Windows Ce 6 is designed to deliver a hard-time, small-footprint operating system for the creation of device software. In this context, Windows CE 6 is both a portfolio of tools and of operating system features offering interoperability with industry standards and the desktop and server technologies produced by the Redmond Company.

The Windows Mobile Group still has to make a final decision over the adoption of Windows CE 6. In this article you will be able to read about a variety of enhancements introduced into Windows CE 6 in comparison with Windows CE 5. The points presented herein are extracted from a variety of presentations related to Windows Vista.

The Windows CE 6 Overview by David Kelly & Tim Kiesow of Microsoft, Inside The Windows CE Kernel by John Hatch & Bor-Ming Hsieh of Microsoft, Developing Bootloaders for Windows CE by Glen Langer of Microsoft and Steve Maillet of Embedded Fusion and Porting Drivers to the Next Version of Windows CE by Juggs Ravalia of Microsoft have served as sources for the Windows CE 6 features. Additionally, I would like to thank Ollie Whitehouse, a member of Symantec Security Response's Advanced Threat Research team, for making these available.

- It supports safe SEH for security compliance (/GS)
- Secure C Run-Time Libraries
- PREfast support for ARM, MIPS, and SH
- Increase from 32 to 32,000 processes on the device
- Instead of a single 2GB VM for all processes now 2GB per process
- Separation of user and kernel mode space
- File system can support data encryption
- Added 802.11i support for WPA2 compliance
- Windows Media DRM 10 PD and ND
- Graphic windowing and events subsystem (GWES)
- Networking (TCP/IP, IPv6)
- Expanded file system
- More device drivers
- Critical OS components moved into kernel space (critical drivers, file system, and graphical window manager into the kernel)
- New shared heap (R/W for kernel R/O for user land)
- 1GB per process space
- New operating system layout
- In-depth security review of: System calls, Handles, Exception Handling, Memory Allocation, Loader,
- Improved parameter validation for system calls
- Per-Process page and handle tables - greatly improves process isolation, Improves code robustness
- System calls run on special kernel side stacks
- Safeguards system calls from stack tampering
- Heap control structures separated from heap data
- Safe Remote Heaps for OS components
- OS servers can open heaps in user process
- R/W for servers, R/only for user
- Performance optimization and safety from tampering
- Support for secure boot loaders
- Public / private key based
- Based around file signing
- Features supported in hardware (partial list)
- On-chip, tamper-resistant boot ROM
- On-chip RAM (secure key storage)
- Cryptographic support
- JTAG can be disabled
- Fusible or one-time programmable elements
- They acknowledge if JTAG is enabled, it all "falls apart"
- There are more complex attack scenarios that require secure PCB design to mitigate
- Embedded (nested) pointers and how they can be used for attack, such as:
- Pass an embedded pointer to some kernel address space and ask the driver to read/write to the addressed buffer, thereby potentially modifying the kernel
- There is a lot of emphasis around validation to mitigate this
- The kernel will perform parameter pointer validation
- It's down to the API to perform embedded pointer validation
- The thread permissions model has changed in drivers
- There is strong emphasis on copying the "callers buffer" and then using that copy, as opposed to using the callers buffer itself