Friday, August 3, 2007

Vista kernel defenses defeated

It appears that a security feature present in the 64-bit edition of Windows Vista can be easily circumvented. One of the security provisions in this edition of Vista is that only digitally-signed code can be loaded into the kernel.

Well, until the arrival of a free utility from Australian developer LinchpinLabs, that is.

The idea behind allowing only digitally-signed code to run is that it would stymie rootkits, which involve loading driver code into the kernel to corrupt it from within and to cloak themselves.

According to researchers at Symantec, however, LinchpinLabs’ Atsiv renders this a moot point by using its own signed driver to load other, unsigned code into the Vista kernel.

Excerpt from Network World:

“[Atsiv’s] command line tool loads [its own] appropriate driver, which then in turn allows loading of unsigned drivers due to the implementation of their PE loader,” said Whitehouse [an architect with Symantec’s advanced threats research team]. “A side effect of using their own loader is noted by the authors in their design documentation: ‘Atsiv doesn’t add the driver to the PsLoadedModuleList so it is not visible in the standard drivers list.’”

The counter-argument from Atsiv’s creators at LinchpinLabs, identified only as “Dan” in the Network World article, is that Vista’s signing requirement doesn’t prevent malware but merely takes away the user’s freedom to choose what to load.

In fact, the excerpt below, from an article on rootkit.com titled Loading unsigned drivers on Vista, pulls no punches:

A signed file uniquely identifies the company that developed that file, but when companies can be created and registered in jurisdictions known for protecting the privacy of company founders and directors, you have to ask what driver signing actually represents. Signed drivers can be signed by an arbitrary legally registered company.

Absent any control over what the driver actually is or does, this provides no real additional security, other than removing author anonymity. So do the new Vista “features” improve system security or only impose limitations?

While driver signing certificates can be revoked, new certificates, with enough money, can be created faster than it takes to change a file’s signature. If this is indeed the case, then it is the hobbyist and home user that end up paying the cost.

I personally am of the view that Microsoft is really trying to improve its security record. Then again, if you are like me, you just ignore the warnings and install a driver anyway, even if it is not digitally-signed.