Slashdot Mirror

← Back to Stories (view on slashdot.org)

Device Drivers Filled with Flaws, Pose Risk

Posted by ryuzaki0 on from the enemy-within dept.

Gary W. Longsine writes "Security Focus describes device drivers as an untapped source of buffer overflows, posing substantial risk not typically considered as part of a standard risk assessment. The security risks of device drivers on both Windows and Linux, including network (remotely exploitable) and hardware drivers (typically only locally exploitable) are discussed in the article. I've noticed that software you wouldn't expect sometimes installs a device driver component. I can understand this as a component of an antivirus or host based firewall, but it seems to be an oddly common design pattern on Windows, which clearly poses substantial risk."

21 of 189 comments (clear)

  1. Design pattern by davidstrauss · · Score: 3, Interesting
    oddly common design pattern on Windows

    Could someone give me examples of this? Most software I use doesn't do this. It seems more of a design pattern for DRM stuff (like DVD audio).

    1. Re:Design pattern by Anonymous Coward · · Score: 5, Informative

      Games do this often for their copy-protection methods. The most common is Starforce, which installs a driver without which the program will not run.

    2. Re:Design pattern by nmb3000 · · Score: 4, Informative

      Could someone give me examples of this?

      I was thinking the same thing. Obviously some stuff will have a driver it installs because it is required for whatever it's doing. Examples of valid ones roll off easy enough: Daemon Tools (ISO emulation), UltraMon (multi-monitor manager), hardware-heavy optical disk apps like Alcohol 120% and Blindwrite, OpenVPN.

      I think often times the reasons behind device driver usage are linked very closely to efficiency and ease of implementation. If you need close hardware access and want to be fast and efficient doing it then a device driver is probably best. Even if it were possible doing it with some sort of hook and DLL system, it's going to be a lot slower and more of a kludge.

      I figure that while device drivers are another part of software that needs to be analyzed for security flaws, they really aren't that special. One of the simplest security flaws, a buffer overflow, can still be found in who knows how many programs? The fact that a driver runs near the kernel is something to watch for, but methods like DLL injection have enabled people to get kernel-privileged access before on Windows (remember getAdmin for Win2000?).

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    3. Re:Design pattern by moonbender · · Score: 5, Informative

      Look for yourself, if you are on Windows anyway. Open the device manager, check "show hidden devices" in the view menu and look at the new devices that appear. Especially the ones in the "Non-Plug and Play Drivers" category. Some examples from my system include "Creative AC3 software decoder" (along with half a dozen more drivers the Audigy installs), "StyleXP helper" (Window skinning), "mnmdd" (no clue). And this is a fairly clean system, apart from Style XP maybe. Most of these would make sense as services, but device drivers? Not that there is a shortage of services on a typical Win XP system!

      --
      Switch back to Slashdot's D1 system.
    4. Re:Design pattern by Anon+E.+Muss · · Score: 3, Informative

      Wrong! Installing drivers is not a major cause of reboots on Windows. The only time you absolutely need to reboot is if you update the boot disk driver. There is no different than Linux. Any properly written Windows driver can be installed or updated without a reboot -- if the driver writer didn't do their job, blame them, not the OS.

      The real cause of most reboots are attempts to replace active user-mode executables (EXE or DLL). Executable files cannot be replaced while they're running. This makes it practically impossible to update system DLL's without a reboot, since they're going to running in some process all the time.

      --
      The key sequence to access my Slashdot bookmark in Firefox is Alt-B-S. I don't believe this is a coincidence.
  2. One hardware driver one from way back. by Anonymous Coward · · Score: 5, Interesting

    Sending a modem user a ping with +++ATH0 embedded. As soon as it was returned, those modems with defective modem drivers that didn't filter anything would hang up. Quick simple DoS.

    Surprisingly it still works on some systems more than 18 years after I first tried it.

    1. Re:One hardware driver one from way back. by erlenic · · Score: 3, Informative

      Some ping programs let you specify the payload in the ping packet. It's usually just used to bloat the packet for MTU testing.

      +++ATH0 is the modem command to hangup.

