Device Drivers Filled with Flaws, Pose Risk

Gary W. Longsine writes "Security Focus describes device drivers as an untapped source of buffer overflows, posing substantial risk not typically considered as part of a standard risk assessment. The security risks of device drivers on both Windows and Linux, including network (remotely exploitable) and hardware drivers (typically only locally exploitable) are discussed in the article. I've noticed that software you wouldn't expect sometimes installs a device driver component. I can understand this as a component of an antivirus or host based firewall, but it seems to be an oddly common design pattern on Windows, which clearly poses substantial risk."

Design pattern

[davidstrauss]

oddly common design pattern on Windows

Could someone give me examples of this? Most software I use doesn't do this. It seems more of a design pattern for DRM stuff (like DVD audio).

Re:Design pattern

Games do this often for their copy-protection methods. The most common is Starforce, which installs a driver without which the program will not run.

Re:Design pattern

[nmb3000]

Could someone give me examples of this?

I was thinking the same thing. Obviously some stuff will have a driver it installs because it is required for whatever it's doing. Examples of valid ones roll off easy enough: Daemon Tools (ISO emulation), UltraMon (multi-monitor manager), hardware-heavy optical disk apps like Alcohol 120% and Blindwrite, OpenVPN.

I think often times the reasons behind device driver usage are linked very closely to efficiency and ease of implementation. If you need close hardware access and want to be fast and efficient doing it then a device driver is probably best. Even if it were possible doing it with some sort of hook and DLL system, it's going to be a lot slower and more of a kludge.

I figure that while device drivers are another part of software that needs to be analyzed for security flaws, they really aren't that special. One of the simplest security flaws, a buffer overflow, can still be found in who knows how many programs? The fact that a driver runs near the kernel is something to watch for, but methods like DLL injection have enabled people to get kernel-privileged access before on Windows (remember getAdmin for Win2000?).

Re:Design pattern

[moonbender]

Look for yourself, if you are on Windows anyway. Open the device manager, check "show hidden devices" in the view menu and look at the new devices that appear. Especially the ones in the "Non-Plug and Play Drivers" category. Some examples from my system include "Creative AC3 software decoder" (along with half a dozen more drivers the Audigy installs), "StyleXP helper" (Window skinning), "mnmdd" (no clue). And this is a fairly clean system, apart from Style XP maybe. Most of these would make sense as services, but device drivers? Not that there is a shortage of services on a typical Win XP system!

Re:Design pattern

[Tim+Browse]

My favourite part of Starforce is that it installs a device driver without asking the user first - you run the game, it silently installs a device driver.

Nice.

Re:Design pattern

[Afrosheen]

Yeah but the dead giveaway with Starforce is that it requires a reboot after you install the game. We all know why Windows needs to reboot post-install: drivers.

Well, actually, Windows will reboot post install for a number of reasons, but for a game using Starforce, it makes sense.

Re:Design pattern

[Anon+E.+Muss]

Wrong! Installing drivers is not a major cause of reboots on Windows. The only time you absolutely need to reboot is if you update the boot disk driver. There is no different than Linux. Any properly written Windows driver can be installed or updated without a reboot -- if the driver writer didn't do their job, blame them, not the OS.

The real cause of most reboots are attempts to replace active user-mode executables (EXE or DLL). Executable files cannot be replaced while they're running. This makes it practically impossible to update system DLL's without a reboot, since they're going to running in some process all the time.

Re:Design pattern

[Afrosheen]

"Can you do it without shutting down X, and all running X applications? Is that really so different than than a reboot?"

It's very much different than a reboot. My system keeps running, but the 'paint job' stops. You could have other processes in the background doing their job (like copying files in another shell or whatever) while you do the update. You unload the old kernel driver, load the new one, start X back up.

One hardware driver one from way back.

Sending a modem user a ping with +++ATH0 embedded. As soon as it was returned, those modems with defective modem drivers that didn't filter anything would hang up. Quick simple DoS.

Surprisingly it still works on some systems more than 18 years after I first tried it.

Re:One hardware driver one from way back.

[erlenic]

Some ping programs let you specify the payload in the ping packet. It's usually just used to bloat the packet for MTU testing.

