Another solution which is often considered a security boundary or a security technology is kernel-mode code signing. This technology disables loading a driver that hasn't been digitally signed on 64-bit Windows systems.

This constituted a rather serious vulnerability from the beginnings of the system. Ever since Windows 95 the problem was that the majority of critical errors, blue screens, were a result of an unstable driver. Drivers usually operate in kernel mode and so have direct control over devices. A driver bug causes the entire system to halt; from a user's perspective, it seems like a question of Windows malfunctioning. This had to be fixed somehow.

While moving to a 64-bit environment (servers today are all exclusively 64-bit, as will client systems be in the future), Microsoft decided to sort out the situation. Effective troubleshooting requires identifying a driver's manufacturer first; the manufacturer can then be told how to fix the bugs. If a program is not signed, contact is nearly impossible: many modules in the program's code don't contain any fingerprinting or contact information, and even if they do, the information is arbitrary. A digital signature using a certificate allows a clear identification of a software creator.

How does kernel-mode code signing work?
At the system's start a list of revoked and blocked drivers is loaded. This is something along the lines of an exclusion list: if a driver can be found on the list, an attempt to load it will be blocked. This solution is an interesting idea.

The future of operating systems will probably involve granting explicit permissions to launch some programs; all applications will be blocked by default. The history of firewalls was much like this. Firewalls used to explicitly allow all traffic; Microsoft would release, for example, a security bulletin on dealing with the Slammer worm that advised users to block port 137 in perimeter firewalls, and people would do this. It seemed that 10 to 15 years ago all ports were open by default and only selected ports were blocked; today it's the other way around. All ports are closed and only selected ports are open. The same solution could be employed for software.

Let's return to kernel-mode code signing. Before a driver is launched its signature is verified. The signature has to be valid. The procedure also verifies whether the certificate that was used for the signing of the driver has been issued by an appropriate certification center. A certificate costs about $100. It's not about entering a loyalty rewards scheme.
The goal is to uniquely identify our program's manufacturer.

Kernel code signing has also been a target for attackers. An attack that got a lot of attention was one that was run by Joanna Rutkowska, who became quite well known after that. Kernel-mode code signing is not a rogue-driver-proof technology: to run an attack of this type, it's enough to purchase an appropriate certificate. The technology doesn't offer a feature for blocking modification of disk files either.

Another solution that is often seen as a security technology, and which was initially marketed by Microsoft as such, is User Account Control. We'll dedicate one of the next modules to it. Well, let's now try to find out if this technology really defines a system security boundary.

User Account Control aims to ensure that programs aren't run with escalated permissions: administrator privileges. Even the programs launched by an administrator shouldn't be excluded from this rule; you just have to explicitly allow a program to gain administrator privileges. Attempting to launch such a process will display a pop-up box asking if you really want to run it, and the whole screen will be greyed out. If you wait long enough you'll see, for example, that the system clock has stopped: the background image is a bitmap of the current screen. All these operations are there to make you take notice of a security-critical question.
To return to your work you need to react in some way to the displayed message. Since you haven't pressed Control-Alt-Delete, the prompt could have been displayed by any process. It's easy to create a program that will display a question that looks like a legitimate system warning. If another process displays the window, the standard user will be asked to submit administrator credentials. In this way a user gives administrator credentials to a malicious process. That's why User Account Control is not a security boundary. It's simply an additional feature that can be worked into the structured protection model we've mentioned earlier. Its goal is to disable or hinder the automatic infecting of computers by programs that require administrator credentials.