Building security the right way

Sep 3, 2007 09:44 GMT  ·  By

With the 64-bit editions of Windows Vista, Microsoft introduced mandatory digital signatures for kernel-mode code. The stated aim was better security and stability through tighter control over which code is allowed into the kernel of the 64-bit editions of Vista and Windows Server 2008 (formerly codenamed Longhorn). According to Microsoft, "kernel-mode software must have a digital signature before it will load on x64-based computer systems. Boot-start drivers should contain an embedded signature. And certain configurations of x86 systems require kernel-mode software to have digital signatures to access next-generation premium content depending on content protection policy."

But is Microsoft on the right track with code signing? The obvious downside of driver signing and the certificates it depends on is that legacy drivers, and any other unsigned code for that matter, will no longer load into the kernel. Still, Russ Humphries, Microsoft senior product manager for Windows Vista security, insisted that driver signing is not primarily a security feature. "Driver signing provides a method to better identify the author/creator of a piece of software or code so that the author/creator can be approached in the event a reliability issue, vulnerability, or malware is discovered. Signing is not designed to confirm the 'intent' of signed code (i.e. good or bad), or whether exploitable bugs or malicious code is present. Malicious or exploitable kernel drivers can lead to system compromise beyond disabling of code signing controls, since kernel driver code has access to hardware as well as all programs running as the user," Humphries explained.

However, other members of the security industry argue that code signing is a simple and effective way to deliver security, especially when it is generalized to all executable files rather than kernel drivers alone. "With digital signatures we can 'detect' any kind of executable modifications, starting from the simplest and ending with those most complex, metamorphic EPO infectors as presented e.g. by Z0mbie. All we need to do (or more precisely the OS needs to do) is to verify the signature of an executable before executing it," said Joanna Rutkowska, CEO of Invisible Things Lab.

Of course, digital signatures on executable files are not a silver bullet. There is no panacea for security, and x64 Windows Vista's driver signing illustrated the point itself: workarounds for loading unsigned kernel code surfaced soon after the feature shipped and undermined it. "Does it mean we get a secure OS this way (with digital signatures for executable files)? Of course not! Digital signatures do not protect against malicious code execution, e.g. they can't stop an exploit from executing its shellcode. So why bother? Because certificates allow us to verify that what we have is really what we should have (e.g. that nobody infected any of our executable files). It's the first step in ensuring integrity of an OS," Rutkowska added.
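The check the two quotes above describe, verifying who signed a kernel image and whether it has been modified since, can be carried out on a running Windows host from user mode. The script below is an added example written for this page; it is not code from Microsoft, from Invisible Things Lab or from the article. It enumerates the kernel-mode drivers currently loaded, resolves each service's image path, and reports the Authenticode or catalog signature status together with the signer, which is exactly the information Humphries says signing exists to provide. The function name `Get-LoadedDriverSignature` and the helper `Resolve-DriverPath` are this example's own names; the cmdlets (`Get-CimInstance`, `Get-AuthenticodeSignature`) and the `Win32_SystemDriver` class are standard. Run it from an elevated Windows PowerShell 5.1 or later prompt.

```powershell
# Added example, not from the article: audit the signatures of every kernel-mode
# driver that is currently loaded. Requires an elevated prompt so every image is readable.

function Resolve-DriverPath {
    # Service image paths come in NT forms such as '\SystemRoot\System32\drivers\x.sys',
    # '\??\C:\...' or a path relative to %SystemRoot%; map them to Win32 paths.
    param([Parameter(Mandatory)][string]$RawPath)
    $p = $RawPath.Trim('"')
    if ($p -like '\??\*')              { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*')      { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LoadedDriverSignature {
    # One record per running kernel-mode driver (hypothetical function name for this example).
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) {
                # A loaded driver whose image is gone from disk deserves a look on its own.
                [pscustomobject]@{
                    Driver = $_.Name; Path = $path; Status = 'ImageMissing'
                    SignatureType = $null; Signer = $null
                }
                return
            }
            # Status values of interest:
            #   Valid        - signature chains to a trusted root and the hash still matches
            #   HashMismatch - the image was altered after signing (the infection case
            #                  Rutkowska describes is caught here)
            #   NotSigned    - no embedded or catalog signature at all
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Driver        = $_.Name
                Path          = $path
                Status        = $sig.Status
                SignatureType = $sig.SignatureType   # Authenticode (embedded), Catalog or None
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

$report = Get-LoadedDriverSignature

# Everything that did not verify cleanly: unsigned, tampered, untrusted chain or missing image.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Driver |
    Format-Table Driver, Status, SignatureType, Signer -AutoSize

# Who signed what: a quick census of the signers the kernel currently trusts.
$report | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Two caveats follow directly from the article. First, a `Valid` result says only that the image on disk is the one its signer produced; as Humphries notes, it says nothing about whether that driver is buggy or malicious, and as Rutkowska notes, it cannot tell you whether an exploit has already run shellcode inside the kernel without touching any file. Second, the script checks images on disk, not the code actually resident in memory, so a driver patched after loading still reports `Valid`; treat the output as an integrity baseline, not as proof that the kernel is clean.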

Rutkowska went further, arguing that polymorphic virus detection, heuristics and similar approaches are nothing but tricks and hacks, and illustrate how the security industry has gone down the wrong path instead of developing sound responses to the threat environment. "Security should not be built on tricks and hacks! Security should be built on simple and robust solutions. Oh, and we should always assume that the users are not stupid - building solutions to protect uneducated users will always fail," Rutkowska concluded.