
Vista kernel defenses defeated


It appears that a security feature present in the 64-bit edition of Windows Vista can be easily circumvented. One of the security provisions in this edition of Vista is that only digitally signed code can be loaded into the kernel.

Well, until the arrival of a free utility from Australian developer LinchpinLabs, that is.

The idea behind allowing only digitally signed code to run is that it would stymie rootkits, which involve loading driver code into the kernel to corrupt it from within and to cloak themselves.

According to researchers at Symantec, however, LinchpinLabs' Atsiv renders this a moot point by using signed drivers to load other, unsigned code into the Vista kernel.

Excerpt from Network World:

"[Atsiv's] command line tool loads [its own] appropriate driver, which then in turn allows loading of unsigned drivers due to the implementation of their PE loader," said Whitehouse [an architect with Symantec's advanced threats research team]. "A side effect of using their own load is noted by the authors in their design documentation: 'Atsiv doesn't add the driver to the PsLoadedModules list so it is not visible in the standard drivers list.'"

The counter-argument by LinchpinLabs' creators, identified only as "Dan" by the Network World article, is that Vista's signing requirement doesn't prevent malware but merely prohibits freedom to choose.

In fact, below is an excerpt from an article on rootkit.com titled Loading unsigned drivers on Vista. It pulls no punches:

A signed file uniquely identifies the company that developed that file but when companies can be created and registered in jurisdictions known for protecting the privacy of company founders and directors you have to ask what does driver signing actually represent? Signed drivers can be signed by an arbitrary legally registered company.
Absent any control over what the driver actually is or does, this provides no real additional security, other than removing author anonymity. So do the new Vista “features” improve system security or only impose limitations?

While driver signing certificates can be revoked, new certificates, with enough money, can be created faster than it takes to change a file's signature. If this is indeed the case then it is the hobbyists and home users that end up paying the cost.

I personally am of the view that Microsoft is really trying to improve its security record. Then again, if you are like me, you just ignore the warnings and install a driver anyway, even if it is not digitally-signed.

So the question is: Does digital signing of drivers create more problems than it solves?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

5 comments
The Scummy One

To answer the article's questions: "So do the new Vista “features” improve system security or only impose limitations?" Signed drivers really do not do much for security, but it can help to keep some (not all) bad apps from running amuck on one's system. But, as stated, this is not real world security. It hinders the ability to run other SW and/or install drivers for other devices. For most people, it is not totally a bad thing, but for many, it keeps them from being able to do as they wish with their computer. So, this question is totally dependent on the user in question. "Does digital signing of drivers create more problems than it solves?" Yes and no. Signed drivers with an easy way to disable it should work just fine for the majority of users. It is there to help protect a person's system, and if it can be disabled, an advanced user can still do as they wish, at their own risk. Just because someone can load a signed driver and it can load unsigned ones does not mean that every company or even most is going to go this route. This is where the user needs to use their best judgement for installing SW. Real security needs to start from the users themselves, and to not 'trust' everything that they see on the Internet.

Tony Hopkinson

Signed driver is not, was not and never will be security. By itself it's merely a trust relationship and one of obvious unreliability. No different to a signed ActiveX, why someone thought the same failure applied to drivers would suddenly morph into a success, is beyond my ability to comprehend. This 'reply' with the automatic subject sucks big style by the way.

melekali

While in principle driver signing might be a theoretically good idea, your quote points out the obvious - we are putting our trust in something that can easily be faked. Microsoft really doesn't get security yet. I hope one day they will join the rest of us in recognizing what really provides security and what only appears to provide security.

lelerew

"join the rest of us in recognizing what really provides security" Please share with us these secrets of the universe.

paulmah

Does digitally-signing of drivers create more problems than it solves?
