Slashdot Mirror


Vista DRM Prevents Kernel Tampering

mjdroner writes "A ZDNet blog reports on a new DRM feature for Vista that 'protects' the kernel from tampering. The blog quotes a Microsoft document: 'Code (CI) protects Windows Vista by verifying that system binaries haven't been tampered with by malicious code and by ensuring that there are no unsigned drivers running in kernel mode on the system.' The blog says that much of the DRM in Vista is simply a port from XP, but that this feature is new to the OS."

35 of 428 comments

  1. Coercion? by P(0)(!P(k)+P(k+1)) · · Score: 5, Interesting
    From a related article:
    > Vista driver developers must obtain a Publisher Identity Certificate (PIC) from Microsoft. This costs $500 [EUR 412] per year, and as the name implies, is only available to commercial entities.
    Does this amount to indirect coercion? In XP, if I remember, unsigned drivers were allowed to run unhindered with loud information dialogs.
    1. Re:Coercion? by perlchild · · Score: 5, Insightful

      It does contribute to fighting open source, any way you look at it. I'm using a tap driver from the openvpn project, it isn't signed, and I don't know for sure, but I don't remember openvpn being a commercial entity. However, I'm not current enough in vista to know if they couldn't just get out of the kernel, and move to user-space for the required features.

    2. Re:Coercion? by geekoid · · Score: 4, Insightful

      Interesting.

      Independent developers should sue. MS is completely locking them out of the platform.

      Developers.Developers.developers. Indeed...

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Coercion? by Tackhead · · Score: 5, Interesting
      > By allowing only signed drivers it will make it harder for root kit crackers. I don't think there are many volunteers that write device drivers for Windows in the first place, so the requirement that only companies can get a Publisher Identity Certificate is not that big a loss. The cost of $500 a year is not much for a company, anyway.

      The cost of $500 a year is also not much for the Russian mob, or any other bunch of fuckweasels that want to sponsor the creation of a rootkit.

    4. Re:Coercion? by Keith+Russell · · Score: 4, Interesting

      Nothing has changed for user-mode drivers. You'll still get the same old nagging wave-through dialog for unsigned drivers, now with added UAC screen flickering.

      Signatures are only required for kernel-mode drivers. In 64-bit Vista, it's a hard limit: No signature, no load, period. In 32-bit, you'll get the same UAC/nag dialog as user-mode drivers. The only time you'll be affected by the lack of signatures in 32-bit Vista is when you try to play back all those awesome Blu-Ray and HD-DVD movies you've been clamoring for on your shiny new HDCP-compliant flat panel monitor. </sarcasm>

      Reminder: Video drivers are user-mode in Vista.

      --
      This sig intentionally left blank.
    5. Re:Coercion? by Aladrin · · Score: 5, Insightful

      I totally disagree. You are assuming they have a commercial application in mind. What about someone who wants to write drivers for their new hardware they just built by hand? They shouldn't be required to go through this.

      It doesn't matter, though, because if you make it too hard to write software for Windows, people will stop. They'll find another platform that is more enticing to them. It won't happen immediately, of course. But it'll happen.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    6. Re:Coercion? by mrchaotica · · Score: 4, Insightful
      > By allowing only signed drivers it will make it harder for root kit crackers.

      Yeah, but it will also make it harder for people making tools to preserve Fair Use (DVD and HD-disc ripping programs, no-CD cracks for games, etc.). This is a Bad Thing.

      I'll keep my Fair Use and take my chances with the rootkits, thankyouverymuch!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    7. Re:Coercion? by Anonymous Coward · · Score: 3, Informative

      Vista allows you to turn this protection off. The guy making his own hardware can turn it off while he's developing and then buy a license later if he wants to distribute it to others.

    8. Re:Coercion? by HiThere · · Score: 3, Insightful

      What *I* wonder is "How long 'til they 'inadvertently' disable some company's cert for a product that just happens to compete with one of theirs?"

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    9. Re:Coercion? by Jugalator · · Score: 3, Interesting

      If the OpenVPN drivers aren't signed, they may not install whatsoever on Windows Vista 64-bit. Vista 64 will simply not accept unsigned kernel-mode drivers at all anymore. I believe XP did, just after having displayed a dialog box with a lot of bolded text in it. I'm not sure what will happen as for Vista 32-bit.

      The information here also tells that drivers that load at boot time must contain a digital signature (I'm talking regardless of 32/64-bit platform now). There's also other cases where a signature is required, and in all these cases it has to be from an authority "Windows trusts" (read: Microsoft).

      While this "combats open source", it's really just the certification authority where "money = trustworthiness" stupidity applied all over. They made VeriSign et al. grow big, and now Microsoft will try to grow big(ger) using the same idea. Microsoft will defend themselves by saying that they can't let just about any authority without insight into how Windows works and lacking Microsoft's guidance sign, because then they could sign code that did harm to Windows. I guess both are kind of right.

      --
      Beware: In C++, your friends can see your privates!
    10. Re:Coercion? by x_MeRLiN_x · · Score: 5, Informative

      Oh, but it will. You just have to press F8 during boot and select the appropriate option in order to install unsigned drivers as I found out when installing my Creative 5.1 drivers.

    11. Re:Coercion? by Z34107 · · Score: 3, Informative

      Except in Vista, 99% of drivers DON'T reside and CAN NO LONGER reside in kernel space. Other than very special and limited applications (videocard drivers), most drivers are FORCED to be loaded in userspace.

      The system is more stable because a crappy printer driver won't blue-screen your system, and the printer driver (and others) achieve the same functionality they had in kernel space using the new Windows Driver Model.

      Although signing drivers costs $money, only companies like nVidia actually have to. The new DRM only protects kernel space, and the new kernel FORCES 99% OF ALL DRIVERS to reside in userspace. Kernel protection isn't a problem because most people can't put drivers there anyway.

      --
      DATABASE WOW WOW
  2. Not all drivers by Tony+Hoyle · · Score: 4, Interesting

    Minifilter drivers don't have to be signed (at least in RC1 which is the last version I tried). That of course means you can get into ring 0 with a loadable driver - all that's needed is admin rights.

    Modifying the kernel after that is just a matter of working out which bits (kill the code that checksums the binaries first, etc.)

    1. Re:Not all drivers by Viraptor · · Score: 3, Interesting

      *COUGH*pagefile attack*COUGH*
      No info about rc2 yet, but if they didn't want to correct it in rc1, then... who knows...

    2. Re:Not all drivers by hotdiggitydawg · · Score: 3, Funny

      That's a nasty cough you have there. I think you might've picked up a bug...

  3. Re:innovative by EvanED · · Score: 5, Insightful

    What makes Sony's legitimate but the ones from Rootkit.com not?

    If anything I would argue that rootkit.com is a more legit distribution mechanism than Sony.

  4. is Vista that fabled 8th generation OS? by 192939495969798999 · · Score: 5, Funny

    "From: (Blair P. Houghton)

    I predict that Eighth Generation computers
    will compile no programs, run no applications,
    and access no data. Instead they will be
    designed and tuned to give a continuously
    variable spectrum of elegant and precise
    error messages describing your failure to
    induce them to do so."

    Yay Vista!

    --
    stuff |
    1. Re:is Vista that fabled 8th generation OS? by ggalvao · · Score: 3, Funny

      Yay! One more barrier for open source free non-proprietary drivers to jump over!

  5. Updates? by phorm · · Score: 3, Insightful

    How exactly would it accomplish this properly though? Call home periodically to get a kernel hash? Have a built-in hash check? If you want to allow the kernel to be updatable (which at times, is necessary), then you are going to have to allow the kernel to be "tampered with" somehow. A crack, virus, or other program might just masquerade as a patch to allow the on-disk kernel to be modified.

    1. Re:Updates? by EvanED · · Score: 4, Informative

      Cryptographically secure signatures?

      You take a hash, and sign it with a private key. This is your signature. The loader then takes a hash of the file again. It also decrypts the signature with the public key. Compare the two. If they match, then the file hasn't been tampered with.

      Tampering with this requires:
      1. Tampering with the loader
      2. Tampering with the public key stored in the loader (really part of #1)
      3. Breaking MS's private key
      4. Producing another executable with the same hash

      1 and 2 are possible, but 3 and 4 are computationally hard. (The sun will have turned into a red giant long before the best-known algorithms have found a solution, even if the hash is the relatively "weak" MD5.)
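
      The publisher-side signing and loader-side check that EvanED describes, together with the legitimate-update case phorm asks about, worked through as an added example that is not from the original thread. It uses textbook RSA over a SHA-256 digest with two publicly known Mersenne primes as a toy key pair (insecure by construction, no padding) so it runs on the standard library alone; the "driver" images, and the names P, Q, sign, loader_verify and scenario, are constructed for this example.

```python
import hashlib

# Toy key pair built from two well-known Mersenne primes. Both are public
# knowledge, so anyone can derive D: this key is for illustration only.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                           # 648-bit modulus, larger than a SHA-256 digest
E = 65537                           # public exponent (embedded in the loader)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


def digest(image: bytes) -> int:
    """Hash the binary; the signature covers this value, not the file itself."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign(image: bytes, d: int = D, n: int = N) -> int:
    """Publisher side: hash the file and sign the hash with the private key."""
    return pow(digest(image), d, n)


def loader_verify(image: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Loader side: rehash the file, 'decrypt' the signature with the public
    key and compare the two digests. Only the public key lives in the loader."""
    recovered = pow(signature, e, n)
    return recovered == digest(image)


# Constructed stand-ins for a signed driver image and a vendor update to it.
DRIVER_V1 = b"NULL.SYS v1: " + bytes(range(64))
DRIVER_V2 = b"NULL.SYS v2: " + bytes(range(64, 128))


def scenario() -> dict:
    """Loader decisions for the cases raised in the thread."""
    sig_v1 = sign(DRIVER_V1)
    sig_v2 = sign(DRIVER_V2)
    # Something 'masquerading as a patch': one byte of the signed image changed on disk.
    tampered = bytearray(DRIVER_V1)
    tampered[20] ^= 0x01
    return {
        "genuine v1": loader_verify(DRIVER_V1, sig_v1),
        # A real update ships with its own signature, so no call-home or fixed
        # kernel hash is needed; the loader simply verifies the new file.
        "signed update v2": loader_verify(DRIVER_V2, sig_v2),
        # Any changed byte changes the digest, so the old signature no longer matches.
        "patched v1, old sig": loader_verify(bytes(tampered), sig_v1),
        # Reusing v1's signature on v2 fails for the same reason.
        "v2 with v1 sig": loader_verify(DRIVER_V2, sig_v1),
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:22s} -> {'load' if ok else 'refuse'}")
```

      Note that, as the replies below point out, the check is only as trustworthy as the loader holding E and doing the comparison.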

  6. Would be anti-DRM in the case of the Sony Rootkit by Anonymous Coward · · Score: 3, Insightful

    MS can't win for losing. Clearly the subversion of the kernel through rootkitting is a growing problem. If MS doesn't fix it, they get knocked for having no security. If they fix it, it is called DRM. Myself, I find Vista less than compelling. 2003 works just fine, but it seems some of the haters in the Slashdot crowd will see anything MS does as bad. They are finally getting their act together on not running everything as root and they even get knocked for that.

  7. Quis custodiet ipsos custodes by megaditto · · Score: 5, Insightful

    Cracking such a thing is trivial once you answer the question who watches the watchman?

    As Apple just learned with their TPM kernel extension, all that hackers need to do is replace the binary that verifies all other binaries, and the "goodies" are up for grabs.

    --
    Obama likes poor people so much, he wants to make more of them.
    1. Re:Quis custodiet ipsos custodes by nine-times · · Score: 3, Informative

      The project is sometimes referred to as OSX86, I think. They release updates just about every time Apple has a major update, and at least very recently you could get a version of OSX that could run on generic x86 hardware, at the same version as what's available on Macs.

      From what I understand, the difficulty of all this really isn't replacing the kernel, but more like ensuring there are good drivers for non-Apple hardware. In any event, the situation seems very different to me, between Apple locking OSX to Apple hardware and Microsoft locking the kernel in general.

    2. Re:Quis custodiet ipsos custodes by dreamlax · · Score: 3, Interesting

      At some time during execution of the validation process, the CPU computes a yes or no answer based on a number of bytes of input. Whether or not there is a validator for the validator is not known, but you can simply disassemble both of them, NOP out the entire validating sub-routine (or figure out which result is 'yes'), and voila. Well, it won't be this simple, the validation will probably be deliberately complicated, but the result is always the same, "no, not valid", or "yes, run it in kernel mode".

      Disassembling binaries isn't the nicest thing to do. I've done it once or twice to bypass software registration, it took me a long while (days). There are professionals out there, though, that do this sort of stuff as a hobby. For them, it may not be so difficult.

  8. Already broken by Blue Pill by TRS-80 · · Score: 5, Informative

    The kernel mode signed driver restriction has already been broken by Blue Pill. Full details are in the black hat presentation, but the basic gist is you force a driver (eg null.sys) to be swapped out to disk, overwrite a function in the copy in swap with your own code, then call that function. And now you're executing unsigned code in kernel space.

  9. Freedom is Slavery by orospakr · · Score: 3, Insightful

    The very idea of running software on my own equipment that considers me an enemy just doesn't sit at all well.

    That, and I really like the Free Software TUN/TAP driver for Windows.

  10. Re:innovative by ultranova · · Score: 4, Insightful

    > Sony were just trying to protect their business assets from piracy - albeit in a rather misguided manner. Whereas most of the users of sites like rootkit.com are black hat hackers looking for something to put in their next spambot trojan.

    But aren't most spambot trojans business assets? After all, spam makes money - that's why spammers bother - so rootkits are business assets for blackhat hackers, even more so than they are for Sony.

    No, these poor hackers are simply trying to protect their right to profit - just like Sony. And if that means taking the control of the computer away from its owner, well, surely you agree that that's a small price to pay to ensure that those damn users aren't depriving them of those profits, right? Sony certainly seems to...

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  11. Ummm, hello? by finkployd · · Score: 4, Insightful

    This is not new (at least the concept) at all. We have been talking about this for years now. What do you think trusted computing (palladium) is? This has always been the "good" side of the TCPA coin, media DRM being the "bad" side.

    Finkployd

  12. Many classes of software are affected by yeremein · · Score: 5, Informative

    This isn't just about supporting hardware. Several types of programs require kernel-mode drivers. Off the top of my head...

    Installable file systems
    Loopback mounts
    Volume encryption
    Rootkit detection
    Packet sniffing
    VPN software

    I'm sure there are others. Vista's code signing requirement will make it difficult for any open-source program to do any of the things listed above. Large OSS projects backed by a company will probably be able to get a certificate from Microsoft and sign official builds, but third parties will be unable to modify and redistribute binaries, which is counter to the spirit of open source. I'm sure this is not an accident. Smaller OSS projects (such as installable file systems for ext3 or reiser) will most likely just disappear.

    1. Re:Many classes of software are affected by shmlco · · Score: 4, Interesting

      So? Half the things you mention are also things viruses and trojans do for a living, and unfortunately users tend to approve any message generated by the system, "Are you sure you want to install the game you just downloaded?"

      It's easy to shit on an idea, but the core components of a system need to be protected somehow, and while I hear a lot of whining what I DON'T hear is anyone offering a better solution to the problem.

      If someone really wants to build one of the things you mention then they'll pay the freight. And Vista isn't open source.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  13. Re:Get real by TemporalBeing · · Score: 3, Insightful
    > Fight a battle you have a chance to win, and stop dreaming that unsigned platforms have a future. Without someone certifying that a platform is secure, businesses are going to stop using them. Eventually client nodes that aren't certified won't be able to do much useful, either.

    Unsigned platforms only have the kind of future you say if WE permit them to have that future. I, for one, will not allow that in my own household, nor any company that I start. There are better ways to deal with security and issues of such a nature.

    > Why would such a hacker go through the pain of Win32 driver development instead of Linux drivers anyhow?

    Because the target systems - even if in minority - only run Windows. For example, a small company writing drivers for an in-house server set. If they were concerned with security and cared about driver signing and such, then (a) they may not be able to afford getting the stuff from MS, and (b) they may not be able to turn off driver signing for the systems that will actually be using the drivers.

    I wouldn't be surprised if domain policies were added to disable individual users from turning off driver signing - if that did happen, then there goes a lot of corporate R&D developers to the pot with not being able to develop drivers even for proof of concept stuff.

    And yes, a lot of corporate companies won't buy something like this without first having some kind of proof of concept that what they are trying to accomplish with it works first. If their corporate governance decides they can't turn off driver signing - perhaps they are in the wrong division/etc but still need to do it - then they could be screwed. And the project won't happen.

    Like it or not, there are valid reasons for removing this kind of DRM. It does cut out parties that could otherwise develop for you, and it can hurt pretty badly. This is undercutting a lot of the potential developers for MS. Now that might mean a greater groundswell towards Linux, Mac, or something else, but it does hurt 3rd party developers and it does use their monopoly power in a wrong way that will disadvantage the industry.
    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  14. Re:HMmmmm by I'm+Don+Giovanni · · Score: 3, Informative

    > What is to keep Microsoft or whoever from just saying nope, your driver isn't good enough?

    Nothing. Go to another signing-company, then.
    I don't know about Vista, but XP has multiple root-certs from well-known signing companies pre-installed (verisign, etc). Pick one of them. If they all think that your driver "isn't good enough", then it probably isn't. BTW, "not good enough" usually means that they think the code in question is malware (in which case it's *good* that it be rejected) or piracy-ware (which would piss off the "information wants to be free" types) of some sort.

    The other main reason for sigs is to ensure that a driver that you obtain wasn't mucked with. For example, if you download an ATI driver from some site and that driver has malware inserted into it, it likely won't have a digital sig, or at least not one that matches the driver or is valid, so it won't run.

    --
    "I never gave these stories much credence." - HAL 9000
  15. Re:Get real by LeBoomer · · Score: 4, Insightful

    No, an idiot is someone that thinks giving MS $500 and their rootkit-altering driver is a good way to make money. If MS doesn't find anything suspicious, your credit trail will certainly be easy enough to follow. Unless you think sending them $500 cash in an envelope with no return address will get the job done...

  16. Re:Get real by AcidLacedPenguiN · · Score: 3, Insightful
    > The $500 does, however, ensure that there won't be any open source Windows drivers.

    Bullshit! I see small communities of gamers all pitching in to buy gaming servers. I see donation based internet radios http://soma.fm/ start and survive off community donations. In fact I think the last time I went to the Ubuntu site I saw a donate http://www.ubuntu.com/donations button. I highly doubt that the $500 signing pricetag is going to doom the open source communities. I think the only communities this will lock out is the open sores community, and I for one wouldn't mind that at all.
    --
    disclaimer: I've been known to store numbers in my ass for which to dig out when quantities are required.
  17. It isn't that hard by gillbates · · Score: 3, Insightful

    > Compare the two. If they match, then the file hasn't been tampered with... Tampering with this requires...

    No, all that is required is to copy one key over the other in memory. Alternatively, one could modify a single comparison instruction in the loader. Then the match occurs, and the code will be allowed to load.

    This is well within the range of an experienced hacker:

    1. Disassemble the loader
    2. Modify the assembly code so that the comparison is always true (JNE -> NOP, or other suitable instruction)
    3. Reassemble the loader and replace it on the filesystem.
    4. Note that all of these could be done without Windows' consent if the filesystem is mounted using Linux, or other suitably advanced OS.
    --
    The society for a thought-free internet welcomes you.