Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista DRM Prevents Kernel Tampering

Posted by ryuzaki0 on from the in-theory-anyway dept.

mjdroner writes "A ZDNet blog reports on a new DRM feature for Vista that 'protects' the kernel from tampering. The blog quotes a Microsoft document: 'Code (CI) protects Windows Vista by verifying that system binaries haven't been tampered with by malicious code and by ensuring that there are no unsigned drivers running in kernel mode on the system.' The blog says that much of the DRM in Vista is simply a port from XP, but that this feature is new to the OS."

4 of 428 comments (clear)

  1. Re:Updates? by EvanED · · Score: 4, Informative

    Cryptographically secure signatures?

    You take a hash, and sign it with a private key. This is your signature. The loader then takes a hash of the file again. It also decrypts the signature with the public key. Compare the two. If they match, then the file hasn't been tampered with.

    Tampering with this requires:
    1. Tampering with the loader
    2. Tampering with the public key stored in the loader (really part of #1)
    3. Breaking MS's private key
    4. Producing another executable with the same hash

    1 and 2 are possible, but 3 and 4 are computationally hard. (The sun will have turned into a red giant long before the best-known alogrithms have found a solution, even if the hash is the relatively "weak" MD5.)

  2. Already broken by Blue Pill by TRS-80 · · Score: 5, Informative

    The kernel mode signed driver restriction has already been broken by Blue Pill. Full details are in the black hat presentation, but the basic gist is you force a driver (eg null.sys) to be swapped out to disk, overwrite a function in the copy in swap with your own code, then call that function. And now you're executing unsigned code in kernel space.

  3. Many classes of software are affected by yeremein · · Score: 5, Informative

    This isn't just about supporting hardware. Several types of programs require kernel-mode drivers. Off the top of my head...

    Installable file systems
    Loopback mounts
    Volume encryption
    Rootkit detection
    Packet sniffing
    VPN software

    I'm sure there are others. Vista's code signing requirement will make it difficult for any open-source program to do any of the things listed above. Large OSS projects backed by a company will probably be able to get a certificate from Microsoft and sign official builds, but third parties will be unable to modify and redistribute binaries, which is counter to the spirit of open source. I'm sure this is not an accident. Smaller OSS projects (such as installable file systems for ext3 or reiser) will most likely jsut disappear.

  4. Re:Coercion? by x_MeRLiN_x · · Score: 5, Informative

    Oh, but it will. You just have to press F8 during boot and select the appropriate option in order to install unsigned drivers as I found out when installing my Creative 5.1 drivers.