Microsoft Is Defending x64 Windows Vista
Section: Windows | For your questions: KezNews forum | 3.8.2007
The 64-bit editions of Windows Vista have come under attack recently (read about it here and here), especially over the Kernel Mode Code Signing (KMCS) mitigation introduced in the x64 versions of the operating system.
Although Microsoft presented mandatory driver signing in 64-bit Vista as a fresh weapon against rootkits and as a way to keep unsigned code out of the operating system's core, Scott Field, Windows Security Architect, has acknowledged that the feature cannot by itself guarantee the kernel's protection. Kernel Mode Code Signing is not much of a security barrier on its own, and there are two main ways around it. Malicious code can be loaded into the x64 Vista kernel through a driver that carries a valid signature, whether the certificate behind it was obtained legitimately or by fraudulent means. In addition, the kernel can be compromised by exploiting bugs in signed but faulty drivers.
"The Kernel Mode Code Signing is not a security boundary, rather, it is only one aspect of a defense-in-depth approach to security. KMCS does not provide a means to determine the 'intent' of the signed code (i.e., good or bad); indeed, signed code may contain bugs, be of poor quality, or may be malicious in nature," stated Field. "A primary benefit of KMCS is that it provides a means to identify the author of a piece of code, which helps enable follow-up with the author to address crashes that are observed through mechanisms such as Microsoft Online Crash Analysis. Identifying the source and ownership of code that is loaded by the kernel is a fundamental component of the operating system and overall ecosystem trust model. Furthermore, this also provides better transparency to the end user in terms of origin of code that is installed and running on a system."
Still, Microsoft is prepared to deal with problems caused by code that reaches the kernel through a signed driver, whether that driver is faulty, legitimate but abused, or outright malicious. For this purpose the Redmond company maintains a kernel-mode revocation list of driver signing certificates, to which entries can be added as needed. "Currently, the kernel mode revocation list is loaded into memory, from disk, once per system boot. The kernel revocation list is checked when the operating system kernel code loads a kernel driver/module. There are several reasons for keeping the logic for this simple in kernel space – for example, constraints in the kernel runtime environment, as well as limiting the attack surface associated with the kernel loader. There are also other practical factors to consider, such as kernel drivers that have already been loaded cannot always be unloaded or removed safely on a running system," Field added.
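Added example, not taken from the Softpedia article or from Microsoft: a PowerShell script that lists the kernel drivers currently running and reports who signed each of them. It makes Field's point concrete: a signature status of Valid tells you which publisher the driver came from, and nothing about its quality or intent. The script assumes a modern Windows PowerShell (3.0 or later, for Get-CimInstance and the simplified Where-Object syntax); on Vista-era PowerShell 2.0 substitute Get-WmiObject and the script-block form of Where-Object.

```powershell
# Added example (not from the article): inventory running kernel drivers and show
# the publisher behind each Authenticode signature.
# Assumption: PowerShell 3.0+ on Windows; run in an elevated session so every
# driver file under System32 is readable.

$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # WMI reports PathName either as a plain path or with a \??\ or
    # \SystemRoot\ prefix; normalise it to something Test-Path understands.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Driver     = $d.Name
        Path       = $path
        Status     = $sig.Status    # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    }
}

# Anything that is not Valid deserves a look: on x64 with KMCS enforced such a
# driver should not normally have been loaded at all.
"--- Running drivers without a valid signature ---"
$report | Where-Object Status -ne 'Valid' | Format-Table Driver, Status, Path -AutoSize

# Group the valid ones by signer: this is the list of publishers whose code you
# are trusting in ring 0. KMCS vouches for the name, not for the code.
"--- Publishers of validly signed running drivers ---"
$report | Where-Object Status -eq 'Valid' |
    Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Two caveats when reading the output. Many Microsoft inbox drivers are signed through a catalog file rather than an embedded signature; Get-AuthenticodeSignature checks catalogs on Windows 8.1 and later, but on older systems those drivers show up as NotSigned even though the kernel accepted them. And a Valid result only means the chain validated on this machine against its current trust store and revocation data; it does not mean the driver is free of exploitable bugs, which is exactly the second bypass scenario the article describes.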
Source: news.softpedia.com
Comments (5)
How many genuine 64-bit programs do you really use? Most people will honestly answer none. It's a bloody nightmare trying to find drivers for 64-bit Windows. It's simply not worth the hassle. Plus, it's not as backwards compatible with 32-bit programs as people would like; in fact, 64-bit Windows seems like a step backwards.

It's true mate, I have Vista x64 but I have more problems with drivers than I have fun with the system itself..

"In Vista x64, any driver that is not properly signed will not be able to enter the kernel and will fail to load." "Think how many times you have ignored that warning that a certain hardware driver is not properly signed. With Vista x64, if your driver has not been blessed by Microsoft, it will not work. Forget about it."

While WHQL certified drivers are signed by Microsoft and thus will install perfectly fine, your driver does not need this in Windows Vista x64! Your driver does not need to "be blessed by Microsoft", at least not their hardware quality labs. You can also just get a VeriSign "Class 3 Commercial Software Publisher Certificate" and get a matching "Publisher Identity Certificate" from Microsoft. The VeriSign certificate will 'only' cost you $500.00 a year. So yes, unsigned drivers will not install and no open source developer will be able to afford the money for the certificate, but you don't really need Microsoft's blessing, an expensive VeriSign certificate will do fine.

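As an added illustration of the signing route this comment describes, and not code from the page, the commenter or Microsoft: the two signtool.exe steps that turn a commercial code-signing certificate plus the matching Microsoft cross-certificate into a driver the x64 kernel loader will accept, followed by a check against the kernel-mode policy. The certificate subject name, the cross-certificate file name and the timestamp URL are placeholders to be replaced with your own; signtool.exe itself ships with the Windows SDK / WDK.

```powershell
# Added example (not from the page): sign a driver for KMCS and verify it.
# Assumptions: signtool.exe is on PATH, the publisher certificate (with its
# private key) is in the current user's "My" store under the subject name
# below, and the cross-certificate file was downloaded from Microsoft.

$driver    = '.\mydriver.sys'          # placeholder driver binary
$publisher = 'Example Publisher Ltd'   # placeholder: subject name of your CA-issued cert
$crossCert = '.\MSCV-VSClass3.cer'     # placeholder: Microsoft cross-cert for your CA
$tsaUrl    = 'http://timestamp.example.test'  # placeholder timestamp service

# /ac attaches the cross-certificate so the chain ends at the Microsoft Code
# Verification Root that the kernel trusts; /t timestamps so the signature
# outlives the certificate's validity period.
signtool sign /v /ac $crossCert /s my /n $publisher /t $tsaUrl $driver
if ($LASTEXITCODE -ne 0) { throw "signing failed" }

# /kp verifies against the kernel-mode driver signing policy, i.e. the same
# rules the x64 loader applies, not the looser default Authenticode policy.
signtool verify /v /kp $driver
if ($LASTEXITCODE -ne 0) { throw "driver would be rejected by the kernel loader" }
"OK: $driver chains to the Microsoft Code Verification Root"
```

Note that this is the Vista-era procedure the comment is talking about. Since Windows 10 version 1607, new kernel drivers on fresh installs with Secure Boot on must additionally be attestation-signed or WHQL-signed through the Microsoft Hardware Dev Center; a cross-signed publisher certificate alone is no longer enough there.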
You can disable it...
http://www.tech-recipes.com/microsoft_vista_tips1429.html
Turn off digital driver signing check in Vista:
1. Create a shortcut on the desktop to cmd.exe (this recipe explains how to create a shortcut if you don't know how)
2. Right-click on the shortcut and select Run as administrator
3. When the command window opens, type or paste the following and press Enter:
This will work, provided you are fortunate enough to even find hardware drivers for 64-bit Windows.

Ya, no kidding, if you ain't on a PC built in the last 6 months, or have brand-name parts, you should know better; same goes with any x64 OS, and I never had a driver or software problem yet, I've been on it since Feb. And you can boot with F8 and choose Disable Driver Signing to temporarily disable it.
Windows 64 bit
By Jon Acord on 04.08.2007 - 03:08