EMB423: Creating A Trusted Environment For Windows CE 5.0
Nat Frampton, President, Real Time Development
[Slide: Windows Embedded platform overview diagram: management tools, communications and messaging servers, location services, multimedia, Visual Studio 2005 development tools (native and managed), data programming model (SQL Server 2005 editions, EDB), device building tools (Windows XP DDK, Windows Embedded Studio, Platform Builder) and hardware/drivers]
Agenda
- Overview
- Inside Loader Authentication
- Implementation Example
- Implementation Scenarios
- Conclusions
Locking Down App Execution: Trusted Model
- Application execution control via the Trusted Model
- OEM option to assign trust levels to processes
Protections
- Prevents unauthorized modules from being loaded
- Restricts access to certain system APIs
- Prevents registry WRITE access to certain root and sub-keys: HKEY_LOCAL_MACHINE\Comm, Drivers, Hardware, Init, Services, SYSTEM, WDMDrivers
- Prevents WRITE access to files with the SYSTEM attribute; READ access is granted by default and can be changed via [HKLM\System\ObjectStore] "AllowSystemAccess"
Locking Down App Execution: When do I implement the Trusted Model?
1-tier (all code runs as Trusted)
- Prevent unknown code from executing on the device
- Trust all code running on the device (to the same extent)
2-tier (code can run as Trusted or Untrusted)
- End users can run any code on the device
- Protect from malicious code, such as worms, viruses, trojan attacks, etc.
- Restrict capabilities of certain processes
Locking Down App Execution: Trusted Model
[Flowchart: LoadLibrary -> Trusted Model enabled? No: load. Yes: OEM verification -> Fail: load fails; Pass: assign trust level (T or R) and load]
Locking Down App Execution: Trusted Model
Implement the Trusted Environment with two functions
- OEMCertifyModuleInit: the loader notifies OAL (OEM Adaptation Layer) code when launching a new module
- OEMCertifyModule: the loader passes the module to OAL code for verification; returns one of three trust levels: OEM_CERTIFY_TRUST, OEM_CERTIFY_RUN, OEM_CERTIFY_FALSE
Samples available
- loadauth.lib: sample implementation of OEMCertifyModule and OEMCertifyModuleInit
- signfile.exe: desktop application that signs CE binaries
OEM Certification
Function | Description | Return value
OEMCertifyModuleInit | Enables the OS loader to notify the OEM that a new module is being loaded. Allows the OEM to decide whether to verify the module for safety. | TRUE or FALSE
OEMCertifyModule | Allows the OS loader to pass the module code (for example, DLL, EXE, and OCX) to the OEM for verification that it is safe to run on the system. | OEM_CERTIFY_TRUST, OEM_CERTIFY_RUN or OEM_CERTIFY_FALSE
DLL And EXE Trust Levels
EXE trust | DLL trust | Final DLL trust
OEM_CERTIFY_RUN | OEM_CERTIFY_TRUST | OEM_CERTIFY_RUN
OEM_CERTIFY_TRUST | OEM_CERTIFY_RUN | DLL fails to load
OEM_CERTIFY_TRUST | OEM_CERTIFY_TRUST | OEM_CERTIFY_TRUST
Loader Location
- Appears in \WINCE500\Private\WINCEOS\COREOS\NK\KERNEL\Loader.c, function VerifyBinary
- Define the following in OEMInit:
  pOEMLoadInit = OEMCertifyModuleInit
  pOEMLoadModule = OEMCertifyModule
Implementation Example
Lockdown Architecture
[Diagram: Win32 LoadLibrary -> Kernel loader -> OAL OEMCertify... functions, which consult the AllowableFilesList; the AllowableFilesDatabase is maintained through KernelIOControl]
File Changes (under \WINCE500)
- \PLATFORM\COMMON\SRC\X86\COMMON\STARTUP\OEMINIT.C: the actual OEM certification modules
- \PUBLIC\COMMON\OAK\INC\PkFuncs.h: define the IOCTL codes for KernelIOControl
- \PLATFORM\COMMON\SRC\X86\INC\ioctl_tab.h: associate our IOCTL call handler with the IOCTLs
- \PLATFORM\COMMON\SRC\X86\INC\x86ioctl.h: declare the interface to our IOCTL call handler
Implementation Scenarios
- The OEM is free to choose the trust level
- Digital certificates represent the highest trust level, but require extra footprint
- The OEM can implement dynamic trust, allowing the device to change personality
- The OEM can implement Name/Checksum verification
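As an added illustration of the two OAL hooks from the Inside Loader Authentication slides and of the Name/Checksum scenario above (this is not the loadauth.lib sample or any Microsoft code): hosted C with a constructed allow list, a toy checksum standing in for a real hash or signature check, and plain C types in place of the Windows CE BOOL/LPWSTR/LPBYTE signatures. The chunked calling convention ending in a (NULL, 0) call, the numeric trust values and the LoadVerdict driver are my assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Trust levels handed back to the loader; the numeric values are an assumption. */
#define OEM_CERTIFY_FALSE 0   /* do not load */
#define OEM_CERTIFY_RUN   1   /* load, run as untrusted */
#define OEM_CERTIFY_TRUST 2   /* load, run as trusted */
/* Constructed allow list: module name, expected checksum, trust level to grant. */
struct allowed { const char *name; uint32_t sum; int trust; };
static const struct allowed g_allow[] = {
    { "oemshell.exe", 0x2463DDu, OEM_CERTIFY_TRUST },  /* checksum of "MZ\x90\0" */
    { "game.exe",     0x24528Cu, OEM_CERTIFY_RUN   },  /* checksum of "MZ\x01\0" */
};
static const struct allowed *g_pending;  /* entry matched in Init, checked on the final call */
static uint32_t g_running;               /* checksum accumulated across chunks */

/* Toy checksum; a shipping OEM would use a cryptographic hash or signature here. */
static uint32_t fold(uint32_t s, const uint8_t *p, size_t n) {
    while (n--) s = s * 31u + *p++;
    return s;
}

/* Loader announces a module by name; nonzero asks it to stream the bytes to OEMCertifyModule. */
int OEMCertifyModuleInit(const char *name) {
    g_pending = NULL; g_running = 0;
    for (size_t i = 0; i < sizeof g_allow / sizeof g_allow[0]; i++)
        if (strcmp(name, g_allow[i].name) == 0) g_pending = &g_allow[i];
    return 1;  /* verify every module; names not on the list are rejected below */
}

/* Loader passes module bytes in chunks, then calls with (NULL, 0) for the verdict (assumed). */
int OEMCertifyModule(const uint8_t *data, size_t len) {
    if (len) { g_running = fold(g_running, data, len); return 1; }  /* interim call: keep streaming */
    if (!g_pending || g_running != g_pending->sum) return OEM_CERTIFY_FALSE;
    return g_pending->trust;
}

/* Hypothetical driver: makes the calls the loader would make for one module image. */
int LoadVerdict(const char *name, const uint8_t *img, size_t n) {
    if (!OEMCertifyModuleInit(name)) return OEM_CERTIFY_FALSE;
    for (size_t off = 0; off < n; off += 2)  /* feed two-byte chunks to exercise streaming */
        OEMCertifyModule(img + off, n - off < 2 ? n - off : 2);
    return OEMCertifyModule(NULL, 0);
}

/* Trust a DLL finally runs with, given its EXE's trust, per the DLL/EXE trust table. */
int FinalDllTrust(int exeTrust, int dllTrust) {
    if (dllTrust == OEM_CERTIFY_FALSE) return OEM_CERTIFY_FALSE;
    if (exeTrust != OEM_CERTIFY_TRUST) return OEM_CERTIFY_RUN;  /* untrusted EXE: DLLs run untrusted */
    return dllTrust == OEM_CERTIFY_TRUST ? OEM_CERTIFY_TRUST : OEM_CERTIFY_FALSE;  /* untrusted DLL fails to load */
}
```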
Conclusions
- Windows CE 5.0 provides a robust security architecture
- Loader certification provides a mechanism to create a trusted environment and to dynamically define the device's personality
- Follow best practices at multiple levels for the best defense
"Trusted security is best achieved by having a thorough understanding of the Windows CE 5.0 Security Architecture and Trust Model!"
While At MEDC 2005
- Fill out an evaluation for this session (randomly selected instant WIN prizes!)
- Use real technology in a lab: instructor led (Reef E/F & Breakers L) or self-paced (Reef B/C)
- Visit the Microsoft Product Pavilion in the Exhibit Hall, Shorelines B
After The Conference
- Install: full-featured trial versions of Windows CE and/or Windows XP Embedded
- Build cool stuff & tell us about it: msdn.microsoft.com/embedded/community
- Join the Windows Embedded Partner Program: Windows Mobile 5.0 Eval Kit including Visual Studio 2005 Beta 2
- Enter the Mobile2Market Contest and win up to $25000: mobile2marketcontest.com
- Join the Microsoft Solutions Partner Program: partner.microsoft.com
Tools & Resources
Build
- Websites: msdn.microsoft.com/embedded
- Newsgroups: microsoft.public.windowsxp.embedded, microsoft.public.windowsce.platbuilder, microsoft.public.windowsce.embedded.vc
- Blogs: blogs.msdn.com/mikehall
- Tools: Windows CE 5.0 Eval Kit, Windows XP Embedded Eval Kit
Develop
- Websites: msdn.microsoft.com/mobility
- Newsgroups: microsoft.public.pocketpc.developer, microsoft.public.smartphone.developer, microsoft.public.dotnet.framework.compactframework
- Blogs: blogs.msdn.com/windowsmobile, blogs.msdn.com/vsdteam, blogs.msdn.com/netcfteam
- Tools: Windows Mobile 5.0 Eval Kit