
Windows 10 Device Guard: Microsoft's effort to keep malware off PCs

You'll need a machine with the right IOMMU tech

Device Guard: In theory it could isolate anti-malware programs from the kernel

RSA 2015 On Wednesday, at the RSA conference in San Francisco, Microsoft veep Scott Charney outlined a new security mechanism in Windows 10 called Device Guard. We've taken a closer look.

The details are a little vague – more information will emerge at the Build event next week – but from what we can tell, Device Guard wraps an extra layer of defense around the operating system to prevent malware from permanently compromising a PC.

Device Guard, when enabled by an administrator, checks to see if each and every application is cryptographically signed by Microsoft as a trusted binary before it is allowed to run. Device Guard itself runs in its own pocket of memory with its own minimal instance of Windows, and is protected from the rest of the system by the IOMMU features in the PC's processor and motherboard chipset.

These IOMMU features (outlined here by the Minix project) wall off Device Guard from the computer's hardware, so it cannot be tampered with by other software, no matter how low level that software is.

If the Windows 10 kernel, which has control over the PC, is compromised, Device Guard will remain firewalled off, and cannot be subverted into allowing unauthorized code to run. A hypervisor running beneath both the kernel and Device Guard enforces this separation.

(In theory, that is – similar "secure execution environments" have been defeated in the past.)

Ultimately, the idea is to stop miscreants from installing malware on a machine, thus limiting the amount of long-term damage an attacker can do.

"If you want to create a persistent threat on Windows you have to get code running in the kernel, because then you can get under apps, under a lot of safeguards, and change the behavior of the system," Dustin Ingalls, Microsoft's group program manager for operating system security, told The Register.

"With Device Guard, we take at least a similar sized step forward as the change for Windows 8 by making a bet on hypervisor-based security. With Windows 10, what will happen is that the hypervisor will be on all the time; you'll have your main OS, but what you'll also have is this very tiny, constrained version of Windows with no network or display stack. It's designed to be a very tiny, tightly controlled secure execution environment."

Ingalls told us Device Guard will approve trusted universal apps on Windows 10 desktops, tablets and phones. Applications available from the Windows Store will be signed off and ready to run via Device Guard. Enterprises with legacy apps can send hashes of the executables to Redmond to be signed within minutes, we're told.

"When apps are submitted to the Store, those apps go through vetting and all kinds of checks," Ingalls said.

"But if an enterprise is saying 'Hey, sign this for me,' it will be done with a key that only works for that company. If that enterprise wants to sign bad stuff, they are entitled to do that – we're not trying to say we'll only sign this or that. All we're doing is trying to make it easy for you to get an app signed so the new defenses will allow this piece of software to run."

There is, of course, a catch. To get Device Guard working, a supported IOMMU setup must be present in the PC or device. However, AMD and Intel processors, and even certain ARM and MIPS cores, have had IOMMU protection mechanisms built in for a while now. Intel calls its IOMMU tech VT-d; AMD prefers AMD-Vi.

When Windows 10 comes out this summer, computer giants such as HP, Lenovo, Acer, and Toshiba will tout their hardware as Device Guard-capable or Device Guard-ready.

Device Guard-ready systems will have the required IOMMU hardware present, kernel drivers optimized for Device Guard installed, and the security feature enabled. Device Guard-capable devices will have just the IOMMU hardware present, leaving the driver installation and configuration up to the user.
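For an administrator who wants to tell a capable machine from a ready one, and to see whether a given binary carries the kind of signature Device Guard checks for, here is an added PowerShell example. It is not code from the article or from Microsoft. It assumes the Win32_DeviceGuard CIM class in the root\Microsoft\Windows\DeviceGuard namespace and the property codes noted in the comments, which Microsoft documented for shipped Windows 10 builds but which do not appear on this page; verify them against your own build before relying on the output.

```powershell
# Added example, not from the article. Reports whether this PC has the IOMMU
# (DMA protection) Device Guard needs, whether virtualization-based security is
# running, whether a code integrity policy is enforced, and whether a binary
# is Authenticode-signed. The CIM class and property codes are assumptions
# drawn from Microsoft's later documentation, not from this page.

function Get-DeviceGuardReadiness {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Assumed AvailableSecurityProperties codes: 1 = base virtualization support,
    # 2 = Secure Boot, 3 = DMA protection (the IOMMU: Intel VT-d / AMD-Vi).
    $hasIommu   = $dg.AvailableSecurityProperties -contains 3

    # Assumed VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    $vbsRunning = $dg.VirtualizationBasedSecurityStatus -eq 2

    # Assumed CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit only, 2 = enforced.
    $ciEnforced = $dg.CodeIntegrityPolicyEnforcementStatus -eq 2

    $state = if ($hasIommu -and $vbsRunning -and $ciEnforced) { 'Device Guard-ready (hardware present, feature enabled)' }
             elseif ($hasIommu)                               { 'Device Guard-capable (hardware present, not configured)' }
             else                                             { 'Not supported (no DMA protection reported)' }

    [pscustomobject]@{
        IommuAvailable        = $hasIommu
        VbsRunning            = $vbsRunning
        CodeIntegrityEnforced = $ciEnforced
        Readiness             = $state
    }
}

function Test-BinarySignature {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature verifies the embedded signature chain; it does
    # not consult any Device Guard policy, so a Valid result is necessary but
    # not sufficient for the binary to be allowed under an enforced policy.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignatureValid  = ($sig.Status -eq 'Valid')
    }
}

Get-DeviceGuardReadiness
Test-BinarySignature -Path "$env:SystemRoot\System32\notepad.exe"
```

The readiness check only covers what the CIM class exposes: it cannot tell whether the vendor shipped the Device Guard-optimized kernel drivers the article mentions, so a machine reported as ready here may still need driver updates. Treat an unsigned or hash-mismatched result from the second function as the binary that would be blocked once a policy is enforced, and as a candidate for the enterprise signing route described above.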

There may be an extra cost for Device Guard-ready systems over Device Guard-capable products, but that's up to the manufacturers, Microsoft said. In the longer term, it's hoped that cost will disappear.

"Device Guard has to be one of the most compelling security innovations we've shipped in Windows," Ingalls said. "But it doesn't signal an end to malware. It makes it much, much, much more difficult, especially in the world where you're dealing with cybercriminals." ®
