Hi and welcome to the Microsoft Virtual Academy and the start of the Windows 8 Security Insights training. My name is Milad Aslaner. I'm part of the Premier Field Engineering group and based in Germany. As a Premier Field Engineer I'm a technical expert in delivering critical IT services to Microsoft customers. My focus area is Windows Reliability and Performance. This means that I'm daily utilizing tools such as the Windows Performance Toolkit to troubleshoot performance issues at the nanosecond level, and I'm a regular speaker at Microsoft events on how Windows works under the hood.
2012 Microsoft Corporation
In this module we will talk about Secure Boot, ELAM (Early Launch Anti-Malware) and Measured Boot. So let's begin with Secure Boot.
Secure Boot is a UEFI firmware-based feature which helps prevent unauthorized UEFI drivers (also known as Option ROMs), firmware or DLLs from being loaded at boot time. This is done by maintaining databases of software signers and software images that are pre-approved to run on the computer. As I mentioned it's a UEFI feature, but what is UEFI actually? In the past there was BIOS (Basic Input and Output System) firmware, which was written in assembly and used software interrupts for I/O (disk activity). Due to changes in the computer landscape there was a need for a modern firmware to start the next generation of devices. UEFI allows a very modular firmware design, which gives vendors better flexibility. Whereas I/O was very limited by software interrupts, UEFI utilizes architecture-neutral coding standards and is event-based.
If we compare the legacy boot process with the modern boot process we can quickly identify that the change happens at the OS Loader level. With the legacy boot process the biggest issue we had was that malware had the opportunity to launch before the OS Loader. Malware engineers/hackers could specifically build rootkits for it and try to get their code loaded before the boot manager. With the modern boot process we introduce the Secure Boot feature as part of Windows 8. With that, the firmware only starts a signed OS loader and signed boot components. If the boot process fails, a remediation process is started immediately. But how does it really work under the hood? When you turn on your computer it starts executing kernel-level code responsible for memory management, processing, hardware etcetera; this is all done in order to be prepared for the OS execution. Once the system is powered on and, importantly, BEFORE THE OS LOADER is started, the firmware (UEFI) checks the signature of the firmware code that exists on hardware peripherals such as network cards, video cards or storage devices. After that it continues by checking the embedded signature inside each firmware module. These signatures are stored in databases in firmware. These databases are the Allowed and Disallowed lists that determine whether the boot process can continue.
To utilize Secure Boot the system must be UEFI 2.3.1 compliant and running in native UEFI mode. UEFI+CSM implementations will need to disable CSM to get Secure Boot to work. We have two databases: first the populated signature database, which contains pre-approved signatures and images specified by the OEM for their UEFI drivers, and second the forbidden signature database, which contains a list of signatures and images known to be malware. The private encryption key must be included in the UEFI database during the system manufacturing process. Secure Boot also requires a public key which is stored in the firmware flash storage. Only the OEM partner owns this key, with the private key guarded by Microsoft. The initial signature set stores, as the name says, the initial set of signatures, and it is stored in flash memory as well. Updates to the database can only be done by the OEM or through a KEK (Key Exchange Key) update. In any case it requires physical access to the machine.
Some notes about Secure Boot: it's kernel-level security, so it's not related to user mode. Secure Boot is a required feature for OEMs to get the Windows 8 logo on their devices. You can check whether Secure Boot occurred correctly by accessing the registry. The registry value for this is HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\State\UEFISecureBootEnabled; check there whether the value is set to 1. A value of 1 indicates that Secure Boot occurred correctly. Any kind of remediation work will be logged in the Windows event logs, specifically the System event log.
So what really happens if an unauthorized boot DLL, firmware or OS loader tries to execute? Secure Boot triggers remediation work at that moment. This means that the system will boot into WindowsRE to replace the corrupted binary with a known good version from the Windows component store. In case the component store binary is also corrupt, the in-box corruption repair process is started.
As a recap: Secure Boot is there to prevent unauthorized firmware or DLLs from being loaded at boot time. It requires UEFI 2.3.1 firmware, any kind of remediation is documented in the System event log, and it's a kernel-mode security feature.
Now let's focus on Early Launch Anti-Malware. ELAM is a new feature which provides a way for supported antimalware software to start as the first third-party component. With that, antimalware gets the ability to control the initialization phase of boot drivers. Antimalware drivers must use existing tools for installation and register the driver through the typical INF processing routine. The driver must advertise itself as a boot-start driver, similar to other boot-start drivers. The boot drivers are initialized based on a classification which is returned by the ELAM driver according to the initialization policy. System administrators can specify custom policies through Group Policy, which helps to prevent unknown drivers from initializing or can enable drivers that are critical to the boot process.
If you compare Windows 7 and Windows 8, what has actually changed? If we look at how the Windows 7 boot process worked, we can identify that without Secure Boot the first attack surface was the OS loader phase. Then, as the next step, malware engineers or hackers had the opportunity to get their code loaded as a boot-start driver. For OS loader security we already talked earlier about Secure Boot and how we fight back with it. Now with Early Launch Anti-Malware (ELAM) we focus on the boot-start drivers. Specifically, with Windows 8 we make sure that the first 3rd-party driver will be the antimalware driver. Just like Secure Boot, if the system detects that it has been compromised, remediation will be executed immediately.
If a crash happens due to a compromised boot-start driver, a crash dump will be generated if the disk stack has already been started. If that is the case, you can use WindowsRE to determine the reason for the crash. The malware signature database, the place where the driver hashes are stored, is provided by the antimalware vendor. Microsoft recommends that this malware signature database contains at minimum a whitelist of driver hashes.
As a system administrator you are able to configure ELAM depending on your needs. For this you can utilize the Group Policy settings stored under Administrative Templates/System/Early Launch Antimalware. You have three options there. The first one is Good only: only drivers that are signed and have not been tampered with will be allowed to load. The second is Good and unknown: drivers that are signed and have not been tampered with, or drivers that are not classified by ELAM, are allowed to load. The last option is Good, unknown and bad critical, which is similar to Good and unknown but additionally allows drivers that are known as malware but critical to the boot process to load. Important to know is that if the antimalware driver does not include a boot-start component, the policy does not apply even if you configure it.
To summarize: with ELAM, Windows 8 introduces functionality to make sure that the first 3rd-party driver loaded during the boot process is the antimalware driver. In case anything goes wrong and the disk stack has already started, ELAM will generate a crash dump which can be analyzed to identify the root cause. The malware signature database is provided by the antimalware vendor, and all functions are stored under HKLM\ELAM\<vendor name> for the vendor which utilizes the ELAM functionality.
With Measured Boot, Windows 8 introduces a feature which gives antimalware software a log of all boot components that were started before the AM software. It can help to determine whether the components that ran before it are compromised or not. Supported antimalware software has the ability to send that log to a remote server so that the machine is able to prove that it is in a trustworthy state.
When Measured Boot is enabled it records the integrity of the Windows kernel and all boot-start drivers, including third-party ones. If the AM software starts as a boot-start driver it will be flagged in the log, so that it is possible to determine when the AM has been successfully started.
So how does Measured Boot get provisioned? First of all, a TPM chip must exist and must be activated. Second, establish an AIK that the server associates with the client. Third, turn on boot measurements. Fourth, install an antimalware solution with a boot-start driver. Fifth, install a client component that can communicate with the remote server.
As a recap: Measured Boot is a new feature in Windows 8 which gives AM software the opportunity to get a log of the boot activities before the antimalware software is started. This log can be extremely useful to validate whether there may be malware on the computer, or any kind of evidence of tampering with boot components.
So let's look at the big picture of Windows 8 boot security. This graph illustrates how all those boot security components come together. The 1st component is Secure Boot, which prevents running an unknown OS loader. Then ELAM gets started, which makes sure that the first third-party boot-start driver is the antimalware software. 3rd, Measured Boot kicks in, records the entire boot activity and saves it to the TPM module. 4th, to prove the client is in a healthy state, AM now has the ability to query the Measured Boot log from the TPM module and perform a remote verification.
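The Measured Boot log and the remote verification described in the last few slides, as an added example that is not code from the training module: a Python simulation in which a real TPM and the Windows boot chain are replaced by constructed byte strings and SHA-256, showing why the remote server can trust the log only when replaying it reproduces the PCR value, and how a tampered kernel and a forged log entry are each caught.

```python
import hashlib

# Constructed simulation of Measured Boot plus remote verification (added example, not code
# from the training module). Each component's digest is written to the boot log and extended
# into a TPM PCR: PCR = SHA256(PCR || digest). The log is plain data an attacker could rewrite;
# the PCR cannot be rewound, so the verifier trusts the log only if replaying it matches the PCR.

PCR_INITIAL = bytes(32)  # a PCR holds all zeros after power-on

def measure(pcr, image):
    """One TPM extend operation: returns (new_pcr, digest_of_image)."""
    digest = hashlib.sha256(image).digest()
    return hashlib.sha256(pcr + digest).digest(), digest

def boot(components):
    """Boot [(name, image_bytes, is_antimalware), ...]; returns (final_pcr, log)."""
    pcr, log = PCR_INITIAL, []
    for name, image, is_am in components:
        pcr, digest = measure(pcr, image)
        log.append((name, digest, is_am))  # Measured Boot log entry, AM driver flagged
    return pcr, log

def verify(reported_pcr, log, known_good):
    """Remote server: bind the log to the PCR, then vet everything that ran before AM."""
    replayed = PCR_INITIAL
    for _, digest, _ in log:
        replayed = hashlib.sha256(replayed + digest).digest()
    if replayed != reported_pcr:
        return "log does not match TPM PCR: log was tampered with"
    for name, digest, is_am in log:
        if is_am:
            return "healthy: all components before antimalware are known good"
        if known_good.get(name) != digest:
            return f"untrusted component before antimalware: {name}"
    return "no antimalware boot-start driver in log"

# Constructed sample boot chain; the byte strings stand in for real binaries.
CLEAN = [("bootmgr", b"bootmgr v1", False), ("winload", b"winload v1", False),
         ("ntoskrnl", b"kernel v1", False), ("elam.sys", b"AM elam driver", True),
         ("vendor.sys", b"third-party driver", False)]

def demo():
    """Verdicts for a clean boot, a tampered kernel, and a tampered kernel with a forged log."""
    clean_pcr, clean_log = boot(CLEAN)
    known_good = {name: digest for name, digest, _ in clean_log}
    bad = [(n, b"kernel v1+rootkit" if n == "ntoskrnl" else img, am) for n, img, am in CLEAN]
    bad_pcr, bad_log = boot(bad)
    forged = [(n, known_good[n] if n == "ntoskrnl" else d, am) for n, d, am in bad_log]
    return {"clean": verify(clean_pcr, clean_log, known_good),
            "tampered": verify(bad_pcr, bad_log, known_good),
            "forged_log": verify(bad_pcr, forged, known_good)}
```

Drivers that load after the flagged AM entry (vendor.sys here) are deliberately not vetted by the verifier, since from that point the antimalware software itself is running and responsible.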
In this module we have covered Secure Boot, Early Launch Anti-Malware and Measured Boot; those are the top 3 boot security components which customers currently ask about most frequently when Microsoft consultants or engineers are on site. Thank you.