SiSyPHuS Win10: Analysis of Device Guard
The objective of this work package is the analysis of the DeviceGuard feature in Windows 10 and the relevant communication interfaces, logging- and configuration capabilities.
- Analysis of Device Guard (english document, german abstract) Analyse der Komponente "Device Guard" in Windows 10
Due to the long duration of this project, a differential analysis between the original version Windows 10, Build 1607 and Windows 10 Enterprise LTSC 2019 (Build 1809) was carried out for this work package. This version will be supported by Microsoft until 2029.
Beside others additions mainly occurred in the Windows Defender Application Control guideline. Additionally a new policy rule option was integrated to enforce code verification on code loaded by .NET.
Table of contents analysis document
1 Introduction
1.1 Executive Summary (german)
1.2 Executive Summary (english)
1.3 Concept and Terms
2 Technical Analysis of Functionalities
2.1 Non-configurable Code Integrity
2.1.1 Overview of Functionalities
2.2 WDAC: Configurable Code Integrity
2.2.1 WDAC Initialization
2.2.2 WDAC Verification
3 Configuration and Logging Capabilities
3.1 Configuration Capabilities
3.1.1 WDAC Policy Management Capabilities
3.1.2 WDAC Deployment Considerations
3.1.3 Recommendations on Constructing WDAC Policies
3.2 Logging Capabilities
Appendix
Reference Documentation
Keywords and Abbreviations
Summary:
The objective of this work package is the analysis of the Device Guard feature of Windows 10. The release of the Windows 10 system in focus is build 1607, 64-bit, long-term servicing branch (LTSB), German language.
The Device Guard component of Windows 10 implements a feature for preventing the execution of untrusted code. Untrusted code is program code whose integrity and authenticity cannot be verified. For example, this could be code that has been tampered with in an unauthorized manner, or which originates from untrusted sources. Device Guard implements a feature referred to as configurable code integrity, also known as Windows Defender Application Control (). In addition to configurable code integrity, Windows 10 implements code integrity functionalities that do not take user-defined criteria into account.
If the VSM feature HVCI is disabled, code integrity functionalities are executed in the context of the ci.dll library file. This file is loaded by the ntoskrnl.exe executable, which implements the normal kernel. The ci.dll library file exposes an interface of functions to the kernel for use. If HVCI is enabled, Windows routes code integrity functionalities to the secure environment, that is, to the virtual trust level (VTL) 1, for execution. Code integrity functionalities are then executed in the context of the skci.dll library file. This prevents attackers that have gained access to the normal environment to tamper with critical code integrity functionalities. skci.dll is loaded by the securekernel.exe executable, which implements the secure kernel.
The non-configurable and configurable (WDAC) code integrity functionalities successfully prevent the execution of untrusted code. By implementing the concept of policies in which users may set options and specify rules, WDAC is highly configurable and effective. It offers a wide range of granularities at which the trustworthiness of code may be verified. This makes WDAC suitable for protecting a variety of systems. However, the deployment of WDAC requires considerable preparation and policy management efforts. This is crucial for the operationally manageable, practically feasible, and security-efficient WDAC deployment. The security of the code integrity features of Device Guard and Windows 10 is solid. They are implemented as part of the boot manager, the Windows loader, the kernel, and external library files, whose integrity is verified. However, WDAC exposes many configuration points to system users, including points for configuring the criteria based on which the trustworthiness of images is verified. Examples are the policy options Enabled: Managed Installer and Enabled: Intelligent Security Graph Authorization. This opens possibilities for compromise WDAC, such as bypassing WDAC protections. Some of these policy options delegate verification of images to other entities, such as AppLocker or the Intelligent Security Graph. Therefore, the implementation of the user-configurable WDAC features, and the impact that these features have on image verification, are not part of this work package and remain to be analyzed in detail.
- Short URL:
- https://www.bsi.bund.de/dok/12818688