Microsoft Takes Another Anti-Rootkit Step

By Larry Seltzer  |  Posted 2006-01-24

Opinion: Writing kernel-mode Windows programs was never easy, but as of 64-bit Windows Vista, Microsoft won't even let just anyone do it. It will help stop some rootkits, but it's not a complete answer.

I remember sometime around 1996 or 1997 I was in a meeting with Bill Gates talking about the future of Windows. I don't recall the exact context, but he said that he thought eventually they would have to require device drivers to be digitally signed. They must take "eventually" seriously at Microsoft, even when the chief software architect believes in something. The company has been nudging device driver developers to sign their code for years, but it recently announced the first toehold of actual requirement: The 64-bit edition of Windows Vista and future versions of Windows will require that all kernel-mode drivers be digitally signed. There are other new requirements, but this is the important one.

So why would Microsoft require this? Code operating at kernel level is especially privileged. Other code operates in the privilege context of the user, and its potential for damage can be limited by best practices such as running with the fewest rights the job needs. Device drivers cannot be limited that way: they run with the full privilege of the kernel and have direct access to the hardware in the system, so they must simply be trusted.

A digital signature doesn't make a program safe and bug-free, but it creates accountability. You can know with a very, very, very high degree of certainty who is responsible for the program. At bottom, all security involves some element of trust, and security decisions are decisions about who you do and do not trust. Signatures facilitate the quality of these decisions.

A signature all on its own doesn't tell you everything you need to know, and in a way it doesn't even tell you who the person is. I could create and issue a certificate that says I'm the Sultan of Brunei, but that wouldn't make it so, and the fact that the certificate was issued by Larry Seltzer wouldn't impress anyone. That's why Microsoft is requiring that developers obtain a PIC (Publisher Identity Certificate), based on a VeriSign Class 3 Commercial Software Publisher Certificate. The PIC must be embedded in the actual binary, which should mitigate the performance issue of signature verification at boot time.
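The practical version of the question this paragraph raises is "which kernel-mode drivers on this machine are signed, and by whom?" The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes a Windows host with PowerShell 3.0 or later (for Get-CimInstance) and enumerates the running kernel drivers, normalises their paths, and asks Get-AuthenticodeSignature for each one's signature status and signer. The property names in the output object (Driver, Path, Status, Publisher, Issuer) are the example's own choices.

```powershell
# Added example (not from the original article): list running kernel-mode drivers
# and the Authenticode signature status of each driver binary.
# Assumes PowerShell 3.0+ on Windows; Win32_SystemDriver.PathName holds the .sys path.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$results = foreach ($d in $drivers) {
    # PathName may carry a \??\ or \SystemRoot\ prefix; turn it into a plain file-system path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path

    [pscustomobject]@{
        Driver    = $d.Name
        Path      = $path
        # Status is one of: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status    = $sig.Status
        # Subject tells you who signed; Issuer tells you which CA vouched for that identity.
        # A self-issued certificate shows the same name in both, which is exactly the
        # "certificate issued by Larry Seltzer" case from the article.
        Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Issuer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '<none>' }
    }
}

# Everything that is not 'Valid' deserves a closer look: unsigned, tampered after signing
# (HashMismatch), or signed with a certificate that does not chain to a trusted root.
$results | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# Also worth a glance: which issuers actually vouch for the drivers that do verify.
$results | Where-Object { $_.Status -eq 'Valid' } | Group-Object Issuer |
    Sort-Object Count -Descending | Select-Object Count, Name
```

One caveat when reading the output: many in-box Windows drivers are signed through a catalog file rather than carrying an embedded signature, and older PowerShell versions only check embedded signatures, so a NotSigned result for a Microsoft-shipped driver on such a version means "check the catalog", not proof of tampering. A NotSigned or HashMismatch result for a third-party driver, on the other hand, is the kind of finding the article's signing requirement is meant to surface before the driver ever loads.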


One of the big reasons for this is to stop rootkits. True, a rootkit signed and issued by Sony might still get installed by a lot of people, but MRCHTZ0FDEF will have a much harder time getting a VeriSign Class 3 Commercial Software Publisher Certificate, and it will quickly lose it through violations of the agreement.

These requirements are already generating controversy. First of all, it costs $500 (less if you buy a multiyear contract). Second (essentially related to first), the documentation is clear that only a VeriSign certificate is acceptable. It seems unreasonable that other certificate authorities are not included in the program.


Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
