Vista DRM Prevents Kernel Tampering

mjdroner writes "A ZDNet blog reports on a new DRM feature for Vista that 'protects' the kernel from tampering. The blog quotes a Microsoft document: 'Code (CI) protects Windows Vista by verifying that system binaries haven't been tampered with by malicious code and by ensuring that there are no unsigned drivers running in kernel mode on the system.' The blog says that much of the DRM in Vista is simply a port from XP, but that this feature is new to the OS."

Coercion?

[P(0)(!P(k)+P(k+1))]

From a related article [osnews.com]:

Vista driver developers must obtain a Publisher Identity Certificate (PIC) from Microsoft. [] This costs $500 [EUR 412] per year, and as the name implies, is only available to commercial entities.

Does this amount to indirect coercion? In XP, if I remember, unsigned drivers were allowed to run unhindered with loud information dialogs.

Not all drivers

[Tony Hoyle]

Minifilter drivers don't have to be signed (at least in RC1 which is the last version I tried). That of course means you can get into ring 0 with a loadable driver - all that's needed is admin rights.

Modfying the kernel after that is just a matter of working out which bits (kill the code that checksums the binaries first, etc.)

Installing lockout under the guise of security.

[rs232]

"if unsigned code is allowed to load you won't be able to play protected high-definition multimedia content"

How Wonderful

[the linux geek]

This unsigned driver "feature" is causing hell for those using the x64 version of Vista, which has abysmal driver compatibility. Nobody can now install 32-bit drivers.

Re:Not all drivers

[Viraptor]

*COUGH*pagefile attack [blogspot.com]*COUGH*
No info about rc2 yet, but if they didn't want to correct it in rc1, then... who knows...

Re:Updates?

[qbwiz]

Microsoft could sign patches with their private key, then include the public key in Windows to let them check that. AFAIK, they do that with the Xbox 360 and some other stuff already. The hard part will be making sure that the part that does the validation hasn't been cracked already - Apple is having problems doing that, and they even have a combined hardware/software solution.

Re:Coercion?

[Tackhead]

> By allowing only signed drivers it will make it harder for root kit crackers. I don't think there are many voluntaires that write device drivers for Windows in the first place, so the requirement that only companies can get a Publisher Identity Certificate is not that big a loss. The cost of $500 a year is not much for a company, anyway.

The cost of $500 a year is also not much for the Russian mob, or any other bunch of fuckweasels that want to sponsor the creation of a rootkit.

Re:Coercion?

[Keith Russell]

Nothing has changed for user-mode drivers. You'll still get the same old nagging wave-through dialog for unsigned drivers, now with added UAC screen flickering.

Signatures are only required for kernel-mode drivers. In 64-bit Vista, it's a hard limit: No signature, no load, period. In 32-bit, you'll get the same UAC/nag dialog as user-mode drivers. The only time you'll be affected by the lack of signatures in 32-bit Vista is when you try to play back all those awesome Blu-Ray and HD-DVD movies you've been clamoring for on your shiny new HDCP-compliant flat panel monitor. </sarcasm>

Reminder: Video drivers are user-mode in Vista.

Re:Coercion?

[RingDev]

Except for the fact that MS can revoke that certificate at any time. If any malicious code hits the web with your cert, they pull the cert and the malicious code is rendered worthless. Of course, so is any non-malicious code under that cert. I wonder what kind of protections go into that cert to prevent spoofing.

-Rick

Re:Optimism

[Tony Hoyle]

In the case of the xbox it was a fairly closed system with harcoded BIOS support for the DRM and custom hardware.

There are PCs with TPM chips that are at that level now but they're still fairly rare - in general a PC is still an open architecture.

Get real

[msobkow]

The only unsigned driver I have ever seen was for an old Voodoo board.

The last time I met anyone who was using custom hardware was around 1985-6, a sound board that plugged into a C-64.

If you can't use your old hardware with Vista, then don't run Vista. New hardware shipping with Vista will be able to run it.

As a security-conscious programmer with a lot of corporate development history, I support Vista's blocking of non-signed drivers 100%. It's actually the first time I've agreed with Microsoft's plans and features since suffering the pains of Windows 3.1 development and support.

Maybe it's time for the idealists to get real about security issues. They see DRM as preventing them from experimenting; the vast majority of government, corporate, and home users either don't care or see it as a benefit that provides more protection from crackers, viruses, rootkits, etc. Even OpenSuSE has a similar enforcement option for verifying binaries, and I doubt it'll be too long before bigger commercial OS vendors do the same.

Fight a battle you have a chance to win, and stop dreaming that unsigned platforms have a future. Without someone certifying that a platform is secure, businesses are going to stop using them. Eventually client nodes that aren't certified won't be able to do much useful, either.

I object more to the use of products like Entrust web sign-in that ignores the security provisions of products like Java sandboxing, artificially blocking clients unless they are running a paid-for commercial OS from Microsoft or Apple. (Try registering with http://www.gc.ca/main_e.html [www.gc.ca] for a "My Government Account" with Linux or even with Firefox under WinXP Pro.)

