emb423 creating a trusted environment for windows ce 5.0


Post on 30-Dec-2015


DESCRIPTION

EMB423 Creating A Trusted Environment For Windows CE 5.0. Nat Frampton, President, Real Time Development, [email protected]. OEM/IHV Supplied BSP (ARM, SH4, MIPS). OEM Hardware and Standard Drivers. Standard PC Hardware and Drivers. Hardware/Drivers. Windows XP DDK. (PowerPoint presentation)

TRANSCRIPT

Page 1: EMB423 Creating A Trusted Environment For   Windows CE 5.0

EMB423

Creating A Trusted Environment For Windows CE 5.0

Nat Frampton, President, Real Time Development, [email protected]

Page 2: EMB423 Creating A Trusted Environment For   Windows CE 5.0
Page 3: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Windows Embedded platform overview diagram:

Management Tools: Device Update Agent, Software Update Services, Image Update, Microsoft Operations Manager, Systems Management Server

Communications & Messaging: Live Communications Server, Exchange Server, Internet Security and Acceleration Server, Speech Server

Location Services: MapPoint

Multimedia: DirectX, Windows Media

Development Tools: Visual Studio 2005, MFC 8.0, ATL 8.0

Programming Model: Native (Win32), Managed (.NET Compact Framework, .NET Framework), Server Side (ASP.NET Mobile Controls, ASP.NET)

Data: Lightweight (EDB, SQL Server 2005 Mobile Edition), Relational (SQL Server 2005 Express Edition, SQL Server 2005)

Device Building Tools: Platform Builder, Windows Embedded Studio

Hardware/Drivers: Windows XP DDK, OEM/IHV Supplied BSP (ARM, SH4, MIPS), OEM Hardware and Standard Drivers, Standard PC Hardware and Drivers

Page 4: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Overview

Inside Loader Authentication

Implementation Example

Implementation Scenarios

Conclusions

Page 5: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Locking Down App Execution: Trusted Model

Application execution control via the Trusted Model

OEM option to assign trust levels to processes

Protections:

Prevents unauthorized modules from being loaded

Restricts access to certain system APIs

Prevents registry WRITE access to certain root keys and sub-keys: HKEY_LOCAL_MACHINE\Comm, Drivers, Hardware, Init, Services, SYSTEM, WDMDrivers

Prevents WRITE access to files with the SYSTEM attribute. READ access is granted by default; this can be changed via [HKLM\System\ObjectStore] "AllowSystemAccess"

Page 6: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Locking Down App Execution: When do I implement the Trusted Model?

1-tier (all code runs as Trusted):

Prevent unknown code from executing on the device

Trust all code running on the device (to the same extent)

2-tier (code can run as Trusted or Untrusted):

End users can run any code on the device

Protect from malicious code, such as worms, viruses, trojan attacks, etc.

Restrict capabilities of certain processes

Page 7: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Locking Down App Execution: Trusted Model (loader flowchart)

Load Library -> Trusted Model?
    N -> Load
    Y -> Pass OEM Verification?
        N -> Fail
        Y -> Assign TrustLevel -> Load

Page 8: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Locking Down App Execution: Trusted Model

Implement the Trusted Environment with two functions:

OEMCertifyModuleInit: the loader notifies OAL (OEM Adaptation Layer) code when launching a new module

OEMCertifyModule: the loader passes the module to OAL code for verification; returns one of three trust levels: OEM_CERTIFY_TRUST, OEM_CERTIFY_RUN, OEM_CERTIFY_FALSE

Samples available:

loadauth.lib – sample implementation of OEMCertifyModule and OEMCertifyModuleInit

signfile.exe – desktop application that signs CE binaries

Page 9: EMB423 Creating A Trusted Environment For   Windows CE 5.0

OEM Certification

Function | Description | Return value

OEMCertifyModuleInit | Enables the OS loader to notify the OEM that a new module is being loaded. Allows the OEM to decide whether to verify the module for safety. | TRUE or FALSE

OEMCertifyModule | Allows the OS loader to pass the module code (for example, DLL, EXE, and OCX) to the OEM for verification that it is safe to run on the system. | OEM_CERTIFY_TRUST, OEM_CERTIFY_RUN, OEM_CERTIFY_FALSE
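As an added illustration (not code from the talk, and not Microsoft's loadauth.lib sample), the following stand-alone C sketches the name/checksum variant of the two OAL functions described on the last two pages, together with the allowable-files list that the IOCTL handler of the lockdown architecture would populate. It assumes the loader's chunked calling convention (successive data chunks, then a final call with cbData == 0 that returns the verdict), uses portable C types in place of the Windows CE ones, and substitutes FNV-1a for a real hash or signature check.

```c
#include <stddef.h>
#include <stdint.h>
#include <wchar.h>

/* Trust levels named on the slides. A real OAL takes them from pkfuncs.h;
   they are defined here only so this file builds stand-alone. */
#define OEM_CERTIFY_FALSE 0
#define OEM_CERTIFY_RUN   1
#define OEM_CERTIFY_TRUST 2

/* The "allowable files list": module name, expected checksum, trust level. */
#define MAX_ALLOWED 8
struct allowed { const wchar_t *name; uint32_t checksum; int trust; };
static struct allowed g_allowed[MAX_ALLOWED];
static int g_nallowed;
static const wchar_t *g_cur_name;   /* module named by the last Init call */
static uint32_t g_cur_sum;          /* running checksum of its bytes */

/* FNV-1a over a byte range, chainable across chunks; a stand-in for the
   stronger hash or signature verification a production OAL would use. */
#define FNV_SEED 2166136261u
uint32_t ModuleChecksum(uint32_t seed, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { seed ^= p[i]; seed *= 16777619u; }
    return seed;
}

/* Adds a list entry; on the device this is what the KernelIOControl handler
   for the list-management IOCTL would call. Returns 0 when the list is full. */
int AllowModule(const wchar_t *name, uint32_t checksum, int trust) {
    if (g_nallowed == MAX_ALLOWED) return 0;
    g_allowed[g_nallowed++] = (struct allowed){ name, checksum, trust };
    return 1;
}

/* Loader is about to load lpModuleName: remember it, reset the checksum,
   and return TRUE so the loader streams the module bytes to OEMCertifyModule. */
int OEMCertifyModuleInit(const wchar_t *lpModuleName) {
    g_cur_name = lpModuleName;
    g_cur_sum = FNV_SEED;
    return 1;
}

/* Receives the module in chunks (interim return value is not the verdict); the
   final call with cbData == 0 decides. Unknown name or checksum mismatch: refuse. */
uint32_t OEMCertifyModule(const uint8_t *lpData, uint32_t cbData) {
    if (cbData != 0) { g_cur_sum = ModuleChecksum(g_cur_sum, lpData, cbData); return OEM_CERTIFY_RUN; }
    for (int i = 0; i < g_nallowed; i++)
        if (wcscmp(g_allowed[i].name, g_cur_name) == 0)
            return g_allowed[i].checksum == g_cur_sum ? (uint32_t)g_allowed[i].trust : OEM_CERTIFY_FALSE;
    return OEM_CERTIFY_FALSE;
}
```

In OEMInit these two functions would be assigned to pOEMLoadInit and pOEMLoadModule, as the Loader Location page shows.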

Page 10: EMB423 Creating A Trusted Environment For   Windows CE 5.0

DLL And EXE Trust Levels

EXE trust         | DLL trust         | Final DLL trust

OEM_CERTIFY_RUN   | OEM_CERTIFY_RUN   | OEM_CERTIFY_RUN

OEM_CERTIFY_RUN   | OEM_CERTIFY_TRUST | OEM_CERTIFY_RUN

OEM_CERTIFY_TRUST | OEM_CERTIFY_RUN   | DLL fails to load

OEM_CERTIFY_TRUST | OEM_CERTIFY_TRUST | OEM_CERTIFY_TRUST

Page 11: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Loader Location

Appears in \WINCE500\Private\WINCEOS\COREOS\NK\KERNEL\Loader.c, function VerifyBinary

Define the following in OEMInit:

pOEMLoadInit = OEMCertifyModuleInit

pOEMLoadModule = OEMCertifyModule

Page 12: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Implementation Example

Page 13: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Lockdown Architecture (layered diagram)

Win32: Load Library

Kernel: calls OEMCertify…

OAL: checks the Allowable Files List; KernelIOControl maintains the Allowable Files Database

Page 14: EMB423 Creating A Trusted Environment For   Windows CE 5.0

File Changes under \WINCE500…

\PLATFORM\COMMON\SRC\X86\COMMON\STARTUP\OEMINIT.C – actual OEM certification modules

\PUBLIC\COMMON\OAK\INC\PkFuncs.h – define the IOCTL codes for KernelIOControl

\PLATFORM\COMMON\SRC\X86\INC\ioctl_tab.h – associate our IOCTL call handler with the IOCTLs

\PLATFORM\COMMON\SRC\X86\INC\x86ioctl.h – declare our interface to our IOCTL call handler

Page 15: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Implementation Scenarios

OEM is free to choose the trust level

Digital certificates represent the highest trust level

Digital certificates require extra footprint

OEM can implement dynamic trust, allowing the device to change personality

OEM can implement name/checksum

Page 16: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Conclusions

Windows CE 5.0 provides a robust security architecture

Loader certification provides a mechanism to create a Trusted Environment and to dynamically define the device's personality

Follow best practices at multiple levels for the best defense

"Trusted security is best achieved by having a thorough understanding of the Windows CE 5.0 Security Architecture and Trust Model!"

Page 17: EMB423 Creating A Trusted Environment For   Windows CE 5.0

While At MEDC 2005…

Fill out an evaluation for this session: randomly selected instant WIN prizes!

Use real technology in a lab: instructor led (Reef E/F & Breakers L), self-paced (Reef B/C)

Visit the Microsoft Product Pavilion in the Exhibit Hall (Shorelines B)

Page 18: EMB423 Creating A Trusted Environment For   Windows CE 5.0

After The Conference…

Full-featured trial versions of Windows CE and/or Windows XP Embedded

Cool stuff & tell us about it: msdn.microsoft.com/embedded/community

Windows Embedded Partner Program: www.mswep.com

Windows Mobile 5.0 Eval Kit including Visual Studio 2005 Beta 2

Mobile2Market Contest and win up to $25000: mobile2marketcontest.com

Microsoft Solutions Partner Program: partner.microsoft.com

Page 19: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Tools & Resources

Build:

Websites: msdn.microsoft.com/embedded

Newsgroups: microsoft.public.windowsxp.embedded, microsoft.public.windowsce.platbuilder, microsoft.public.windowsce.embedded.vc

Blogs: blogs.msdn.com/mikehall

Tools: Windows CE 5.0 Eval Kit, Windows XP Embedded Eval Kit

Develop:

Websites: msdn.microsoft.com/mobility

Newsgroups: microsoft.public.pocketpc.developer, microsoft.public.smartphone.developer, microsoft.public.dotnet.framework.compactframework

Blogs: blogs.msdn.com/windowsmobile, blogs.msdn.com/vsdteam, blogs.msdn.com/netcfteam

Tools: Windows Mobile 5.0 Eval Kit

Page 20: EMB423 Creating A Trusted Environment For   Windows CE 5.0