Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Another Attack on Code Signing



 By: Larry Seltzer
2007-08-02
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: It's all about trust decisions. Most things you do on a computer involve imperfect evaluations of trust. And now the evaluations of signed 64-bit Vista device drivers have become less perfect than they used to be.

I think it was around the introduction of Authenticode that Microsoft talked a lot about how security is all about trust: Who do you trust? Who do you not trust? This is a tautology of security: It has to be true in any environment that you have to trust someone—the operating system kernel, for example. And because theyre part of the kernel, some device drivers have to be trusted as well. This is a problem that is difficult to solve.

Authenticode addresses the problem by supporting digital signatures on executable files, including device drivers, and allowing users the opportunity to examine the signature and make a judgment about whether they trust the person or company who signed the file to run code on their system.

Because it requires all new device drivers and programming changes, Microsoft took the opportunity with 64-bit Windows Vista to require that device drivers be signed. Try to load an unsigned driver and you get a big, cant-miss error message.

Code-signing certificates have been abused in the past. Click here to read the story of VeriSign and a company named "CLICK YES TO CONTINUE."

There have been reports before of holes in the driver-signing requirements. But now theres a tool from Linchpin Labs named Atsiv that allows you to load unsigned drivers in 64-bit Vista. The two keys to how it does this are that it is, itself, a signed 64-bit device driver, and it uses a custom loader for other drivers it loads.

Resource Library:

At this point its worth giving a little more detail on the certificates used in driver code signing. Such drivers require their own code-signing certificates from a trusted certificate authority. These cost nontrivial money—at least a couple hundred dollars—and the CA is supposed to do some checks on the authenticity of the applicant, so you cant claim youre IBM and use a stolen credit card to pay for it. There have been some abuses in the past, but clearly you run some risks and encounter obstacles trying to skirt the system. And theres more: 64-bit drivers must be signed by a special cross certificate from Microsoft.

So back to Atsiv. I havent actually tested it myself because I dont have a 64-bit Vista system up. Normally, when you load a 64-bit driver, there is an informational dialog box typical of what users have seen from Authenticode for years. See the example, from a Microsoft white paper.

But there are ways to suppress these dialog boxes, and even if there werent, some users just reflexively say yes to such things. In other words, they are too trusting. So if you run Atsiv you may or may not get such a warning for the driver that is a component of the tool. But you will get a warning from User Account Control: Even if you are logged in as administrator, which is required in order to load drivers, you will get a warning that the operation you are attempting to perform requires elevated privileges. This is your chance—perhaps your last chance—to reflect on what you thought the program did and whether you want to trust it to do dangerous things.

Since certificates are involved, its possible for Microsoft or whoever issued Linchpin Labs certificates to revoke them. Im still trying to find out how often Vista 64 checks for certificate revocation. The worst case is at driver load time, which would be bad, since this system Im writing on hasnt been rebooted since last patch Tuesday. Ill get back to you when I have an answer.

If the cert were to be revoked, any malware installed in this way may be disabled, but its a moot point perhaps. The system is already 0wned, so you cant trust it. In fact, since drivers are kernel code, perhaps they can interfere with certificate revocation checks.

So digital signatures on code are about facilitating trust decisions. They arent a way to stop malicious code; they help you to decide what might be malicious code. Make a bad decision, and you shoot yourself in the foot.

The hole Atsiv abuses may be filled one day, but it shows that the driver signature requirement is one more imperfect mechanism for facilitating trust decisions. Atsiv doesnt fly through without warning. Nothing changes the fact that the most important security device is the one sitting at the keyboard.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers blog Cheap Hack.

More from Larry Seltzer



  Reader Comments: Another Attack on Code Signing
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


