Kernel Mustard

Microsoft is one of the most engaged companies in the tech industry when it comes to interacting well with the development community. So where have they been on this issue?

Craig has had a couple of posts on the topic, with some interesting comments from the community. He points out that, like any policy, the Verisign monopoly is subject to change, particularly based on community feedback.

Doron Holan said on NTDEV that he is summarizing the feedback and sending it on to the appropriate places. Henry Gabryjelski said the following:

Has anyone considered that malware, spyware, and rootkits are
increasingly loading in the kernel and becoming harder to detect? No
more kernel-based rootkits that aren’t trackable back to a corporation?
It just seems to me that having all kernel-mode bits signed seems like
it could greatly reduce this attack vector.

I sympathize with him, but fundamentally, I agree with the majority here: there is a point at which liberty outweighs security. As the great Ben Franklin once said, “Those who would sacrifice liberty in favor of security deserve neither.”

After a fast trip to Denver and back, I sat down and spent some more time with the driver signing documents and reading up on the NTDEV thread. Mea culpa; I didn’t wrap my brain around the key change here: only Verisign certs are allowed.

In my meager defense, I was led to that impression by my friends at Microsoft. During the last MVP summit (October… not long ago…), we had a long discussion on just this point. The people in charge of implementing this area of policy explained the authenticode path and said that it would be supported in Vista. This is quite a departure.

A couple of us at the summit sketched out the abuse path I talked about in my last post; Microsoft didn’t really have a response to it at the time. I guess they do now!

Don Burn suggested writing a letter to Microsoft to voice concerns. I’m thinking about taking him up on that suggestion. Regardless, there is a serious cultural problem in play here: DRM is going to make everyone’s life worse if something isn’t done about it. I fear that it may be only a matter of time until DRM-related technologies are legislated into our computers and our software (witness: v-chip, DMCA, HDTV, and other government fiats to this purpose).

Go support the EFF. Fast!

There has been a debate raging on NTDEV about x64 driver signing. The statement from Microsoft is that there will be no way to install an unsigned driver on x64 Windows going forward, but that Authenticode signing with a Verisign cert will be accepted by the OS.

I think this idea is only half-baked myself, although I totally understand their motivations for doing this. Don Burn suggested the following:

To see if we can get Microsoft to initiate a discussion, I urge everyone to
go read the paper at
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx. At the
end of the paper is the feedback email address for this stuff. If enough of
us make rational comments to that address, Microsoft may realize there is a
problem.

The thing I don’t understand is this: Authenticode is taken to be an acceptable signature for a driver. Administrators can install signing certificates into the system. Programs can do whatever administrators can do. And so on.

Now, am I missing something here? I haven’t actually tried this yet, but it’s getting to be a more and more interesting discussion.