EMB423 Creating A Trusted Environment For Windows CE 5.0
Nat Frampton, President, Real Time Development, [email protected]


Description: PowerPoint (PPT) presentation for MEDC 2005 session EMB423, Creating A Trusted Environment For Windows CE 5.0, by Nat Frampton, President, Real Time Development, [email protected].

Page 1: EMB423 Creating A Trusted Environment For   Windows CE 5.0

EMB423 Creating A Trusted Environment For Windows CE 5.0

Nat Frampton, President, Real Time Development, [email protected]

Page 2: EMB423 Creating A Trusted Environment For   Windows CE 5.0
Page 3: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Microsoft embedded platform map (slide diagram; only the labels survive, grouped as they appear on the slide)

Management Tools: Device Update Agent, Software Update Services, Image Update, Microsoft Operations Manager, Systems Management Server
Communications & Messaging: Live Communications Server, Exchange Server, Internet Security and Acceleration Server, Speech Server
Location Services: MapPoint
Multimedia: DirectX, Windows Media
Development Tools: Visual Studio 2005
  Native: MFC 8.0, ATL 8.0, Win32
  Managed: .NET Compact Framework, .NET Framework
  Server Side: ASP.NET Mobile Controls, ASP.NET
Data Programming Model
  Lightweight: EDB, SQL Server 2005 Mobile Edition
  Relational: SQL Server 2005 Express Edition, SQL Server 2005
Device Building Tools: Platform Builder, Windows Embedded Studio
Hardware/Drivers: OEM/IHV supplied BSP (ARM, SH4, MIPS), OEM hardware and standard drivers, standard PC hardware and drivers, Windows XP DDK

Page 4: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Overview

Inside Loader Authentication
Implementation Example
Implementation Scenarios
Conclusions

Page 5: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Locking Down App Execution: Trusted Model

Application execution control via the Trusted Model
  OEM option to assign trust levels to processes
Protections
  Prevents unauthorized modules from being loaded
  Restricts access to certain system APIs
  Prevents registry WRITE access to certain root keys and sub-keys:
    HKEY_LOCAL_MACHINE\Comm, Drivers, Hardware, Init, Services, SYSTEM, WDMDrivers
  Prevents WRITE access to files with the SYSTEM attribute
    READ access is granted by default; this can be changed via [HKLM\System\ObjectStore] "AllowSystemAccess"

Page 6: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Locking Down App Execution: When do I implement the Trusted Model?

1-tier (all code runs as Trusted)
  Prevents unknown code from executing on the device
  Trusts all code running on the device (to the same extent)
2-tier (code can run as Trusted or Untrusted)
  End users can run any code on the device
  Protects from malicious code, such as worms, viruses, trojan attacks, etc.
  Restricts the capabilities of certain processes

Page 7: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Locking Down App Execution: Trusted Model (flow chart)

LoadLibrary
  Trusted Model enabled?
    N: Load
    Y: Pass OEM verification?
      N: Fail
      Y: Assign trust level
        T (OEM_CERTIFY_TRUST): Load
        R (OEM_CERTIFY_RUN): Load
        F (OEM_CERTIFY_FALSE): Fail

Page 8: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Locking Down App Execution: Trusted Model

Implement the Trusted Environment with two functions
  OEMCertifyModuleInit
    The loader notifies OAL (OEM Adaptation Layer) code when launching a new module
  OEMCertifyModule
    The loader passes the module to OAL code for verification
    Returns one of three trust levels: OEM_CERTIFY_TRUST, OEM_CERTIFY_RUN, OEM_CERTIFY_FALSE
Samples available
  loadauth.lib: sample implementation of OEMCertifyModule and OEMCertifyModuleInit
  signfile.exe: desktop application that signs CE binaries

Page 9: EMB423 Creating A Trusted Environment For   Windows CE 5.0

OEM Certification

OEMCertifyModuleInit
  Description: Enables the OS loader to notify the OEM that a new module is being loaded, so the OEM can decide whether to verify the module for safety.
  Return value: TRUE or FALSE

OEMCertifyModule
  Description: Allows the OS loader to pass the module code (for example, DLL, EXE, and OCX) to the OEM for verification that it is safe to run on the system.
  Return value: OEM_CERTIFY_TRUST, OEM_CERTIFY_RUN or OEM_CERTIFY_FALSE

Page 10: EMB423 Creating A Trusted Environment For   Windows CE 5.0

DLL And EXE Trust Levels

EXE trust            DLL trust            Final DLL trust
OEM_CERTIFY_RUN      OEM_CERTIFY_RUN      OEM_CERTIFY_RUN
OEM_CERTIFY_RUN      OEM_CERTIFY_TRUST    OEM_CERTIFY_RUN
OEM_CERTIFY_TRUST    OEM_CERTIFY_RUN      DLL fails to load
OEM_CERTIFY_TRUST    OEM_CERTIFY_TRUST    OEM_CERTIFY_TRUST

A DLL never gains more trust than the process that loads it, and a trusted process refuses to load a DLL that is only certified to run, so a trusted EXE cannot be hijacked by a merely runnable DLL of the same name.

Page 11: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Loader Location

Appears in…
  \WINCE500\Private\WINCEOS\COREOS\NK\KERNEL\Loader.c
  Function VerifyBinary
Define the following in OEMInit…
  pOEMLoadInit = OEMCertifyModuleInit
  pOEMLoadModule = OEMCertifyModule

Page 12: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Implementation Example

Page 13: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Lockdown Architecture (diagram; labels recovered from the figure)

Win32 layer: LoadLibrary
Kernel layer: the loader calls OEMCertify…
OAL layer: OEMCertify… checks the Allowable Files List; KernelIOControl maintains the Allowable Files Database

Page 14: EMB423 Creating A Trusted Environment For   Windows CE 5.0

File Changes (\WINCE500…)

\PLATFORM\COMMON\SRC\X86\COMMON\STARTUP\OEMINIT.C
  Actual OEM certification modules
\PUBLIC\COMMON\OAK\INC\PkFuncs.h
  Define IOCTL codes for KernelIOControl
\PLATFORM\COMMON\SRC\X86\INC\ioctl_tab.h
  Associate our IOCTL call handler with the IOCTLs
\PLATFORM\COMMON\SRC\X86\INC\x86ioctl.h
  Declare our interface to our IOCTL call handler

Page 15: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Implementation Scenarios

OEM is free to choose the trust level
Digital certificates represent the highest trust level
  Digital certificates require extra footprint (signature-verification code and key material on the device)
OEM can implement dynamic trust
  Allows the device to change personality
OEM can implement Name/Checksum
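The Name/Checksum and dynamic-trust scenarios on this slide, the two OEM functions and their trust levels from pages 8 and 9, the EXE/DLL combination table from page 10 and the VerifyBinary flow from page 11, pulled together in one added example. This is my own illustration and not code from the deck, from loadauth.lib or from Platform Builder: the numeric values behind the OEM_CERTIFY_* names, the LOAD_FAIL sentinel, the chunked calling convention (data calls followed by one zero-length call for the verdict), the 4 KB chunk size, the allow-list layout, oem_allowlist_add standing in for a KernelIOControl handler, the crc32_update helper and the narrow-string module names are all assumptions; the real OAL builds against pkfuncs.h with wide-character names. It compiles with any C99 compiler and needs no Windows headers.

```c
/* Added example, not the deck's or loadauth.lib's code: a host-buildable model of the CE 5.0 loader hooks. */
#include <stdint.h>
#include <string.h>

/* Names as in pkfuncs.h; the numeric values and LOAD_FAIL are assumed here. */
#define OEM_CERTIFY_FALSE 0
#define OEM_CERTIFY_RUN   1
#define OEM_CERTIFY_TRUST 2
#define LOAD_FAIL        -1   /* loader refused the module */

/* Allow-list entry: module name, CRC-32 of the whole file, trust to grant. */
struct allowed { char name[32]; uint32_t crc; int trust; };
#define MAX_ALLOWED 16
static struct allowed g_allowed[MAX_ALLOWED];
static int g_nallowed;

/* What a (hypothetical) KernelIOControl handler would run to extend the list
 * at run time: the deck's "dynamic trust" scenario. Returns 1 on success. */
int oem_allowlist_add(const char *name, uint32_t crc, int trust)
{
    if (g_nallowed >= MAX_ALLOWED || strlen(name) >= sizeof g_allowed[0].name)
        return 0;
    strcpy(g_allowed[g_nallowed].name, name);
    g_allowed[g_nallowed].crc = crc;
    g_allowed[g_nallowed].trust = trust;
    g_nallowed++;
    return 1;
}

/* Table-free reflected CRC-32 (polynomial 0xEDB88320). Pass 0 for the first
 * chunk and the previous result afterwards, so a streamed file checks out. */
uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    crc = ~crc;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Per-load state: set by Init, consumed by the Module calls that follow. */
static const struct allowed *g_cur; static uint32_t g_crc;

/* OEMCertifyModuleInit: the loader announces the module name before streaming
 * its bytes. FALSE is treated as "do not load" in this model. */
int OEMCertifyModuleInit(const char *name)
{
    g_cur = NULL;
    g_crc = 0;
    for (int i = 0; i < g_nallowed; i++)
        if (strcmp(g_allowed[i].name, name) == 0) { g_cur = &g_allowed[i]; return 1; }
    return 0;   /* unknown name: refuse before reading a single byte */
}

/* OEMCertifyModule: called with successive chunks of the file; a final call
 * with cbData == 0 asks for the verdict (assumed calling convention). */
int OEMCertifyModule(const uint8_t *data, size_t cbData)
{
    if (g_cur == NULL) return OEM_CERTIFY_FALSE;
    if (cbData != 0) {
        g_crc = crc32_update(g_crc, data, cbData);
        return OEM_CERTIFY_RUN;   /* provisional: keep streaming */
    }
    return g_crc == g_cur->crc ? g_cur->trust : OEM_CERTIFY_FALSE;
}

/* Page 10 of the deck: a DLL never exceeds the trust of the EXE loading it,
 * and a trusted EXE refuses a DLL that is only certified to run. */
int final_dll_trust(int exe_trust, int dll_trust)
{
    if (dll_trust == OEM_CERTIFY_FALSE) return LOAD_FAIL;
    if (exe_trust == OEM_CERTIFY_TRUST)
        return dll_trust == OEM_CERTIFY_TRUST ? OEM_CERTIFY_TRUST : LOAD_FAIL;
    return OEM_CERTIFY_RUN;
}

/* Model of the loader's VerifyBinary: Init, stream the file in 4 KB pieces,
 * then the zero-length call. Returns the module's trust level or LOAD_FAIL. */
int verify_module(const char *name, const uint8_t *file, size_t len)
{
    if (!OEMCertifyModuleInit(name)) return LOAD_FAIL;
    for (size_t off = 0; off < len; off += 4096) {
        size_t n = len - off < 4096 ? len - off : 4096;
        if (OEMCertifyModule(file + off, n) == OEM_CERTIFY_FALSE) return LOAD_FAIL;
    }
    int t = OEMCertifyModule(NULL, 0);
    return t == OEM_CERTIFY_FALSE ? LOAD_FAIL : t;
}

/* A DLL is verified like any module, then combined with the loading EXE's level. */
int verify_dll(const char *name, const uint8_t *file, size_t len, int exe_trust)
{
    int t = verify_module(name, file, len);
    return t == LOAD_FAIL ? LOAD_FAIL : final_dll_trust(exe_trust, t);
}
```

Register a constructed image with oem_allowlist_add, then call verify_module for an EXE or verify_dll with the loading process's level; flipping one byte of the image, or asking for a name that was never registered, yields LOAD_FAIL, and a RUN-level DLL requested by a TRUST-level EXE fails exactly as the page 10 table says. One caveat a practitioner should carry over: a CRC detects accidental corruption, not deliberate substitution, because an attacker who can write the file can pad a malicious binary to any CRC-32 they like. If Name/Checksum is the chosen scenario, the checksum should be a cryptographic hash, and the list itself must live where untrusted code cannot write it, which is the point of the registry and SYSTEM-attribute protections on page 5.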

Page 16: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Conclusions

Windows CE 5.0 provides a robust security architecture
Loader certification provides a mechanism to
  Create a trusted environment
  Dynamically define the device's personality
Follow best practices at multiple levels for the best defense
"Trusted security is best achieved by having a thorough understanding of Windows CE 5.0's Security Architecture and Trust Model!"

Page 17: EMB423 Creating A Trusted Environment For   Windows CE 5.0

While At MEDC 2005…

Fill out an evaluation for this session
  Randomly selected instant WIN prizes!
Use real technology in a lab
  Instructor led: Reef E/F & Breakers L
  Self-paced: Reef B/C
Visit the Microsoft Product Pavilion in the Exhibit Hall: Shorelines B

Page 18: EMB423 Creating A Trusted Environment For   Windows CE 5.0

After The Conference…

Build (Windows CE / Windows XP Embedded)
  Install: full-featured trial versions of Windows CE and/or Windows XP Embedded
  Build: cool stuff, and tell us about it: msdn.microsoft.com/embedded/community
  Join: Windows Embedded Partner Program: www.mswep.com

Develop (Windows Mobile)
  Install: Windows Mobile 5.0 Eval Kit including Visual Studio 2005 Beta 2
  Enter: Mobile2Market Contest and win up to $25000: mobile2marketcontest.com
  Join: Microsoft Solutions Partner Program: partner.microsoft.com

Page 19: EMB423 Creating A Trusted Environment For   Windows CE 5.0

Tools & Resources

Build (Windows Embedded)
  Websites: msdn.microsoft.com/embedded
  Newsgroups: microsoft.public.windowsxp.embedded, microsoft.public.windowsce.platbuilder, microsoft.public.windowsce.embedded.vc
  Blogs: blogs.msdn.com/mikehall
  Tools: Windows CE 5.0 Eval Kit, Windows XP Embedded Eval Kit

Develop (Windows Mobile)
  Websites: msdn.microsoft.com/mobility
  Newsgroups: microsoft.public.pocketpc.developer, microsoft.public.smartphone.developer, microsoft.public.dotnet.framework.compactframework
  Blogs: blogs.msdn.com/windowsmobile, blogs.msdn.com/vsdteam, blogs.msdn.com/netcfteam
  Tools: Windows Mobile 5.0 Eval Kit

Page 20: EMB423 Creating A Trusted Environment For   Windows CE 5.0