hasty Worldcon notes

Aug. 23rd, 2016 10:37 am
[personal profile] brainwane
Several things I recommended during Worldcon just now:

I had a very good time at Worldcon and am recovering now.

Pain hits

Aug. 18th, 2016 06:48 pm
[personal profile] badgerbag
Pain kicking in big time, ankles, knees mostly. I am definitely glad I stayed moving very gently in the pool and didn't get vigorous or go any longer than 30 min.

Anyway pain and I will lie still, do some cbd stuff, and put on ice packs.

I still feel invigorated on some level, and happy.

Worldcon

Aug. 16th, 2016 07:42 pm
[personal profile] brainwane
Starting tomorrow I'll be at MidAmericon II, and participating in several sessions. Perhaps I'll see you there!

what to nominate for Yuletide?

Aug. 15th, 2016 05:52 pm
[personal profile] brainwane
I participated in Yuletide last year and really enjoyed it, so I'll probably participate again this year. Nominations: Friday 9 September to Friday 16 September. Thinking about what to nominate...

* I am about 3/4 of the way through Neal Stephenson's Seveneves -- I see one work about it on AO3 and I'll probably read that and more after I finish the novel.
* "As Good As New" by Charlie Jane Anders
* Dear Mr. Henshaw by Beverly Cleary
* the miniseries Tanner '88

with more ideas to come, for sure.
[personal profile] mjg59
There's been a bunch of coverage of this attack on Microsoft's Secure Boot implementation, a lot of which has been somewhat confused or misleading. Here's my understanding of the situation.

Windows RT devices were shipped without the ability to disable Secure Boot. Secure Boot is the root of trust for Microsoft's User Mode Code Integrity (UMCI) feature, which is what restricts Windows RT devices to running applications signed by Microsoft. This restriction is somewhat inconvenient for developers, so Microsoft added support in the bootloader to disable UMCI. If you were a member of the appropriate developer program, you could give your device's unique ID to Microsoft and receive a signed blob that disabled image validation. The bootloader would execute a (Microsoft-signed) utility that verified that the blob was appropriately signed and matched the device in question, and would then insert it into an EFI Boot Services variable[1]. On reboot, the boot loader reads the blob from that variable and integrates that policy, telling later stages to disable code integrity validation.

The problem here is that the signed blob includes the entire policy, and so any policy change requires an entirely new signed blob. The Windows 10 Anniversary Update added a new feature to the boot loader, allowing it to load supplementary policies. These must also be signed, but aren't tied to a device id - the idea is that they'll be ignored unless a device-specific policy has also been loaded. This way you can get a single device-specific signed blob that allows you to set an arbitrary policy later by using a combination of supplementary policies.

This is all fine in the Anniversary Edition. Unfortunately older versions of the boot loader will happily load a supplementary policy as if it were a full policy, ignoring the fact that it doesn't include a device ID. The loaded policy replaces the built-in policy, so in the absence of a base policy a supplementary policy as simple as "Enable this feature" will effectively remove all other restrictions.
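To make the failure in the preceding paragraphs concrete, here is an added model of the two loaders' policy-acceptance logic. It is not Microsoft's code or policy format: the policy is a signed JSON dictionary, the "signature" is an HMAC with a key the model treats as Microsoft's signing key, and the device ID, field names and sample policies are all constructed for the example. What it shows is the check that separates the two behaviours: the older loader accepts any validly signed policy as the active policy and only compares device IDs when the policy happens to carry one, so a supplementary policy with no device ID sails through and replaces the built-in restrictions; the newer loader refuses to merge a supplementary policy until a base policy bound to this device has been loaded.

```python
import hashlib
import hmac
import json

# Stand-in for the signing key: an HMAC secret known only to the "signer".
# Real policies use an asymmetric signature; HMAC keeps the model offline.
SIGNING_KEY = b"model-signing-key-not-a-real-secret"

# The loader's built-in policy; a loaded policy replaces it wholesale, which is
# the behaviour the post describes.
BUILTIN_POLICY = {"image_validation": "on", "umci": "on"}


def sign_policy(fields):
    """Produce a signed policy blob: canonical JSON body plus an HMAC tag."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def signature_valid(blob):
    """Constant-time check that the blob was produced with SIGNING_KEY."""
    expected = hmac.new(SIGNING_KEY, blob["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, blob["tag"])


def load_policy_pre_anniversary(blob, device_id):
    """Model of the older loader: any validly signed policy becomes the active policy.

    The device-ID comparison only runs when the policy carries a device ID, so a
    supplementary policy (which has none) is accepted as if it were a base policy.
    """
    if not signature_valid(blob):
        return None
    fields = json.loads(blob["body"])
    if "device_id" in fields and fields["device_id"] != device_id:
        return None
    return fields


def load_policies_anniversary(blobs, device_id):
    """Model of the newer loader: the base policy must name this device, and
    supplementary policies are merged only on top of a loaded base policy."""
    base = None
    supplementary = []
    for blob in blobs:
        if not signature_valid(blob):
            continue
        fields = json.loads(blob["body"])
        if fields.get("supplementary"):
            supplementary.append(fields)
        elif fields.get("device_id") == device_id:
            base = fields
    if base is None:
        return None  # nothing loaded: the built-in restrictions stay in force
    active = dict(base)
    for extra in supplementary:
        active.update({k: v for k, v in extra.items() if k != "supplementary"})
    return active


def image_validation_enforced(loaded):
    """Whether the loader will still check image signatures under `loaded`."""
    policy = BUILTIN_POLICY if loaded is None else loaded
    return policy.get("image_validation") == "on"


# Constructed sample policies (not real Microsoft artifacts).
THIS_DEVICE = "device-1234"
DEV_POLICY = sign_policy({"device_id": THIS_DEVICE, "image_validation": "on", "umci": "off"})
OTHER_DEV_POLICY = sign_policy({"device_id": "device-9999", "image_validation": "off"})
# A "just enable this feature" supplementary policy with no device ID.
LEAKED_SUPPLEMENTARY = sign_policy({"supplementary": True, "debug_transport": "on"})
FORGED = {"body": b'{"image_validation": "off"}', "tag": "00" * 32}

if __name__ == "__main__":
    old = load_policy_pre_anniversary(LEAKED_SUPPLEMENTARY, THIS_DEVICE)
    new = load_policies_anniversary([LEAKED_SUPPLEMENTARY], THIS_DEVICE)
    print("old loader, leaked policy alone -> validation enforced:", image_validation_enforced(old))
    print("new loader, leaked policy alone -> validation enforced:", image_validation_enforced(new))
```

The forged and other-device policies are rejected by both loaders; the only difference between them is what happens to a correctly signed policy that was never meant to stand alone, which is the assumption change the post's last paragraph is about.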

Unfortunately for Microsoft, such a supplementary policy leaked. Installing it as a base policy on pre-Anniversary Edition boot loaders will then allow you to disable all integrity verification, including in the boot loader. Which means you can ask the boot loader to chain to any other executable, in turn allowing you to boot a compromised copy of any operating system you want (not just Windows).

This does require you to be able to install the policy, though. The PoC released includes a signed copy of SecureBootDebug.efi for ARM, which is sufficient to install the policy on ARM systems. There doesn't (yet) appear to be a public equivalent for x86, which means it's not (yet) practical for arbitrary attackers to subvert the Secure Boot process on x86. I've been doing my testing on a setup where I've manually installed the policy, which isn't practical in an automated way.

How can this be prevented? Installing the policy requires the ability to run code in the firmware environment, and by default the boot loader will only load signed images. The number of signed applications that will copy the policy to the Boot Services variable is presumably limited, so if the Windows boot loader supported blacklisting second-stage bootloaders Microsoft could simply blacklist all policy installers that permit installation of a supplementary policy as a primary policy. If that's not possible, they'll have to blacklist the vulnerable boot loaders themselves. That would mean all pre-Anniversary Edition install media would stop working, including recovery and deployment images. That's, well, a problem. Things are much easier if the first case is true.

Thankfully, if you're not running Windows this doesn't have to be an issue. There are two commonly used Microsoft Secure Boot keys. The first (the Microsoft Corporation UEFI CA 2011) is the one used to sign all third party code, including drivers in option ROMs and non-Windows operating systems. The second (the Microsoft Windows Production PCA 2011) is used purely to sign Windows. If you delete the second from your system's db, Windows boot loaders (including all the vulnerable ones) will be rejected by your firmware, but non-Windows operating systems will still work fine.

From what we know so far, this isn't an absolute disaster. The ARM policy installer requires user intervention, so if the x86 one is similar it'd be difficult to use this as an automated attack vector[2]. If Microsoft are able to blacklist the policy installers without blacklisting the boot loader, it's also going to be minimally annoying. But if it's possible to install a policy without triggering any boot loader blacklists, this could end up being embarrassing.

Even outside the immediate harm, this is an interesting vulnerability. Presumably when the older boot loaders were written, Microsoft policy was that they would never sign policy files that didn't include a device ID. That policy changed when support for supplemental policies was added. Without this policy change, the older boot loaders could still be considered secure. Adding new features can break old assumptions, and your design needs to take that into account.

[1] EFI variables come in two main forms - those accessible at runtime (Runtime Services variables) and those only accessible in the early boot environment (Boot Services variables). Boot Services variables can only be accessed before ExitBootServices() is called, and in Secure Boot environments all code executing before this point is (theoretically) signed. This means that Boot Services variables are nominally tamper-resistant.

[2] Shim has explicit support for allowing a physically present machine owner to disable signature validation - this is basically equivalent
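As an added example (not code from the post or from any firmware tool), here is a small parser for the Secure Boot db variable as Linux exposes it under efivarfs: a 32-bit attribute word followed by a chain of EFI_SIGNATURE_LIST structures. It decodes the attribute bits from footnote [1], so you can see which access the variable grants (a Boot Services only variable would lack RUNTIME_ACCESS and would not be readable at runtime at all), lists each entry, and produces the db contents with the Windows signing CA removed while leaving the UEFI CA in place, the split the paragraph on non-Windows systems relies on. Two simplifications are assumptions of the example: certificates are identified by searching the DER bytes for the CA's ASCII subject name rather than by parsing X.509 (a real tool should compare fingerprints), and the sample db is constructed in-line from placeholder "certificates" that merely contain those names. The owner GUID used for the constructed entries is the one commonly seen on Microsoft's db entries.

```python
import struct
import uuid

# EFI variable attribute bits (EFI_VARIABLE_* in the UEFI specification).
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

# Signature types that appear in db/dbx.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Subject names of the two Microsoft CAs. Matching on the ASCII name inside the
# DER blob is a heuristic used here so the example needs no X.509 parser.
WINDOWS_CA_NAME = b"Microsoft Windows Production PCA 2011"
UEFI_CA_NAME = b"Microsoft Corporation UEFI CA 2011"


def decode_attributes(attrs):
    """Return the names of the attribute flags set on an EFI variable."""
    table = [(EFI_VARIABLE_NON_VOLATILE, "NON_VOLATILE"),
             (EFI_VARIABLE_BOOTSERVICE_ACCESS, "BOOTSERVICE_ACCESS"),
             (EFI_VARIABLE_RUNTIME_ACCESS, "RUNTIME_ACCESS"),
             (EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,
              "TIME_BASED_AUTHENTICATED_WRITE_ACCESS")]
    return [name for bit, name in table if attrs & bit]


def split_efivarfs(blob):
    """efivarfs prefixes a variable's data with its little-endian attribute word."""
    if len(blob) < 4:
        raise ValueError("efivarfs blob too short")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def parse_signature_lists(data):
    """Walk consecutive EFI_SIGNATURE_LISTs and yield one dict per signature entry."""
    off = 0
    while off < len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST at offset %d" % off)
        body, end = off + 28 + header_size, off + list_size
        while body + sig_size <= end:
            yield {"type": sig_type,
                   "owner": uuid.UUID(bytes_le=data[body:body + 16]),
                   "data": data[body + 16:body + sig_size]}
            body += sig_size
        off = end


def build_signature_list(sig_type, owner, payload):
    """Encode one EFI_SIGNATURE_LIST holding a single EFI_SIGNATURE_DATA entry."""
    sig_size = 16 + len(payload)
    return (sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + payload)


def describe(entry):
    """Human-readable label for a db entry."""
    if entry["type"] == EFI_CERT_X509_GUID:
        for name in (WINDOWS_CA_NAME, UEFI_CA_NAME):
            if name in entry["data"]:
                return "x509: " + name.decode()
        return "x509: (other certificate, %d bytes)" % len(entry["data"])
    if entry["type"] == EFI_CERT_SHA256_GUID:
        return "sha256: " + entry["data"].hex()
    return "unknown signature type %s" % entry["type"]


def drop_entries(data, needle):
    """Re-encode the db contents without any entry whose data contains `needle`."""
    kept = [e for e in parse_signature_lists(data) if needle not in e["data"]]
    return b"".join(build_signature_list(e["type"], e["owner"], e["data"]) for e in kept)


def audit(blob):
    """Decode an efivarfs db blob: (attribute names, entry labels, data minus Windows CA)."""
    attrs, data = split_efivarfs(blob)
    entries = [describe(e) for e in parse_signature_lists(data)]
    return decode_attributes(attrs), entries, drop_entries(data, WINDOWS_CA_NAME)


# Constructed sample db, NOT a firmware dump: the "certificates" are placeholder
# byte strings that only contain the CA subject names.
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
FAKE_WINDOWS_CERT = b"\x30\x82\x05\x00" + WINDOWS_CA_NAME + b"\x00" * 16
FAKE_UEFI_CERT = b"\x30\x82\x05\x00" + UEFI_CA_NAME + b"\x00" * 16
FAKE_HASH = bytes(range(32))
SAMPLE_DB = struct.pack("<I", 0x27) + (
    build_signature_list(EFI_CERT_X509_GUID, MS_OWNER, FAKE_WINDOWS_CERT)
    + build_signature_list(EFI_CERT_X509_GUID, MS_OWNER, FAKE_UEFI_CERT)
    + build_signature_list(EFI_CERT_SHA256_GUID, MS_OWNER, FAKE_HASH))

if __name__ == "__main__":
    flags, entries, filtered = audit(SAMPLE_DB)
    print("attributes:", ", ".join(flags))
    for line in entries:
        print(" ", line)
    print("after dropping the Windows CA:")
    for entry in parse_signature_lists(filtered):
        print(" ", describe(entry))
```

On a real machine you would feed it the bytes of the efivarfs file for db (GUID d719b2cb-3d88-4696-9a98-e2e5c1c5b8c5). The filtered output is only the variable's data: because db is a time-based authenticated variable, actually installing it requires an update signed by a key in KEK, or putting the firmware into Setup Mode first, so the deletion the post recommends is done through the firmware's own key management or a signed update rather than by writing this blob back directly.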

A dream of fear and flying

Aug. 11th, 2016 11:19 am
[personal profile] brainwane
Last night I had a dream. I dreamt that I was one of four men (and a small dog?) in some kind of sporting event involving balance and strength. We arranged ourselves on the roof or the ledge of a really tall building, like, two of the guys got onto their hands and knees, and then the other two guys ... one was going to stand on those two backs, maybe, and then let the last one sit on the standing guy's shoulders? I'm not sure and also I'm not sure how the dog was involved.

I also had access to a harness and a bungee-type thing, and either to take a break or to do some kind of reconnaissance, I got into it and swung down off the building. What a rush! I was bouncing around excitedly in all three dimensions in a big built-up urban area, using my legs to spring off trees and buildings. Super exhilarating!

But then I realized that after all the bouncing calmed down, I would end this funtime, inevitably, on the ground, forty or more stories below the building's roof, and the team couldn't compete without me, and I wasn't sure how to get back onto that roof in a way that didn't disqualify me (and thus our team) from the competition. The elevator would be cheating. Maybe I had to hand-over-hand climb the exterior of the building, or maybe walking all the way up the stairs would be okay. I knew I needed to get back up there, but then I got sidetracked in a restaurant where I had trouble getting seated and I found myself sitting in someone else's seat and eating someone else's leftovers (and I think it was beef, which is strange since I don't eat beef). By the time I woke up I still hadn't figured out how to get back to my teammates on that roof.

Now that I'm awake I can see some of the immediate ingredients that went into the set dressing of this dream. I've watched some Olympics gymnastics, I was waiting for an elevator and considered walking up several flights of stairs instead, I was arranging a group dinner, I consistently had trouble hearing someone at an event. And I can guess at some of the underlying anxieties: that I'm letting down people who depend on me, that I've taken a leap of faith in starting this business and it won't work out, that I'm a copycat or too dependent on others' "leftovers" of various kinds.

The harness and cord were bright safety orange. And it was so much fun riding that energy, making split-second decisions and pushing off to fly in another direction. It was a novel and exciting mix -- like yeah, I couldn't change the laws of physics, but I could strip away the usual barriers we build up to insulate ourselves from the worst possible outcomes, and trust my autonomy and control and judgment would give me enough safety that I could have fun with the resulting possibilities, fun I couldn't have otherwise.

Most of my anxiety dreams don't have anything that joyous in them. I want to remember that joy and acknowledge the worry. They're both real.

Low impact living slack chat

Aug. 11th, 2016 11:13 am
[personal profile] alexbayleaf
A quickie: I started a Low Impact Living chatroom using Slack. You can invite yourself here if that sounds like your cup of tea.

(If I don't seem to be around when you arrive, just @ mention me (@alexbayleaf) and I'll pop in to chat.)
Page generated Aug. 24th, 2016 01:28 am
Powered by Dreamwidth Studios