xr۸(;wh5He+RJDklR}JE1ErmeyO7t$dS%\FwQȅ5&>3)Nm}Qͥ}D{{^!d??id ڮNFF@ ;U[F-&|}@nsz,Y| tjOt0.Pc<c:&51Uԓo͍Q21XmK'(kNU7MP8&XKE!xiu7((>-_T| m߷"qcb_H0IIITb{@i4|>vlzN 5{a_70VKSikw@SV(v2%v6^ :72ș}5Qz$֩dc;3{$-,v2IB ӡm e8r ji08JeZH&tGu <$jIuPؖgT'=ç^bARxF3bIHHo*!1lpq+r Ӈ#v?wmE[Uֶ5]v7v홥kO|Yb!'l$R"ۆ@ظ70>}%jmhKG XU=34reͼQ(bT9RJGu뭨{0,~LÚ=8NNoFzJ%_((e:C| MպжG^U  eUc ^7D_"0Q9_i}ri#|g9̐V  2CT^1 zU5m{#r9m>3:tf~R|]kU[_lo!qj{z dPK9LóZ|$3o~EtAM)O%ތ!E\r/yzTB(&pHqb#'${_E1\fUK<8ytwެ.Uմ{]ӒKoߵqiuO^ S/3G#вnZ ÒcZ9LG*e(YKPQ9+߃*rMtf[ԒLPòÔNGs<ӁFS}N:On̦jY@%I}PѦ>|o61@ Lna 8 +KsݺzL ufo'AbC zS9LL@#wC۠h&]I-ۃ.7? { K`pl&{xk =r`D9+wKPbLTI=v@@XT꺶My2Gc 6GX[W S&x KF }t(~9-WR;C/0""D% P h4Af'E|ENNAw%w$]/Vp`(ݞH _.?KhF3aGe-n^ d6g2ILI'MV-&DvoK7], S l3-muk{TRQ4MhFff{@ZgޓaK0؂:>9S?e!s WQ'3: ?v\ g>ס!n~l9:f3,35g?0q}aY k9tݴyFSÂ&$tTDh.L˄|&6=gU4#TUKt;Ķ`|d*Nk'`6?>{@ \n\0ħ4<3rG6 @>|z[.z: $r%5kb$T`CL <<Gy%&++\=P9,(U_IVcX`Da zb0m/n)hOaࣇV|\vΖuVkͲF^ӛA|(, B[+C@xC lKkW(/Q|u$"! aY^`(tx GGqn Pyl {8`k=0 r1/+G&G,Mc9V.(j4%j<[`B]PeܠQ@?,lVCax=ZAеMW}0D\|f['X`3Q,C*"Q*ua3) Z>=ゆ|Oƅ/m%s;w9p/ms>u Z\/+]1&@0m"}qp4'Z>pd`/R3:¿sUgҵ2RXO%}8i/#Y X&T6M!0}UkN(-AVL. k l\irpn ZDj< đNTUbEaT(h];(y12qÝa&lGR)Ö1S{hbi';T'j/Tb< ֚p d6Ǟ$o':>#HE~H.+TNh| p\>_M]CN! MlW66pW;PV G0q;cOM Ӱ%Jt( yB\S %UޝﮫF#F a{0 X]Qxff}F; P}T9R\kBZC 7cqm8@{Y L QP؇`m/yzT+ks9k`7a-څHB&*GdH}>-`(1۩x>8t`l#Rq9k*yU䎥G6~zzi%[ŜPx` fzliUKKIuvb*j}Ur=+ n?ЯhL,5p B0_\G.^*GEbezI2/l-9@X^e1a^Y]s:ͥCvAi[?