http://www.businessinsider.com/expert-builds-secure-version-of-windows-2015-8?r=UK&IR=T
The security of memory randomization is nothing new. However, elements of this system were added to standard varieties of Windows since Vista, so it’s not an unknown technique. I’d most certainly run Israeli Windows, given half a chance, but I see a handful of problems. First, our friend Backwards Compatibility. Want your older versions of your programs to work? They may not fare well with randomized memory. Even modern applications aren’t guaranteed to work properly with randomized memory. Next, memory randomization is all well and good if you’re sure you’ve got access to the bare metal, something that Blue Pill and other virtualization-based rootkits make challenging to confirm. We also need to discuss the concept of being “secure” in this context. Most people have a “do what I mean” mentality when it comes to using a computer, which is perfectly reasonable. However, computers themselves run on a “do what I say” ideology. Memory randomization isn’t going to help prevent ad-serving software that was “opted in by the user, pinky promise…”, which most people tend not to want running on their computers.
Finally, there’s the question of what Microsoft’s response to this is. In software development circles, “randomize your memory” is somewhat similar to “use a 15-character password that uses letters, numbers, capitalization, and symbols, and use a different one for every website, and don’t write them anywhere, just remember them all.” A great idea for people who don’t have annoying things like “deadlines” and “imperfect memory” and “actual work to do”. Microsoft is clearly aware that it is a more secure method of writing software, so the fact that this guy was able to do it is not like someone at Microsoft said, “hark! nobody has ever thought of this before!!”. On the contrary, Microsoft’s own software development environment has had this since 2008. If this guy made it work in such a way that doesn’t cause compatibility or stability issues, then he may well have something. The more concerning thing, especially for Microsoft, is that either he accomplished this without the source code to Windows, or he, in fact, has the source code. Either way, Business Insider is accurate in that Microsoft is very likely to have their eye on him.
Either way, if this ever gets released, and it’s actually compatible with the software I use, I’m most certainly in favor of using this over the usual stuff that comes out of Redmond.