    2. Re:One hardware driver one from way back. by AndroidCat · · Score: 5, Informative

      That should only work with modems that took the cheap route. +++ is supposed to be wrapped with a guard delay that would prevent that. (There's probably some vulture lawyers still charging licence fees for Hayes' patent on that.)

      --
      One line blog. I hear that they're called Twitters now.
    3. Re:One hardware driver one from way back. by Myria · · Score: 5, Informative

      REAL modem drivers would use ATS2=255, which disables the +++ string. Then, to hang up, you drop the Terminal Ready (TR) bit of the serial port. This way, there is no string that can hang up the modem.

      Melissa

      --
      "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    4. Re:One hardware driver one from way back. by codegen · · Score: 3, Insightful

      That's sort of the point of the ancestor post. Some drivers do not do that and are succeptible to the attack.

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
    5. Re:One hardware driver one from way back. by Anon+E.+Muss · · Score: 4, Informative

      The delay after +++ was patented by Hayes. After the "Hayes AT standard" was firmly established in the market, Hayes started suing other modem manufacturers for patent infringement. Many decided to remove the delay requirement rather than pay royalties. There are a lot of modems that will hang up if they receive "+++ATH0\r" in a continuous stream.

      --
      The key sequence to access my Slashdot bookmark in Firefox is Alt-B-S. I don't believe this is a coincidence.
  3. there are many examples ... by tronicum · · Score: 5, Informative
    Most direct disc access (antivirus) or "personal firewall" products install theirself as driver between the physical and logical layer.

    This leads to many problems like stuff found recently in almost all Computer Associates eTrust Antivirus products. Because Zonealarm licenced the same software, they were affected, too.

    This is just one example of many :

    So many well known enterprice Antivurs/Firewall companys create drivers that lead to security flaws and it is not limited to Windows....

  4. Video games are the worst offenders by Myria · · Score: 5, Informative

    Video games' copy protection systems install device drivers like crazy to try to prevent CD-ROM emulators and such. Others install drivers to prevent cheating. When they do this, they often mess up the system involved and leave the system vulnerable to attack.

    For example, a few months ago, the nProtect anti-cheat system, which installs device drivers, had a buffer overflow in it that allowed local privilege escalation.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  5. Multimedia Keyboards by Lucractius · · Score: 5, Interesting

    seems these are almost everywhere these days. and with all the odd keys a lot of them Do need their own custom drivers for the extra keys and knobs and dials etc.

    whatever happend to the good old days when an IBM model M was all you needed :)

    --
    XML - A clever joke would be here if /. didn't mangle tag brackets.
    1. Re:Multimedia Keyboards by AndroidCat · · Score: 4, Funny

      Old days?

      --
      One line blog. I hear that they're called Twitters now.
  6. duh. by Crimson+Dragon · · Score: 5, Informative

    To cite poor design as a source of security vulnerability is to state the obvious. We spend so many man hours fixing problems that didn't have to exist in the first place, that we cannot address the problems that came inevitably over the course of implementation of software packages and protocols.

    --
    The Crimson Dragon
  7. not that easy by roman_mir · · Score: 4, Insightful

    let's say there is a driver and it allows a buffer overrun to execute some attacker's code. Well to get to the driver the attacker has to first go through a user application. So there is a problem when the combination user application/device driver both have a problem validating the same input. I am not saying this is impossible, but it would be more unlikely - there must be a great coincidence at work here. Besides normally user applications do not pass user input directly to the device drivers. The user applications translate input from user form to some implementation specific device driver input. So more likely than not there is a layer of input transformation between the user and device driver.

    Now to go around this problem the attacker may need to get the user to execute some code on the machine and this could mean that if the code is executed - even on a Linux box for example, and the code exploits a device driver flaw, due to the monolythic kernel structure of Linux it is in principle possible to execute code that will say change user privileges to admin level. I guess this would be much more difficult with a microkernel approach like what Hurd is supposed to be, because even device drivers will run in managed memory mode.

