How Windows protects your PC

If you are careful, your Windows PC already has a strong line of defense in the form of its anti-malware technologies.

However, we are entering an era of cloud computing and downloadable applets, and we are in an arms race against ever more ingenious malware authors armed with ever more powerful weapons.

As a result, those defenses have to cope with code from many sources and still protect you from external threats.

How is that possible, and what ways have the bad guys already found to defeat these efforts? Most importantly, how can you be sure your computer is running only what you think it is running?

Log in

Unlike applications bought from reputable suppliers, free software or applets written by individuals give the average user (or even the security professional) no way to be sure that what they think they are running is not really something else.

With the arms race between developers and hackers in full swing, it may take more than the leading antivirus software to keep up with state-of-the-art malware. Fortunately, Windows has an ingenious way of protecting itself: Microsoft's Authenticode system.

You have seen Authenticode in action if you have ever tried to install software that has not been through a process called signing. A warning window appears, explaining that the publisher of the installation program could not be verified, and gives you the chance to stop.

Unique signature

Programs are signed using the RSA algorithm. It uses public-key cryptography to create a unique signature that describes the program being checked. Because the verifying key is public, anyone can obtain the key needed to check the code.

The operating system generates its own copy of the signature and compares it with the one supplied with the program. If the two match, the code is what the supplier says it is and can be allowed to run.
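The two paragraphs above describe hash-then-sign with a private key and verify-with-public-key, which is the core of Authenticode. The following PowerShell script is an added example, not code from the article or from Microsoft: it uses the .NET RSA classes to sign a constructed "program" as bytes, verify it with the public half of the key only, and then show that flipping a single byte after signing makes verification fail. Real Authenticode signs a hash of the PE image (excluding the signature area) and ships the signature inside a PKCS#7 blob together with the publisher's certificate; this example collapses that to raw bytes and a bare key pair so it runs offline.

```powershell
# Added example (not from the article): hash-then-sign with RSA, the mechanism
# Authenticode relies on, shown with .NET's RSACryptoServiceProvider.
# The key pair, the "program" bytes and the tampering are all constructed here.

# 1. The publisher generates a key pair. The private half never leaves the
#    publisher; the public half is what ends up in the code-signing certificate.
$publisherKey = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048

# The verifier (the operating system) is given only the public parameters.
$publicKeyOnly = New-Object -TypeName System.Security.Cryptography.RSACryptoServiceProvider
$publicKeyOnly.ImportParameters($publisherKey.ExportParameters($false))   # $false = public part only

# 2. The "program" being released (constructed sample bytes, standing in for setup.exe).
$program = [System.Text.Encoding]::UTF8.GetBytes("MZ...pretend this is the installer's code...")

# 3. Signing: SHA-256 of the code, encrypted with the private key (PKCS#1 v1.5 padding).
$signature = $publisherKey.SignData(
    $program,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)

# 4. Verification: the OS side hashes the code it actually received and checks
#    that hash against the signature using the public key alone.
function Test-CodeSignature {
    param(
        [byte[]]$Code,
        [byte[]]$Signature,
        [System.Security.Cryptography.RSA]$PublicKey
    )
    return $PublicKey.VerifyData(
        $Code,
        $Signature,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

"Untouched program verifies: $(Test-CodeSignature $program $signature $publicKeyOnly)"

# 5. Tampering: change one byte of the program after it was signed.
#    The recomputed hash no longer matches, so the same signature is rejected.
$tampered = [byte[]]$program.Clone()
$tampered[10] = $tampered[10] -bxor 0xFF
"Tampered program verifies:  $(Test-CodeSignature $tampered $signature $publicKeyOnly)"
```

The point to take from the script is that the verifier never needs the private key and never needs the original file: it only needs the public key, the bytes it was handed, and the signature that came with them. Any change to the bytes, however small, changes the hash and the check fails.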

These keys are held by a number of trusted security companies, known as certificate authorities (CAs), in the form of publicly available digital certificates. A certificate contains the details of the company that issued the program your operating system is trying to check; the unique signature belongs to the program itself.

If you are a developer, getting a CA to generate a digital certificate you can sign code with is usually an expensive and involved process. Obtaining a commercial certificate means proving conclusively that you are who you say you are.

According to Microsoft, a representative of your company may be asked to appear in person to verify their identity with photo ID. The company must also have a Dun & Bradstreet rating. This rating is a measure of your company's financial stability and shows, among other things, that the company is still trading. That stops hackers from simply posing as a company that has quietly ceased trading in order to obtain a bogus certificate for malicious purposes.

Finally, the applicant must also undertake not to distribute malicious code. This last measure is a matter of words rather than technology.

Developers can also obtain a personal certificate to sign their products. In this case no Dun & Bradstreet credit rating is required, but your details are checked against consumer databases to ensure that you are who you say you are. In both cases a certificate generally costs a considerable amount of money.

There are many CAs, so it is worth shopping around for the best deal. A one-year Microsoft Authenticode certificate from VeriSign, for example, costs $499 (about £250). If you expect people to download and install your software for more than a year, you must renew the certificate, or the code will be treated as unsigned.
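The section above explains what a certificate carries and that it has an expiry date. On a Windows machine the practical check is the built-in Get-AuthenticodeSignature cmdlet, which reports whether a file is signed, whether the hash still matches, who the signer is and when the certificate expires. The script below is an added example, not from the article; the folder path is a placeholder, and the Timestamped column is included because a signature countersigned by a timestamp server remains valid after the signing certificate's NotAfter date, which is worth knowing before treating an old installer as suspicious.

```powershell
# Added example (not from the article): report the Authenticode status of
# executable files in a folder before any of them is run. Windows PowerShell only;
# the path passed in below is a placeholder.
function Get-SigningReport {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    Get-ChildItem -Path $Path -File -Recurse -Include *.exe, *.dll, *.msi, *.ps1 |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate          # $null when the file is unsigned

            $publisher = if ($cert) { $cert.Subject }  else { '(none)' }
            $expires   = if ($cert) { $cert.NotAfter } else { $null }

            [pscustomobject]@{
                File        = $_.Name
                # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Status      = $sig.Status
                Publisher   = $publisher
                CertExpires = $expires
                # A timestamp countersignature keeps the signature valid past CertExpires.
                Timestamped = ($null -ne $sig.TimeStamperCertificate)
            }
        }
}

# Usage (placeholder folder): list everything, then isolate what needs a closer look.
$report = Get-SigningReport -Path 'C:\Users\Public\Downloads'
$report | Format-Table -AutoSize

# Anything that is not 'Valid' should be examined before it is allowed to run.
# HashMismatch in particular means the file was altered after it was signed.
$report | Where-Object Status -ne 'Valid'
```

NotSigned is the state that produces the "publisher could not be verified" warning described earlier; HashMismatch is the more alarming one, because it means a signed file has been modified since the publisher signed it.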

The public keys

Eagle-eyed readers may have noticed that this use of public keys is the same general mechanism used in email encryption and in SSH, where it proves that the server you are trying to open a secure, encrypted connection to is the real thing and not a dummy set up to skim usernames and passwords.

The biggest problem with code signing is that the average user has no idea what the popup means when it says the code's publisher cannot be confirmed. There is a tendency to take the chance, risk infection and leave it all to the antivirus software, but what if that fails to detect the malicious code?

Sandboxing explained

In the sand

One solution is a sandbox: code runs in quarantine, so any attempt to make unauthorized changes to the system can be blocked before it succeeds. Some antivirus programs (even free versions) now offer the ability to run suspicious or unsigned programs in a sandbox automatically.

Perhaps more importantly, web browsers have also begun using sandboxes, which is another good reason to abandon old versions of Internet Explorer. The ability of malicious or hijacked sites to silently install code on your computer just because you visited them is greatly reduced.

A sandbox is a bit like a virtual machine, in that it provides a virtual environment containing everything the code being executed needs in order to believe it is running on real hardware. In reality, however, it is a carefully prepared simulation with strict restrictions imposed on it. Changes to the real operating system should never propagate out of a sandbox.

The sandbox used in Google's Chrome browser is a good example of the concept in action. Rather than writing a full virtualization product, the developers used the Windows security model itself, which helps to account for Chrome's reputation for speed.

Chrome is sandboxed so that malware never has permission to write to the parts of RAM or the hard disk it would need in order to install itself and run again after a reboot. In Windows this can only be done through system calls to the kernel's I/O functions, all of which check the privileges of the process calling them. Chrome's sandbox is set up so that such write operations never have the right privileges and fail. The return codes fool the malware into believing it has installed itself, when it never has.

Chrome's sandbox is particularly useful for developers, because it sits deep inside the browser. Developers can use it to test their programs and make sure they do not attempt anything that should, or could, be interpreted as malicious.

Chrome tarnished

Chrome's sandbox is among the safest. In the first three years after the browser's release, it resisted all attempts to subvert it at the prestigious Pwn2Own hacking competition. Held during the annual CanSecWest security conference, the competition has seen IE8 and Firefox cracked wide open. However, Chrome's sandbox has now been breached, if the claims of a French security company are true.

Researchers from VUPEN Security recently issued a security advisory giving details of what it claims is a simple two-step process to escape Chrome's sandbox and make unauthorized changes to the operating system. This "pwning" of Chrome along with its sandbox is causing concern in the online security community, particularly as VUPEN Security has chosen not to share its findings with Google, which would be the normal course of action.

When a security researcher finds an exploitable bug, he or she usually contacts the developer with the details and perhaps a proposed fix. Only when the developer has implemented a fix and published new code does the researcher exercise their bragging rights by publishing details of the bug online.

However, in contrast, VUPEN Security says that "We do not provide this to Google, as we keep our vulnerability research for our government customers, for defensive and offensive security." This attitude hints at the marketing advantage of so-called "zero days": bugs that have not been reported to the developers so they can be fixed, but are kept private for use or sale.

At a time when governments speak openly about their preparations for cyberwar, exploitable bugs packaged up with ready-to-use exploit code can command money. However, several experts have questioned VUPEN Security's announcement. If, as they claim, VUPEN plans to sell the Chrome exploit to its government customers for use as a weapon, why make it public and put potential adversaries on their guard?

Take the blue pill

We take the concept of virtualization for granted as a cheap or free way of running one computer inside another, but it is far from being a purely software technology. Since the mid-2000s, Intel and AMD have built hardware virtualization support into the chip itself.

The two companies expected this to make creating virtual machine software easier, but the technology has had an unexpected side effect. When you create and run a virtual machine in a package such as the free Oracle VirtualBox, for example, the simulation runs under the total control of a process known as a hypervisor.

The hypervisor (also called a virtual machine manager) ensures that all of the physical computer appears to be available to the virtual machine. It manages access to everything from the BIOS to the USB ports, and resolves any conflicts over access to resources with other virtual machines it may be managing at the same time.

But not long after AMD and Intel released chips with virtualization support, Polish security guru Joanna Rutkowska created an ingenious hacking technique that uses it to let someone see everything happening on the chip, including everything you type.

In short, Rutkowska created a simple hypervisor that tells the CPU it is now under its supervision. However, neither the chip nor the operating system running on it has any way of knowing that a rogue hypervisor has been slipped underneath. They simply carry on as if nothing had happened.

Rutkowska named her approach the blue pill, after the concept of the same name in the cult science fiction film The Matrix. Running the blue pill exploit places the chip in a computer-generated simulation that is indistinguishable from reality. Once inside this simulation, the operating system is laid bare.

Because the simulation is indistinguishable from reality, malware using the same concept (a rootkit, for example) can be created that may be impossible to detect. Other researchers have pointed out shortcomings in Rutkowska's approach, but there is no doubt that the sheer convenience of virtualization may undermine the measures that protect the processor, and will lead to more, and more resourceful, defense mechanisms.