=/PV#s9k,N~SBC5ەc_Dr1JH,E=U Q.I߾!OIW{ɏ$Q W]G1&\ 9Qz ACzoUvs|䌜3JwuكfCY FCSG4{s(eJكdXviamǡ8-0z^t,4P$|+tln({r9/sᔤd«ȄWN .HFXd17K0d&'zvA rG3KcȮ滪vG}{4.=C/7Xz,C]f+wR(?]f,-\*K\vQZhr;XE9(E^](䐽DH,fzkYXxlR־еfvÏ1"<,5 Rd7O}?zX 2gr[C3l8sH2s&8lPfp~n ֔I iCDHc42I3 _5dDN XW+OiƟ?&/&[qVL|{rx|[q$[+' g|o#&) ­oL_lZS|  \(W?Ѵg=.cAༀȼ2.m,zQĶo| ;d<:5,X=ɪ\Om_JYPζL\rAUcS M0k'"U693RIkJ]CS&Ξ~ A-n-X0>kU@Exc.9F)nKb_t8ͩgI0̃ȗ*JgO[,Y@~eGI<cy> yzH[mnQ }(a 9R(̶^>9D%ggvvZ{\茕 5 ,Q+"`N^.ozyrF(܍ ^ Esj4w;TC=bZC'|;^/j!ҠAgWM K}{HHkK @E-S) P8Myi`I겎0D|~,:OVE?,iGnΫb;#5 n7m7>d̃~&sUޮT{pgW +b90` QĥًD\Zd!c TuL2㱕㱙<6a"8SrkEtdsH5^GQԓU&98sX, O0qDJ8rlp p5Q9<7;>="įoc "^U`֓v!"=IGAI/eG dW6AFRAj[^|qynԙ:}O"-%< P܈VsS&)eI9ږ/zG=e>^,mYqcK=:)   0-mn]t'nHJ^*ҋsGX/hùt z)|*^*Qbm 2P~qf3ϗ:apjx+*|[584W8Z+_0C;uiJ҉Z e`-JIjߚ _dLu?[[~/0؆O5O\GMjt@S:3uq^Z40iU;mn|-rLx7o7KnN7GW;;;;cV.VjwlE[bo;['TPtB.C.&yqzl渶a&HRhaf o` [ A bQ@[X?יBBr/eKN,4'IsSUWpV`hb U\ VyJV-Ŝa^з# h|)XR& #J"X,6z+%;P&+ (mݝ*'Uے^iNHHԙ)9:QC(@{./SX>'*0D}v$X-nn]tKNxyMdkIRNԟxoR:7X6z-R")ʄC/cP$d]SKJNG=iʨN_ T%*U ,6ۡ`mJm9/fk:եjR(]*5WjXom0p JCa*1Ӿ̾̾̾̾qY5_8~.P`$K#-P,|4)ڏ.LCLu %A]~0_y&-kn.}P-mܙn{,T%*U- flq݈]scZ8"}j([k[T?&A-"j1 tڧq6`IǩDm|֒ԁ9lUkE"E*uITۓ- 02_sɞb!CEboު]DI`e~W9b#H$ H$C7/JS|r/@ #k!d\+F0ͥN?ff@|R׳S9| $ /䠗#D@oRkv߀*`K'h aPB;*بOV!ܥZ/Wpa?%vMi+_f'4һNzۃjPƷ 2䞽,cbş-olx%a)7<-pBB /|ϖ{[tp3ZFר1Dڠ>K°}lxvڀ"K3"3mB栎ŷiceql:` 480Ha}Bzm,ҩ}OB8:D!~!;gƽCoBM1If-2ĚH2A+qql2?ϧ3VH)<<rf&0%k`p7DTHȓsTuz]aֶϠ18+?b5/ r /үVBĥEi$d^

