Archive for March, 2007

How to learn a foreign language

Thursday, March 29th, 2007

Lots of people around the world spend a good chunk of time learning languages, but in the US, it’s rare to find someone who grew up speaking English who can speak anything else. I have long enjoyed studying languages, and I think the best courses ever made for development of actual fluency in the language were the ones made by the US Foreign Service Institute several decades ago.

These courses are not subject to copyright, being works made by the US government, so they should be free for download. Well, now they are, thanks to the Glen D. Fellows and the rest of the wonderful people at www.fsi-language-courses.com. These courses are very long, very hard, and ridiculously repetitive, but they really do work well.

Anyway, if you’re interested in languages, this is an amazingly valuable resource.

Posted in General nonsense | No Comments »

The death of WFP

Tuesday, March 27th, 2007

One of the nicer little changes to Vista is the re-engineering of Windows File Protection into Windows Resource Protection (WRP). As everyone who’s ever tried to construct a partial checked build knows, replacing a file like ndis.sys in older OSes was a pain – you had to edit the registry and boot with the debugger to keep windows from silently clobbering your replaced file.

Windows Vista takes a much more intelligent approach to the problem: it prevents users from deleting these files in the first place, using the built-in security mechanisms of the OS. Protected resources get an ACL that prevents writes/deletes/etc, and the files are owned by a special user.

Now, if you want to replace a file for testing purposes, life is a lot easier – just take ownership of the file, give yourself full control, and re-name the old file. Drop in the new file and you’re done – no need to worry about the watchdog thread any more.

WRP also protects registry keys now using the same mechanism. More info is available at http://msdn2.microsoft.com/en-us/library/aa382503.aspx

Posted in Microsoft, Vista, WDK | No Comments »

Driver signing whiteboarding

Monday, March 26th, 2007

Jennifer Stepler spent some time whiteboarding at the MVP summit about signing. She was explaining that there are two different kinds of signing in the Windows world: Device Installer signing and Code Security Signing. Here are her notes:

Whiteboard 2

In search-engine-findable text:

  • DMI [device management & installation] -> .cat file
  • Install Time
  • 32 & 64-bit
  • Unsigned Driver pop-up
    • Unsigned
    • Signed by untrusted cert
  • Signed-by pop-up – signed by trusted cert
  • Just [silently] install
    • Built in Windows build lab
    • WHQL logo signature
    • Trusted cert from trusted publisher

Example of trusted cert path: MS root -> Verisign -> ATI

Whiteboard 1
Kernel Mode Security Signing

  • 64-bit
  • Untrusted binary will not load
  • Signed with cert that roots to MS root authority
  • MS signs:
    • Windows build lab
    • WHQL
    • MS products
  • Cross-sign with trusted cert & MS cross-cert
  • CAT file (signed & loaded in CatDB) or the binaries

These notes resulted from about an hour of discussion, so they’re missing a lot of detail.

Posted in WDK | No Comments »

Kernel-mode code signing and the boot loader

Friday, March 23rd, 2007

A common misconception in the driver-signing world is that boot-start drivers must have a signature embedded in the driver binary itself. This is not strictly true, although it’s still the right thing to do.

To re-cap, x64 systems check every kernel-mode binary on load for a digital signature. The signature can be an Authenticode signature or a Microsoft-supplied signature, as I discussed in my last post.

There are actually two ways that the OS can tell if a driver is signed:

  1. The driver binary can be signed, as a resource embedded right in the PE file
  2. The driver’s .cat file can be signed

The boot loader can, in fact, handle either type of signature, but for important performance reasons, signing the binary itself is the recommended practice. Peter Brundrett from Microsoft was kind enough to provide this explanation:

The loader does have code to find .cat files for boot start drivers. However, the loader depends on a simple I/O subsystem that is not very high performance. If a boot start driver is catalog signed, the loader has to locate (seek and read) through potentially hundreds of small catalog files to find the catalog that signed the particular boot start driver. There is mechanism in code integrity in the loader to be smarter about how it locates the catalog that did sign the boot start driver on the next boot. But using embedded signatures is much better, and over time as more update catalogs are installed, makes for more consistently faster boot times that do not have catalog dependencies.

