Secure Boot in Windows 8 Worries Researchers

Windows 8, like Windows 7 and Vista before it, is being touted as the most secure version of Windows ever. In past releases, many of the security improvements have come through exploit mitigations such as ASLR and DEP and better software security practices during development. In Windows 8, however, one of the major changes is the addition of UEFI, a BIOS replacement that will include a secure boot sequence to help prevent low-level malware infections. That change, however, is not sitting well with everyone.

The way that Windows 8 client machines boot will be quite different from the way current Windows PCs do. Instead of a BIOS, Windows 8 PCs will include an implementation of UEFI (Unified Extensible Firmware Interface), which is more flexible and programmable than a BIOS. UEFI is the firmware layer that sits between the hardware and the Windows operating system, and Microsoft is reportedly going to require that any client machine shipping with Windows 8 have the UEFI secure boot sequence enabled by default. With secure boot on, the firmware checks the signature of each piece of software it loads during boot (boot loaders, boot-time drivers and the like) against a database of trusted keys stored in the firmware itself. If a boot component isn't signed by a key in that database, the firmware refuses to load it, so the operating system never starts from that component.
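As an added illustration of the check described above (this is example code written for this page, not Microsoft's or any firmware vendor's implementation), the following Go program models the Secure Boot decision a firmware makes before handing control to a boot component. It is deliberately simplified: real UEFI Secure Boot verifies Authenticode-signed PE images against X.509 certificates in the `db` variable and a revocation list in `dbx`; here the trusted-signer database holds raw Ed25519 public keys, the revocation list holds SHA-256 hashes, and the names `Firmware`, `SignedImage` and `LoadImage` are assumptions of the example. The boot loader image is a constructed byte string. The `SecureBoot` switch models the firmware option for disabling the feature that Matthew Garrett's quote later in the article is concerned with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// SignedImage is a boot component as the firmware sees it: the code bytes,
// a detached signature (empty when unsigned) and the key the signer claims.
// Real UEFI uses Authenticode PE signatures; Ed25519 stands in here.
type SignedImage struct {
	Name      string
	Code      []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}

// Firmware models the policy state a UEFI implementation holds (assumed names).
type Firmware struct {
	SecureBoot bool                // the OEM-provided "disable" switch
	DB         []ed25519.PublicKey // authorized signers (UEFI "db")
	DBX        map[string]bool     // revoked image hashes, hex SHA-256 (UEFI "dbx")
}

// LoadImage applies the boot-time check; a nil error means the image may run.
func (fw *Firmware) LoadImage(img SignedImage) error {
	if !fw.SecureBoot {
		return nil // feature disabled: everything loads, signed or not
	}
	sum := sha256.Sum256(img.Code)
	if fw.DBX[hex.EncodeToString(sum[:])] {
		return fmt.Errorf("%s: image hash is revoked (dbx)", img.Name)
	}
	if len(img.Signature) == 0 {
		return fmt.Errorf("%s: unsigned image refused", img.Name)
	}
	// A valid signature from a key the firmware does not already trust
	// is worth exactly as much as no signature at all.
	trusted := false
	for _, k := range fw.DB {
		if k.Equal(img.SignerKey) {
			trusted = true
			break
		}
	}
	if !trusted {
		return fmt.Errorf("%s: signer key not in db", img.Name)
	}
	if !ed25519.Verify(img.SignerKey, img.Code, img.Signature) {
		return fmt.Errorf("%s: bad signature (image modified?)", img.Name)
	}
	return nil
}

// Scenarios builds a trusted OEM key and a rogue key, signs a constructed
// boot loader image, and reports whether each case is allowed to load.
func Scenarios() map[string]bool {
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	code := []byte("constructed stand-in for a boot loader image") // sample input

	fw := &Firmware{SecureBoot: true, DB: []ed25519.PublicKey{oemPub}, DBX: map[string]bool{}}

	signed := SignedImage{"oem-signed", code, ed25519.Sign(oemPriv, code), oemPub}
	tampered := signed // same signature, one byte of code flipped after signing
	tampered.Name = "tampered"
	tampered.Code = append([]byte{}, code...)
	tampered.Code[0] ^= 0xff
	rogue := SignedImage{"rogue-signed", code, ed25519.Sign(roguePriv, code), roguePub}
	unsigned := SignedImage{Name: "unsigned", Code: code}

	res := map[string]bool{
		"oem-signed":   fw.LoadImage(signed) == nil,
		"tampered":     fw.LoadImage(tampered) == nil,
		"rogue-signed": fw.LoadImage(rogue) == nil,
		"unsigned":     fw.LoadImage(unsigned) == nil,
	}

	// Revoke the OEM-signed image by hash: its valid signature no longer helps.
	sum := sha256.Sum256(code)
	fw.DBX[hex.EncodeToString(sum[:])] = true
	res["oem-signed-revoked"] = fw.LoadImage(signed) == nil
	delete(fw.DBX, hex.EncodeToString(sum[:]))

	// With the feature switched off, the unsigned image loads.
	fw.SecureBoot = false
	res["unsigned-secureboot-off"] = fw.LoadImage(unsigned) == nil
	return res
}

func main() {
	res := Scenarios()
	names := make([]string, 0, len(res))
	for n := range res {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%-24s load allowed: %v\n", n, res[n])
	}
}
```

The order of the checks matters: revocation is consulted before the signature, so a signed-but-later-revoked boot loader is refused even though its signature still verifies, and an unknown signer is rejected without ever running the signature check. On an actual Windows 8 machine the equivalent policy state can be read from an elevated PowerShell prompt with the built-in `Confirm-SecureBootUEFI` cmdlet.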

The impetus for this change in the boot process is that attackers have become proficient in recent years at finding methods to load malware into the BIOS and firmware that underlie the OS. In some cases, rootkits, bootkits and malware that infects the master boot record cannot be removed from the machine without re-installing the operating system, because they take control before the OS and its security software are even running. Microsoft and security vendors have been trying to find ways to defeat these attacks for several years now, and the move to UEFI and secure boot is one of the results of that effort.

It’s been a long journey for Microsoft to arrive at this destination. The company has been pushing various versions of a hardware-based security system for nearly a decade now. An early version, originally code-named Palladium and later renamed the Next-Generation Secure Computing Base (NGSCB), generated quite a bit of controversy when it was first discussed. Many of the elements of the Palladium system are now included as part of some laptops and the Windows 8 UEFI implementation: hardware security modules, secure boot, signing of software, encrypted storage of files. While some portions of what Microsoft has implemented in Windows 8 won’t require the use of a TPM (Trusted Platform Module), others will, including support for encrypted hard drives.

These security additions to Windows 8 have some benefits, but there also are some potential drawbacks that worry security and privacy advocates. Ross Anderson of the University of Cambridge worries that there is the potential for hardware-based lock-in included with the Windows 8 changes.

“The extension of Microsoft’s OS monopoly to hardware would be a disaster, with increased lock-in, decreased consumer choice and lack of space to innovate. It is clearly unlawful and must not succeed,” Anderson said in a blog post.

There also has been concern in the open-source community that the changes in Windows 8 will prevent users from loading alternate operating systems on Windows-based PCs. There may be some ways for users to circumvent the UEFI implementation and find a method for loading a separate OS, but it would likely be difficult.

“There’s no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code. However, experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market. It’s almost certainly the case that some systems will ship with the option of disabling this. Equally, it’s almost certainly the case that some systems won’t. It’s probably not worth panicking yet. But it is worth being concerned,” wrote Matthew Garrett, a developer at Red Hat, in a blog post on the Windows 8 changes.

Discussion

  • asmiller-ke6seh on

    This is Microsoft, doing to consumers (personal and business) in the marketplace what the Bushies did when they rushed Congress to judgement and into war in Iraq -- using fear to get what they want. And what they want, in this case, is to shut out competitors, and especially competition from GNU/Linux.

    The people at Microsoft are masters of FUD - FEAR, UNCERTAINTY, and DOUBT.

    We will not allow Micro$oft to FUD us up.

    Are you listening, U.S. Justice Department? Do you hear us, European Union courts?

  • Anonymous on

    Is there a reason that Linux could not be signed? 

  • Shane Ponting on

    Remember that video about trusted computing? It predicted that this would come about, where you don't get to decide what runs on YOUR computer but some other outfit. It was hosted on the againsttcpa site but is on youtube nowadays.

  • Anonymous on

    I think this opens a wider door for the Linux market personally. When you go to buy a system, there will be a wider option of purchasing the Windows distro or Linux flavors. With the release of Windows 7 I lost interest and faith in the company to build anything remotely reliable. It is just as unstable on many platforms as Linux was a couple years back.

    Microsoft is simply doing what Apple has done for years, locking you into hardware. I think it is a bad idea on Microsoft's part, but it will be their mistake. They will be operating much like Apple does, however they have a system with less reliability and quite frankly legacy applications. Their inability to innovate is coming out in this move through an attempt to lock users into their OS. I have helped multiple organizations transition to Linux-based environments because of the Windows Vista and 7 fiasco and I think this move will push more to do the same.

  • Anonymous on

    Well, I could just not purchase a computer that had the secret key boot system.  I'm sure lots of other Mfgrs. will make computers available to boot Linux.

    This will only work for MS if people play along with this.

  • Luke on

    Let's consider a worst-case scenario for us Linux users: locked boot and no option to disable. European courts ban this, US courts do not, so computer makers ship locked systems in the US. OK, you just bought a computer that has to be rooted like a phone.  Real worst-case scenario, you might need a mod chip like on a video game console. To prohibit the manufacture or importation of mod chips would require new legislation that would be very unlikely to pass. The US copyright authorities, with their decision that jailbreaking phones is legal, have removed any serious legal threat to PC mod chip makers if it comes to this. The only reason they can screw with the video game mod chip users is the claim (a false one) that the consoles have no purpose except to run copyrighted software. In the case of PCs, Linux has been around too long for that argument to fly.

    Putting mod chips aside, to root your PC, you would exploit a vulnerable program (there always are several) so as to be able to run arbitrary code. If all binaries have to be signed to load, this might mean using a vulnerability in one binary (probably through a script) to edit or replace another binary AFTER loading, directly in RAM. The purpose of this attack would be to allow reflashing the UEFI with unlocked booting code. If the flash fails and the board dies, you go to a computer store and buy a $90 bottom-rung enthusiast board, certain to have unlocked booting as it is sold without an OS, to people who also demand things like a full set of overclocking utilities.

    Come to think of it, a good unlocked board will always be cheaper than Windoze 8, so at least Linux users won't be limited to older computers. This might, however, generate a lot of e-waste from users not up to rooting the board or when the boards brick as phones occasionally do from a failed rooting attempt. At least motherboards are a lot cheaper than smartphones at the entry level!

    Of course, Microsoft, by regarding the user as a hostile hacker, will be forcing people who don't even WANT to run their patented and copyrighted crap to act as exactly that. It's a lot easier to root someone else's computer when you learned how by rooting your own!
