Familiar | Modern
Script Kiddies; Cybercrime | Cyber-espionage; Cyber-warfare
Cybercriminals | State-sponsored actions; Unlimited resources
Attacks on Fortune 500 | All sectors and even suppliers getting targeted
Software solutions | Hardware-rooted trust the only way
Secure the perimeter | Assume breach. Protect at all levels
Hoping I don't get hacked | You will be hacked. Did I successfully mitigate?
Company owned and tightly managed devices | Bring your own device, varied management
Slide 4
Attestation; UEFI Secure Boot; TPM 2.0; Only signed binaries; Single
source updates; OS Services; Trusted Boot; App Platform; Network
security; Microsoft Passport; Two Factor authentication; Windows Hello;
Mobile Device Management; Enterprise Data Protection; Device
encryption; IRM & S/MIME; Browser security; Store Apps; Business
Store Portal; Cloud Services
Slide 5
http://www.uefi.org/specs/
Slide 6
Firmware boot loaders; OEM UEFI applications; Windows boot
manager; Power On; Windows OS boot; Windows update OS boot; Boot to
flashing mode; SoC Vendor; OEM; MSFT
Slide 7
Slide 8
Slide 9
Slide 10
Least Privilege Chamber (LPC); Trusted Computing Base (TCB);
Dynamic Permissions (LPC); Fixed Permissions; Chamber
Central repository of rules
3-tuple {Principal, Right, Resource}
Chamber boundary is security boundary
Chambers defined using policy rules
Expressed in application manifest
Disclosed in Windows Store
Defines app's security boundary on device