=q9PAgt~:e/op?x0} QCu&_G[O?$H~RN^ј:뫖_a/x jnh!<:%dT( $|:BdauDD`f'NHh5g⟎'j6Z' Nb+6\C,¶I Ⱦ,bTVcmx>QBԙoﺐ|\`/0h+A#샒=%p+*?!,qx$DεD`҇da$>b Rh#dBc )p.8ޘEParCc8(ĒN5{wm͸.," O:Tga^06`^.JZ%y[u9iSx+FbWw}]o%5D`#NgV|FD ]%Br9͌t 6@Ppm _`yZ~\`{aeYhN 6ǶWcn5Jۅ]aIJ"%0Ij jt~RL?o%uT߈fVܞTk}ہcx0]taLĈVbR>fD9m1 R#-Dxj,0W<0Ո0t+PJjNT]OpY]XC3 bg/?VHX)كzl+;Y75 U@X+q,;ⶭI,=cotI`(8ND|x_T+||@B?{hpn3l@1"62?"q:Na~eur/ǟT\qx{&\VH;- `Oh$LKl1$IP46/!:nIAV\o{~}C+@M=C}m8%Xȝ}N@SAׅ3Cb)vaY sy{n0Gs.mblкdo6zS rբCHSv_~{5ڷ\#ԝ8 `8.gj@K+2&Bs869w=|tv,&< ,ium!Qlųq)mDRTnF I8% K3glFN[@;cB!\31Fqŷ^ l;b21#\.Gk%v7 tX"t]\V*@J>S|6XP؟b?pkŦH0\|8jfRbxIUe'(k:?\epyuwe^; :R/L C.%g;ς o98tԨ*ʡ |{Cag;Ǟ8Ķn?8ZiPh$bzs3jkúޙ'(}` s3fW iv>No:N/xM Zѷ`+d;u{{sվ\3sÅO;'m^+JYeAίZmf(T}45\h^DqIw]$;飱8/S(/6PJَ/!İ~Kab01xS:;iztjEN_NǗ%o2ZO75 >r:ڵtT9iz47alnqhO!u{itڙf`RZl"%%%7-%o矶0@J~)g@vJ)䟮?]J}w2Ls3|'2_z) fe\)_4@^}.Ss _ yŸ)2zGߧ  )0W){s"?W0~W)ׅwSM?]/r qP: M ^ =_!>G}L#c n!6-6o۔onS/>IR<9k]K$%iK"~)-PW)G* ~2:Εb+@^W~ [{_W+\aO[/dmOU\k8FV۸/6h}0*"yeo18 ^AQyE#BhtoD.s$&}:=ϯ1پWߕ\~SnE+tžjq2O,|qt#K=*wND6K~f`pR1'٥,N ;H_<xĽMF߃|n7=f n|xL|Ń3Ok|>d"[~t_<\Y몮,5WlNA6KƐER>]xxBbi3ay\=l{$4x\·jX=A/k܌Xڧn:O,w`oZֻ6KfF}2չȳ9(b$x FZg9Cq`FPStOW}5o7\1"ض`@3 <@ g6*B|ZV2$2 q2h.f$_?8`ϴBE9*EPP%B4|O۰W ]7Tc ya8an["Dk( |D@ |o"`}+cAV7/4n,^v3:m#(2SJ9X8[\F%؞6 YNx'P70/~} _:@oY:=0De,|Ŷ/^B);{y 0;'SrCD!i`_EFb+M;Vj*v9w I3l,Nd=:Ech,<QHaA" ,\3S:Bݹ&=ۜ VGY~l'PUE0P=Cf r#bzƠC)eHAa-ăW n,='DπjUMDf@gQl)VxS&g1=vbbļl[n &R,HIN/@r3Obx`#(}k,XoOT*L[ |iK:Frd{Go>kR}L%^ϐ Wݞ햯 Xo} 8ho.t2=p6g!(߆ђ[0Fu:hY 96x3-  `썈mKMzژDR*,JMbX,8. kd;kw:G}d ȉ l}h/f)+gt%(%x0+|s7sfC&+_<ҵEnBVBrX}P7):OOgsZ4_Hv >,/{ QFbVC85JѪ v7"60wxn,D@c6v)E=bh농\VѨ6pKUD'<NTWuv{dC7* A1Xq!k @;ۄy&  ,&jxBi6e1}t0yp XBLcok1slt*2XBIՏ3P LpX|9ׯ,p 3_Y~w7s5Ye +|ScA(Ϣ QZCUHu#C~lSAۉZ;JhX)=/ s4R0y0z1fǒFC ru矣OA>Lpg_ťF#KTq5 Eh4D9k%j@ (oL)_`0N( /3$Nm;+,HCYаdxC2o^ÒqT*v\A3R-(:(+SS++GTn:#|G32^cq xC{V?Egq^Q=ijl<x%Wr572LP `"8u_d5jOpLϛ4\DkA*+wPU,-fDX ʎyƫO z/t7X%v߈ ^&KI:﮺7m;^\苍 GYľOwj1*7xx9^cf1:q}<iQ\䗑z Ex ZNWLŻ1άK*9Xe4􁬉n[0Ch&($_|f#3SG¥[foA{k˧zlPMXG/ 1FLGWXs LftH,5+ے:m.Y/@BDJ&O&VI8īk>7/~m*'sç&Ѳz>ز@,ZXd[ulI0i-[la=JK1< =Gx,sL R9_B͞[md+,긬\x ɼ1~<5LN`4n H妍i1r0dcxov!BȠ!m*~ &:DCo5za #@PjehôlD?,X-zPH;p"GtN>i?:0Iگ):NPdm,BA„r<ϽZ :?󈤌B $Ɓ\\Stv?D*DM^Է$kPɯol [4F9\ Cen0=k.m>$J{u)X`68>FS޹;]x^rH[:^nQVɮ}ZյOv _yM_ R1T C\2y`_/m?_-9ȥMAe Wlm*RQ46Y2=XC۞X,GWudWkIo2"_^pM0Şv'BR+r7=nw ϳJAjl=ɱiU3y_PGQθ"(#{4!h@/>bS&Bh&C>/*+ɻ kp+|v7`U ixA=vֲѿ!8\gZ9(&#xI 0#Q)+u8*ԊB(w 8*W+Ռq u`1a.u!NMۣLö#쐡xq T&ށ\<ʞL`rv>![%t^2>_wysXcJh^^F[84J+Ll4Gٷλ٧݋q x:Mՙ4GhEY; A}]:WtP3od.i"a?Wy. o 0_h"$r4AZ3&cx|H)Պ`mXvmؾ^f6%}Bo?!VnD!-nS.Ur,3u&fV&';=͆[l?GWXh/x!K5: