With the threat from kernel-mode rootkits on the rise, Microsoft plans to make a significant policy change to block uncertified drivers from loading on x64 versions of Windows Vista.
Starting with Windows Vista and Windows Server (Longhorn), kernel-mode software must have a digital signature to load on x64-based computer systems.
The decision to block unsigned drivers from loading is a direct attempt to restrict the spread of powerful rootkits that intercept the native API in kernel-mode and directly manipulate Windows data structures.
A Microsoft spokesperson said the far-reaching policy change was part of the companys SDL (Security Development Lifecycle), the mandatory software creation process used by Redmond engineers to bake security into all Internet-facing products.
“By requiring digital signatures on all kernel mode software running Windows Vista on x64-based computer systems, this allows the administrator or end user who is installing Windows-based software to know whether a legitimate publisher has provided the software package helping limit the impact of kernel malware on customers systems,” she said.
A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on a computer. The technology has been used heavily in malicious spyware programs and in identity theft schemes.
In one case, researchers discovered a spyware program called Apropos using a very sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes.
The rootkit fitted into Apropos is implemented by a kernel-mode driver that starts automatically early in the boot process.
When the files and registry keys have been hidden, no user-mode process is allowed to access them.
With the new Vista policy change, Microsofts mission is to block untrusted drivers from loading unless legitimate software publishers obtain a PIC (Publisher Identity Certificate) from Microsoft.
Microsoft will give away the PIC for free, but software publishers are required to purchase a VeriSign Class 3 Commercial Software Publisher Certificate.
The change effectively means that:
- Users who are not administrators cannot install unsigned device drivers.
- Drivers must be signed for devices that stream protected content. This includes audio drivers that use PUMA (Protected User Mode Audio) and PAP (Protected Audio Path), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands.
- Unsigned kernel-mode software will not load and will not run on x64-based systems. To optimize the performance of driver verification at boot time, boot-driver binaries must have an embedded PIC (Publisher Identity Certificate) in addition to the signed .cat file for the package.
Microsoft also noted that the policy change will help diagnose system crashes better.
When users choose to send Windows Error Reporting data to Microsoft after a fault or other error occurs, Microsoft can analyze the data to know which publishers software was running on the system at the time of the error.
Software publishers can then use the information provided by Microsoft to find and fix problems in their software, the company said in a white paper announcing the change.