Shutting down an ATI driver can potentially impact 50% of laptop users

Aug 9, 2007 11:24 GMT

We are now at the prologue of the 64-bit Windows Vista kernel onslaught saga, and Microsoft is facing a hard time ahead with the mandatory driver signing security mitigation introduced into the x64 editions of its latest operating system. Joanna Rutkowska, CEO of Invisible Things Lab, titled part of her recent Black Hat 2007 session in Las Vegas "Vista kernel protection, and why it doesn't work..."

"Digital signatures for kernel-mode software are an important way to ensure security on computer systems. Windows Vista relies on digital signatures on kernel mode code to increase the safety and stability of the Microsoft Windows platform. Even users with administrator privileges cannot load unsigned kernel-mode code on x64-based systems," Microsoft claims in the documentation associated with the digital signatures for kernel modules on systems running Windows Vista.

Rutkowska in turn presented her own perspective on mandatory driver signing: "Vista, like any other general purpose OS, contains hundreds of kernel drivers! Many of them are 3rd party drivers (e.g. graphics card). Many of them are poorly written?" She then demonstrated that the x64 Vista kernel could be made to load unsigned drivers, and even malicious code, via ATI and Nvidia graphics drivers.

Coming on the heels of the Atsiv tool, a utility designed to let developers load unsigned code into the 64-bit Vista kernel as a way of supporting legacy drivers, yet another program was made public that is also capable of bypassing Vista's kernel protection.

The Purple Pill "had embedded in it an ATI signed driver that would be dropped to disk and loaded (a similar approach to Atsiv). However it would appear that this signed driver contained a design error which allows you to use it to load any arbitrary driver even if they are not signed (similar functionality to Atsiv). You can imagine this came about due to a requirement to extend this core driver with arbitrary modules in ATI's design. However this has now come back and bitten them, and more so Microsoft, quite badly," explained Ollie Whitehouse, Architect, Symantec Advanced Threat Research Team.

The Purple Pill was subsequently taken down by Alex Ionescu, kernel developer, reverse engineer and Microsoft Student Ambassador. But unlike Atsiv, which used a proprietary driver certificate associated exclusively with the tool, the Purple Pill leverages an ATI driver. Microsoft has set up a driver certificate revocation infrastructure, but in this particular scenario revoking the certificate would impact an extensive number of customers.
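The dilemma above is about blast radius: a single signing certificate can sit behind many running kernel drivers, so revoking it breaks every machine that depends on one of them. An administrator can measure that dependency on their own fleet before a vendor or Microsoft acts. The PowerShell below is an added example written for this article, not a tool from Microsoft, ATI or any of the people quoted; it assumes PowerShell 3.0 or later on Windows, enumerates the running kernel drivers, verifies each file's Authenticode signature with the built-in `Get-AuthenticodeSignature` cmdlet, and groups the results by signer certificate thumbprint so that the "how many drivers would one revocation take out" question has a concrete answer.

```powershell
# Added example for this article (not vendor code): inventory running kernel
# drivers, check their Authenticode signatures, and count drivers per signer.
# Assumes PowerShell 3.0+ on Windows; run from an elevated prompt so every
# driver image under \Windows\System32\drivers is readable.

$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$results = foreach ($d in $drivers) {
    # PathName is reported in NT form (\??\C:\... or \SystemRoot\...);
    # normalise it to a filesystem path the cmdlets can open.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Driver     = $d.Name
        Path       = $path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Type       = $sig.SignatureType   # Embedded or Catalog (catalog support needs newer Windows/PowerShell)
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    }
}

# 1. Anything that is not Valid deserves a look: unsigned, tampered, or a chain
#    that no longer validates (for example because the signer was revoked).
Write-Host "== Drivers whose signature is not Valid =="
$results | Where-Object Status -ne 'Valid' |
    Format-Table Driver, Status, Type, Signer -AutoSize

# 2. Blast radius: how many running drivers hang off each signing certificate.
#    A signer with a large count is exactly the situation the article describes.
Write-Host "== Running drivers per signing certificate =="
$results | Where-Object Status -eq 'Valid' |
    Group-Object Thumbprint |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'Signer';     Expression = { $_.Group[0].Signer } },
        @{ Name = 'Thumbprint'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

On older PowerShell versions `Get-AuthenticodeSignature` only understands embedded signatures, so inbox drivers that are signed through a catalog file can show up as `NotSigned`; the `Type` column makes that case visible rather than silently inflating the first list. The second table is the one to read before trusting any "just revoke the certificate" advice: if the top signer covers a driver the machine needs to boot, the fix has to ship as re-signed drivers first, which is the sequence Whitehouse describes below.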

"Purple Pill doesn't use any certificate of mine or driver that I've written (or any other particular). In fact, Purple Pill uses a driver that is signed with a key that perhaps more than 50% of Vista users are currently depending on for their laptop to boot. If this key gets blacklisted, all those customers would end up with largely unusable systems," Ionescu stated.

"What should Microsoft do? Revoke a signing certificate for a hardware driver that's in 50 percent of laptops? Do nothing? Cry? Go to the pub? This will truly be like watching a mini soap opera slowly unfold. What ATI is probably going to have to do is get a new certificate, sign fixed versions of all their affected drivers, and release them via Windows Update. Only then can Microsoft get VeriSign to revoke the signing certificate," Whitehouse stated.