By TODD BISHOP
July 31, 2006
Microsoft engineers will detail new security approaches in Windows Vista
at an important tech conference later this week. But when it comes to
grabbing attention, it won't be easy for them to top another session at
Its title: "Subverting Vista Kernel For Fun And Profit."
No, this is not your ordinary industry confab. In a first for Microsoft,
the company will present at the Black Hat Briefings -- an annual gathering
in Las Vegas where hackers, researchers, government officials and
corporate technology specialists unveil and analyze emerging computer
Microsoft's full day of sessions on Windows Vista reflects its effort to
improve security in the upcoming operating system and cut down on the bugs
that have made previous versions of its flagship program notoriously
vulnerable to online attacks.
The company will be showing the audience some of the key changes it has
made in Windows Vista security, and seeking feedback from researchers on
where it could still improve, said Stephen Toulouse, security program
manager with Microsoft's Security Response Center.
Toulouse called it an extension of Microsoft's ongoing interaction with
security researchers. Among other things, the company has held a series of
its own events with researchers.
"We want people to look at our assumptions and challenge them if they
think they're wrong," he said.
"At the same time, we want to show them that we've listened to the
feedback they've provided us over the past several years. That's really
what the presentations focus on."
For conference organizers, one original appeal was the timeliness, with
Windows Vista scheduled to come out in the fall, said Black Hat Briefings
Director Jeff Moss, the Seattle-based security expert who founded the
conference. Microsoft has since delayed Windows Vista's retail debut until
early next year.
"It doesn't have quite the impact that it was going to have if it was
right before the release," Moss said. "But I still think it's really
important, because this is the next generation, and these are the people
who helped design it."
The conference is expected to draw about 3,000 people. It doesn't promise
to be an easy crowd for the company, but Moss said Microsoft's efforts to
improve security in recent years have improved its standing.
"I think in the past they would have been more ridiculed, but they seem to
be following through on their statements" about security, Moss said. "They
made some pretty bold statements, but they've been backing it up with a
lot of money and a lot of effort, a lot of energy."
Windows Vista is the first version of the PC operating system to be
developed entirely under the "Trustworthy Computing" initiative that Bill
Gates launched in early 2002, after a series of high-profile
vulnerabilities in Microsoft programs.
The company says it has overhauled its process of developing software to
In addition, Windows Vista will come with a series of new technical
approaches and designs to protect against malicious programs such as
viruses and spyware, which can otherwise install and run on a computer
"We want it to be the most secure version of Windows ever, and the
security researchers are going to help us do that," Microsoft's Toulouse
Microsoft cautions that it won't be possible to completely thwart online
threats, given the complexity of software development and the changing
tactics of attackers. And other experts say that the level of security in
Vista won't be clear until it's released and widely used.
"You won't know until it's out there," said Bruce Schneier, chief
technical officer at Counterpane Internet Security. "Is the code better
quality? Will there be fewer vulnerabilities? Who knows? ... They're
doing this, they're doing that. Did they do it right? Who knows?"
Schneier described Black Hat as "a very hostile Microsoft audience." But
he said it's critical for Microsoft to take part in such events, to get
feedback that can help secure its products.
"They have to engage the hacker community -- they can't ignore them,"
"I think they deserve a lot of credit for it, because it's hard."
Black Hat is commonly called a hacker convention, but that word often
doesn't have the negative connotations in technology circles that it does
in popular culture -- instead referring to someone who modifies a system
or finds ways to infiltrate computer programs, but not necessarily with
The phrase "black hat" describes a criminal or malevolent hacker, but its
use in the conference name refers to the subject of the sessions, not the
attendees or speakers. "We're briefing on what the black hats are up to,"
Many of the researchers who attend Black Hat practice what's known as
responsible disclosure, giving companies such as Microsoft a chance to
patch flaws before details of the problem are public.
The "Subverting Vista Kernel For Fun And Profit" session is about a
technology called Blue Pill, developed by security researcher Joanna
Rutkowska of Singapore-based security firm COSEINC.
Rutkowska says she has come up with a way to insert "undetectable"
malicious code beneath the Vista kernel -- the part of the operating
system that controls the interaction between hardware and software -- by
taking advantage of hardware virtualization support in newer processors,
which lets a thin program run underneath the operating system and host it
as a guest, the same mechanism that lets one machine run multiple
operating systems.
Despite the title of the session, Rutkowska said in an e-mail that she
won't be providing the level of detail that would let someone subvert the
Vista kernel on their own, if they weren't already able to figure it out.
She said she hopes to spur the industry and processor vendors to try to
mitigate the threat, and she noted that nothing about Windows Vista makes
it more susceptible than other operating systems to a Blue Pill attack.
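The claim above rests on the kernel being hosted, without its knowledge, as a guest of a hardware-assisted hypervisor (the original Blue Pill used AMD's SVM extensions). The first check a practitioner reaches for against such a claim is a timing "red pill": the CPUID instruction traps to the hypervisor on Intel VT-x and on every practical AMD SVM hypervisor, so it costs far more cycles on a virtualized machine than on bare metal. The program below is an added illustration of that heuristic, not code from the article, from Microsoft or from COSEINC; the function names, the sample count and the cycle threshold are assumptions, and the small sample array is constructed for demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Timing "red pill" (added example, hypothetical helper names).
 * CPUID exits to the hypervisor under Intel VT-x and is intercepted by
 * practically every hypervisor under AMD SVM, so measuring its cost with
 * RDTSC separates "thin hypervisor underneath" from "bare metal". */

#if defined(__x86_64__)
static inline uint64_t rdtsc_now(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

static inline void cpuid_leaf0(void) {
    uint32_t a = 0, b, c, d;
    __asm__ __volatile__("cpuid"
                         : "+a"(a), "=b"(b), "=c"(c), "=d"(d)
                         : : "memory");
    (void)b; (void)c; (void)d;
}

/* Cycles spent on one CPUID, bracketed by RDTSC; CPUID serialises, so the
 * two reads cannot be reordered around it. */
uint64_t cpuid_cycles(void) {
    uint64_t t0 = rdtsc_now();
    cpuid_leaf0();
    uint64_t t1 = rdtsc_now();
    return t1 - t0;
}
#else
/* Not x86-64: no measurement possible, report zero. */
uint64_t cpuid_cycles(void) { return 0; }
#endif

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples; works on a copy so the caller's array is untouched.
 * The median is used instead of the mean so a stray interrupt or context
 * switch landing in one sample does not skew the verdict. */
uint64_t median_u64(const uint64_t *samples, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (n == 0 || tmp == NULL) { free(tmp); return 0; }
    memcpy(tmp, samples, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Verdict from a median cycle count. The threshold is an assumption that
 * must be calibrated on known bare metal for the CPU in question; a VM exit
 * round trip typically costs many times what a native CPUID does. */
int looks_virtualized(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

/* Take n live samples and return their median. */
uint64_t sample_cpuid_median(size_t n) {
    uint64_t *s = malloc(n * sizeof *s);
    if (n == 0 || s == NULL) { free(s); return 0; }
    for (size_t i = 0; i < n; i++) s[i] = cpuid_cycles();
    uint64_t m = median_u64(s, n);
    free(s);
    return m;
}

/* Constructed sample set (not real measurements) showing why the median is
 * robust: one 5000-cycle outlier does not move the verdict. */
static const uint64_t demo_samples[] = { 300, 120, 5000, 110, 140 };

uint64_t demo_median(void) {
    return median_u64(demo_samples,
                      sizeof demo_samples / sizeof demo_samples[0]);
}

int main(void) {
    const uint64_t threshold = 1000; /* assumption; calibrate per CPU */
    uint64_t m = sample_cpuid_median(1000);
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)m,
           looks_virtualized(m, threshold) ? "hypervisor likely present"
                                           : "no timing anomaly");
    return 0;
}
```

Build with a C99 compiler on an x86-64 machine (for example `gcc -O2 redpill.c`) and run it once on known bare metal to pick the threshold before trusting the verdict anywhere else. The check is a heuristic, not proof: both VT-x and SVM let a hypervisor offset the guest's view of the time-stamp counter, so a hypervisor written to defeat this measurement can push the numbers back under threshold, which is exactly the cat-and-mouse the "undetectable" claim above invites.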
But past Black Hat Briefings haven't been without controversy. Last year,
Cisco Systems went to court seeking an injunction after a researcher, over
its objections, gave a presentation at Black Hat on a way to exploit a
flaw in Cisco's router software.
At the same time, in the world of hacker conventions, Black Hat
traditionally has more corporate involvement and a less renegade
reputation than Def Con -- a gathering in Las Vegas immediately after
Black Hat that accepts only cash for admission, to avoid having any
records that could be subpoenaed.
Moss, who sold Black Hat to CMP Media last year, runs Def Con
independently. Microsoft isn't scheduled to present at Def Con, although
Toulouse said people from the company will attend.
BLACK HAT BRIEFINGS
Microsoft will be putting Windows Vista under the scrutiny of hackers,
researchers and other computer security experts Thursday at the Black Hat
Briefings in Las Vegas. Coming up this week in the Seattle P-I:
Wednesday: A detailed look at Microsoft's new security initiatives in
Windows Vista, and its remaining challenges, on the eve of the company's
Black Hat presentations.
Friday: From Las Vegas, coverage of Microsoft's Black Hat appearance.
SeattlePI.com: Follow the news from Black Hat starting Wednesday at Todd
Bishop's Microsoft Blog.
Software Notebook is a Monday feature by P-I reporter Todd Bishop. He can
be reached at 206-448-8221 or toddbishop [at] seattlepi.com