    --
    You can't handle the truth.
    1. Re:not that easy by TwistedSpring · · Score: 4, Informative

      Not necessarily. In the case of network drivers, drivers installed by firewall software, and so on, the attacks can easily be performed remotely by sending stuff over the network. However, I think that any case where a network driver will contain a flaw exploitable by stuff sent over the network will be quite rare.

      Drivers on Windows NT are reasonably well protected. If a driver attempts to do something it's not supposed to (like access an address outside of its assigned address space) this will be trapped by the kernel and you'll get a STOP error (BSOD). That's what the STOP errors are for, any event where a device driver has performed an action that could compromise the data in the system if the system were allowed to go on running. It's also why STOP errors drop you out to standard VGA text - to avoid using the graphics drivers anymore.

      Probably the greatest security flaw you could acheive in a driver is a denial of service, although they run at the kernel level, they still don't have system-wide access. There may be some way to gain that, but I doubt it. They certainly don't have access to user mode, and to access disks and e-mail clients and so on they'd have to go up to user mode level. Due to the lockdown on their address space drivers cannot communicate with oneanother, and in order to access the disk or network they'd need to do so through another driver which they can't "see".

      So the most you'd get is a BSOD, which is annoying, but you can always head into safe mode and disable the driver to fix that. If the exploit was in a disk driver or something, you could be very, very fucked though.

  8. ATI by sabernet · · Score: 4, Informative

    Well, ATI's drivers have always been nasty. Now I can call them "viral"? :)

  9. Re:Why is this a bigger risk on windows? by Gary+W.+Longsine · · Score: 4, Insightful

    An individual instance of a given buffer overflow exploit in a device driver in and of itself is not really a bigger risk on Windows. It just seems to be a more common design pattern on Windows systems, thus creating more opportunities for exploit. (Several fine examples of questionable use of device drivers, and some associated known vulnerabilities are discussed by others here).

    The referenced article at Security Focus points out that inspection of device drivers in Linux revealed similar defects in device drivers.

    Device drivers are more interesting than user land software because they run in kernel space, allowing the exploit to be immediately useful to perform nasty things like install rootkits and trojans, log keystrokes, etc.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  10. Windows design flaws by typical · · Score: 3, Interesting

    The real cause of most reboots are attempts to replace active user-mode executables (EXE or DLL). Executable files cannot be replaced while they're running. This makes it practically impossible to update system DLL's without a reboot, since they're going to running in some process all the time.

    Yup. This is a major design flaw in the Windows kernel that dates way back. It's a significant part of the reason that you don't have to reboot Linux for anything other than a new kernel, but Windows frequently needs to be rebooted for user-level application installations.

    It's on my list of "stupid design decisions made in Windows" (where "Windows" == NT family, not 9x family).

    Other goodies are:

    * "pageable kernel memory pools" (sounds like a good idea, but significantly increases complexity of writing kernel code and ease of introducing lockup bugs) over Linux's approach of just unloading modules

    * Microsoft's decision to not support "real" links, just shortcuts, in their user-mode software.

    * Allowing application software to "block" a shutdown.

    * Not allowing Windows to run without VM.

    * Not designing Windows to be able to run off of read-only media.

    * Godawful shell (not fundamental to the OS, and hopefully will fixed in Longhorn) and virtual terminal, to the point where most Windows users hate the terminal.

    * Bad VM algorithms. I don't know what they use, but try running low on memory on a Windows box and the system becomes bloody unusable.

    (From a developer standpoint)

    * Poor sockets implementation (which is still the only reasonably portable networking API under Windows -- even IOCP lacks a IOCP-able connect() up until WinXP) with no way to kick select() awake, no local-domain sockets and lots of other flaws and irritations that have to be worked around by the Windows sockets programmer.

    * Never precisely specifying API behavior -- MSDN is more of a tutorial or basic user guide to the API than a true specification. Look at a Linux man page and you generally have pretty strong guarantees on the behavior of the function provided, and that isn't even the specification (those which the function conforms to are listed and you can read a hard specification of guaranteed behavior).

    --
    Any program relying on (nontrivial) preemptive multithreading will be buggy.