EMB423 Creating A Trusted Environment For Windows CE 5.0


EMB423
Creating A Trusted
Environment For
Windows CE 5.0
Nat Frampton
President
Real Time Development
[email protected]
Windows Embedded platform overview (slide diagram, flattened):
Hardware/Drivers: OEM/IHV supplied BSP (ARM, SH4, MIPS); Standard PC hardware and drivers, Windows XP DDK; OEM hardware and standard drivers
Device Building Tools: Platform Builder; Windows Embedded Studio
Programming Model: Win32, MFC 8.0, ATL 8.0; .NET Compact Framework, ASP.NET Mobile Controls; .NET Framework, ASP.NET (lightweight / managed)
Data: EDB, SQL Server 2005 Mobile Edition; SQL Server 2005 Express Edition; SQL Server 2005 (relational, native, server side)
Multimedia: Windows Media, DirectX
Location Services: MapPoint
Development Tools: Visual Studio 2005
Communications & Messaging: Internet Security and Acceleration Server, Exchange Server, Live Communications Server, Speech Server
Management Tools: Device Update Agent, Image Update, Software Update Services, Systems Management Server, Microsoft Operations Manager
Overview
Inside Loader Authentication
Implementation Example
Implementation Scenarios
Conclusions
Locking Down App Execution
Trusted Model
Application execution control via
Trusted Model
OEM option to assign trust levels to processes
Protections
Prevents unauthorized modules from being loaded
Restricts access to certain system APIs
Prevent registry WRITE access to certain root and sub-keys:
HKEY_LOCAL_MACHINE\Comm, Drivers, Hardware, Init,
Services, SYSTEM, WDMDrivers
Prevents WRITE access to files with SYSTEM attribute
READ access is granted by default; this can be changed via
[HKLM\System\ObjectStore] "AllowSystemAccess"
Locking Down App Execution
When do I implement the Trusted Model?
1-tier (all code runs as Trusted)
Prevent unknown code from executing on device
Trust all code running on device (to same extent)
2-tier (code can run as Trusted or Untrusted)
End users can run any code on device
Protect from malicious code, such as worms,
viruses, trojan attacks, etc.
Restrict capabilities of certain processes
Locking Down App Execution
Trusted Model (loader flow chart, flattened)
Load Library -> Trusted Model enabled?
N: Load
Y: Pass OEM verification?
N: Fail
Y: Assign trust level
F: Fail
R: Load
T: Load
Locking Down App Execution
Trusted Model
Implement Trusted Environment with two functions
OEMCertifyModuleInit
Loader notifies OAL (OEM Adaptation Layer) code when
launching new module
OEMCertifyModule
Loader passes module to OAL code for verification
Returns one of three trust levels:
OEM_CERTIFY_TRUST,
OEM_CERTIFY_RUN,
OEM_CERTIFY_FALSE
Samples available
loadauth.lib – Sample implementation of OEMCertifyModule
and OEMCertifyModuleInit
signfile.exe – Desktop application that signs CE binaries
OEM Certification
Function: OEMCertifyModuleInit
Description: Enables the OS loader to notify the OEM that a new module is being loaded. Allows the OEM to decide whether to verify the module for safety.
Return value: TRUE or FALSE
Function: OEMCertifyModule
Description: Allows the OS loader to pass the module code (for example, DLL, EXE, and OCX) to the OEM for verification that it is safe to run on the system.
Return value: OEM_CERTIFY_TRUST, OEM_CERTIFY_RUN, OEM_CERTIFY_FALSE
DLL And EXE Trust Levels
EXE trust          DLL trust          Final DLL trust
OEM_CERTIFY_RUN    OEM_CERTIFY_RUN    OEM_CERTIFY_RUN
OEM_CERTIFY_RUN    OEM_CERTIFY_TRUST  OEM_CERTIFY_RUN
OEM_CERTIFY_TRUST  OEM_CERTIFY_RUN    DLL fails to load
OEM_CERTIFY_TRUST  OEM_CERTIFY_TRUST  OEM_CERTIFY_TRUST
Loader Location
Appears in…
\WINCE500\Private\WINCEOS\COREOS\NK\KERNEL\Loader.c
Function VerifyBinary
Define the following in OEMInit…
pOEMLoadInit = OEMCertifyModuleInit
pOEMLoadModule = OEMCertifyModule
Implementation Example
Lockdown Architecture (diagram, flattened)
Win32: Allowable Files Database; Load Library; KernelIOControl
Kernel
OAL: OEMCertify… functions; Allowable Files List
File Changes \WINCE500…
\PLATFORM\COMMON\SRC\X86\COMMON\STARTUP\OEMINIT.C
Actual OEM certification modules (OEMCertifyModuleInit / OEMCertifyModule)
\PUBLIC\COMMON\OAK\INC\PkFuncs.h
Define the IOCTL codes handled by KernelIOControl
\PLATFORM\COMMON\SRC\X86\INC\ioctl_tab.h
Associate our IOCTL handler with those IOCTL codes
\PLATFORM\COMMON\SRC\X86\INC\x86ioctl.h
Declare the interface to our IOCTL handler
Implementation Scenarios
OEM is free to choose trust level
Digital Certificates represent highest
trust level
Digital Certificates require extra
footprint
OEM can implement dynamic trust
Allows for the device to change
personality
OEM can implement Name/Checksum
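The following is an added example, not code from the slides or from Microsoft's loadauth.lib sample. It ties together the two OAL callbacks (OEMCertifyModuleInit / OEMCertifyModule), the DLL/EXE trust table, the IOCTL-fed Allowable Files List from the lockdown architecture, and the Name/Checksum scenario, as a desktop simulation in plain C. Assumptions made for the illustration: the callback signatures, the numeric OEM_CERTIFY_* values, the chunked call protocol (the loader feeds the module in pieces and a final call with cbData == 0 asks for the verdict), the hypothetical IOCTL_HAL_LOCKDOWN_ADD code, and the helper names OEMLockdownIoControl, AddAllowed, ImageChecksum, FinalDllTrust and SimLoad; the "module images" are constructed byte strings, not PE files.

```c
/* Added example, not from the slides or from Microsoft's loadauth.lib: a
 * desktop simulation of the Windows CE 5.0 loader-authentication path.
 * Assumed: callback signatures, OEM_CERTIFY_* values, the chunked protocol
 * (final call with cbData == 0 asks for the verdict) and the IOCTL code.
 * Check pkfuncs.h and VerifyBinary in Loader.c of your tree before use. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OEM_CERTIFY_FALSE = 0, OEM_CERTIFY_RUN = 1, OEM_CERTIFY_TRUST = 2 };
#define IOCTL_HAL_LOCKDOWN_ADD 0x1234u /* hypothetical; a real one goes in ioctl_tab.h */
#define MAX_ALLOWED 16

/* One entry of the Allowable Files List held inside the OAL. */
typedef struct { char name[32]; uint32_t checksum; int trust; } Allowed;
static Allowed g_list[MAX_ALLOWED];
static int g_count;

/* FNV-1a: cheap but trivially collidable. It catches accidental corruption,
 * not an adversary, which is why the slides rank digital certificates higher. */
#define FNV_INIT 2166136261u
static uint32_t fnv1a(uint32_t h, const uint8_t *p, size_t n) {
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}
uint32_t ImageChecksum(const uint8_t *p, size_t n) { return fnv1a(FNV_INIT, p, n); }

/* State carried from OEMCertifyModuleInit to the final OEMCertifyModule call. */
static char g_name[32];
static uint32_t g_hash;

/* Loader -> OAL: a new module is about to load. TRUE asks the loader to pass
 * the module bytes to OEMCertifyModule; this example always verifies. */
int OEMCertifyModuleInit(const char *moduleName) {
    strncpy(g_name, moduleName, sizeof g_name - 1);
    g_name[sizeof g_name - 1] = '\0';
    g_hash = FNV_INIT;
    return 1;
}

/* Loader -> OAL: module bytes in chunks; cbData == 0 means "all bytes seen,
 * give the verdict". Name AND checksum must match a list entry, so a renamed
 * or patched file gets OEM_CERTIFY_FALSE and the loader does not load it. */
int OEMCertifyModule(const uint8_t *pData, size_t cbData) {
    if (cbData) {
        g_hash = fnv1a(g_hash, pData, cbData);
        return OEM_CERTIFY_RUN; /* intermediate value, ignored until the final call */
    }
    for (int i = 0; i < g_count; i++)
        if (strcmp(g_list[i].name, g_name) == 0 && g_list[i].checksum == g_hash)
            return g_list[i].trust;
    return OEM_CERTIFY_FALSE;
}

/* Final trust of a DLL inside a host EXE, from the DLL/EXE trust table: a RUN
 * host caps its DLLs at RUN, a TRUST host refuses a RUN-only DLL, and
 * OEM_CERTIFY_FALSE stands for "DLL fails to load". */
int FinalDllTrust(int exeTrust, int dllTrust) {
    if (dllTrust == OEM_CERTIFY_FALSE) return OEM_CERTIFY_FALSE;
    if (exeTrust == OEM_CERTIFY_TRUST && dllTrust == OEM_CERTIFY_RUN) return OEM_CERTIFY_FALSE;
    return exeTrust == OEM_CERTIFY_RUN ? OEM_CERTIFY_RUN : dllTrust;
}

/* OAL IOCTL handler that the ioctl_tab.h / x86ioctl.h hookup would route to:
 * a trusted management process adds name/checksum pairs at run time (the
 * slides' dynamic trust / device personality). Exact payload size only. */
int OEMLockdownIoControl(uint32_t code, const void *inBuf, size_t inSize) {
    if (code != IOCTL_HAL_LOCKDOWN_ADD || inSize != sizeof(Allowed) || g_count >= MAX_ALLOWED)
        return 0;
    memcpy(&g_list[g_count++], inBuf, sizeof(Allowed));
    return 1;
}
/* What the Win32 side would do through KernelIoControl(); hypothetical helper. */
int AddAllowed(const char *name, uint32_t checksum, int trust) {
    Allowed e;
    memset(&e, 0, sizeof e);
    strncpy(e.name, name, sizeof e.name - 1);
    e.checksum = checksum; e.trust = trust;
    return OEMLockdownIoControl(IOCTL_HAL_LOCKDOWN_ADD, &e, sizeof e);
}

/* Simulated LoadLibrary: drive both callbacks the way VerifyBinary would,
 * feeding the image in 4-byte chunks, and return the trust level assigned.
 * Treating FALSE from Init as "refuse" is this simulation's choice. */
int SimLoad(const char *name, const uint8_t *image, size_t len) {
    if (!OEMCertifyModuleInit(name)) return OEM_CERTIFY_FALSE;
    for (size_t off = 0; off < len; off += 4)
        OEMCertifyModule(image + off, len - off < 4 ? len - off : 4);
    return OEMCertifyModule(NULL, 0);
}

/* Constructed sample images (not real PE files); they differ in one byte. */
static const uint8_t kGoodImage[] = "MZ good module bytes";
static const uint8_t kPatchedImage[] = "MZ good module bytez";

int main(void) {
    AddAllowed("good.dll", ImageChecksum(kGoodImage, sizeof kGoodImage), OEM_CERTIFY_TRUST);
    printf("intact  -> %d\n", SimLoad("good.dll", kGoodImage, sizeof kGoodImage));
    printf("patched -> %d\n", SimLoad("good.dll", kPatchedImage, sizeof kPatchedImage));
    printf("renamed -> %d\n", SimLoad("evil.dll", kGoodImage, sizeof kGoodImage));
    return 0;
}
```

The intact image loads as OEM_CERTIFY_TRUST, the one-byte patch and the renamed copy are both refused, and the IOCTL handler rejects any payload that is not exactly one list entry. Because the list lives in the OAL and can only be changed through the IOCTL, the process that owns that IOCTL must itself be trusted; and since a checksum gives no protection against someone who can rewrite the file and find a collision, a production design would replace fnv1a with a signature check of the kind signfile.exe produces.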
Conclusions
Windows CE 5.0 Provides a robust
Security Architecture
Loader Certification provides a
mechanism to
Create a Trusted Environment
Dynamically define the device's personality
Follow Best Practices at multiple levels
for best defense
"Trusted Security is best achieved by having
a thorough understanding of Windows CE
5.0's Security Architecture and Trust Model!"
While At MEDC 2005…
Fill out an evaluation for this session
Randomly selected instant WIN prizes!
Visit the Microsoft Product Pavilion
in the Exhibit Hall
Shorelines B
Use real technology in a lab
Instructor led
Reef E/F & Breakers L
Self-paced
Reef B/C
After The Conference…
Build
Install full-featured trial versions of Windows CE and/or Windows XP Embedded
Build cool stuff & tell us about it: msdn.microsoft.com/embedded/community
Join the Windows Embedded Partner Program: www.mswep.com
Develop
Install the Windows Mobile 5.0 Eval Kit including Visual Studio 2005 Beta 2
Enter the Mobile2Market Contest and win up to $25000: mobile2marketcontest.com
Join the Microsoft Solutions Partner Program: partner.microsoft.com
Tools & Resources
Websites
msdn.microsoft.com/embedded
msdn.microsoft.com/mobility
Newsgroups
microsoft.public.windowsxp.embedded
microsoft.public.windowsce.platbuilder
microsoft.public.windowsce.embedded.vc
microsoft.public.pocketpc.developer
microsoft.public.smartphone.developer
microsoft.public.dotnet.framework.compactframework
Blogs
blogs.msdn.com/mikehall
blogs.msdn.com/windowsmobile
blogs.msdn.com/vsdteam
blogs.msdn.com/netcfteam
Tools
Windows CE 5.0 Eval Kit
Windows XP Embedded Eval Kit
Windows Mobile 5.0 Eval Kit