Slashdot Mirror


Vista DRM Prevents Kernel Tampering

mjdroner writes "A ZDNet blog reports on a new DRM feature for Vista that 'protects' the kernel from tampering. The blog quotes a Microsoft document: 'Code (CI) protects Windows Vista by verifying that system binaries haven't been tampered with by malicious code and by ensuring that there are no unsigned drivers running in kernel mode on the system.' The blog says that much of the DRM in Vista is simply a port from XP, but that this feature is new to the OS."

75 of 428 comments

  1. Coercion? by P(0)(!P(k)+P(k+1)) · · Score: 5, Interesting
    From a related article:
    Vista driver developers must obtain a Publisher Identity Certificate (PIC) from Microsoft. [] This costs $500 [EUR 412] per year, and as the name implies, is only available to commercial entities.
    Does this amount to indirect coercion? In XP, if I remember, unsigned drivers were allowed to run unhindered with loud information dialogs.
    1. Re:Coercion? by perlchild · · Score: 5, Insightful

      It does contribute to fighting open source, any way you look at it. I'm using a tap driver from the openvpn project, it isn't signed, and I don't know for sure, but I don't remember openvpn being a commercial entity. However, I'm not current enough in vista to know if they couldn't just get out of the kernel, and move to user-space for the required features.

    2. Re:Coercion? by geekoid · · Score: 4, Insightful

      Interesting.

      Independent developers should sue. MS is completely locking them out of the platform.

      Developers.Developers.developers. Indeed...

      --
      The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Coercion? by Tackhead · · Score: 5, Interesting
      > By allowing only signed drivers it will make it harder for root kit crackers. I don't think there are many volunteers that write device drivers for Windows in the first place, so the requirement that only companies can get a Publisher Identity Certificate is not that big a loss. The cost of $500 a year is not much for a company, anyway.

      The cost of $500 a year is also not much for the Russian mob, or any other bunch of fuckweasels that want to sponsor the creation of a rootkit.

    4. Re:Coercion? by Keith+Russell · · Score: 4, Interesting

      Nothing has changed for user-mode drivers. You'll still get the same old nagging wave-through dialog for unsigned drivers, now with added UAC screen flickering.

      Signatures are only required for kernel-mode drivers. In 64-bit Vista, it's a hard limit: No signature, no load, period. In 32-bit, you'll get the same UAC/nag dialog as user-mode drivers. The only time you'll be affected by the lack of signatures in 32-bit Vista is when you try to play back all those awesome Blu-Ray and HD-DVD movies you've been clamoring for on your shiny new HDCP-compliant flat panel monitor. </sarcasm>

      Reminder: Video drivers are user-mode in Vista.

      --
      This sig intentionally left blank.
    5. Re:Coercion? by Aladrin · · Score: 5, Insightful

      I totally disagree. You are assuming they have a commercial application in mind. What about someone who wants to write drivers for their new hardware they just built by hand? They shouldn't be required to go through this.

      It doesn't matter, though, because if you make it too hard to write software for Windows, people will stop. They'll find another platform that is more enticing to them. It won't happen immediately, of course. But it'll happen.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    6. Re:Coercion? by AuMatar · · Score: 2, Insightful

      Bullshit and FUD. There's plenty of reasons you'd need to write kernel level code. Just because you're writing a driver does not mean you are a hardware manufacturer - just doing a console controller conversion (like making an old NES controller hook up to a computer) requires a driver.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    7. Re:Coercion? by Aladrin · · Score: 2, Insightful

      It sounds to me like they've given hackers a reason to fake signing drivers, instead. They've never really had a reason to bother before.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    8. Re:Coercion? by mrchaotica · · Score: 4, Insightful
      By allowing only signed drivers it will make it harder for root kit crackers.

      Yeah, but it will also make it harder for people making tools to preserve Fair Use (DVD and HD-disc ripping programs, no-CD cracks for games, etc.). This is a Bad Thing.

      I'll keep my Fair Use and take my chances with the rootkits, thankyouverymuch!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    9. Re:Coercion? by mrchaotica · · Score: 2, Funny
      Reminder: Video drivers are user-mode in Vista.

      Ah, but what about "Trusted[sic]" Platform Module drivers?

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    10. Re:Coercion? by RingDev · · Score: 2, Interesting

      Except for the fact that MS can revoke that certificate at any time. If any malicious code hits the web with your cert, they pull the cert and the malicious code is rendered worthless. Of course, so is any non-malicious code under that cert. I wonder what kind of protections go into that cert to prevent spoofing.

      -Rick

      --
      "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
    11. Re:Coercion? by Tod+DeBie · · Score: 2, Insightful
      Just because you're writing a driver does not mean you are a hardware manufacturer- just doing a console controller conversion (like making an old NES controller hook up to a computer) requires a driver.
      I don't think you would need a kernel level driver for that. The idea of requiring kernel level drivers to be signed does not seem like that bad an idea; this would likely stop most rootkits and would improve the general security of the OS.
    12. Re:Coercion? by Anonymous Coward · · Score: 3, Informative

      Vista allows you to turn this protection off. The guy making his own hardware can turn it off while he's developing and then buy a license later if he wants to distribute it to others.

    13. Re:Coercion? by MioTheGreat · · Score: 2, Informative

      You're especially right with Vista. Microsoft is pushing things away from the kernel with new driver models. They want more stuff to live in userland. Look at WDDM, for example. In XP, nearly all the components of the video driver lived in the kernel. Now they can put less and less there, and more into user space.

    14. Re:Coercion? by HiThere · · Score: 3, Insightful

      What *I* wonder is "How long 'til they 'inadvertently' disable some company's cert for a product that just happens to compete with one of theirs?"

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    15. Re:Coercion? by Jugalator · · Score: 3, Interesting

      If the OpenVPN drivers aren't signed, they may not install whatsoever on Windows Vista 64-bit. Vista 64 will simply not accept unsigned kernel-mode drivers at all anymore. I believe XP did, just after having displayed a dialog box with a lot of bolded text in it. I'm not sure what will happen as for Vista 32-bit.

      The information here also tells that drivers that load at boot time must contain a digital signature (I'm talking regardless of 32/64-bit platform now). There are also other cases where a signature is required, and in all these cases it has to be from an authority "Windows trusts" (read: Microsoft).

      While this "combats open source", it's really just the certification authority where "money = trustworthiness" stupidity applied all over. They made VeriSign et al. grow big, and now Microsoft will try to grow big(ger) using the same idea. Microsoft will defend themselves by saying that they can't let just about any authority without insight into how Windows works and lacking Microsoft's guidance sign, because then they could sign code that did harm to Windows. I guess both are kind of right.

      --
      Beware: In C++, your friends can see your privates!
    16. Re:Coercion? by thethibs · · Score: 2, Insightful

      In XP, Sony was able to install a rootkit without the user being any the wiser.

      If Vista can ensure kernel integrity, this is a good thing, and anything that can bypass the safeguards in Vista is a threat. If you want to fiddle with the kernel—get linux or XP. I expect MS to do everything to keep my copy of Windows secure, and the best way to do that is Default: Deny.

      It's sad to see how the /. community blasts MS every time someone finds a security flaw, and now is blasting MS for putting strong security in Vista. It could lead one to think that a lot of you people are only pretending to be hard-core linuchim; why the concern about not being able to hack the Windows kernel?

      Symantec and McAfee's claim that they need kernel access is not convincing. It's too bad that their business model involves riding on Windows' success (an opportunity, not a right). Maybe they can live off of the linux market ;)

      --
      I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
    17. Re:Coercion? by Chosen+Reject · · Score: 2, Insightful

      In XP, Sony was able to install a rootkit without the user being any the wiser.

      Now, for only the paltry sum of $500, Sony can have that rootkit certified.

      --
      Stop Global Warming!
      Just say no to irreversible processes!
    18. Re:Coercion? by TemporalBeing · · Score: 2, Insightful
      Vista allows you to turn this protection off. The guy making his own hardware can turn it off while he's developing and then buy a license later if he wants to distribute it to others.
      As I said in another post, that may not always be an option - and won't be one for many in corporate, domain-run environments, especially if the ability to disable it could be controlled via domain policies, which I can see as very likely happening.

      The end-user should always be in full control of the system. That doesn't mean that the system should let the end-user easily do stupid things, but if the end user wants to do it then they should be allowed to do it. This goes even more so for developers. And while one could easily argue that end-user's should have some limits - such as not being allowed to load unsigned drivers - that does not mean those same limits should be put in place in such a way that could potentially be to the detriment of developers.

      Saying "oh you can turn this off by doing X" is not sufficient as that could still cut out a large number of small companies or start-ups that are simply getting underway. How can they judge their true market if no one could run their drivers/software/etc? They can't. Putting in a "feature" <cough>bug</cough> like this is hurting developers. Moreover, what about a project - like OpenVPN, for example - that requires interaction in a certain level of the system but is not allowed to operate in that portion of the system because (a) the writer is not a "commercial entity" or (b) the writer is otherwise unable to get the appropriate key?

      Moreover, what happens if someone breaks the system and manages to put malicious code into a signed driver without having actually gotten the key to sign with? Crackers will be all over it, and the system will still install it without telling the user. This only creates a false sense of security - that is all that Microsoft has ever done with Windows for security.
      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    19. Re:Coercion? by x_MeRLiN_x · · Score: 5, Informative

      Oh, but it will. You just have to press F8 during boot and select the appropriate option in order to install unsigned drivers as I found out when installing my Creative 5.1 drivers.

    20. Re:Coercion? by l33t_f33t · · Score: 2, Interesting

      This reeks of an anti-trust violation to me.

    21. Re:Coercion? by jedidiah · · Score: 2, Insightful

      Those statements are entirely consistent.

      The OWNER of the system should have full control. Whoever has the root password should have full control of the entire system from top to bottom. Even with a corporate desktop, the ultimate user of the machine is the COMPANY and not the drone employee.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    22. Re:Coercion? by Z34107 · · Score: 3, Informative

      Except in Vista, 99% of drivers DON'T reside and CAN NO LONGER reside in kernel space. Other than very special and limited applications (videocard drivers), most drivers are FORCED to be loaded in userspace.

      The system is more stable because a crappy printer driver won't blue-screen your system, and the printer driver (and others) achieve the same functionality they had in kernel space using the new Windows Driver Model.

      Although signing drivers costs $money, only companies like nVidia actually have to. The new DRM only protects kernel space, and the new kernel FORCES 99% OF ALL DRIVERS to reside in userspace. Kernel protection isn't a problem because most people can't put drivers there anyway.

      --
      DATABASE WOW WOW
    23. Re:Coercion? by bruno.fatia · · Score: 2, Funny

      It's not a hole, its a feature.

    24. Re:Coercion? by Jeremi · · Score: 2, Interesting
      While this "combats open source", it's really just the certification authority where "money = trustworthiness" stupidity applied all over.

      Indeed. How long will it be before some company gets a driver signed that (intentionally or not) allows arbitrary code to be executed as a subroutine in its 'trusted' context? As soon as that happens, they're back to square one...

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    25. Re:Coercion? by irc.goatse.cx+troll · · Score: 2, Insightful

      It all depends on if we'll be allowed to install other certs as trusted sources. If we can then that is a great change and will improve the security of the OS at only a minor ease of use hit for some users. If we can't, then it will certainly stand in the way of a lot of valid use.

      Unfortunately this seems like it will also put an end to binary patching of system files, which means we'll be stuck with acceleration. In XP the only way to remove acceleration involves patching win32.sys to JMP past the acceleration code (the registry edit floating around just minimizes accel). It will be a shame to not be able to do that anymore, although maybe if we're allowed to add our own trusted sources we could patch it and resign. We'll see how it's done.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    26. Re:Coercion? by Z34107 · · Score: 2, Informative

      So how do they access the hardware if they're not in ring 0?

      The Windows Driver Model provides an interface to do this. The software calls kernel functions, and the KERNEL accesses the hardware.

      This lets drivers reside in user mode, yet still talk to the hardware. Keeps things nice and stable, and DOESN'T require signing.

      --
      DATABASE WOW WOW
  2. Not all drivers by Tony+Hoyle · · Score: 4, Interesting

    Minifilter drivers don't have to be signed (at least in RC1 which is the last version I tried). That of course means you can get into ring 0 with a loadable driver - all that's needed is admin rights.

    Modifying the kernel after that is just a matter of working out which bits (kill the code that checksums the binaries first, etc.)

    1. Re:Not all drivers by Viraptor · · Score: 3, Interesting

      *COUGH*pagefile attack*COUGH*
      No info about rc2 yet, but if they didn't want to correct it in rc1, then... who knows...

    2. Re:Not all drivers by hotdiggitydawg · · Score: 3, Funny

      That's a nasty cough you have there. I think you might've picked up a bug...

  3. Installing lockout under the guise of security. by rs232 · · Score: 2, Interesting

    "if unsigned code is allowed to load you won't be able to play protected high-definition multimedia content"

    --
    davecb5620@gmail.com
  4. Re:innovative by EvanED · · Score: 5, Insightful

    What makes Sony's legitimate but the ones from Rootkit.com not?

    If anything I would argue that rootkit.com is a more legit distribution mechanism than Sony.

  5. Re:innovative by smittyoneeach · · Score: 2, Funny

    Yes. The sooner enough people get bent over and used by proprietary technology, the faster we can move on to something that doesn't suck like this.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  6. is Vista that fabled 8th generation OS? by 192939495969798999 · · Score: 5, Funny

    "From: (Blair P. Houghton)

    I predict that Eighth Generation computers
    will compile no programs, run no applications,
    and access no data. Instead they will be
    designed and tuned to give a continuously
    variable spectrum of elegant and precise
    error messages describing your failure to
    induce them to do so."

    Yay Vista!

    --
    stuff |
    1. Re:is Vista that fabled 8th generation OS? by ggalvao · · Score: 3, Funny

      Yay! One more barrier for open source free non-proprietary drivers to jump over!

  7. Updates? by phorm · · Score: 3, Insightful

    How exactly would it accomplish this properly though? Call home periodically to get a kernel hash? Have a built-in hash check? If you want to allow the kernel to be updatable (which at times, is necessary), then you are going to have to allow the kernel to be "tampered with" somehow. A crack, virus, or other program might just masquerade as a patch to allow the on-disk kernel to be modified.

    1. Re:Updates? by EvanED · · Score: 4, Informative

      Cryptographically secure signatures?

      You take a hash, and sign it with a private key. This is your signature. The loader then takes a hash of the file again. It also decrypts the signature with the public key. Compare the two. If they match, then the file hasn't been tampered with.

      Tampering with this requires:
      1. Tampering with the loader
      2. Tampering with the public key stored in the loader (really part of #1)
      3. Breaking MS's private key
      4. Producing another executable with the same hash

      1 and 2 are possible, but 3 and 4 are computationally hard. (The sun will have turned into a red giant long before the best-known algorithms have found a solution, even if the hash is the relatively "weak" MD5.)

    2. Re:Updates? by qbwiz · · Score: 2, Interesting

      Microsoft could sign patches with their private key, then include the public key in Windows to let them check that. AFAIK, they do that with the Xbox 360 and some other stuff already. The hard part will be making sure that the part that does the validation hasn't been cracked already - Apple is having problems doing that, and they even have a combined hardware/software solution.

      --
      Ewige Blumenkraft.
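The scheme EvanED and qbwiz describe above (hash the image, sign the hash with a private key, and have the loader rehash the file and check the signature against a public key it carries), written out as an added example. This is not Vista's Code Integrity code and not from either poster; it is a toy loader using textbook RSA over a SHA-256 digest with no PKCS#1 padding, so it needs only the Python standard library (a real loader uses a padded signature scheme). The driver images, key sizes and the `KernelLoader` class are constructed for the example. It also shows EvanED's points 1 and 2: the check is only as strong as the loader and the public key embedded in it, because an attacker who can swap that key loads whatever they have signed themselves.

```python
import hashlib
import random

# Added example, not Vista's Code Integrity code: a toy kernel loader that
# only admits driver images carrying a valid signature from the key baked
# into the loader. RSA is "textbook" here (raw modular exponentiation over
# the SHA-256 digest, no PKCS#1 padding) so the example needs only the
# standard library; a real loader uses a padded scheme (PKCS#1 v1.5 / PSS).


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)); the modulus must exceed the 256-bit digest."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e prime, so this means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # modular inverse: Python 3.8+


def _digest_int(image):
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_image(image, priv):
    """Publisher side: sign the hash of the driver image with the private key."""
    n, d = priv
    return pow(_digest_int(image), d, n)


def verify_image(image, sig, pub):
    """Loader side: rehash the file and compare with the hash recovered from sig."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(image)


class KernelLoader:
    """Constructed stand-in for the loader: admits a driver only if its
    signature verifies under the public key stored in the loader."""

    def __init__(self, trusted_pub):
        self.trusted_pub = trusted_pub   # "public key stored in the loader"
        self.loaded = []

    def load_driver(self, name, image, sig):
        if not verify_image(image, sig, self.trusted_pub):
            return False                 # no valid signature: no load
        self.loaded.append(name)
        return True


if __name__ == "__main__":
    vendor_pub, vendor_priv = generate_keypair()
    loader = KernelLoader(vendor_pub)
    driver = b"constructed driver image bytes"          # constructed sample
    sig = sign_image(driver, vendor_priv)
    print("genuine driver loads:", loader.load_driver("tap.sys", driver, sig))
    # One byte changed after signing: the hash differs, the signature fails.
    print("patched driver loads:", loader.load_driver("tap.sys", driver + b"\x90", sig))
    # Attack on the loader itself: replace its embedded public key (EvanED's #2).
    bad_pub, bad_priv = generate_keypair()
    loader.trusted_pub = bad_pub
    rootkit = b"constructed rootkit image"              # constructed sample
    print("rootkit loads after key swap:",
          loader.load_driver("rootkit.sys", rootkit, sign_image(rootkit, bad_priv)))
```

Run as a script it prints True, False, True: the unmodified image loads, the patched image is refused, and once the loader's own key has been swapped the attacker's self-signed image loads. That last line is the whole reason the loader and its key have to be protected by something the attacker cannot write to, which is where the later posts about "who watches the watchman" and the pagefile attack pick up.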
  8. Re:How Wonderful by alienfluid · · Score: 2, Informative

    Hmm, so you were hoping to use 32-bit drivers on a 64-bit OS? You shouldn't even be here. Go home.

  9. Would be anti-DRM in the case of the Sony Rootkit by Anonymous Coward · · Score: 3, Insightful

    MS can't win for losing. Clearly the subversion of the kernel through rootkitting is a growing problem. If MS doesn't fix it, they get knocked for having no security. If they fix it, it is called DRM. Myself, I find Vista less than compelling. 2003 works just fine, but it seems some of the haters in the Slashdot crowd will see anything MS does as bad. They are finally getting their act together on not running everything as root and they even get knocked for that.

  10. Quis custodiet ipsos custodes by megaditto · · Score: 5, Insightful

    Cracking such a thing is trivial once you answer the question who watches the watchman?

    As Apple just learned with their TPM kernel extension, all that hackers need to do is replace the binary that verifies all other binaries, and the "goodies" are up for grabs.

    --
    Obama likes poor people so much, he wants to make more of them.
    1. Re:Quis custodiet ipsos custodes by ZachPruckowski · · Score: 2, Informative

      As Apple just learned with their TPM kernel extension, all that hackers need to do is replace the binary that verifies all other binaries, and the "goodies" are up for grabs.

      Apple however, had distributed unprotected versions of 10.4.1 prior to that. And a large amount of the kernel is open-source. There's no assurance you can do that with Windows.

    2. Re:Quis custodiet ipsos custodes by nine-times · · Score: 3, Informative

      The project is sometimes referred to as OSX86, I think. They release updates just about every time Apple has a major update, and at least very recently you could get a version of OSX that could run on generic x86 hardware, at the same version as what's available on Macs.

      From what I understand, the difficulty of all this really isn't replacing the kernel, but more like ensuring there are good drivers for non-Apple hardware. In any event, the situation seems very different to me, between Apple locking OSX to Apple hardware and Microsoft locking the kernel in general.

    3. Re:Quis custodiet ipsos custodes by Doctor+Memory · · Score: 2, Interesting

      Funny how much better your searching goes when you know the right keywords! Not only do they talk about running recent builds on non-Apple hardware, they tell you how to do the same!

      --
      Just junk food for thought...
    4. Re:Quis custodiet ipsos custodes by dreamlax · · Score: 3, Interesting

      At some time during execution of the validation process, the CPU computes a yes or no answer based on a number of bytes of input. Whether or not there is a validator for the validator is not known, but you can simply disassemble both of them, NOP out the entire validating sub-routine (or figure out which result is 'yes'), and voila. Well, it won't be this simple, the validation will probably be deliberately complicated, but the result is always the same, "no, not valid", or "yes, run it in kernel mode".

      Disassembling binaries isn't the nicest thing to do. I've done it once or twice to bypass software registration, it took me a long while (days). There are professionals out there, though, that do this sort of stuff as a hobby. For them, it may not be so difficult.

  11. Optimism by regular_gonzalez · · Score: 2, Funny

    I'm an optimist by nature, so I'll say it'll take hackers 3 months to crack the kernel DRM.

    --
    Due to circumstances beyond my control, I am master of my fate and captain of my soul.
    1. Re:Optimism by Tony+Hoyle · · Score: 2, Interesting

      In the case of the xbox it was a fairly closed system with hardcoded BIOS support for the DRM and custom hardware.

      There are PCs with TPM chips that are at that level now but they're still fairly rare - in general a PC is still an open architecture.

  12. Already broken by Blue Pill by TRS-80 · · Score: 5, Informative

    The kernel mode signed driver restriction has already been broken by Blue Pill. Full details are in the Black Hat presentation, but the basic gist is you force a driver (e.g. null.sys) to be swapped out to disk, overwrite a function in the copy in swap with your own code, then call that function. And now you're executing unsigned code in kernel space.

  13. Freedom is Slavery by orospakr · · Score: 3, Insightful

    The very idea of running software on my own equipment that considers me an enemy just doesn't sit at all well.

    That, and I really like the Free Software TUN/TAP driver for Windows.

  14. Re:innovative by ultranova · · Score: 4, Insightful

    Sony were just trying to protect their business assets from piracy - albeit in a rather misguided manner. Whereas most of the users of sites like rootkit.com are black hat hackers looking for something to put in their next spambot trojan.

    But aren't most spambot trojans business assets ? After all, spam makes money - that's why spammers bother - so rootkits are business assets for blackhat hackers, even more so than they are for Sony.

    No, these poor hackers are simply trying to protect their right to profit - just like Sony. And if that means taking the control of the computer away from its owner, well, surely you agree that that's a small price to pay to ensure that those damn users aren't depriving them of those profits, right ? Sony certainly seems to...

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  15. Ummm, hello? by finkployd · · Score: 4, Insightful

    This is not new (at least the concept) at all. We have been talking about this for years now. What do you think trusted computing (palladium) is? This has always been the "good" side of the TCPA coin, media DRM being the "bad" side.

    Finkployd

  16. Many classes of software are affected by yeremein · · Score: 5, Informative

    This isn't just about supporting hardware. Several types of programs require kernel-mode drivers. Off the top of my head...

    Installable file systems
    Loopback mounts
    Volume encryption
    Rootkit detection
    Packet sniffing
    VPN software

    I'm sure there are others. Vista's code signing requirement will make it difficult for any open-source program to do any of the things listed above. Large OSS projects backed by a company will probably be able to get a certificate from Microsoft and sign official builds, but third parties will be unable to modify and redistribute binaries, which is counter to the spirit of open source. I'm sure this is not an accident. Smaller OSS projects (such as installable file systems for ext3 or reiser) will most likely just disappear.

    1. Re:Many classes of software are affected by shmlco · · Score: 4, Interesting

      So? Half the things you mention are also things viruses and trojans do for a living, and unfortunately users tend to approve any message generated by the system, "Are you sure you want to install the game you just downloaded?"

      It's easy to shit on an idea, but the core components of a system need to be protected somehow, and while I hear a lot of whining what I DON'T hear is anyone offering a better solution to the problem.

      If someone really wants to build one of the things you mention then they'll pay the freight. And Vista isn't open source.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  17. Why don't they get it? by BlueCoder · · Score: 2, Insightful

    DRM is impossible without chip level hardware security. There is going to be a whole new product field of new software that disables and replaces windows code security. Programs which actually give control of your computer back to you. But while it won't stop computer infection (where there is a bug hole there is a way) it certainly raises the security bar for the basic default windows setup I install on (non nerd) family and friends computers.

    Even with chip level security I'd be drilling into chips and hot wiring them if needed or purchase pre hot wired hardware if the modification equipment was beyond my means. I will never stop striving for control of my own property even if control is an illusion.

  18. No Colinux on Vista by Laur · · Score: 2, Informative

    I believe CoLinux is another FOSS program (and a very useful one at that) that is affected by this.

    --
    When you lose something irreplaceable, you don't mourn for the thing you lost, you mourn for yourself. - Harpo Marx
  19. Get real by msobkow · · Score: 2, Interesting

    The only unsigned driver I have ever seen was for an old Voodoo board.

    The last time I met anyone who was using custom hardware was around 1985-6, a sound board that plugged into a C-64.

    If you can't use your old hardware with Vista, then don't run Vista. New hardware shipping with Vista will be able to run it.

    As a security-conscious programmer with a lot of corporate development history, I support Vista's blocking of non-signed drivers 100%. It's actually the first time I've agreed with Microsoft's plans and features since suffering the pains of Windows 3.1 development and support.

    Maybe it's time for the idealists to get real about security issues. They see DRM as preventing them from experimenting; the vast majority of government, corporate, and home users either don't care or see it as a benefit that provides more protection from crackers, viruses, rootkits, etc. Even OpenSuSE has a similar enforcement option for verifying binaries, and I doubt it'll be too long before bigger commercial OS vendors do the same.

    Fight a battle you have a chance to win, and stop dreaming that unsigned platforms have a future. Without someone certifying that a platform is secure, businesses are going to stop using them. Eventually client nodes that aren't certified won't be able to do much useful, either.

    I object more to the use of products like Entrust web sign-in that ignores the security provisions of products like Java sandboxing, artificially blocking clients unless they are running a paid-for commercial OS from Microsoft or Apple. (Try registering with http://www.gc.ca/main_e.html for a "My Government Account" with Linux or even with Firefox under WinXP Pro.)

    There is no reason for such an artificial blockage of client access, and that worries me a hell of a lot more than whether a couple dozen hackers can run custom drivers for their own hardware. Why would such a hacker go through the pain of Win32 driver development instead of Linux drivers anyhow?

    --
    I do not fail; I succeed at finding out what does not work.
    1. Re:Get real by TemporalBeing · · Score: 3, Insightful
      Fight a battle you have a chance to win, and stop dreaming that unsigned platforms have a future. Without someone certifying that a platform is secure, businesses are going to stop using them. Eventually client nodes that aren't certified won't be able to do much useful, either.
      Unsigned platforms only have the kind of future you say if WE permit them to have that future. I, for one, will not allow that in my own household, nor any company that I start. There are better ways of dealing with security and issues of such a nature.

      Why would such a hacker go through the pain of Win32 driver development instead of Linux drivers anyhow?
      Because the target systems - even if in minority - only run Windows. For example, a small company writing drivers for an in-house server set. If they were concerned with security and cared about driver signing and such, then (a) they may not be able to afford getting the stuff from MS, and (b) they may not be able to turn off driver signing for the systems that will actually be using the drivers.

      I wouldn't be surprised if domain policies were added to disable individual users from turning off driver signing - if that did happen, then there goes a lot of corporate R&D developers to the pot with not being able to develop drivers even for proof of concept stuff.

      And yes, a lot of corporate companies won't buy something like this without first having some kind of proof of concept that what they are trying to accomplish with it works first. If their corporate governance decides they can't turn off driver signing - perhaps they are in the wrong division/etc but still need to do it - then they could be screwed. And the project won't happen.

      Like it or not, there are valid reasons for removing this kind of DRM. It does cut out parties that could otherwise develop for you, and it can hurt pretty badly. This is undercutting a lot of the potential developers for MS. Now that might mean a greater groundswell towards Linux, Mac, or something else, but it does hurt 3rd party developers and it does use their monopoly power in a wrong way that will disadvantage the industry.
      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    2. Re:Get real by Spad · · Score: 2, Informative

      Rubbish.

      I'd say 50% of the drivers I install under XP warn me that they're unsigned. The ones from larger companies like nVidia are usually later updated to include said signing, but the others remain unsigned indefinitely - especially for older or more obscure hardware.

      You can probably say goodbye to projects like the Omega Drivers unless they can summon up the requisite fee every year to get their modified drivers signed.

    3. Re:Get real by LeBoomer · · Score: 4, Insightful

      No, an idiot is someone that thinks giving MS $500 and their rootkit-altering driver is a good way to make money. If MS doesn't find anything suspicious, your credit trail will certainly be easy enough to follow. Unless you think sending them $500 cash in an envelope with no return address will get the job done...

    4. Re:Get real by AcidLacedPenguiN · · Score: 3, Insightful
      The $500 does, however, ensure that there won't be any open source Windows drivers.
      Bullshit! I see small communities of gamers all pitching in to buy gaming servers. I see donation based internet radios http://soma.fm/ start and survive off community donations. In fact I think the last time I went to the Ubuntu site I saw a donate http://www.ubuntu.com/donations button. I highly doubt that the $500 signing pricetag is going to doom the open source communities. I think the only communities this will lock out is the open sores community, and I for one wouldn't mind that at all.
      --
      disclaimer: I've been known to store numbers in my ass for which to dig out when quantities are required.
    5. Re:Get real by Borland · · Score: 2, Funny

      This is the beginning of the end, finally. In a few years, Microsoft will be irrelevant.

      to which I reply

      Then you're an idiot.

      I swear, it's like listening to Christian zealots waiting for the rapture. "This time, by God, the world will end...nope this time...nope this time. Face it my friend, evil will always triumph because good is FOSS.

    6. Re:Get real by jrockway · · Score: 2, Insightful

      People are donating to open source projects so that the developers can buy hardware (or coffee), not so they can fork that cash over to Microsoft.

      Besides, can you really call it open source software when some magic third party has to "approve" your software? No, you can't.

      OSS on Windows is gone.

      --
      My other car is first.
    7. Re:Get real by cortana · · Score: 2, Insightful

      Hear, hear. Just look at WHQL. The whole thing is a joke. It is common practice to submit drivers for testing that detect they are being run in a test environment and enable one code path in order to pass the tests; when they are run on an end-user's system they enable another code path which increases performance.

    8. Re:Get real by vertinox · · Score: 2, Insightful

      No, an idiot is someone that thinks giving MS $500 and their rootkit-altering driver is a good way to make money.

      Hasn't stopped Sony.

      But seriously, $500 is chump change to organized spammers, phishers, and malware authors and I'm sure they would spend an extra few bucks to set up fake Las Vegas Limited Liability Corporations just to get access.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    9. Re:Get real by sowth · · Score: 2, Insightful

      It is not just money (but the $500 goes to verisign, not MS). They have to be a commercial entity with a Class 3 Commercial Software Publisher Certificate from Verisign--read the article pointed to by the ancestor poster.

  20. Re:HMmmmm by I'm+Don+Giovanni · · Score: 3, Informative

    What is to keep microsoft or whoever from just saying nope your driver isn't good enough?

    Nothing. Go to another signing-company, then.
    I don't know about Vista, but XP has multiple root-certs from well-known signing companies pre-installed (verisign, etc). Pick one of them. If they all think that your driver "isn't good enough", then it probably isn't. BTW, "not good enough" usually means that they think the code in question is malware (in which case it's *good* that it be rejected) or piracy-ware (which would piss off the "information wants to be free" types) of some sort.

    The other main reason for sigs is to ensure that a driver that you obtain wasn't mucked with. For example, if you download an ATI driver from some site and that driver has malware inserted into it, it likely won't have a digital sig, or at least not one that matches the driver or is valid, so it won't run.

    --
    -- "I never gave these stories much credence." - HAL 9000
  21. Cost of WinVista Kernel DRM? by WillAffleckUW · · Score: 2, Funny

    Cost of WinVista Kernel DRM - part of the $300 price of WinVista
    Cost of hair torn out by DRM refusing to let you do what the Constitution explicitly permits - $1000 for hair plugs
    Cost of WinVista hack to "fix" Kernel DRM - priceless

    --
    -- Tigger warning: This post may contain tiggers! --
  22. The real reason for the kernel DRM by QuietLagoon · · Score: 2, Insightful
    The real reason for the kernel DRM is to lock down the media content as much as possible. Microsoft doesn't care about its users getting infected by adware and viruses, Microsoft cares about the media content providers forking over royalty payments for using Windows Media.

    When the Windows DRM was cracked, how long did it take for Microsoft to issue a fix? A couple of days.

    When there is an IE security issue, how long does it take for Microsoft to issue a fix? Weeks, months, sometimes not at all.

  23. What happens if your hardware manufacturer dies? by psmears · · Score: 2, Insightful
    The thing that worries me the most (well, actually, a number of things do, but this one is pretty bad) is about what happens if the company that wrote the driver ceases to exist. This could be a problem, as follows:
    • The fee for the certificate is, apparently, $500/yr
    • Presumably the certificate issued to the company expires or is revoked if they don't cough up next year (otherwise a cunning manufacturer could just buy one certificate, and then use that forever)
    • Therefore, if your manufacturer goes belly-up, it's likely that your (100% genuine, legitimately-purchased) driver software—and the hardware that goes with it—will cease to work.
    Either that, or MS will leave the certificate valid (to avoid annoying a huge number of customers), and the company's receivers will find that the certificate has a large value on the black market...
  24. It isn't that hard by gillbates · · Score: 3, Insightful

    Compare the two. If they match, then the file hasn't been tampered with... Tampering with this requires...

    No, all that is required is to copy one key over the other in memory. Alternatively, one could modify a single comparison instruction in the loader. Then the match occurs, and the code will be allowed to load.

    This is well within the range of an experienced hacker:

    1. Disassemble the loader
    2. Modify the assembly code so that the comparison is always true (JNE -> NOP, or other suitable instruction)
    3. Reassemble the loader and replace it on the filesystem.
    4. Note that all of these could be done without Windows' consent if the filesystem is mounted using Linux, or other suitably advanced OS.
    --
    The society for a thought-free internet welcomes you.
  25. Input drivers cannot run in user mode by tepples · · Score: 2, Informative
    just doing a console controller conversion (like making an old NES controller hook up to a computer) requires a driver.
    I don't think you would need a kernel level driver for that

    Yes you would. A console controller conversion requires a way to talk directly to a parallel port to send first-button and next-button request signals and receive button state signals. Input device drivers have additional restrictions; Microsoft's user-mode driver framework FAQ states the following:

    Q: What are the constraints on user-mode drivers?
    A user-mode driver cannot directly access hardware or use kernel-mode resources.
    [...]
    A user-mode driver cannot have kernel-mode clients because Windows does not allow calls from kernel mode to user mode. The majority of drivers for input, display, and most network and storage devices cannot be migrated to user mode because they have kernel-mode clients.

    This will have negative ramifications for the disability community, as it will become harder for hobbyists to develop novel assistive devices.

  26. Input drivers are still kernel mode by tepples · · Score: 2, Informative
    What drivers are still kernel mode?

    Input device drivers are still kernel mode. If you have a disability, and you want to build an assistive input device, and you can't afford $500 a year for a cert from VeriSign plus whatever your state charges to form and maintain a corporation to receive the cert (VeriSign does not sell code signing certs to sole proprietorships), tough copulating manure.

  27. Not that hard to do. by Kadin2048 · · Score: 2, Funny

    Nah you just send them the $500 from somebody's credit card that you got via your phishing scheme.

    They'll "follow the money" for sure, but to where?

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  28. Just the facts, maam by cookd · · Score: 2, Informative

    1. This is not news. Driver writers have known about this for years. This is how XP-64 and Server2003-64 work already. And this has been posted on Slashdot at least twice before.

    2. Win64 (whether Vista, 2003, or XP) requires signed drivers unless you boot up in "debug" mode. Win32 does not, although it will warn you.

    3. If you have any unsigned drivers running (Win64 OR Win32), certain "trusted path" applications (i.e. DRM-enabled video players) will not run. Basically, the content author says "I only give permission to watch this video if your system is trusted" (for some definition of trusted, as defined by the content author). Microsoft is providing a way to certify your system as trusted. Without this certification, you don't have permission of the content author to view the content. (Workarounds will be found, I am sure, but legally, that's how it works.)

    4. Microsoft will issue a PIC (driver signing certificate) to pretty much anybody with a valid code publishing certificate from an accepted certification authority. Currently, "accepted certification authority" means Verisign, but MS claims to be willing to entertain other applicants. It is the certification authority that gets the $500, not Microsoft.

    5. The point of the signature is identification, not security. Basically, Microsoft wants to be able to identify the author of any kernel-mode code running on Win64. Stable? Well written? That is a completely separate matter covered by a different process. The idea is that if a kernel-mode driver does something stupid/illegal like sniff for passwords, Microsoft wants to be able to track down the author and possibly blacklist/revoke the driver signing certificate if flagrant violations are found.

    Yes, this presents some inconvenience for small or not-for-profit organizations that want to write drivers. In most cases (something like WinPCap), I suspect they'll be able to find a "sponsor" organization willing to sign the driver. Other drivers can really never be trusted (CoLinux, for example) because the driver loads arbitrary externally supplied code into the kernel, so sponsors might be more hesitant to sign them (their certificate would probably be blacklisted).

    On the other hand, it means that any rootkit/sniffer/malicious driver will have a name and address associated with it -- very handy for picking up the trail of the author (or at least shutting him/her down via certificate revocation).

    --
    Time flies like an arrow. Fruit flies like a banana.
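Comment 23 above worries that a lapsed $500/year certificate will stop an already-shipped driver from loading, and comment 28 says revocation is the lever that would actually be pulled against an abusive publisher. The following is an added example, not code from the thread, Microsoft or VeriSign, that models those two mechanisms side by side so the difference is visible. It assumes one rule the thread does not state: Authenticode-style code signatures are normally countersigned by a time-stamping authority, and a timestamped signature is judged against the certificate's validity window as of signing time rather than as of the check. Names and dates are constructed.

```python
"""Toy model of how a kernel-mode driver signature is judged over time:
certificate validity window, timestamp countersignature and revocation.

Added illustration, not Microsoft's or VeriSign's code. Names and dates are
constructed. The rule "with a trusted timestamp, judge the certificate as of
signing time; without one, as of now" models Authenticode-style code signing
in general and is assumed here rather than taken from the thread.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str          # the publisher identity the signature points back to
    not_before: date
    not_after: date


@dataclass(frozen=True)
class Signature:
    cert: Cert
    # Set only when a trusted time-stamping authority countersigned the
    # signature; otherwise the signing time is unknown to the verifier.
    signing_time: Optional[date] = None


@dataclass
class Policy:
    # Subjects whose certificates the OS vendor / CA has revoked or blacklisted.
    revoked: Set[str] = field(default_factory=set)


def signature_status(sig: Signature, today: date, policy: Policy) -> str:
    """Return 'revoked', 'not yet valid', 'expired' or 'valid'."""
    cert = sig.cert
    if cert.subject in policy.revoked:
        return "revoked"              # revocation wins regardless of dates
    # Timestamped: was the cert valid when the code was signed?
    # Untimestamped: is the cert valid right now?
    when = sig.signing_time if sig.signing_time is not None else today
    if when < cert.not_before:
        return "not yet valid"
    if when > cert.not_after:
        return "expired"
    return "valid"


# Constructed sample: a one-year publisher certificate bought in 2006.
VENDOR_CERT = Cert("Example Hardware Co. (constructed)",
                   date(2006, 1, 1), date(2007, 1, 1))
TIMESTAMPED = Signature(VENDOR_CERT, signing_time=date(2006, 6, 15))
UNTIMESTAMPED = Signature(VENDOR_CERT)


def demo(today: date = date(2009, 3, 1)) -> dict:
    """Checks run years after the vendor stopped renewing the certificate."""
    return {
        "timestamped": signature_status(TIMESTAMPED, today, Policy()),
        "untimestamped": signature_status(UNTIMESTAMPED, today, Policy()),
        "timestamped_but_revoked": signature_status(
            TIMESTAMPED, today, Policy(revoked={VENDOR_CERT.subject})),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Under that rule a vendor going out of business does not by itself break its shipped, timestamped drivers; what does is the publisher's certificate landing on the revocation list, which is the identification-and-blacklist mechanism comment 28 describes and which a receiver selling the certificate on (comment 23's other scenario) would presumably trigger.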
  29. Meh. by Money+for+Nothin' · · Score: 2, Interesting

    What about the module that performs the verifications (probably just a hash comparison, like Tripwire on *nix)? Suppose somebody conveniently inserts a JMP instruction to the location of the code following a successful verification, allowing the comparison binary to otherwise behave as if the check had succeeded (probably either terminating at that point or trying to perform another verification if a binary hash exists)?

    (I personally don't grok x86 ASM well enough to do this. But some people do.)

    As with privacy, the question is "who watches the watchers?"
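Comments 20, 24, 28 (point 5) and 29 between them describe the whole verify-then-load flow: a signature that fails if the driver bytes were altered, a loader whose single comparison can be patched out, and the question of who checks the loader. The following is an added example, not Microsoft's code or anything posted in the thread, that models that chain in one place. It assumes HMAC-SHA256 with a shared key as a stand-in for the asymmetric Authenticode signature (so it runs on the standard library alone), hashes the verifier's bytecode as a stand-in for hashing the loader binary on disk, and uses a constructed driver image named `tapdrv.sys`.

```python
"""Toy model of kernel-mode code integrity: a loader that checks a driver
signature before loading it, and an earlier boot stage that measures the
loader itself.

Added illustration, not Microsoft's code. HMAC-SHA256 stands in for the
asymmetric Authenticode signature; the shared key and the driver bytes are
constructed so the example runs offline.
"""
import hashlib
import hmac

# Constructed sample: a "driver image" and a publisher key (not real secrets).
PUBLISHER_KEY = b"example-publisher-key-not-a-real-secret"
DRIVER_IMAGE = b"MZ\x90\x00 tapdrv.sys v1.0 (constructed sample bytes) ..."


def sign_driver(image: bytes, key: bytes) -> bytes:
    """Publisher side: produce the tag that ships with the driver."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_driver(image: bytes, sig: bytes, key: bytes) -> bool:
    """Loader side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def load_driver(image: bytes, sig: bytes, key: bytes,
                verifier=verify_driver) -> str:
    """The 'loader': refuse any image whose signature does not check out."""
    if not verifier(image, sig, key):
        return "rejected"
    return "loaded"


def patched_verifier(image: bytes, sig: bytes, key: bytes) -> bool:
    """A loader with the comparison patched out (the 'JNE -> NOP' idea)."""
    return True


# --- "who watches the watchers": an earlier stage measures the loader ---

def measure(func) -> bytes:
    """Hash the verifier's compiled bytecode; stand-in for hashing the
    loader binary before handing it control."""
    return hashlib.sha256(func.__code__.co_code).digest()


# Recorded once for the genuine loader, the way a known-good hash would be.
GOLDEN_VERIFIER_MEASUREMENT = measure(verify_driver)


def boot_and_load(image: bytes, sig: bytes, key: bytes, verifier) -> str:
    """Boot stage: only hand control to a loader whose measurement matches,
    then let that loader decide about the driver."""
    if measure(verifier) != GOLDEN_VERIFIER_MEASUREMENT:
        return "loader tampered"
    return load_driver(image, sig, key, verifier)


def demo() -> dict:
    sig = sign_driver(DRIVER_IMAGE, PUBLISHER_KEY)
    tampered = DRIVER_IMAGE.replace(b"v1.0", b"v1.x")   # one changed byte
    return {
        "genuine": load_driver(DRIVER_IMAGE, sig, PUBLISHER_KEY),
        "tampered": load_driver(tampered, sig, PUBLISHER_KEY),
        "tampered_patched_loader":
            load_driver(tampered, sig, PUBLISHER_KEY, patched_verifier),
        "tampered_patched_loader_measured":
            boot_and_load(tampered, sig, PUBLISHER_KEY, patched_verifier),
        "genuine_measured":
            boot_and_load(DRIVER_IMAGE, sig, PUBLISHER_KEY, verify_driver),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second and third results are the two halves of comment 24: an altered driver fails the check, and a loader with its comparison patched out accepts it anyway (the constant-time compare only closes a timing side channel, it does nothing against patching). The fourth result is the answer to comment 29's question: the loader's check is only as good as whatever verifies the loader, so the chain has to start in a stage that runs before it. Which stage anchors the real chain on Vista (the quoted document only says system binaries are verified) is outside what this thread establishes.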