fellow executive plug a
USB with a rootkit virus into the port of a tablet running the operating
system. The device failed to boot up and compromise the system.
For the past few weeks, Microsoft has
unveiled aspects of its Windows 8 operating system, which is being designed to
run on both tablets and traditional PCs. It will do so by offering two distinct
user environments: the desktop, instantly familiar to anyone who's used
Windows, alongside a touch-enabled interface featuring colorful tiles that link
Microsoft executives have spent
considerable time over the past few weeks trumpeting Windows 8's "no
compromises" ability to provide both a lightweight mobility experience and the
sort of features desired by power users. Security, obviously, is a huge factor
in all of that.
Follow Nicholas Kolakowski on Twitter
Nicholas Kolakowski is a staff editor at eWEEK, covering Microsoft and other companies in the enterprise space, as well as evolving technology such as tablet PCs. His work has appeared in The Washington Post, Playboy, WebMD, AARP the Magazine, AutoWeek, Washington City Paper, Trader Monthly, and Private Air. He lives in Brooklyn, New York.