BRK4010 – Learn about Windows 10 Secure Kernel
Sami Laiho – Technical Advisor, Applixure; Senior Technical Fellow, Adminize.com/Names.fi; PluralSight Author
Microsoft 2016 (5/7/2018 10:47 PM)
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
WHOAMI /ALL
Sami Laiho – Senior Technical Fellow, adminize.com
- IT Admin since 1996
- MVP in Windows OS since 2011
- PluralSight Author
- Specializes in and trains: Troubleshooting and OS internals, Security
- More info: https://ignite.applixure.com/ , http://www.samilaiho.com/ , http://www.win-fu.com/
Trophies:
- NIC 2016 – Best Speaker
- Ignite 2015 – Best male presenter ;)
- TechEd Europe 2014 – Best session
- TechEd North America 2014 – Best session, Best speaker
- TechEd Australia 2013 – Best session, Best speaker
- TechEd Europe 2013 – Best Session by an external speaker
Finnish Lesson
Finnish is simple!
English: NUCLEAR POWER PLANT'S STEAM CONDENSATION COMPRESSOR'S GEAR BOX
Finnish: YDINREAKTORIGENERAATTORILAUHDUTTAJATURBIINIRATASVAIHDE
Finns are sometimes quiet
- Especially in the northern parts
I got Certs
2.6 pounds of them
Housekeeping
- On my 75 minute breakout sessions I’ll exchange business cards for swag (BRK3295 and BRK4021)
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Modes and Rings
Windows supports two modes/rings:
- Ring 3 – User Mode
- Ring 0 – Kernel Mode
- What happened to rings 1 and 2?
- What are -1 and -2?
Traditional Kernel Mode vs User Mode
Normal and Secure Mode
NORMAL MODE          SECURE MODE
USER MODE            ISOLATED USER MODE
KERNEL               SECURE KERNEL
             HYPERVISOR
How does it work technically?
- The hypervisor now associates a Virtual Trust Level (VTL) with each Virtual Processor (VP)
- Two VTLs are defined today (higher is more privileged); more are supported
  - VTL 0, the Normal World
  - VTL 1, the Secure World
How does it work technically?
- The hypervisor uses Enhanced Page Tables (EPT), which now essentially have a “VTL” associated with them
- VTL 0 access to VTL 1 pages can be controlled:
  - Blocking +R allows hiding cryptographic secrets (Credential Guard)
  - Blocking +RX (or +RWX) allows preventing execution of code, or modification of code (Device Guard)
  - Blocking +W allows preventing modification of executable pages shared with VTL 1
- With VSM, the hypervisor no longer implicitly trusts the root partition
Isolated User Mode
- User Mode that is protected from code in the normal Kernel Mode
- Normally the Kernel has full visibility into User Mode processes’ memory
Secure Kernel
- IUM runs on top of the Secure Kernel (Secure System)
- Known as SK, SKM, SMART (Secure Mode Application RunTime)
- Not a real kernel but more a proxy that talks to the real Kernel and marshals the transactions
- Does not implement what the normal kernel already does
- 300KB compared to 8MB
- SECUREKERNEL.exe
Secure Kernel
- The Secure Kernel cannot be extended like the normal kernel
- Only accessible to Microsoft, not 3rd parties
- All Trustlets need to be signed by Microsoft with a certain kind of certificate
- All crypto code and challenge/response lives here, so it stays private to Virtual Secure Mode
- To communicate with other trustlets it uses Storage Blobs
- Normal Mode (NTOSKRNL) uses Mailboxes
Traditional Kernel Mode vs User Mode
                                              ISOLATED USER MODE
KERNEL MODE  <-- SHARED BUFFER (Marshal) -->  SECURE KERNEL
                        HYPERVISOR
How come the Kernel is not able to access the memory of the Secure Kernel?
Traditional Virtual Memory
Process 0 – Virtual address 6789?
PAGETABLE PROCESS 0
V-Address   P-Address   ACCESSMASK
xxxx        yyyy        z-z-z
6789        0x7777777   R-X

Process 1 – Virtual address 6789?
PAGETABLE PROCESS 1
V-Address   P-Address   ACCESSMASK
xxxx        yyyy        z-z-z
6789        0x7778888   RW-
SLAT – Hypervisors and VMs
VM 1 – VIRTUAL RAM, Physical Address?
PAGETABLE VM 1
GPA      SPA         ACCESSMASK
xxxx     yyyy        z-z-z
67890    0x7777777   R-X

VM 2 – VIRTUAL RAM, Physical Address?
PAGETABLE VM 2
GPA      SPA         ACCESSMASK
xxxx     yyyy        z-z-z
67890    0x7778888   R-X
Kernel and Secure Kernel have their own SLATs
USER MODE                                     ISOLATED USER MODE
KERNEL MODE  <-- SHARED BUFFER (Marshal) -->  SECURE KERNEL
SLAT                                          SLAT
                        HYPERVISOR
Hypervisors and VMs
KERNEL (VIRTUAL RAM) – SLAT PAGETABLE
GPA      SPA         ACCESSMASK
67890    0x7777777   ---

SECURE KERNEL (VSM) (VIRTUAL RAM) – SLAT PAGETABLE VSM
GPA      SPA         ACCESSMASK
67890    0x7777777   R-X

Same guest-physical page, same system-physical page: the Kernel’s SLAT grants no access at all, the VSM SLAT grants R-X. The hypervisor owns both tables, so the normal kernel cannot change its own mask.
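As an added illustration (not part of the deck), this PowerShell toy model walks the two translations the slides above show: the process page table (virtual to guest-physical), then the SLAT belonging to the requesting VTL (guest-physical to system-physical plus access mask). Table contents and the function name are constructed for the example; the masks mirror the slide.

```powershell
# Constructed toy model of two-stage translation; not real Windows structures.
# Stage 1: the kernel's page table maps virtual page 67890 to guest-physical page 67890.
$ProcessPageTable = @{ 67890 = 67890 }

# Stage 2: one SLAT per VTL. Same GPA and SPA, different access masks, as on the slide.
$Slat = @{
    0 = @{ 67890 = @{ SPA = 0x7777777; Mask = '---' } }   # VTL 0 (normal kernel): no access
    1 = @{ 67890 = @{ SPA = 0x7777777; Mask = 'R-X' } }   # VTL 1 (Secure Kernel / VSM)
}

function Resolve-GuestAccess {
    param(
        [int]$Vtl,
        [int]$VirtualPage,
        [ValidateSet('R','W','X')][string]$Access
    )
    # Stage 1: VA -> GPA. A missing entry is an ordinary page fault inside the guest.
    if (-not $ProcessPageTable.ContainsKey($VirtualPage)) {
        return "VTL$Vtl page fault: VA $VirtualPage not mapped"
    }
    $gpa = $ProcessPageTable[$VirtualPage]

    # Stage 2: GPA -> SPA through this VTL's SLAT. The hypervisor, not the guest
    # kernel, owns this table, so the guest cannot widen its own mask.
    $entry = $Slat[$Vtl][$gpa]
    if (-not $entry) {
        return "VTL$Vtl SLAT violation: GPA $gpa not mapped"
    }

    # The request succeeds only if the mask grants that access bit (R, W or X position).
    $index = @{ R = 0; W = 1; X = 2 }[$Access]
    if ($entry.Mask[$index] -eq '-') {
        return ("VTL$Vtl SLAT violation: {0} access to GPA $gpa (SPA 0x{1:X}) denied" -f $Access, $entry.SPA)
    }
    return ("VTL$Vtl OK: {0} access to GPA $gpa -> SPA 0x{1:X}" -f $Access, $entry.SPA)
}

# Normal kernel (VTL 0) reads the Secure Kernel's page: denied by the hypervisor.
Resolve-GuestAccess -Vtl 0 -VirtualPage 67890 -Access R
# Secure Kernel (VTL 1) reads and executes the same page: allowed.
Resolve-GuestAccess -Vtl 1 -VirtualPage 67890 -Access R
Resolve-GuestAccess -Vtl 1 -VirtualPage 67890 -Access X
# Even VTL 1 cannot write it (R-X), matching the "block +W on executable pages" rule.
Resolve-GuestAccess -Vtl 1 -VirtualPage 67890 -Access W
```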
So what is VSM? Really?
- It’s not really a VM but functionality made possible by virtualization technology
Trustlets
- Processes running in Virtual Secure Mode
- Currently not available for developers
- Require a certain Process ID or a GUID
- In the future: anything that needs secrets to stay secret
- Currently four trustlets:
  - LSAISO = Credential Guard
  - BIOISO = Biometrics information
  - vTPM = Virtual TPM
  - HVCI = Kernel Mode Code Integrity
To keep it secure
We need to:
- Be able to trust the Boot Loader and UEFI -> Secure Boot
- Be able to block DMA from changing the memory -> IO-MMU
- Be able to store secrets securely -> TPM
IO-MMU
- I/O Memory Management Unit
- Known as: Intel VT-d / AMD-Vi
- MMU for devices, as opposed to processors
- Where an MMU translates virtual to physical addresses for a CPU accessing your system's memory, an IOMMU translates virtual to physical addresses for devices
- Hardware-based protection against DMA access
- Protects against buggy drivers and malicious code
- Works with SLAT: makes sure a device or VM won’t have access to physical memory addresses not meant for them
Enabling Secure Kernel
- You need SLAT and should have Secure Boot, TPM and IO-MMU
- Before the 1607 release you needed to change the BCD store and add the features called Isolated User Mode and Hyper-V
- Since 1607 you just enable Hyper-V
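Added example, not from the deck: a PowerShell readiness check for the prerequisites listed above (hypervisor/SLAT, Secure Boot, TPM, IO-MMU) that also reports whether VBS is running and which trustlet-backed services are configured and running. It assumes Windows 10 and reads the documented Win32_DeviceGuard WMI class; the function and variable names are mine; run it elevated.

```powershell
# Added example (not from the deck). The numeric codes are the documented meanings of
# the Win32_DeviceGuard property values; function and variable names are constructed.
$PropertyNames = @{ 1 = 'Hypervisor support (SLAT)'; 2 = 'Secure Boot'; 3 = 'DMA protection (IO-MMU)'
                    4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'; 7 = 'MBEC/GMET' }
$ServiceNames  = @{ 1 = 'Credential Guard (LSAISO trustlet)'; 2 = 'HVCI (kernel mode code integrity)' }
$VbsStateNames = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }

function Decode([hashtable]$Map, $Codes) {
    # Turn an array of numeric codes into readable names; unknown codes stay numeric.
    $names = foreach ($c in @($Codes)) { if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "code $c" } }
    if ($names) { $names -join ', ' } else { 'none' }
}

function Get-SecureKernelReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $build = [System.Environment]::OSVersion.Version.Build           # 14393 = Windows 10 1607
    $tpm   = Get-Tpm                                                 # TrustedPlatformModule module
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }    # throws when booted via legacy BIOS

    # Platform properties that VBS requires but the firmware/hardware does not offer.
    $missing = @($dg.RequiredSecurityProperties | Where-Object { $_ -notin @($dg.AvailableSecurityProperties) })

    [pscustomobject]@{
        Build                = $build
        LegacyBcdSetupNeeded = ($build -lt 14393)   # pre-1607: BCD store + Isolated User Mode feature
        SecureBoot           = $secureBoot
        TpmPresentAndReady   = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        AvailableProperties  = Decode $PropertyNames $dg.AvailableSecurityProperties
        MissingForVbs        = Decode $PropertyNames $missing
        VbsStatus            = Decode $VbsStateNames @($dg.VirtualizationBasedSecurityStatus)
        ServicesConfigured   = Decode $ServiceNames $dg.SecurityServicesConfigured
        ServicesRunning      = Decode $ServiceNames $dg.SecurityServicesRunning
    }
}

Get-SecureKernelReadiness | Format-List
```

A non-empty MissingForVbs is the usual reason VbsStatus reads "enabled but not running" on a machine where Hyper-V was turned on.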
Secure Kernel Memory (in)accessibility
Want to learn more?
Please evaluate this session
Your feedback is important to us!
- From your PC or Tablet visit MyIgnite at http://myignite.microsoft.com
- From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp