Slashdot Mirror


Vista DRM Prevents Kernel Tampering

mjdroner writes "A ZDNet blog reports on a new DRM feature for Vista that 'protects' the kernel from tampering. The blog quotes a Microsoft document: 'Code (CI) protects Windows Vista by verifying that system binaries haven't been tampered with by malicious code and by ensuring that there are no unsigned drivers running in kernel mode on the system.' The blog says that much of the DRM in Vista is simply a port from XP, but that this feature is new to the OS."

16 of 428 comments

  1. Re:innovative by EvanED · · Score: 5, Insightful

    What makes Sony's legitimate but the ones from Rootkit.com not?

    If anything I would argue that rootkit.com is a more legit distribution mechanism than Sony.

  2. Updates? by phorm · · Score: 3, Insightful

    How exactly would it accomplish this properly though? Call home periodically to get a kernel hash? Have a built-in hash check? If you want to allow the kernel to be updatable (which at times, is necessary), then you are going to have to allow the kernel to be "tampered with" somehow. A crack, virus, or other program might just masquerade as a patch to allow the on-disk kernel to be modified.

  3. Would be anti-DRM in the case of the Sony Rootkit by Anonymous Coward · · Score: 3, Insightful

    MS can't win for losing. Clearly the subversion of the kernel through rootkitting is a growing problem. If MS doesn't fix it, they get knocked for having no security. If they fix it, it is called DRM. Myself, I find Vista less than compelling. 2003 works just fine, but it seems some of the haters in the Slashdot crowd will see anything MS does as bad. They are finally getting their act together on not running everything as root and they even get knocked for that.

  4. Re:Coercion? by perlchild · · Score: 5, Insightful

    It does contribute to fighting open source, any way you look at it. I'm using a TAP driver from the OpenVPN project; it isn't signed, and I don't know for sure, but I don't remember OpenVPN being a commercial entity. However, I'm not current enough in Vista to know if they couldn't just get out of the kernel, and move to user-space for the required features.

  5. Quis custodiet ipsos custodes by megaditto · · Score: 5, Insightful

    Cracking such a thing is trivial once you answer the question: who watches the watchman?

    As Apple just learned with their TPM kernel extension, all that hackers need to do is replace the binary that verifies all other binaries, and the "goodies" are up for grabs.

    --
    Obama likes poor people so much, he wants to make more of them.

  6. Re:Coercion? by geekoid · · Score: 4, Insightful

    Interesting.

    Independent developers should sue. MS is completely locking them out of the platform.

    Developers. Developers. Developers. Indeed...

    --
    The Kruger-Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect

  7. Freedom is Slavery by orospakr · · Score: 3, Insightful

    The very idea of running software on my own equipment that considers me an enemy just doesn't sit at all well.

    That, and I really like the Free Software TUN/TAP driver for Windows.

  8. Re:innovative by ultranova · · Score: 4, Insightful

    Sony were just trying to protect their business assets from piracy - albeit in a rather misguided manner. Whereas most of the users of sites like rootkit.com are black hat hackers looking for something to put in their next spambot trojan.

    But aren't most spambot trojans business assets? After all, spam makes money - that's why spammers bother - so rootkits are business assets for blackhat hackers, even more so than they are for Sony.

    No, these poor hackers are simply trying to protect their right to profit - just like Sony. And if that means taking control of the computer away from its owner, well, surely you agree that that's a small price to pay to ensure that those damn users aren't depriving them of those profits, right? Sony certainly seems to...

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  9. Re:Coercion? by Aladrin · · Score: 5, Insightful

    I totally disagree. You are assuming they have a commercial application in mind. What about someone who wants to write drivers for their new hardware they just built by hand? They shouldn't be required to go through this.

    It doesn't matter, though, because if you make it too hard to write software for Windows, people will stop. They'll find another platform that is more enticing to them. It won't happen immediately, of course. But it'll happen.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM

  10. Re:Coercion? by mrchaotica · · Score: 4, Insightful

    > By allowing only signed drivers it will make it harder for root kit crackers.

    Yeah, but it will also make it harder for people making tools to preserve Fair Use (DVD and HD-disc ripping programs, no-CD cracks for games, etc.). This is a Bad Thing.

    I'll keep my Fair Use and take my chances with the rootkits, thankyouverymuch!

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  11. Ummm, hello? by finkployd · · Score: 4, Insightful

    This is not new (at least the concept) at all. We have been talking about this for years now. What do you think trusted computing (palladium) is? This has always been the "good" side of the TCPA coin, media DRM being the "bad" side.

    Finkployd

  12. Re:Coercion? by HiThere · · Score: 3, Insightful

    What *I* wonder is "How long 'til they 'inadvertently' disable some company's cert for a product that just happens to compete with one of theirs?"

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.

  13. Re:Get real by TemporalBeing · · Score: 3, Insightful

    > Fight a battle you have a chance to win, and stop dreaming that unsigned platforms have a future. Without someone certifying that a platform is secure, businesses are going to stop using them. Eventually client nodes that aren't certified won't be able to do much useful, either.

    Unsigned platforms only have the kind of future you say if WE permit them to have that future. I, for one, will not allow that in my own household, nor any company that I start. There are better ways to deal with security and issues of such a nature.

    > Why would such a hacker go through the pain of Win32 driver development instead of Linux drivers anyhow?

    Because the target systems - even if in the minority - only run Windows. For example, a small company writing drivers for an in-house server set. If they were concerned with security and cared about driver signing and such, then (a) they may not be able to afford getting the stuff from MS, and (b) they may not be able to turn off driver signing for the systems that will actually be using the drivers.

    I wouldn't be surprised if domain policies were added to disable individual users from turning off driver signing - if that did happen, then there goes a lot of corporate R&D developers to the pot with not being able to develop drivers even for proof of concept stuff.

    And yes, a lot of corporate companies won't buy something like this without first having some kind of proof of concept that what they are trying to accomplish with it works first. If their corporate governance decides they can't turn off driver signing - perhaps they are in the wrong division/etc but still need to do it - then they could be screwed. And the project won't happen.

    Like it or not, there are valid reasons for removing this kind of DRM. It does cut out parties that could otherwise develop for you, and it can hurt pretty badly. This is undercutting a lot of the potential developers for MS. Now that might mean a greater groundswell towards Linux, Mac, or something else, but it does hurt 3rd party developers and it does use their monopoly power in a wrong way that will disadvantage the industry.

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)

  14. Re:Get real by LeBoomer · · Score: 4, Insightful

    No, an idiot is someone that thinks giving MS $500 and their rootkit-altering driver is a good way to make money. If MS doesn't find anything suspicious, your credit trail will certainly be easy enough to follow. Unless you think sending them $500 cash in an envelope with no return address will get the job done...

  15. Re:Get real by AcidLacedPenguiN · · Score: 3, Insightful

    > The $500 does, however, ensure that there won't be any open source Windows drivers.

    Bullshit! I see small communities of gamers all pitching in to buy gaming servers. I see donation based internet radios (http://soma.fm/) start and survive off community donations. In fact I think the last time I went to the Ubuntu site I saw a donate button (http://www.ubuntu.com/donations). I highly doubt that the $500 signing price tag is going to doom the open source communities. I think the only communities this will lock out is the open sores community, and I for one wouldn't mind that at all.

    --
    disclaimer: I've been known to store numbers in my ass for which to dig out when quantities are required.

  16. It isn't that hard by gillbates · · Score: 3, Insightful

    > Compare the two. If they match, then the file hasn't been tampered with... Tampering with this requires...

    No, all that is required is to copy one key over the other in memory. Alternatively, one could modify a single comparison instruction in the loader. Then the match occurs, and the code will be allowed to load.

    This is well within the range of an experienced hacker:

    1. Disassemble the loader
    2. Modify the assembly code so that the comparison is always true (JNE -> NOP, or other suitable instruction)
    3. Reassemble the loader and replace it on the filesystem.
    4. Note that all of these could be done without Windows' consent if the filesystem is mounted using Linux, or other suitably advanced OS.

    --
    The society for a thought-free internet welcomes you.