Vista DRM Prevents Kernel Tampering
mjdroner writes "A ZDNet blog reports on a new DRM feature for Vista that 'protects' the kernel from tampering. The blog quotes a Microsoft document: 'Code (CI) protects Windows Vista by verifying that system binaries haven't been tampered with by malicious code and by ensuring that there are no unsigned drivers running in kernel mode on the system.' The blog says that much of the DRM in Vista is simply a port from XP, but that this feature is new to the OS."
Coercion? (Score:5, Interesting)
Not all drivers (Score:5, Interesting)
Modifying the kernel after that is just a matter of working out which bits (kill the code that checksums the binaries first, etc.)
Installing lockout under the guise of security. (Score:3, Interesting)
How Wonderful (Score:2, Interesting)
Re:Not all drivers (Score:3, Interesting)
No info about rc2 yet, but if they didn't want to correct it in rc1, then... who knows...
Re:Updates? (Score:3, Interesting)
Re:Coercion? (Score:5, Interesting)
The cost of $500 a year is also not much for the Russian mob, or any other bunch of fuckweasels that want to sponsor the creation of a rootkit.
Re:Coercion? (Score:5, Interesting)
Nothing has changed for user-mode drivers. You'll still get the same old nagging wave-through dialog for unsigned drivers, now with added UAC screen flickering.
Signatures are only required for kernel-mode drivers. In 64-bit Vista, it's a hard limit: No signature, no load, period. In 32-bit, you'll get the same UAC/nag dialog as user-mode drivers. The only time you'll be affected by the lack of signatures in 32-bit Vista is when you try to play back all those awesome Blu-Ray and HD-DVD movies you've been clamoring for on your shiny new HDCP-compliant flat panel monitor. </sarcasm>
Reminder: Video drivers are user-mode in Vista.
Re:Coercion? (Score:3, Interesting)
-Rick
Re:Optimism (Score:3, Interesting)
There are PCs with TPM chips that are at that level now but they're still fairly rare - in general a PC is still an open architecture.
Get real (Score:2, Interesting)
The only unsigned driver I have ever seen was for an old Voodoo board.
The last time I met anyone who was using custom hardware was around 1985-6, a sound board that plugged into a C-64.
If you can't use your old hardware with Vista, then don't run Vista. New hardware shipping with Vista will be able to run it.
As a security-conscious programmer with a lot of corporate development history, I support Vista's blocking of non-signed drivers 100%. It's actually the first time I've agreed with Microsoft's plans and features since suffering the pains of Windows 3.1 development and support.
Maybe it's time for the idealists to get real about security issues. They see DRM as preventing them from experimenting; the vast majority of government, corporate, and home users either don't care or see it as a benefit that provides more protection from crackers, viruses, rootkits, etc. Even OpenSuSE has a similar enforcement option for verifying binaries, and I doubt it'll be too long before bigger commercial OS vendors do the same.
Fight a battle you have a chance to win, and stop dreaming that unsigned platforms have a future. Without someone certifying that a platform is secure, businesses are going to stop using them. Eventually client nodes that aren't certified won't be able to do much useful, either.
I object more to the use of products like Entrust web sign-in that ignores the security provisions of products like Java sandboxing, artificially blocking clients unless they are running a paid-for commercial OS from Microsoft or Apple. (Try registering with http://www.gc.ca/main_e.html [www.gc.ca] for a "My Government Account" with Linux or even with Firefox under WinXP Pro.)
There is no reason for such an artificial blockage of client access, and that worries me a hell of a lot more than whether a couple dozen hackers can run custom drivers for their own hardware. Why would such a hacker go through the pain of Win32 driver development instead of Linux drivers anyhow?
Re:Coercion? (Score:4, Interesting)
The information here [microsoft.com] also tells that drivers that load at boot time must contain a digital signature (I'm talking regardless of 32/64-bit platform now). There are also other cases where a signature is required, and in all these cases it has to be from an authority "Windows trusts" (read: Microsoft).
While this "combats open source", it's really just the certification authority where "money = trustworthiness" stupidity applied all over. They made VeriSign et al. grow big, and now Microsoft will try to grow big(ger) using the same idea. Microsoft will defend themselves with that they can't let just about any authority without insight in how Windows works and lacking Microsoft's guidance to sign because then they could sign code that did harm to Windows. I guess both are kind of right.
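The loader policy sketched in the two comments above (a good signature from a trusted root loads; a missing or bad one is a hard block on 64-bit and for boot-start drivers, and only a warning dialog on 32-bit otherwise) as an added, runnable model. This is illustrative code written for this page, not Microsoft's Code Integrity implementation: it substitutes Ed25519 over a SHA-256 digest for Authenticode and an X.509 chain, the "trusted root" is a list of keys, and the driver images, names and the `Policy`/`Driver`/`Scenarios` identifiers are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Decision is what the loader does with a kernel-mode driver image.
type Decision int

const (
	Load   Decision = iota // signature verified against a trusted root: load silently
	Prompt                 // unverifiable, but policy only warns (the 32-bit nag dialog)
	Block                  // unverifiable and policy is hard: refuse to load
)

func (d Decision) String() string {
	return [...]string{"load", "prompt", "block"}[d]
}

// Driver is a constructed stand-in for a driver image plus its signature block.
type Driver struct {
	Name      string
	Image     []byte            // the code that would run in kernel mode
	Signer    ed25519.PublicKey // key claimed to have signed the image
	Signature []byte            // Ed25519 signature over SHA-256(Image); nil if unsigned
	BootStart bool              // loaded at boot, before user mode exists
}

// Policy models the rules described in the thread (assumption: keys stand in for a CA chain).
type Policy struct {
	Is64Bit bool
	Roots   []ed25519.PublicKey // the keys this kernel trusts (an "authority Windows trusts")
}

// verify checks that the signer is a trusted root and that the signature covers the image.
func (p Policy) verify(d Driver) error {
	if d.Signature == nil {
		return errors.New("no signature")
	}
	trusted := false
	for _, root := range p.Roots {
		if root.Equal(d.Signer) {
			trusted = true
			break
		}
	}
	if !trusted {
		return errors.New("signer is not a trusted root")
	}
	digest := sha256.Sum256(d.Image)
	if !ed25519.Verify(d.Signer, digest[:], d.Signature) {
		return errors.New("signature does not match image")
	}
	return nil
}

// Decide applies the policy: a good signature always loads; a bad or missing one is
// blocked on 64-bit or for boot-start drivers, and only prompted on 32-bit otherwise.
func (p Policy) Decide(d Driver) (Decision, error) {
	err := p.verify(d)
	if err == nil {
		return Load, nil
	}
	if p.Is64Bit || d.BootStart {
		return Block, err
	}
	return Prompt, err
}

// Sign produces a signed driver record the way a signing authority would.
func Sign(priv ed25519.PrivateKey, name string, image []byte, boot bool) Driver {
	digest := sha256.Sum256(image)
	return Driver{
		Name: name, Image: image, BootStart: boot,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Scenarios builds a few constructed drivers and returns the loader's decision for each.
func Scenarios(is64 bool) map[string]Decision {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // the trusted authority
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)      // a signer nobody cross-certified
	policy := Policy{Is64Bit: is64, Roots: []ed25519.PublicKey{rootPub}}

	good := Sign(rootPriv, "good.sys", []byte("mov eax, 1; ret"), false)

	tampered := good // same signature block, but the image has been patched
	tampered.Name = "tampered.sys"
	tampered.Image = append([]byte(nil), good.Image...)
	tampered.Image[0] ^= 0x01 // a one-bit change is enough to break the digest

	rogue := Sign(roguePriv, "rogue.sys", []byte("nop"), false)
	unsigned := Driver{Name: "unsigned.sys", Image: []byte("nop")}
	unsignedBoot := Driver{Name: "unsignedboot.sys", Image: []byte("nop"), BootStart: true}

	out := map[string]Decision{}
	for _, d := range []Driver{good, tampered, rogue, unsigned, unsignedBoot} {
		dec, _ := policy.Decide(d)
		out[d.Name] = dec
	}
	return out
}

func main() {
	for _, is64 := range []bool{false, true} {
		fmt.Printf("64-bit=%v\n", is64)
		for name, dec := range Scenarios(is64) {
			fmt.Printf("  %-18s %s\n", name, dec)
		}
	}
}
```

The point the model makes visible: the only thing that changes between the 32-bit and 64-bit columns is what happens on a verification failure, and a boot-start driver gets the hard policy on both. It also shows why the check is only as good as the root list: `rogue.sys` carries a perfectly valid signature and is still refused because its signer is not in `Roots`.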
Re:Many classes of software are affected (Score:5, Interesting)
It's easy to shit on an idea, but the core components of a system need to be protected somehow, and while I hear a lot of whining what I DON'T hear is anyone offering a better solution to the problem.
If someone really wants to build one of the things you mention then they'll pay the freight. And Vista isn't open source.
Re:Quis custodiet ipsos custodes (Score:3, Interesting)
Re:Coercion? (Score:2, Interesting)
Re:Get real (Score:1, Interesting)
Re: I agree (Score:1, Interesting)
Along those lines, I wonder what would happen if Microsoft started making back versions of its OS free? So, Windows95/98 would be free now, and Windows2000/XP would be free once Vista came out. Sure it would slow adoption to some degree... but I've never seen numbers about the number of sales that Microsoft gets for its OS straight out of retail boxes in the stores compared to pre-installs on Dell/HP, etc. If they have enough clout (which they do) to force Dell and the rest to sell new computers with Vista, they'd STILL have a huge base of Vista installs out there soon (since some people WILL pay for Vista anyway), and then everyone else using Windows could upgrade (should they choose) to 2K/XP for free. This would help them end support for older versions and it would expand their market share even more.
Aside from the fact that I'm guessing the odds of that ever happening are approximately nil, what do people think about it, conceptually?
Re:Quis custodiet ipsos custodes (Score:3, Interesting)
At some time during execution of the validation process, the CPU computes a yes or no answer based on a number of bytes of input. Whether or not there is a validator for the validator is not known, but you can simply disassemble both of them, NOP out the entire validating sub-routine (or figure out which result is 'yes'), and voila. Well, it won't be this simple, the validation will probably be deliberately complicated, but the result is always the same, "no, not valid", or "yes, run it in kernel mode".
Disassembling binaries isn't the nicest thing to do. I've done it once or twice to bypass software registration, it took me a long while (days). There are professionals out there, though, that do this sort of stuff as a hobby. For them, it may not be so difficult.
Meh. (Score:3, Interesting)
(I personally don't grok x86 ASM well enough to do this. But some people do.)
As with privacy, the question is "who watches the watchers?"
Re:Coercion? (Score:3, Interesting)
Indeed. How long will it be before some company gets a driver signed that (intentionally or not) allows arbitrary code to be executed as a subroutine in its 'trusted' context? As soon as that happens, they're back to square one...