Researchers Chris Valasek (Senior Security Researcher at Coverity) and Tarjei Mandt (senior vulnerability researcher at Azimuth Security) spend their days seeking ways to compromise security in Windows. They're good guys; if they find a problem they report it, rather than exploiting it for illicit gain. At the Black Hat conference they reported on their analysis of new low-level security features in Windows 8.
The precise details of what they discovered were barely within the realm of my comprehension. Apparently many doubly-linked lists within Windows 8 are now protected by "pool cookies." To avoid exploits that involve forcing arbitrary code or data into places it doesn't belong, Windows 8 randomizes locations for memory allocation and adds "guard pages" as needed. That sort of thing.
In between slides filled with code and intense details, Valasek and Mandt displayed a couple that anybody could understand. The column for Windows Vista was all red, meaning not secure. Windows 7 was close, with just a few green checkmarks. And of course Windows 8 displayed a column of solid green checkmarks. Expert or not, we know that green is good.
After the talk I checked in with Valasek.
Rubenking: Back in the day I would write TSR (Terminate and Stay Resident) programs in DOS, and they were great, and useful. But the malware writers used the same DOS features to write bad stuff. Microsoft could have shut them down, but they would have shut me down too. It seems from your talk like they don't plan to shut anybody down. They're doing fine-tuning, working really hard to ensure that everything still works while they crank up security. Do you think it's conceivable you could write an operating system that just wouldn't be vulnerable to attack?
Valasek: No, that doesn't exist. Not as long as humans are writing the code. Once Skynet takes over and humans don't write code any more that might be possible. They have to have a certain amount of data and algorithms and structures that are needed, so there's always a potential to use this stuff for exploitation purposes. Here's the thing. If you don't make it impossible, but you make it severely difficult so only a tenth of one percent of the population can do it, you've effectively lowered the threat to decent levels.
Rubenking: And if you hire that one tenth of one percent…
Valasek: That's just what Google and Microsoft have done. Hire that one tenth of one percent, then you're good.
Rubenking: Thank you Chris!
Indeed, Windows 8 isn't perfect. Valasek and Mandt laid out a number of possible avenues that hackers might conceivably exploit. But as Valasek said, it will be severely difficult, and only the most adept will come close to exploiting the tiny vulnerabilities that remain.
