“Microsoft claims that their telemetry shows that they have seen up to a 60% reduction in malware when TPM-enabled features like Windows Hello and BitLocker encryption are used on supported devices — it’s unclear why that would be at all true, unless it’s correlation and not causation” Steve Gibson (Security Now #825 Podcast)
I dare say it’s a terrible idea. I have been doing some major research into secure boot and TPM and everything I’m seeing is a little bit worrying to say the least. Even listening to others talk about what Windows 11 can do or can’t do seems quite obvious. Afterall, I’ve even had my son get information on how to get around the security requirements for Windows 11 and install Windows a boot logged copy of it onto a USB just to play around with it. I am quite concerned with this also because it seems Microsoft trying to force users onto a proprietary system. Microsoft is only doing the complete opposite of what they claim.
Scrutinizing the Boot Process
The goal of a hardware root of trust is to verify that the software installed in every component of the hardware is the software that was intended. — Jessie Frazelle
The problem with trust is that we should never trust anything and always question it. How can a system trust that the software wasn’t installed as intended? These are the basic problems with the premise of a TPM and even the Secure Boot process.
The goal of attestation is to prove to a third party that your operating system and application software are intact and trustworthy. — Jessie Frazelle
The problem with this is even more obvious to the security of a system. Attestation can’t always witness or even prove a program doesn’t have the right to be run or used in boot up. Unless Attestations can be programmed to boot Windows a certain everytime in hardware, we will always have the virus developers skirting around the boot process.
Some members of the technology industry have raised the concern that the well-documented, modern, high-level language interface provided by UEFI makes it easier to compromise a platform [12]; that the ability to add modules
and applications to the boot process could compromise security.
I wouldn’t call some being a small amount of people but a large amount. I’ve heard time and time again this idea and it seems to be a growing concern with UEFI and how virus writers / developers will overcome UEFI and be able to install viruses / Malware around the the Windows system to be able to do what they have always been able to do.
Security through Obscurity
Microsoft seems to have take this approach as their next step through the security door and it’s seems quite evident that they’ve not learned their lesson from others. I say that with the understanding that Apple tried this with their systems and they still have virus writers who can compromise their system. It’s not like the security community doesn’t want all operating system to be secure, in fact most would want it so badly because we wouldn’t have to worry as much about the viruses or malware to being on peoples systems. Let’s not forget we still have users who will do dumb things and that much will always be true. There is always going to be need to teach the company users, how to be secure while using the company’s computer(s) or laptop(s).
Return-Oriented Programming
Return-Oriented Programming is a security exploit technique used by attackers to execute code on their target system. By obtaining control of the call stack, the attacker can control the flow of existing trusted software running on the computer and manipulate it to their own ends. — Secureteam UK
The ROP(return-oriented programming) has been a constant problem for several years now and will probably grow even more. I say that not lightly because the Virus writers / Developers will have to start to use it more and more often and even find other exploits techniques to get around the Secure boot and UEFI protocols. This is often called the Blindside attack and is most often used with IOT(Internet of Things) devices but can be used with Windows operating systems and will become more and more useful to them in the future, I suspect.
Not unlike the previous tutorial we will be crafting [ROP] the parameters to Windows API calls on the stack and then executing them. — FuzzySecurity
As you can see, there is already programming that people can do with Windows 7 API and that’s been out for quite a while. I am unsure when someone did this little experient and talked about the vulnerability. This vulnerability is available on Windows 7. It could very well be used on Windows 10 or even Windows 11, I suspect.
Mitigation
I will say there has been talk about mitigating this and other attacks but it requires a constant updating of the operating system and CPU (Secureteam UK). As you know CPU manufacturers will take years to update a problem just because people will not want to go buy a new cpu or even a new computer until the old computer isn’t able to run or something actually breaks in the system. I know Virus writers / developers will always be having to be a head of Windows updates and that might be what they are already doing. Looking for vulnerabilities in the UEFI and Secure boot area. I suspect they are already doing that now. I can’t say if they’ll succeed but I know the virus writers make so much money on ransomware and getting those companies systems compromised. So who really wins? I would hazard a guess no one in the end, the security that Microsoft is trying to force will still fail miserably and I will be there saying “I told you so!”
