Slashdot Mirror


Vista DRM Prevents Kernel Tampering

mjdroner writes "A ZDNet blog reports on a new DRM feature for Vista that 'protects' the kernel from tampering. The blog quotes a Microsoft document: 'Code Integrity (CI) protects Windows Vista by verifying that system binaries haven't been tampered with by malicious code and by ensuring that there are no unsigned drivers running in kernel mode on the system.' The blog says that much of the DRM in Vista is simply a port from XP, but that this feature is new to the OS."

19 of 428 comments

  1. Coercion? by P(0)(!P(k)+P(k+1)) · · Score: 5, Interesting
    From a related article:
    Vista driver developers must obtain a Publisher Identity Certificate (PIC) from Microsoft. This costs $500 [EUR 412] per year, and as the name implies, is only available to commercial entities.
    Does this amount to indirect coercion? In XP, if I remember, unsigned drivers were allowed to run unhindered with loud information dialogs.
    1. Re:Coercion? by perlchild · · Score: 5, Insightful

      It does contribute to fighting open source, any way you look at it. I'm using a tap driver from the openvpn project, it isn't signed, and I don't know for sure, but I don't remember openvpn being a commercial entity. However, I'm not current enough in Vista to know if they couldn't just get out of the kernel, and move to user-space for the required features.

    2. Re:Coercion? by geekoid · · Score: 4, Insightful

      Interesting.

      Independent developers should sue. MS is completely locking them out of the platform.

      Developers.Developers.developers. Indeed...

      --
      The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Coercion? by Tackhead · · Score: 5, Interesting
      > By allowing only signed drivers it will make it harder for root kit crackers. I don't think there are many volunteers that write device drivers for Windows in the first place, so the requirement that only companies can get a Publisher Identity Certificate is not that big a loss. The cost of $500 a year is not much for a company, anyway.

      The cost of $500 a year is also not much for the Russian mob, or any other bunch of fuckweasels that want to sponsor the creation of a rootkit.

    4. Re:Coercion? by Keith+Russell · · Score: 4, Interesting

      Nothing has changed for user-mode drivers. You'll still get the same old nagging wave-through dialog for unsigned drivers, now with added UAC screen flickering.

      Signatures are only required for kernel-mode drivers. In 64-bit Vista, it's a hard limit: No signature, no load, period. In 32-bit, you'll get the same UAC/nag dialog as user-mode drivers. The only time you'll be affected by the lack of signatures in 32-bit Vista is when you try to play back all those awesome Blu-Ray and HD-DVD movies you've been clamoring for on your shiny new HDCP-compliant flat panel monitor. </sarcasm>

      Reminder: Video drivers are user-mode in Vista.

      --
      This sig intentionally left blank.
    5. Re:Coercion? by Aladrin · · Score: 5, Insightful

      I totally disagree. You are assuming they have a commercial application in mind. What about someone who wants to write drivers for their new hardware they just built by hand? They shouldn't be required to go through this.

      It doesn't matter, though, because if you make it too hard to write software for Windows, people will stop. They'll find another platform that is more enticing to them. It won't happen immediately, of course. But it'll happen.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    6. Re:Coercion? by mrchaotica · · Score: 4, Insightful
      > By allowing only signed drivers it will make it harder for root kit crackers.

      Yeah, but it will also make it harder for people making tools to preserve Fair Use (DVD and HD-disc ripping programs, no-CD cracks for games, etc.). This is a Bad Thing.

      I'll keep my Fair Use and take my chances with the rootkits, thankyouverymuch!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    7. Re:Coercion? by x_MeRLiN_x · · Score: 5, Informative

      Oh, but it will. You just have to press F8 during boot and select the appropriate option in order to install unsigned drivers as I found out when installing my Creative 5.1 drivers.

  2. Not all drivers by Tony+Hoyle · · Score: 4, Interesting

    Minifilter drivers don't have to be signed (at least in RC1 which is the last version I tried). That of course means you can get into ring 0 with a loadable driver - all that's needed is admin rights.

    Modifying the kernel after that is just a matter of working out which bits (kill the code that checksums the binaries first, etc.)

  3. Re:innovative by EvanED · · Score: 5, Insightful

    What makes Sony's legitimate but the ones from Rootkit.com not?

    If anything I would argue that rootkit.com is a more legit distribution mechanism than Sony.

  4. is Vista that fabled 8th generation OS? by 192939495969798999 · · Score: 5, Funny

    "From: (Blair P. Houghton)

    I predict that Eighth Generation computers
    will compile no programs, run no applications,
    and access no data. Instead they will be
    designed and tuned to give a continuously
    variable spectrum of elegant and precise
    error messages describing your failure to
    induce them to do so."

    Yay Vista!

  5. Quis custodiet ipsos custodes by megaditto · · Score: 5, Insightful

    Cracking such a thing is trivial once you answer the question who watches the watchman?

    As Apple just learned with their TPM kernel extension, all that hackers need to do is replace the binary that verifies all other binaries, and the "goodies" are up for grabs.

    --
    Obama likes poor people so much, he wants to make more of them.
  6. Re:Updates? by EvanED · · Score: 4, Informative

    Cryptographically secure signatures?

    You take a hash, and sign it with a private key. This is your signature. The loader then takes a hash of the file again. It also decrypts the signature with the public key. Compare the two. If they match, then the file hasn't been tampered with.

    Tampering with this requires:
    1. Tampering with the loader
    2. Tampering with the public key stored in the loader (really part of #1)
    3. Breaking MS's private key
    4. Producing another executable with the same hash

    1 and 2 are possible, but 3 and 4 are computationally hard. (The sun will have turned into a red giant long before the best-known algorithms have found a solution, even if the hash is the relatively "weak" MD5.)
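The hash-then-sign chain described in this comment, and the "replace the verifier" point made in comment 5 above, as an added example that is not part of the original thread or of any Microsoft code. It uses only Go's standard library and stands in for the real Code Integrity path with a deliberately reduced model: the "driver image" is a constructed byte string rather than a PE file, the hash is SHA-256 rather than the Authenticode digest, and the "loader" is a struct holding one embedded public key instead of a certificate chain. The four tampering paths from the comment are walked through in order: an untouched image with the vendor signature loads; a one-byte change to the image is rejected (path 4 would require a second preimage); an attacker re-signing with their own key is rejected (path 3 would require the vendor's private key); and an attacker who can already rewrite the loader's embedded key (paths 1 and 2) gets their forged signature accepted. All key and function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Loader models the part of the OS that decides whether a kernel-mode
// image may load. trustedKey stands in for the public key (really a
// certificate chain) compiled into the real loader; it is the field that
// tampering paths 1 and 2 in the comment go after.
type Loader struct {
	trustedKey *rsa.PublicKey
}

// signImage plays the publisher: hash the image, then sign the hash with
// the private key. The signature travels alongside the image.
func signImage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify plays the loader: rehash the image as presented on disk and check
// that the signature over that hash was produced by the trusted key.
func (l *Loader) Verify(image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return rsa.VerifyPKCS1v15(l.trustedKey, crypto.SHA256, digest[:], sig) == nil
}

// Scenarios runs the four cases and reports whether each image would load.
func Scenarios() (genuine, tampered, forged, swapped bool, err error) {
	// vendorKey stands in for the key behind the OS's root of trust.
	vendorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// attackerKey is what a rootkit author has instead (path 3 is stealing vendorKey).
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}

	// Constructed sample "driver image"; not a real PE file.
	image := []byte("MZ constructed sample driver image: nothing here is real machine code")
	sig, err := signImage(vendorKey, image)
	if err != nil {
		return
	}

	loader := &Loader{trustedKey: &vendorKey.PublicKey}

	// Case 1: untouched image, vendor signature. Loads.
	genuine = loader.Verify(image, sig)

	// Case 2: flip one byte of the image, keep the vendor signature.
	// Rejected: the rehash no longer matches the signed hash (path 4).
	tamperedImage := append([]byte(nil), image...)
	tamperedImage[len(tamperedImage)/2] ^= 0x01
	tampered = loader.Verify(tamperedImage, sig)

	// Case 3: attacker signs the tampered image with their own key.
	// Rejected: the loader only trusts vendorKey (path 3).
	attackerSig, err := signImage(attackerKey, tamperedImage)
	if err != nil {
		return
	}
	forged = loader.Verify(tamperedImage, attackerSig)

	// Case 4: attacker can already overwrite the loader, so they replace the
	// embedded key with their own (paths 1 and 2). The same forged signature
	// now verifies, which is why the verifier itself is the real target.
	subverted := &Loader{trustedKey: &attackerKey.PublicKey}
	swapped = subverted.Verify(tamperedImage, attackerSig)
	return
}

func main() {
	genuine, tampered, forged, swapped, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v forged=%v loader-key-swapped=%v\n",
		genuine, tampered, forged, swapped)
}
```

The point of case 4 is that the signature math is never what breaks: once an attacker has write access to the component that holds the trusted key, or can patch the comparison out entirely, every downstream check inherits that trust. That is the gap the minifilter and Blue Pill comments in this thread are describing from the other side.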

  7. Already broken by Blue Pill by TRS-80 · · Score: 5, Informative

    The kernel mode signed driver restriction has already been broken by Blue Pill. Full details are in the Black Hat presentation, but the basic gist is you force a driver (e.g. null.sys) to be swapped out to disk, overwrite a function in the copy in swap with your own code, then call that function. And now you're executing unsigned code in kernel space.

  8. Re:innovative by ultranova · · Score: 4, Insightful

    > Sony were just trying to protect their business assets from piracy - albeit in a rather misguided manner. Whereas most of the users of sites like rootkit.com are black hat hackers looking for something to put in their next spambot trojan.

    But aren't most spambot trojans business assets? After all, spam makes money - that's why spammers bother - so rootkits are business assets for blackhat hackers, even more so than they are for Sony.

    No, these poor hackers are simply trying to protect their right to profit - just like Sony. And if that means taking control of the computer away from its owner, well, surely you agree that that's a small price to pay to ensure that those damn users aren't depriving them of those profits, right? Sony certainly seems to...

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  9. Ummm, hello? by finkployd · · Score: 4, Insightful

    This is not new (at least the concept) at all. We have been talking about this for years now. What do you think trusted computing (palladium) is? This has always been the "good" side of the TCPA coin, media DRM being the "bad" side.

    Finkployd

  10. Many classes of software are affected by yeremein · · Score: 5, Informative

    This isn't just about supporting hardware. Several types of programs require kernel-mode drivers. Off the top of my head...

    Installable file systems
    Loopback mounts
    Volume encryption
    Rootkit detection
    Packet sniffing
    VPN software

    I'm sure there are others. Vista's code signing requirement will make it difficult for any open-source program to do any of the things listed above. Large OSS projects backed by a company will probably be able to get a certificate from Microsoft and sign official builds, but third parties will be unable to modify and redistribute binaries, which is counter to the spirit of open source. I'm sure this is not an accident. Smaller OSS projects (such as installable file systems for ext3 or reiser) will most likely just disappear.

    1. Re:Many classes of software are affected by shmlco · · Score: 4, Interesting

      So? Half the things you mention are also things viruses and trojans do for a living, and unfortunately users tend to approve any message generated by the system, "Are you sure you want to install the game you just downloaded?"

      It's easy to shit on an idea, but the core components of a system need to be protected somehow, and while I hear a lot of whining what I DON'T hear is anyone offering a better solution to the problem.

      If someone really wants to build one of the things you mention then they'll pay the freight. And Vista isn't open source.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  11. Re:Get real by LeBoomer · · Score: 4, Insightful

    No, an idiot is someone that thinks giving MS $500 and their rootkit-altering driver is a good way to make money. If MS doesn't find anything suspicious, your credit trail will certainly be easy enough to follow. Unless you think sending them $500 cash in an envelope with no return address will get the job done...