Windows 8, like Windows 7 and Vista before it, is being touted as the most secure version of Windows ever. In past releases, many of the security improvements came through exploit mitigations such as ASLR and DEP and through better software security practices during development. In Windows 8, however, one of the major changes is support for UEFI, a BIOS replacement whose secure boot sequence is meant to stop low-level malware from running before the operating system does. That change, however, is not sitting well with everyone.
The way that Windows 8 client machines boot will be quite different from the way current Windows PCs do. Instead of a legacy BIOS, Windows 8 PCs will ship with an implementation of UEFI (Unified Extensible Firmware Interface), a more flexible and programmable firmware interface that sits between the hardware and the operating system. Microsoft is reportedly going to require that any client machine certified for Windows 8 have UEFI secure boot enabled by default. With secure boot on, the firmware checks the signature of every piece of boot software it loads against the certificates and hashes stored in its allowed-signature database, and refuses to run anything that is unsigned, signed by an untrusted key, or explicitly revoked. The check happens before Windows starts: it is the firmware, not the operating system, that declines to load an untrusted boot loader.
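The boot-time check described above, as an added example that is not part of the original article and is not code from Microsoft or the UEFI Forum: a small Python model of the Secure Boot image-verification policy. Real firmware verifies an Authenticode (RSA) signature over each EFI image against the certificates and hashes held in its db (allowed) and dbx (forbidden) variables; here a keyed HMAC stands in for the RSA signature so the script runs with the standard library only, and every certificate, key and boot image in it is constructed for the example. It goes slightly beyond the paragraph by also showing the forbidden list, enrolling an image hash rather than a certificate, and what happens when secure boot is switched off in firmware setup.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Cert:
    """Stand-in for an X.509 signing certificate; `key` plays its public key."""
    name: str
    key: bytes


@dataclass
class Image:
    """A boot-time executable (an EFI PE image) with an optional signature."""
    name: str
    payload: bytes
    signer: Optional[Cert] = None
    signature: bytes = b""


def sign(image: Image, cert: Cert) -> Image:
    # Stand-in for Authenticode signing: a keyed HMAC over the image bytes.
    # Real firmware checks an RSA signature; the policy below is the point.
    image.signer = cert
    image.signature = hmac.new(cert.key, image.payload, hashlib.sha256).digest()
    return image


def signature_valid(image: Image) -> bool:
    if image.signer is None:
        return False
    expected = hmac.new(image.signer.key, image.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, image.signature)


def image_hash(image: Image) -> bytes:
    return hashlib.sha256(image.payload).digest()


@dataclass
class Firmware:
    """Secure Boot state. db/dbx hold certificate names or raw image hashes,
    as the real variables hold X.509 certificates or SHA-256 hashes."""
    secure_boot: bool = True
    db: Set = field(default_factory=set)
    dbx: Set = field(default_factory=set)

    def verify(self, image: Image) -> Tuple[bool, str]:
        """Decide whether LoadImage() may run `image`; returns (allowed, reason)."""
        if not self.secure_boot:
            return True, "secure boot disabled in setup; image loaded unverified"
        h = image_hash(image)
        # The forbidden list is consulted first and always wins.
        if h in self.dbx:
            return False, "image hash is in dbx"
        if image.signer is not None and image.signer.name in self.dbx:
            return False, "signer is in dbx"
        # An image hash enrolled in db is trusted even without a signature.
        if h in self.db:
            return True, "image hash is in db"
        if image.signer is None:
            return False, "image is unsigned"
        if not signature_valid(image):
            return False, "signature does not match image contents"
        if image.signer.name in self.db:
            return True, "signature verified against a db certificate"
        return False, "signer is not in db"


def demo() -> Dict[str, bool]:
    """Run constructed boot images through the policy; keys name each scenario."""
    oem_ca = Cert("OEM boot CA (constructed)", b"oem-ca-key")
    rogue_ca = Cert("Rogue CA (constructed)", b"rogue-key")
    fw = Firmware(db={oem_ca.name})

    bootmgr = sign(Image("bootmgfw.efi", b"windows boot manager"), oem_ca)
    bootkit = Image("bootkit.efi", b"unsigned bootkit")
    other_os = sign(Image("loader.efi", b"third-party loader"), rogue_ca)
    patched = sign(Image("bootmgfw.efi", b"windows boot manager"), oem_ca)
    patched.payload = b"boot manager with injected code"  # changed after signing

    out = {}
    out["signed_by_db_ca"] = fw.verify(bootmgr)[0]
    out["unsigned"] = fw.verify(bootkit)[0]
    out["unknown_signer"] = fw.verify(other_os)[0]
    out["tampered"] = fw.verify(patched)[0]
    fw.dbx.add(image_hash(bootmgr))  # revoke a once-trusted image
    out["revoked_via_dbx"] = fw.verify(bootmgr)[0]
    fw.db.add(image_hash(other_os))  # owner enrols one image's hash
    out["hash_enrolled_in_db"] = fw.verify(other_os)[0]
    fw.secure_boot = False  # switched off in firmware setup
    out["secure_boot_off"] = fw.verify(bootkit)[0]
    return out


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:22} {'LOAD' if allowed else 'REFUSE'}")
```

Run it directly to print a LOAD/REFUSE verdict per scenario. Two decisions are made without any signature check at all: an image whose hash is in dbx is refused before its signature is even looked at, and with secure boot turned off every image loads, which is why whether that switch exists on a given machine is the crux of the argument over these changes.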
The impetus for this change in the boot process is that attackers have become proficient in recent years at hiding malware beneath the operating system: in the master boot record, in the boot loader and, in some cases, in the firmware itself. Because bootkits and MBR-infecting rootkits run before the OS and its security software, they survive reboots and, in some cases, cannot be removed without wiping the disk and reinstalling the operating system. Microsoft and security vendors have been trying to find ways to defeat these attacks for several years now, and the move to UEFI and secure boot is one result of that effort.
It’s been a long journey for Microsoft to arrive at this destination. The company has been pushing various versions of a hardware-based security system for nearly a decade now. An early version, first known by the code name Palladium and later renamed the Next-Generation Secure Computing Base (NGSCB), generated quite a bit of controversy when it was first discussed. Many elements of that design are now part of some laptops and of the Windows 8 UEFI implementation: a hardware trust anchor in the form of the TPM (Trusted Platform Module), secure boot, signed boot software, and encrypted storage of files. While some of what Microsoft has implemented in Windows 8 won’t require a TPM, other parts will, including support for encrypted hard drives.
These security additions to Windows 8 have real benefits, but there are also potential drawbacks that worry security and privacy advocates. Ross Anderson of the University of Cambridge worries that the same mechanism that keeps malware out of the boot chain can be used for hardware-based vendor lock-in.
“The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate. It is clearly unlawful and must not succeed,” Anderson said in a blog post.
There also has been concern in the open-source community that the changes will prevent users from installing alternate operating systems on PCs sold with Windows 8. Whether that is possible on a given machine depends on the firmware rather than on Windows: a user can run an operating system whose boot loader is not signed by a key in the firmware’s database only if the OEM’s setup screens allow secure boot to be turned off, or allow the owner to enroll keys of their own, and the UEFI specification leaves both of those choices to the OEM.
“There’s no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market. It’s almost certainly the case that some systems will ship with the option of disabling this. Equally, it’s almost certainly the case that some systems won’t. It’s probably not worth panicking yet. But it is worth being concerned,” wrote Matthew Garrett, a developer at Red Hat, in a blog post on the Windows 8 changes.