There is no reason for such an artificial blockage of client access, and that worries me a hell of a lot more than whether a couple dozen hackers can run custom drivers for their own hardware. Why would such a hacker go through the pain of Win32 driver development instead of Linux drivers anyhow?

Re:Coercion?

[Jugalator]

If the OpenVPN drivers aren't signed, they may not install whatsoever on Windows Vista 64-bit. Vista 64 will simply not accept unsigned kernel-mode drivers at all anymore. I believe XP did, just after having displayed a dialog box with a lot of bolded text in it. I'm not sure what will happen as for Vista 32-bit.

The information here [microsoft.com] also tell that drivers that load at boot time must contain a digital signature (I'm talking regardless of 32/64-bit platform now). There's also other cases where a signature is required, and in all these cases it has to be from an authority "Windows trusts" (read: Microsoft).

While this "combats open source", it's really just the certification authority where "money = trustworthiness" stupidity applied all over. They made VeriSign et al. grow big, and now Microsoft will try to grow big(ger) using the same idea. Microsoft will defend themselves with that they can't let just about any authority without insight in how Windows works and lacking Microsoft's guidance to sign because then they could sign code that did harm to Windows. I guess both are kind of right.

Re:Many classes of software are affected

[shmlco]

So? Half the things you mention are also things viruses and trojans do for a living, and unfortunately users tend to approve any message generated by the system, "Are you sure you want to install the game you just downloaded?"

It's easy to shit on an idea, but the core components of a system need to be protected somehow, and while I hear a lot of whinning what I DON'T hear is anyone offering a better solution to the problem.

If someone really wants to build one of the things you mention then they'll pay the frieght. And Vista isn't open source.

Re:Quis custodiet ipsos custodes

[Doctor Memory]

Funny how much better your searching goes when you know the right keywords! Not only do they talk about running recent builds on non-Apple hardware, they tell you how to do the same [insanelymac.com]!

Re:Coercion?

[l33t_f33t]

This reeks of a anti-trust violation to me.

Re:Get real

[Anonymous Coward]

If you think that for $500 Microsoft will decompile your kernel driver and check it for well-hidden backdoors, then you're the fool. There's likely to be so many ways to game this "system" with social engineering, starting at setting up dummy companies and up to compromising programmers at existing companies. There's big money in compromising systems these days and this, at most, may slow down the occasional script kiddie but won't stop the guys who are really dangerous.

Re: I agree

[Anonymous Coward]

Hell no I'm not taking that bet! :) I'm with you on this. Microsoft would have to be retarded to do that. There's more money to be made from ensuring that everyone HAS a Microsoft OS than ensuring that everyone who has it has paid for it.

Along those lines, I wonder what would happen if Microsoft started making back versions of it's OS free? So, Windows95/98 would be free now, and Windows2000/XP would be free once Vista came out. Sure it would slow adoption to some degree... but I've never seen numbers about the number of sales that Microsoft gets for its OS straight out of retail boxes in the stores compared to pre-installs on Dell/HP, etc. If they have enough clout (which they do) to force Dell and the rest to sell new computers with Vista, they'd STILL have a huge base of Vista installs out there soon (since some people WILL pay for Vista anyway), and then everyone else using Windows could upgrade (should they choose) to 2K/XP for free. This would help them end support for older versions and it would expand their market share even more.

Aside from the fact that I'm guessing the odds of that ever happening are approximately nil, what do people think about it, conceptually?

Re:Quis custodiet ipsos custodes

[dreamlax]

At some time during execution of the validation process, the CPU computates a yes or no answer based on a number of bytes of input. Whether or not there is a validator for the validator is not known, but you can simply disassemble both of them, NOP out the entire validating sub-routine (or figure out which result is 'yes'), and voila. Well, it won't be this simple, the validation will probably be deliberately complicated, but the result os always the same, "no, not valid", or "yes, run it in kernel mode".

Disassembling binaries isn't the nicest thing to do. I've done it once or twice to bypass software registration, it took me a long while (days). There are professionals out there, though, that do this sort of stuff as a hobby. For them, it may not be so difficult.

Meh.

[Money for Nothin']

What about the module that performs the verifcations (probably just a hash comparison, like Tripwire on *nix)? Suppose somebody conveniently inserts a JMP instruction to the location of the code following a successful verification, allowing the comparison binary to otherwise behave as if the check had succeeded (probably either terminating at that point or trying to perform another verification if a binary hash exists)?

(I personally don't grok x86 ASM well enough to do this. But some people do.)

As with privacy, the question is "who watches the watchers?"

Re:Coercion?

[Jeremi]

While this "combats open source", it's really just the certification authority where "money = trustworthiness" stupidity applied all over.

Indeed. How long will it be before some company gets a driver signed that (intentionally or not) allows arbitrary code to be executed as a subroutine in its 'trusted' context? As soon as that happens, they're back to square one...