+++ATH0 is the modem command to hangup.

Re:One hardware driver one from way back.

[AndroidCat]

That should only work with modems that took the cheap route. +++ is supposed to be wrapped with a guard delay that would prevent that. (There's probably some vulture lawyers still charging licence fees for Hayes' patent on that.)

Re:One hardware driver one from way back.

[BurntNickel]

On the modems that I used it was required that there be a one second pause between the +++ and any following characters to get to command mode so I've never seen this actually work.

Re:One hardware driver one from way back.

[kernelfoobar]

I actually have done this and it does work on some modems, pretty cool actually. Think: someone might try to view comments and keep getting disconnected right at this moment.

Re:One hardware driver one from way back.

[Myria]

REAL modem drivers would use ATS2=255, which disables the +++ string. Then, to hang up, you drop the Terminal Ready (TR) bit of the serial port. This way, there is no string that can hang up the modem.

Melissa

Re:One hardware driver one from way back.

[codegen]

That's sort of the point of the ancestor post. Some drivers do not do that and are succeptible to the attack.

Re:One hardware driver one from way back.

All of these replies and no one remembers doind this to hapless IRC users?

/ctcp ping +++ATH0

You soon learnt the proper initialisation string to stop your modem hanging up. Something to do with setting the proper mask in one of the S registers, if I remember correctly.

Re:One hardware driver one from way back.

[Anon+E.+Muss]

The delay after +++ was patented by Hayes. After the "Hayes AT standard" was firmly established in the market, Hayes started suing other modem manufacturers for patent infringement. Many decided to remove the delay requirement rather than pay royalties. There are a lot of modems that will hang up if they receive "+++ATH0\r" in a continuous stream.

Re:One hardware driver one from way back.

[zerbot]

People put it in .sigs in order to nail the kinds of people who didn't trim before replying, including trimming the .sig.

there are many examples ...

[tronicum]

Most direct disc access (antivirus) or "personal firewall" products install theirself as driver between the physical and logical layer.

This leads to many problems like stuff found recently in almost all Computer Associates eTrust Antivirus products. Because Zonealarm licenced the same software, they were affected, too.

This is just one example of many :

• McAfee
• Trend Micro
• F-Secure
• Symantec

So many well known enterprice Antivurs/Firewall companys create drivers that lead to security flaws and it is not limited to Windows....

Video games are the worst offenders

[Myria]

Video games' copy protection systems install device drivers like crazy to try to prevent CD-ROM emulators and such. Others install drivers to prevent cheating. When they do this, they often mess up the system involved and leave the system vulnerable to attack.

For example, a few months ago, the nProtect anti-cheat system, which installs device drivers, had a buffer overflow in it that allowed local privilege escalation.

Melissa

Multimedia Keyboards

[Lucractius]

seems these are almost everywhere these days. and with all the odd keys a lot of them Do need their own custom drivers for the extra keys and knobs and dials etc.

whatever happend to the good old days when an IBM model M was all you needed :)

Re:Multimedia Keyboards

[AndroidCat]

Old days?

Re:Multimedia Keyboards

[rokzy]

the worst is logitech mouse (MX900). it wants you to install shockingly ugly control software which not only wastes resources but reduces functionality.

the box says it supports IE only (a mouse suporting a browser!? wtf!?) which refers to the forward and back butons. but if you don't install the crappy software, the buttons work fine in firefox.

I suspect the main purpose of the software is just to try to force a taskbar icon on users to act as a form of self-advertising. it certainly isn't to make the mouse better.

duh.

[Crimson+Dragon]

To cite poor design as a source of security vulnerability is to state the obvious. We spend so many man hours fixing problems that didn't have to exist in the first place, that we cannot address the problems that came inevitably over the course of implementation of software packages and protocols.

not that easy

[roman_mir]

let's say there is a driver and it allows a buffer overrun to execute some attacker's code. Well to get to the driver the attacker has to first go through a user application. So there is a problem when the combination user application/device driver both have a problem validating the same input. I am not saying this is impossible, but it would be more unlikely - there must be a great coincidence at work here. Besides normally user applications do not pass user input directly to the device drivers. The user applications translate input from user form to some implementation specific device driver input. So more likely than not there is a layer of input transformation between the user and device driver.

