Comments on Win-Fu Official Blog: The True Story of Windows 10 and the DMA-protection
Blog author: Sami Laiho

Anonymous (2018-04-18 11:02 +03:00):
Looks like in RS4 everything is fixed now. Another question I have is how to turn on "Kernel DMA Protection": when you open MSINFO32 on Windows 10, for us it is turned off, although Device Guard is ON.

Sami Laiho (2018-03-23 19:22 +02:00):
The GPO sets the same registry setting, and nothing else, so it should be the same result. Mine broke down whenever I set it via MDM, GPO or manually.

Anonymous (2018-03-21 18:22 +02:00):
Based on the wording of this response, is it safe to assume that while the GPO results in the devices breaking (machine bricking in my case), the registry key listed in this article does not?

Nathan O'Meara (2017-12-18 21:42 +02:00):
Microsoft's official response to that:
https://support.microsoft.com/en-gb/help/4057300/devices-not-working-before-log-on-a-computer-running-windows-10-1709

This is a big problem, as this setting is definitely an important one, but many companies will also need to upgrade to 1709, and don't want to wait on firmware updates that may never arrive.

peysche (2017-11-15 13:13 +02:00):
Hi Sami,

I think MS messed up something in 1709 with this setting, please have a look at this thread and my response:
https://social.technet.microsoft.com/Forums/en-US/8b03a659-93b3-4d72-b7fd-beca9b136474/win-10-enterprise-x64-fall-creators-update-1629915-no-lan-no-wireless-no-audio-on-lenovo?forum=win10itprohardware&prof=required

THX
Paul

Bernd Schwanenmeister (2017-10-30 16:30 +02:00):
Thanks, just did.

Sami Laiho (2017-10-26 13:40 +03:00):
Microsoft asked for you to report this through the Feedback Hub as well, so please do so.

Sami Laiho (2017-10-26 00:41 +03:00):
Thanks for the notice. I've forwarded this to Microsoft.

Bernd Schwanenmeister (2017-10-25 20:14 +03:00):
Sami, this will be of interest: since Win10 v1703, there's the "Disable new DMA devices when this computer is locked" GPO, as you know. This GPO however produces weird results on Win10 v1709 (RTM and 16299.19)! For me and several others that I read about, you need to disable the policy in order for other devices to work - for me it was the sound card, for others it included WiFi ("code 10 - device cannot start")! This is reproducible and did not happen with v1703 on the same hardware. Please try it for yourself.

-> This needs to be reported to Microsoft - you have connections, will you tell the developers? If you need hardware to reproduce: for me it was an ASRock motherboard H97 Pro4 with onboard sound card by Realtek.

Stephan (2017-03-21 11:28 +02:00):
It is not an easy attack. You have to prepare, you only have one try and have to be careful not to write rubbish to the disk.

I totally agree that the DMA issue that you are highlighting is much more relevant for most users, because it can be done with a stolen laptop without too much preparation.

The original point was a different one: Microsoft experts were very critical of XTS cipher mode, yet they have chosen it as their default.

Sami Laiho (2017-03-21 11:00 +02:00):
1. Yes, agreed.
2. Luckily you are like the others I've asked.

Stephan (2017-03-21 10:56 +02:00):
Sorry, I had not set up my Blogger account yet, that's why my name was displayed as "Unknown".

Second question first: the problem is not BitLocker itself, but its default settings. I'm not using Windows, but if I did, I would switch it back to CBC mode and be aware that data is encrypted but not authenticated.

An attack would take a lot of preparation, but it could look something like this:

0. Perform some Windows installations in order to determine which disk blocks are probably used for interesting files (system executables, DLLs etc.).
1. When I have access to the victim's laptop, I copy the encrypted disk. At this point I cannot decrypt anything.
2. I wait for some time until some critical security issues have been discovered and patched.
3. When I have access to the victim's laptop again, I surgically implant disk blocks from my image file in order to reset particular binaries to the vulnerable versions. This is particularly easy with XTS because of the small size of unchained blocks.
4. When the victim is using his laptop again, I exploit the known vulnerability to take over.

PS: You don't have to pay me, because I am not willing to invest the time for a proof of concept.

Sami Laiho (2017-03-21 10:35 +02:00):
Don't know who you are but I have two comments:
1. I'll pay you 100€ to show me how you would hack BitLocker.
2. What's your replacement for BitLocker? What do you use?

Stephan (2017-03-21 10:04 +02:00):
There is a lot more wrong with BitLocker:

2008: Vijay Bharadwaj and Niels Ferguson of Microsoft Corporation comment on NIST standardization of XTS
> In our opinion, one serious shortcoming of the proposal is that it does not contain a clear statement of what application-level security goals XTS aims to achieve.
> The proposal appears to miss the effect of temporal effects on the security of XTS. It is possible for an attacker to observe a disk for a period of time and thereby gain a significant advantage in cryptanalysis.
> An attack on large data units [...] This shows that large data units significantly weaken the system.
> AES in XTS mode works with 16-byte blocks, and this allows for very fine-grained ciphertext manipulation attacks. We believe this is a significant problem in practice.
> In a code modification attack the attacker randomizes a block of code and tries to corrupt the code in such a way as to introduce a security hole in the system whilst keeping the system functional.
> The small block size of XTS-AES makes this attack rather easy. A larger block size makes it significantly harder.
> A modern operating system has thousands of settings that are important for the security of the system.
> Again, a larger block size significantly increases the security in two ways.
Complete comment here: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/collected_XTS_comments.pdf

2016: XTS is default for BitLocker in Windows 10
> no argument given why it would be "more secure"
> it saves you two percent of time when converting 10 GB of data
https://blogs.technet.microsoft.com/dubaisec/2016/03/04/bitlocker-aes-xts-new-encryption-type/

Anonymous (2017-03-14 15:32 +02:00):
Thanks Sami

Sami Laiho (2017-03-13 20:42 +02:00):
This one is something that Windows has always really adhered to, as Windows hasn't been able to use DMA-enabled devices for booting anyway. Mac OS X has supported booting from FireWire or Thunderbolt, but not Windows. The real trouble really starts when the OS is alive, but this requirement is important to have. We need to protect more against DMA when the computer is at the logon state rather than physically off. There is more on this in the MSDN documentation: https://msdn.microsoft.com/en-us/ie/dn932805(v=vs.94)#system_fundamentals_firmware_noexternaldmaonboot

Anonymous (2017-03-13 18:02 +02:00):
Sami,
Are you able to clarify how the Windows Hardware Compatibility Requirement System.Fundamentals.Firmware.NoExternalDMAOnBoot protects (or not) systems? Just for completeness' sake.
Many thanks

Sami Laiho (2017-02-18 14:31 +02:00):
Well, in security I'd say it's never for nothing. It's always better to increase security than not. But the #1 rule since 1993 has been that there can't be good security in Windows unless you don't run admin rights.

SCCM FTW (2017-02-18 00:14 +02:00):
OK, so someone had to be first to ask, so no throwing, but for a., how critical is the NoAdminRights part? If you do absolutely everything and the user still has admin rights, is it all for nothing?