By Scott Dunn
To back up its claims that Windows Vista is “the safest version of Windows ever,” Microsoft requires developers to use digital signatures on all 64-bit drivers for Vista.
This requirement, far from making the new operating system safer, actually does little to stop hackers but may be partially responsible for a shortage of drivers that are needed by Vista users.
Why digital signing matters to you
To create a driver for the 64-bit version of Vista, a software developer first obtains a Class 3 software-publishing certificate from an approved Microsoft certificate authority (such as VeriSign). That certificate is then used to digitally “sign” the product, attaching an identifying signature to the driver. The certifying authority is supposed to require identification and do the necessary research to make sure the driver comes from a legitimate applicant.
Drivers often need to operate at what is called the kernel level — the very core of the operating system. The privileged nature of the kernel means that it needs special protection. Any compromise to the kernel can potentially bring down the entire system. Consequently, Microsoft is anxious to protect the kernel, especially since “rootkits” can use drivers and kernel-level software to hide from the operating system.
There’s another reason Microsoft is anxious to secure this key part of Vista, however. The company is promoting Digital Rights Management (DRM), which is used by copyright holders to restrict the use of content. Because Microsoft wants Vista positioned as a platform that is safe for protected content, it needs its operating system to stop hacker code from intercepting media streams. Software could, for example, redirect music from a PC’s sound card and send it to the hard disk instead.
How driver signing works
Digital signing seeks to make visible the source of kernel-mode software. If the 64-bit version of Vista determines that a 64-bit driver doesn’t have a signature from an accepted authority, the operating system will prevent it from loading.
But, of course, once a certificate is issued, it’s somewhat out of the hands of the trusted certificate authority. A vendor with a valid certificate could still produce buggy or malicious code using the certificate, or sell it to someone else who could. More likely, a stolen certificate could be published on the Web and used by hackers to produce their own brand of malware.
In theory, once such a compromise is discovered, Microsoft can revoke the certificate (which, in the case of a hardware driver, would disable all products from the certificate holder). This could be done via a Windows Update that tells Vista to block the signature in question.
The new world order of x64 Vista drivers
Microsoft has long encouraged the digital signing of software. Signed software is intended to let users know the source of a downloaded program. Users can then presumably decide whether it comes from a "trusted" source. Digital signing also lets Microsoft identify the developer of a program that has crashed, assuming users choose to send Microsoft an error report when the fault occurs.
With Windows Vista, Microsoft has taken advances in code-signing technology further, making digital signing a requirement in some cases. Here are just a few of the new driver-signing requirements (or "features," as Microsoft calls them) for Vista:
- Only administrators can install unsigned kernel-mode software.
- Kernel-mode software must be digitally signed in order to run in the 64-bit versions of Vista. Even administrators can’t load unsigned drivers in these versions.
- Driver software that loads at boot time must also have a digital signature.
- Software involved in the streaming of protected content also requires a digital signature.
- Hardware drivers must have digital signatures to pass Microsoft’s Windows Logo Program.
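As an added example, not from the article and not Microsoft's own tooling, the PowerShell script below is the defender-side counterpart of the loader check described under “How driver signing works” and of the requirements listed above: it enumerates the kernel-mode drivers registered on a machine, verifies each file's Authenticode signature, and reports which drivers are unsigned, fail validation, or carry a signer certificate that has lapsed. It assumes an elevated PowerShell session; the function names Resolve-DriverPath and Get-DriverSignatureReport are my own.

```powershell
# Added example (not from the article): audit the Authenticode signature state of the
# kernel-mode drivers registered with the Service Control Manager.
# Requires an elevated PowerShell session. Cmdlets used: Get-WmiObject, Get-AuthenticodeSignature.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may be an NT-style path (\??\C:\..., \SystemRoot\...,
    # or a path relative to system32); map it to a Win32 path the file cmdlets accept.
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    if (Test-Path -LiteralPath $p) { return (Resolve-Path -LiteralPath $p).Path }
    return $null   # driver binary not present on disk; skip rather than guess
}

function Get-DriverSignatureReport {
    # One record per registered driver whose binary can be located.
    $drivers = Get-WmiObject -Class Win32_SystemDriver
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path) { continue }
        # Get-AuthenticodeSignature verifies the embedded (or catalog) signature against
        # the machine's certificate stores. Status is one of Valid, NotSigned,
        # HashMismatch, NotTrusted, UnknownError, NotSupportedFileFormat, Incompatible.
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        New-Object -TypeName PSObject -Property @{
            Driver     = $d.Name
            State      = $d.State        # Running / Stopped
            StartMode  = $d.StartMode    # Boot / System / Auto / Manual / Disabled
            Path       = $path
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject }    else { $null }
            Expires    = if ($cert) { $cert.NotAfter }   else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        }
    }
}

$report = Get-DriverSignatureReport

# Drivers the signature check did not accept: unsigned, tampered, or untrusted chain.
Write-Host "Drivers without a valid Authenticode signature:"
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Driver |
    Format-Table Driver, State, StartMode, Status, Path -AutoSize

# Boot-start drivers deserve a separate look: the article notes these must be signed.
Write-Host "Boot-start drivers that are not validly signed:"
$report | Where-Object { $_.StartMode -eq 'Boot' -and $_.Status -ne 'Valid' } |
    Format-Table Driver, Status, Path -AutoSize

# Valid signatures whose signer certificate has since expired. A timestamped signature
# stays valid after expiry, so this is informational, but it shows which publishers'
# certificates are no longer current.
Write-Host "Validly signed drivers whose signer certificate has expired:"
$report | Where-Object { $_.Status -eq 'Valid' -and $_.Expires -and $_.Expires -lt (Get-Date) } |
    Format-Table Driver, Signer, Expires, Thumbprint -AutoSize
```

One caveat on reading the output: Get-AuthenticodeSignature applies the ordinary Authenticode trust check against the local certificate stores, not the kernel-mode code-signing policy enforced by the 64-bit loader (which additionally requires the chain to cross-sign to a Microsoft root). A driver reported as Valid here can therefore still be refused at load time, while NotSigned and HashMismatch results are reliable indicators that the loader would reject it on x64 Vista.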
Digital signing does nothing to stop hackers
Unfortunately, driver signing, as it is currently implemented by Microsoft, appears to be creating more obstacles for developers and customers than it is for hackers. Even before the final beta of Vista was released, the Black Hat Briefings hacking conference demonstrated how easily the driver-signing security could be defeated, as described in an eWeek article.
Vista’s release candidates didn’t fare much better. Researchers at India’s NV Labs were able to devise a product called Vbootkit that bypasses driver-signing protection in RC1 and RC2.
Finally, experts at Symantec’s Security Response Advanced Threat Research group recently announced in a PDF report that they had succeeded in disabling the new restrictions on 64-bit Vista after just one week of testing.
How digital signing burdens developers
If driver signing hasn’t been an impediment to serious hackers, it has been a roadblock for legitimate developers of Vista drivers. Obtaining the necessary certificate for digital signing reportedly costs US$500 per year (less if a developer signs a multi-year agreement). Once obtained, the certificate has to be kept secure, since a stolen and published certificate could be used by anyone to sign a driver.
Then there are the technical hurdles, such as those needed to meet Microsoft’s WHQL signing requirements. In a recent analysis of Windows’ content protection schemes, Peter Gutmann, researcher at the University of Auckland’s Department of Computer Science, writes, "The vast majority of drivers running on PCs today aren’t signed, not so much because the developers couldn’t be bothered, but because the WHQL process that produces the signed drivers is so slow that they’re obsolete by the time they’ve been approved by Microsoft (and even some of the WHQL-certified ones are still pretty flaky)."
Evidence of this situation isn’t hard to find. Complaints about the lack of sound, mouse, and video drivers for Vista — months after its Jan. 30 consumer release — are rife, including an APC Magazine article by James Bannan. One angry user, consultant Dan Goldman, has created a Web site advocating a class-action lawsuit against Nvidia and some of its partners for video drivers that claimed to be “Vista Ready Certified” and “Designed for Windows Vista.”
Similarly, the Techarp Web site reports that ATI shipped its Radeon X1950 GT graphics card with a "Windows Vista Certified" label on the box, despite the fact that it contained no Vista driver at all. The release notes admit that fact, in apparent contradiction to the box label.
Microsoft can do better than this
Microsoft cannot expect widespread adoption of its new operating system if users cannot depend on the availability of drivers to support the most popular hardware configurations. Nor will customers feel safe with Vista when experts continue to report how easy it is to poke holes in Microsoft’s new defenses. Users need to demand that Microsoft simply do its job better before releasing a new operating system, providing a stronger defense against hackers without placing undue burdens on developers.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.