Wednesday, September 30, 2015

Deterministic Rebuild of Windows 10 Laptop



Yesterday, I attempted to rebuild a box while verifying SHA1 hashes and signatures at every point, with Secure Boot enabled from the start

It turns out to be surprisingly difficult to rebuild a Windows 10 machine in a deterministic way. Using the supplied Microsoft tools, generated ISO files are unique and cannot be verified out of band.

Here's the method I wound up using.

1. Acquire the official ISO for the Windows 10 version you are installing.

2. Sign in to a Microsoft account and browse to MSDN subscriber downloads: https://msdn.microsoft.com/subscriptions/securedownloads/

Locate the version you're installing and verify the SHA1 hash matches the one you're going to install. You can view this even if you don't have any MSDN subscription.

3. Copy the iso file to a USB key (you might need to format this as NTFS) and boot the laptop from a Linux USB stick (i used Kali).

4. Burn the ISO to a DVD using Brasero or another Linux burning tool with verification enabled. This turned out to be the only way this process would work. Using a USB key resulted in the Windows installer failing to find the hard disk, and there was no way to verify that the iso burned matched that on the Windows installer USB key.

5. Reset the laptop's bios to defaults, verify that secure boot is enabled.

6. Boot from the DVD and install Windows as normal, without any network connection. Disable all Microsoft telemetry except SmartScreen as you go through the install process.

7. Log in for the first time, attach a network cable, perform a Windows update.

8. Open Edge. Download the Sysinternals Suite from https://technet.microsoft.com/en-us/sysinternals/bb842062 and extract it to system32.

9. As you download and reinstall your applications, verify their integrity by using "sigcheck -h -v". Check that they do not have any reported infections on VirusTotal, and perform both Google and Bing searches for the sha1 hashes. Anything you typically install on a base OS should already be in VirusTotal. If it hasnt, and you can't verify the hash using google or bing, you may have a problem.

I ran into issues with the following apps:

Chrome 64 bit installer. The version that came from https://www.google.com/chrome/browser/desktop/index.html did not have a verifiable sha1 hash.

Google Drive installer. As above.

PuTTY from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. It aggravates me to no end that Simon Tatham refuses to deploy HTTPS with pinning. VirusTotal reported 2 infections in the versionof PuTTY currently being distributed from there. These are probably false positives, but nevertheless I downloaded a version of PuttyTray from https://puttytray.goeswhere.com/ and verified the SHA1 and GPG signature. This version reported 0 infections on VirusTotal.

Throughout the process above I've run on the following assumptions:

1. I have to trust the manufacturer of my hardware to ensure it's not been backdoored in the UEFI or somewhere else.
2. I have to trust Microsoft as the provider of my OS to not install any backdoors and patch any vulnerabilities in a timely fashion.
3. I have to trust that Google hasn't been compromised to the level where it will serve malicious executables.
4. I can't defend myself against nation state adversaries with the resources to plant binaries in a way that won't be detected using the methods above. I rely on the combined efforts of the community, Microsoft, Google, and all the vendors who participate in VirusTotal to offer me some basic level of assurance that I have done all I can to ensure I don't get compromised.
By documenting this process, anyone else can follow it and point out any flaws in my process and next time I do a rebuild I'll be able to do things better.

Beyond the steps above I've also configured AppLocker with the default file hash rules, and my day to day use is with an unprivileged account.



No comments:

Post a Comment