Microsoft Takes Another Anti-Rootkit Step

Opinion: Writing kernel-mode Windows programs was never easy, but as of 64-bit Windows Vista, Microsoft won't even let just anyone do it. It will help stop some rootkits, but it's not a complete answer.

I remember sometime around 1996 or 1997 I was in a meeting with Bill Gates talking about the future of Windows. I dont recall the exact context, but he said that he thought eventually they would have to require device drivers to be digitally signed.

They must take "eventually" seriously at Microsoft, even when the chief software architect believes in something. The company has been nudging device driver developers to sign their code for years, but it recently announced the first toehold of actual requirement: The 64-bit edition of Windows Vista and future versions of Windows will require that all kernel-mode drivers be digitally signed. There are other new requirements, but this is the important one.

So why would Microsoft require this? Code operating at kernel level is especially privileged. Other code operates in the privilege context of the user and its potential for damage can be limited by best practices. Device drivers are necessarily trusted because they necessarily have direct access to the hardware in the system.

A digital signature doesnt make a program safe and bug-free, but it creates accountability. You can know with a very, very, very high degree of certainty who is responsible for the program. At bottom, all security involves some element of trust, and security decisions are decisions about who you do and do not trust. Signatures facilitate the quality of these decisions.

A signature all on its own doesnt tell you everything you need to know, and in a way it doesnt even tell you who the person is. I could create and issue a certificate that says Im the Sultan of Brunei, but that wouldnt make it so, and the fact that the certificate was issued by Larry Seltzer wouldnt impress anyone. Thats why Microsoft is requiring that developers obtain a PIC (Publisher Identity Certificate), based on a VeriSign Class 3 Commercial Software Publisher Certificate. The PIC must be embedded in the actual binary, which should mitigate the performance issue of signature verification at boot time.

/zimages/1/28571.gifSecurity vendors were clueless over the rootkit invasion. Click here to read more.

One of the big reasons for this is to stop rootkits. True, a rootkit signed and issued by Sony might still get installed by a lot of people, but MRCHTZ0FDEF will have a much harder time getting a VeriSign Class 3 Commercial Software Publisher Certificate, and it will quickly lose it through violations of the agreement.

These requirements are already generating controversy. First of all, it costs $500 (less if you buy a multiyear contract). Second (essentially related to first), the documentation is clear that only a VeriSign certificate is acceptable. It seems unreasonable that other certificate authorities are not included in the program.

Next page: How big a deal is it?