Azure IoT automatic device management helps deploying firmware updates at scale

Automatic device management in Azure IoT Hub automates many of the repetitive and complex tasks of managing large device fleets over the entirety of their lifecycles. Since the feature shipped in June 2018, there has been a lot of interest in the firmware update use case. This blog article highlights some of the ways you can kickstart your own implementation.

hdk – (unofficial) Hyper-V® Development Kit

The HDK is an updated version of the HvGdk.h header file published under MSR-LA as part of the Singularity Research Kernel. It has been updated to add the latest definitions, structures and definitions as described in the Microsoft Hypervisor Top-Level Functional Specification (TLFS) 5.0c published June 2018.

Introducing the Windows Internals Series: One Windows Kernel

Microsoft: Component Firmware Update (CFU)

October 17, 2018 4:02 pm
Introducing Component Firmware Update
By Microsoft Devices Team

The Microsoft Devices Team is excited to announce the release of an open-source model for Component Firmware Update for Windows system developers – Component Firmware Update (CFU). With CFU, you can easily deliver firmware updates for through Windows Update by using CFU drivers.[…]

Microsoft Project Mu: adaptation of TianoCore’s EDK2

6 repos:

Project Mu is a modular adaptation of TianoCore’s edk2 tuned for building modern devices using a scalable, maintainable, and reusable pattern. Mu is built around the idea that shipping and maintaining a UEFI product is an ongoing collaboration between numerous partners. For too long the industry has built products using a “forking” model combined with copy/paste/rename and with each new product the maintenance burden grows to such a level that updates are near impossible due to cost and risk.

Project Mu also tries to address the complex business relationships and legal challenges facing partners today. To build most products it often requires both closed-source, proprietary assets as well as open source and industry standard code. The distributed build system and multi-repository design allow product teams to keep code separate and connected to their original source while respecting legal and business boundaries.

Project Mu originated from building modern Windows PCs but its patterns and design allow it to be scaled down or up for whatever the final product’s intent. IoT, Server, PC, or any other form factor should be able to leverage the content.

Microsoft Open Enclave SDK

What is Open Enclave SDK?
Confidential computing is an ongoing effort to protect data throughout its lifecycle at rest, in transit and now in use. With the use of Trust Execution Environments, customers can build applications that protect data from outside access while in use. Open Enclave SDK is an open source SDK targeted at creating a single unified enclaving abstraction for developer to be build Trusted Execution Environment (TEEs) based applications. As TEE technology matures and as different implementations arise, the Open Enclave SDK is committed to supporting an API set that allows developers to build once and deploy on multiple technology platforms, different environments from cloud to hybrid to edge, and for both Linux and Windows.

Microsoft Ephemeral OS: limited public preview

Last week at Microsoft Ignite, we launched Ultra SSD, a new industry leading high-performance disk type for IO intensive workloads. Adding to that, today we are delighted to share the limited preview of Ephemeral OS Disk, a new type of OS disk created directly on the host node, providing local disk performance and faster boot/reset time. Ephemeral OS Disk is supported for all virtual machines (VM) and virtual machine scale sets (VMSS). This offering is based on your feedback to provide a lower cost, higher performant OS disk for stateless applications, which enable them to quickly deploy the VMs and reset them to its original state.[…]


Microsoft Bitlocker countermeasures and Thunderbolt DMA protection

SpeculationControl: PowerShell script

SpeculationControl is a PowerShell script that summarizes the state of configurable Windows mitigations for various speculative execution side channel vulnerabilities, such as CVE-2017-5715 (Spectre variant 2) and CVE-2017-5754 (Meltdown). For an explanation on how to interpret the output of this tool, please see Understanding Get-SpeculationControlSettings PowerShell script output.[…]

ChromeBook CampFire?

Everything we know about Campfire, Google’s secretive project to get Windows 10 running on Chromebooks.[…]


Microsoft Blackhat speculative execution slides posted

Microsoft announces the public preview of Windows 10 IoT Core Services

Microsoft Surface Pro 2 TPM firmware update issues

Windows: new feature using IOMMU to block DMA access for Thunderbolt devices when machine is locked

The latest version of Windows apparently has new protections against PCILeech and related attacks:

An ice-cold Boot to break BitLocker

An ice-cold Boot to break BitLocker
By Olle Segerdahl & Pasi Saarinen

A decade ago, academic researchers demonstrated how computer memory remanence could be used to defeat popular disk encryption systems. Not much has happened since, and most seem to believe that these attacks are too impractical for real world use. Even Microsoft have even started to play down the threat of memory remanence attacks against BitLocker, using words such as “they are not possible using published techniques”. We will publish techniques that allow recovery of BitLocker encryption keys from RAM on most, if not all, currently available devices. While BitLocker is called out in the title, the same attacks are also valid against other platforms and operating systems.

Olle is a veteran of the IT-security industry, having worked with both “breaking” and “building” security solutions for almost 20 years. During that time, he has worked on securing classified systems, critical infrastructure and cryptographic products as well as building software whitelisting solutions used by industrial robots and medical equipment. He is currently the Swedish Principal Security Consultant with F-Secure’s technical security consulting practice.

Pasi is an experienced security researcher with a background in both software and network security. In previous employment he has worked on a modern framework for white-box fuzz testing of binaries and security standardization of the 5G mobile network. While he has a very Finnish name, he plays for team Sweden in F-Secure’s technical security consulting practice.


Microsoft Research 2017: The Seven Properties of Highly Secure Devices

The Seven Properties of Highly Secure Devices
March 31, 2017

Industry largely underestimates the critical societal need to embody the highest levels of security in every network-connected device—every child’s toy, every household’s appliances, and every industry’s equipment. High development and maintenance costs have limited strong security to high-cost or highmargin devices. Our group has begun a research agenda to bring high-value security to low-cost devices. We are especially concerned with the tens of billions of devices powered by microcontrollers. This class of devices is particularly ill-prepared for the security challenges of internet connectivity. Insufficient investments in the security needs of these and other price-sensitive devices have left consumers and society critically exposed to device security and privacy failures. This paper makes two contributions to the field of device security. First, we identify seven properties we assert are required in all highly secure devices. Second, we describe our experiment working with a silicon partner to revise one of their microcontrollers to create a prototype, highly secure microcontroller. Our experimental results suggest that in the near future even the most price-sensitive devices should be redesigned to achieve the high levels of device security critical to society’s safety. While our first experimental results are promising, more ongoing research remains and we seek to enlist the broader security community in a dialog on device security.


Virtualization-based security (VBS) memory enclaves: Data protection through isolation

I’m glad that Virtualization-Based Security has replaced VisualBasic Script as the new acronym for VBS. 🙂

The escalating sophistication of cyberattacks is marked by the increased use of kernel-level exploits that attempt to run malware with the highest privileges and evade security solutions and software sandboxes. Kernel exploits famously gave the WannaCry and Petya ransomware remote code execution capability, resulting in widescale global outbreaks. Windows 10 remained resilient to these attacks, with Microsoft constantly raising the bar in platform security to stay ahead of threat actors. Virtualization-based security (VBS) hardens Windows 10 against attacks by using the Windows hypervisor to create an environment that isolates a secure region of memory known as secure memory enclaves.[…]