Now to go around this problem the attacker may need to get the user to execute some code on the machine and this could mean that if the code is executed - even on a Linux box for example, and the code exploits a device driver flaw, due to the monolythic kernel structure of Linux it is in principle possible to execute code that will say change user privileges to admin level. I guess this would be much more difficult with a microkernel approach like what Hurd is supposed to be, because even device drivers will run in managed memory mode.

Re:not that easy

[Gary+W.+Longsine]

Good point. However, it doesn't need to be easy, it just needs to be easy enough for one sharp cracker to figure it out.

Today there are literally thousands of variants different worms exploiting dozens of different buffer overflows. Most of them are derivative, relying on published source code produced by one person, and sometimes on a toolkit. If there are dozens or hundreds of buffer overflows in commonly used device drivers, they will get discovered and some of them will be exploited. Some of them might be exploited already by crackers with goals other than using worms to create fleets of botnets.

Re:not that easy

[TwistedSpring]

Not necessarily. In the case of network drivers, drivers installed by firewall software, and so on, the attacks can easily be performed remotely by sending stuff over the network. However, I think that any case where a network driver will contain a flaw exploitable by stuff sent over the network will be quite rare.

Drivers on Windows NT are reasonably well protected. If a driver attempts to do something it's not supposed to (like access an address outside of its assigned address space) this will be trapped by the kernel and you'll get a STOP error (BSOD). That's what the STOP errors are for, any event where a device driver has performed an action that could compromise the data in the system if the system were allowed to go on running. It's also why STOP errors drop you out to standard VGA text - to avoid using the graphics drivers anymore.

Probably the greatest security flaw you could acheive in a driver is a denial of service, although they run at the kernel level, they still don't have system-wide access. There may be some way to gain that, but I doubt it. They certainly don't have access to user mode, and to access disks and e-mail clients and so on they'd have to go up to user mode level. Due to the lockdown on their address space drivers cannot communicate with oneanother, and in order to access the disk or network they'd need to do so through another driver which they can't "see".

So the most you'd get is a BSOD, which is annoying, but you can always head into safe mode and disable the driver to fix that. If the exploit was in a disk driver or something, you could be very, very fucked though.

Re:not that easy

[Foolhardy]

All drivers run in the same kernel mode virtual address space (usually the top 2GB) plus the current process's virtual address space. Drivers are free to call the native Zw* functions, the ones that don't do security checks or validation. Drivers can access the same Object Manager namespace as everyone else so there aren't any 'hidden' drivers.

There's nothing stopping a driver running malicious code from connecting to the \Device\Tcp device to open a socket, using ZwCreateFile to copy a malware app into the Windows directory and using ZwCreateKey to install it as a new service.

There's also nothing stopping a driver from posting a kernel APC onto a thread from a user-mode victim process so that the driver can load malicious code into the process. After that, it's as simple as changing the thread's thread environment block to return into the new code's address. The next time the thread is scheduled, the malicious code will be running. All with zero access checks.

STOP errors do in fact occur when a driver tries to access certain read-only memory sections. These are sections that were setup at boot time and should never be changed. You're right about the purpose of STOP errors (die if there's any chance of corruption) and why the video drivers are avoided.

Re:Easy solution

[maxwell+demon]

Not only device drivers! :-)

ATI

[sabernet]

Well, ATI's drivers have always been nasty. Now I can call them "viral"? :)

ugh

[Mr.+Underbridge]

As Linus once said, "Given enough eyeballs, all bugs are shallow." If board makers would GPL there drivers or even send one free of charge to a kernel developer, we would not have this problem.

1. Linus didn't say that, Raymond did. 2. By your own analysis, all famous open-source projects should be bug-free, right? Like Firefox, right?

Stop drinking the kool-aid. Open source is not a panacea for all software development problems, and Raymond made a lot of sweeping generalities in the book you're quoting, many which make for great sound bites but are absolutely irrelevant.

Re:ugh

[Nimrangul]

While it is true that open sourcing something doesn't necessarily help with security issues simply by being open, it does give a better chance of finding those issues in a timely manner.

Now, I'm not saying that hackers will go and start fixing open source drivers just cause they're there, some will, but it is not something to count on. I am saying that crackers will go into that code and find the problems and start using them.

Once the bad guys see how something works exactly they can set up exploits much more rapidly - causing the code's maintainers and architects to fix these flaws both minor and major.

Do you not think that if drivers were open sourced we'd see a much more rapid developement of exploits and subsequent fixes?

This increased rate of reaction would in the end lead to a more mature and secure driver set; although for a time it would likely be hell for system administrators and home users.

Re:ugh

[forkazoo]

1. Linus didn't say that, Raymond did. 2. By your own analysis, all famous open-source projects should be bug-free, right? Like Firefox, right?

Stop drinking the kool-aid. Open source is not a panacea for all software development problems, and Raymond made a lot of sweeping generalities in the book you're quoting, many which make for great sound bites but are absolutely irrelevant.

Certainly, no reasonable person will suggest that if you make some horrible software, putting the source on an ftp server will magically cause it to work perfectly, or all the bugs to be instantly found. Open source software does, however have some merits.

Suppose a team is trying to track down a bug in some software they wrote, but they can't find it. Everything looks right. Well, then that's pretty much it. They just keep looking. With open source, you have a chance that some random stranger will approach a problem with a fresh set of eye balls, and ask, "What the hell were you smoking!!??!!" I know I have been immensely helped by having a friend looking at my code, and he has been immensely helped by having me look at his. Whenever some 3rd party can look things over, he isn't emotionally attached to early design decisions, and he hasn't already convinced himself that something is correct. The only was to do that with proprietary software is to bring in a consultant. That's usually expensive, and it would be embarassing to the devs if he found major problems.

Another advantage to OSS is that knowing your code will be seen by others forces you to be a bit less likely to name your variables bob and fish, and freddybob. Obviously, no proprietary developer should do anything like that, but we have all gotten caught up in trying to make a prototype, knowing about the weaknesses of the prototype, realising the schedule is short, and declaring the prototype "good enough." You try to convince your boss you need more time to do a proper rewrite, with an extensible architecture that will better accommodate growth. He says tough banannas. Then, you wind up trying to bolt on the features for version 2 and 3, onto what was supposed to be just a prototype. Madness ensues. Whereas, doing a public release from day 1 means you would be embarrassed if people saw your prototype, so you are a little more likely to try to do it right.

So, yeah, I agree with you that zealots have to much faith in OSS, and probably unjustified criticism of proprietary software, but on even footing, with competant developers on both sides, the ability of OSS to leverage more "outside proofreaders" does suggest that it has the potential to be a bit higher quality on the average. Not perfect. Not always better. But, still, not a bad idea.

Re:Is this another reason to buy a Mac?

Fool.
Drivers that come with the OS are still drivers.

Re:Is this another reason to buy a Mac?

[afd8856]

Who told the god damn noobies about slashdot?

"Built For Windows"

[CdBee]

I've always tried to buy hardware which is supported by default in Windows - since XP-SP2 added a bunch of new drivers this has got a lot easier.

My reasons were so that a reinstall is a simpler affair, but it appears I may have been reaping security benefits too...

Re:Why is this a bigger risk on windows?

[Gary+W.+Longsine]

An individual instance of a given buffer overflow exploit in a device driver in and of itself is not really a bigger risk on Windows. It just seems to be a more common design pattern on Windows systems, thus creating more opportunities for exploit. (Several fine examples of questionable use of device drivers, and some associated known vulnerabilities are discussed by others here).

The referenced article at Security Focus points out that inspection of device drivers in Linux revealed similar defects in device drivers.

Device drivers are more interesting than user land software because they run in kernel space, allowing the exploit to be immediately useful to perform nasty things like install rootkits and trojans, log keystrokes, etc.

Re:Is this another reason to buy a Mac?

[rokzy]

oh god no!

I tried that once. it suggested an update for my network card and pretty much fucked my system.

never again. never.

Open Documentation == Safe & Reliable Drivers

[shking]

One more reason to help groups trying to get documentation in order write their own drivers. Manufacturers seem more concerned with slowing down their rivals than with growing their customer base (for free!). Consider OpenBSD's recent problems with Adaptec.

