Windows 8 Secure Boot – is the AV industry dead?

Windows Secure Boot (known as a ‘Trusted Boot Process’) is a process that loads anti-malware before the OS boots. It is designed to prevent rootkits, but can only work if the operating system is using UEFI (which stands for Unified Extensible Firmware Interface – this boots the relevant operating system). It’s important to note that Secure Boot will not work with current x86 machines running with BIOS.

Microsoft along with the laptop manufacturers (Ultrabooks will be using UEFI technology) are going to want to push UEFI (see bootnote), which is the BIOS replacement for both Windows 8 ultrabooks and tablets.

Secure Boot stops a computer from loading an operating system that hasn’t been signed by the publisher (in this case, Microsoft or an OEM), and its signature added to the computer’s firmware. On an x86 Windows 8 computer, you’ll be able to sign your own operating systems (custom builds for Linux, for example), or disable Secure Boot entirely. Now for the breaking bad news: On Windows 8 ARM only computers, neither of these options will be available: You’ll have official builds of Windows 8, and that’s that. Guess what Microsoft wants you to buy? Yes that’s right – ARM-based systems.

Windows itself ensures that its own executables (and, on 64-bit versions, all drivers) contain valid signatures, in an effort to ensure that malware and rootkits have not tampered with any critical system files. However, the weak link in this chain is the initial operating system loader. If this is modified so that it no longer validates digital signatures, it could load a modified operating system kernel. There are extant, real-world rootkits that do just this. They modify the Windows boot loader so that it no longer verifies the integrity of the files that it loads. This allows the rootkit to modify the Windows kernel so that it can evade detection. Secure boot stops this kind of attack in its tracks. 🙂

So what about the other security components of Windows 8? Well we have, Picture gesture login (which in my mind isn’t serious security and is vulnerable to screen smudge attack), Windows ID login (nothing new here) and Windows Defender see below, comes with some significant security improvements:

  • Windows Defender includes real-time protection from all categories of malware, and the use of URL and application reputation to help protect users against social engineering attacks.
  • Windows Defender provides real time malware protection and will interface with Secure Boot on UEFI only enabled hardware devices.
  • Extended Address Space Layout Randomization’s (ASLR) protection to more parts of Windows and introduced enhancements such as increased randomisation that will break many known techniques for circumventing ASLR.
  • Windows kernel improvements i.e. added integrity checks to the kernel pool memory allocator to mitigate kernel pool corruption attacks.
  • Windows heap improvements i.e. new integrity checks and randomising the order of Windows heap allocations.
  • Windows 8 will also still use SmartScreen for IE which provides application reputation and anti-phishing protection.

You can see from this post, just how many security improvements have been made to the up and coming Windows 8. Some in the media and security are claiming the antivirus (AV) industry will be more or less dead when Windows 8 arrives with these security enhancements. I’m not entirely sure this statement will be proved correct.

The main reason is people will not understand UEFI (the advantages Secure Boot and Windows Defender brings) and therefore will maintain loyalty and trust with the major antivirus brands. It will take years for people to buy into UEFI enabled ultrabooks/tablets and fully understand the Windows 8 inbuilt security feature sets. Most important of all is that people will also continue to instinctively look beyond Microsoft Windows inbuilt security features, just as they do now. User behaviour doesn’t change over night folks, otherwise we wouldn’t have a security industry!

*Bootnote: UEFI does also have a ‘BIOS mode’ which can be used for 32 and 64 bit Windows machines.

Safe surfing folks!

This entry was posted in anti-virus, mobile, privacy, windows and tagged , . Bookmark the permalink.

One Response to Windows 8 Secure Boot – is the AV industry dead?

  1. Pingback: Windows 8 Secure Boot – is the AV industry dead? | News | IT Security Magazine - Hakin9

Leave a Reply

Your email address will not be published. Required fields are marked *