Uncategorized

Microsoft: C++ Developer Guidance for Speculative Execution Side Channels

C++ Developer Guidance for Speculative Execution Side Channels
05/03/2018
Matt Miller Colin Robertson Mike B

This article contains guidance for developers to assist with identifying and mitigating speculative execution side channel hardware vulnerabilities in C++ software. These vulnerabilities can disclose sensitive information across trust boundaries and can affect software that runs on processors that support speculative, out-of-order execution of instructions. This class of vulnerabilities was first described in January, 2018 and additional background and guidance can be found in Microsoft’s security advisory. The guidance provided by this article is related to the class of vulnerabilities represented by CVE-2017-5753, also known as Spectre variant 1. This hardware vulnerability class is related to side channels that can arise due to speculative execution that occurs as a result of a conditional branch misprediction. The Visual C++ compiler in Visual Studio 2017 (starting with version 15.5.5) includes support for the /Qspectre switch provides a compile-time mitigation for a limited set of potentially vulnerable coding patterns related to CVE-2017-5753. The documentation for the /Qspectre flag provides more information on its effects and usage.[…]

https://docs.microsoft.com/en-us/cpp/security/developer-guidance-speculative-execution

[…]An accessible introduction to speculative execution side channel vulnerabilities can be found in the presentation titled The Case of Spectre and Meltdown by one of the research teams that discovered these issues.[…]

 

Standard
Uncategorized

VMWare and Microsoft Virtualization Based Security (VBS)

Introducing support for Virtualization Based Security and Credential Guard in vSphere 6.7
Mike Foley

Microsoft virtualization-based security, also known as “VBS”, is a feature of the Windows 10 and Windows Server 2016 operating systems. It uses hardware and software virtualization to enhance Windows system security by creating an isolated, hypervisor-restricted, specialized subsystem. Starting with vSphere 6.7, you can now enable Microsoft (VBS) on supported Windows guest operating systems. You may or may not be familiar with these new Windows features. Based on conversations I have with security teams, you might want to become familiar! What you will hear first and foremost is the requirement for “Credential Guard” which is why I added that to the title. In order to level set the conversation in this blog I will go over the features as they related to a bare metal installation of Windows and then a Windows VM on ESXi.[…]

https://blogs.vmware.com/vsphere/2018/05/introducing-support-virtualization-based-security-credential-guard-vsphere-6-7.html

Standard
Uncategorized

Microsoft introduces Trusted Cyber Physical Systems (TCPS)

Trusted Cyber Physical Systems looks to protect your critical infrastructure from modern threats in the world of IoT
Thomas Pfenning / Director Software Engineering
April 24, 2018

This week at Hannover Messe 2018 in Germany, we are excited to demonstrate how Microsoft is utilizing its more than 25 years of embedded and hardware security experience with a new project codenamed Trusted Cyber Physical Systems (TCPS). This solution seeks to provide end-to-end security that is resilient to today’s cyber-attacks so our industrial customers can operate their critical infrastructures with confidence and with no negative impact to their intellectual property and customer experience.[…]

https://blogs.windows.com/business/2018/04/24/trusted-cyber-physical-systems-looks-to-protect-your-critical-infrastructure-from-modern-threats-in-the-world-of-iot/

https://az835927.vo.msecnd.net/sites/iot/Resources/documents/TCPS-WP.pdf
https://az835927.vo.msecnd.net/sites/iot/Resources/documents/Protecting-Critical-Infrastructure.pdf

Standard
Uncategorized

Microsoft Azure Sphere

https://www.microsoft.com/en-us/azure-sphere/
https://www.microsoft.com/en-us/azure-sphere/about/
https://ms-device-contact.com/
https://azure.microsoft.com/en-us/blog/introducing-microsoft-azure-sphere-secure-and-power-the-intelligent-edge/
https://www.microsoft.com/en-us/azure-sphere/details/
https://www.mediatek.com/products/azureSphere/mt3620

A diagram that shows the MCU architecture. It includes sections for: Microsoft Pluton Security Subsystem, flash, Connectivity, application processor, SRAM, real-time processor, and firewalls.

Standard
Uncategorized

WinMagic on Microsoft Pre-Boot Full Disk Encryption Authentication

WinMagic makes full-disk encryption products, including a UEFI one, which the UEFI CA (Microsoft) signs, AFAIK.

Is Microsoft really claiming Pre-Boot Authentication for Full Disk Encryption is not necessary?[…]To summarize, Microsoft has got this one wrong. The fault in their logic is thinking that PBA is limited to protection against memory attacks AFTER automatically unlocking the drive. They missed the whole point of PBA, which is to prevent anything being read from the drive, such as the operating system BEFORE the user has confirmed they have the correct password or other credentials. PBA is a necessary component of a FDE solution in order to fully achieve the confidentiality (and compliance) that full disk encryption is capable of providing.

https://www.winmagic.com/blog/2018/03/27/microsoft-really-claiming-pre-boot-authentication-full-disk-encryption-not-necessary/

Standard