Windows design flaws

[typical]

The real cause of most reboots are attempts to replace active user-mode executables (EXE or DLL). Executable files cannot be replaced while they're running. This makes it practically impossible to update system DLL's without a reboot, since they're going to running in some process all the time.

Yup. This is a major design flaw in the Windows kernel that dates way back. It's a significant part of the reason that you don't have to reboot Linux for anything other than a new kernel, but Windows frequently needs to be rebooted for user-level application installations.

It's on my list of "stupid design decisions made in Windows" (where "Windows" == NT family, not 9x family).

Other goodies are:

* "pageable kernel memory pools" (sounds like a good idea, but significantly increases complexity of writing kernel code and ease of introducing lockup bugs) over Linux's approach of just unloading modules

* Microsoft's decision to not support "real" links, just shortcuts, in their user-mode software.

* Allowing application software to "block" a shutdown.

* Not allowing Windows to run without VM.

* Not designing Windows to be able to run off of read-only media.

* Godawful shell (not fundamental to the OS, and hopefully will fixed in Longhorn) and virtual terminal, to the point where most Windows users hate the terminal.

* Bad VM algorithms. I don't know what they use, but try running low on memory on a Windows box and the system becomes bloody unusable.

(From a developer standpoint)

* Poor sockets implementation (which is still the only reasonably portable networking API under Windows -- even IOCP lacks a IOCP-able connect() up until WinXP) with no way to kick select() awake, no local-domain sockets and lots of other flaws and irritations that have to be worked around by the Windows sockets programmer.

* Never precisely specifying API behavior -- MSDN is more of a tutorial or basic user guide to the API than a true specification. Look at a Linux man page and you generally have pretty strong guarantees on the behavior of the function provided, and that isn't even the specification (those which the function conforms to are listed and you can read a hard specification of guaranteed behavior).

Why do we even need device drivers at all?

[Skapare]

Why do we even need device drivers at all? I've worked on (used, administered) two different kinds of major operating systems (and a couple more smaller ones) that did not use device drivers at all. The answer to thise question reflects a condition that those two major OSes did not have to deal with: lack of standardized hardware.

The original IBM System 360, released in the 1960s, effectively had relatively standardized hardware. That was because IBM made all the hardware. When other manufacturers eventually made their own hardware, they were forced to make that hardware compatible. A manufacturer of a disk drive had to make it accept every hardware command that IBM's own models accepted, or it would not work. No provision existed in the operating systems for these machine to install or load a special device driver, short of modifying the source directly (which was all in assembly code for the mainframe CPU architecture).

I/O operations in the original System 360, and to a great extend in the 370 and 390 that followed, is quite uniform compared to the PC architecture. Although IBM popularized this architecture, it was actually the design of the 8088 CPU that caused things to be quite non-uniform due to it's lack of any I/O architecture (it only had a simplistic in/out CPU instruction set, which effectively functioned like fetch/store instructions in a private address space). This meant every peripheral (like a serial port) had to operate its own way. Microsoft's DOS operating system furthered the dependency on device drivers being added by making it relatively easy to do. So by combining an architecture that was very poor at I/O, absent of an I/O standard, and an OS that made discrete device drivers easy, we have this become dependent on this.

A computer architecture could still be built that includes a standardized I/O infrastructure (e.g. all devices interface the same way) and standardized I/O command set (e.g. all operations of the same class operate identically), and would not need individual device drivers. Each different class of device (e.g. a hard drive is an example of one class) would have its own I/O handling code in the OS which can be referred to as the device driver, but it would be one set of code that handles every device of that class. A command from the "hard drive handler" code in the OS to read a specific sector of storage would be exactly identical regardless of the size of the drive (if it accesses a non-existant sector, it always gets a standard error), the maker of the drive, and whether or not there is a gateway controller to interconnect legacy hardware (e.g. SCSI, IDE, SATA, etc). The same principle would be applied for all other classes of devices. All random accessible devices could then be bootable with merely the issuance of a basic "read a sector from offset N" command generated by a very simple firmware system ... for some standardized value of N for booting purposes.