So, again, the best practice is simply to sign every binary you produce. It’s easy to integrate into the build system and will keep you from having to ever think about this stuff again.

Posted in WDK | 2 Comments »

Some notes on signing

Thursday, March 22nd, 2007

We had some extended discussion at the MVP summit on the topic of driver signing. Jennifer Stepler from the WDK team spent a couple of hours talking through the various kinds of signing and clearing up the confusion.

To recap, there are two kinds of signing used in the [Windows] world today: code signing and device installation signing. Code signing means embedding a digital signature in your compiled binary, such as a .sys file. These signatures are checked by the loader and (on x64) your driver will not load if it’s not signed in this way. Notice that this happens at load time, which is every time PnP decides to fire up your driver (i.e. every boot, plus immediately after install time).

The other type of signing is device installation signing. The device manager checks for signatures in .cat files that go with your driver package. To sign a .cat file, you first have to generate one, and then sign it with signtool. This signature allows the device to be installed without the big nasty unsigned driver warning. There are two kinds of signatures that you can put on a driver package: you can get your driver signed by WHQL, or you can sign your driver package with your own code signing certificate, similar to other code (called an Authenticode signature). If you use an Authenticode signature, the user will get a friendly “Do you want to install software from XYZ Corp?” prompt, with an option to always trust this publisher from now on. If you use a WHQL signature, the installation is totally silent.

It is Microsoft’s recommendation to use both kinds of signatures on all drivers, x86 or x64.

Posted in WDK | 7 Comments »

Always use the latest WDK

Monday, March 19th, 2007

One of the first topics that came up at the MVP summit with the kit team was which DDK/WDK to use for which target OSes. The answer is simple: always use the latest released dev kit. You can build drivers for any supported OS with the latest WDK.

This is at variance with advice seen in various places (NTDEV, the release notes themselves (!), USENET), and there are people who even advocate adding the kit to source control so that it can be re-built at any time in the future in an identical configuration. Obviously, this has to work, since it was once the only way to do things. There are other concerns and problems with this approach, and we discussed several of them with the team.

But, for all that, the use of downlevel kits is now officially deprecated by Microsoft, so at this point, I think it makes sense to bite the bullet and upgrade kits for released drivers. There are good reasons to use newer kits as well, and regardless, I expect PSS will soon insist on troubleshooting against current kits.

Posted in Programming, WDK | No Comments »

MVP Summit wrap-up

Friday, March 16th, 2007

I had an awesome time at the MVP summit in Seattle and Redmond this week. The executive briefings were about what you’d expect – roadmaps, technology overviews, etc. The Gates keynote was good, particularly once he got to the 45-minute question-and-answer part.

But, once again, the highlight of the week was the time spent with the product teams. Big thanks to Johan Marien from the WDK team for organizing a great day and a half of presentations and discussions with the various teams. We got to spend time with the WDF teams, the WDK team, and lots of others with whom I was less familiar.

I learned a lot and got a lot of clarification on topics I thought I understood (i.e. signing, DTM, etc.). I’ll see if I can write up a few posts on some of the high points.

Anyway, thanks again to everyone at Microsoft for putting together such a great event!

Posted in Microsoft, WDK | No Comments »

New DTM newsgroup

Tuesday, March 13th, 2007

Don Burn pointed out on NTDEV today that there is a new DTM newsgroup: microsoft.public.development.device.drivers.dtm. Microsoft had gotten some negative feedback from the driver dev community, myself included, over DTM-related communications. Hopefully this will be a useful new forum.

Someone recently referred to Driver Test Manager as A lunatic’s nightmare on NTDEV. Not many people like it, it seems. That’s really too bad; a lot of work went into it, and when I first saw it a couple of years ago at the last MVP summit, I was really impressed – it looked like something we could really use in automating our QA, beyond simply testing for WHQL. Alas, that vision hasn’t come to life for us yet, but consider me an optimist – I still have hope for DTM as something more than just a pain in driver devs’ necks.

Posted in WDK | 2 Comments »

Hi from the MVP summit

Tuesday, March 13th, 2007

I’m at the 2007 MVP Global Summit this week. It looks like it’s going to be a lot of fun – executive briefings, product team discussions, and an interesting-looking party are on tap for the next two days. Wi-Fi has been spotty and my Verizon data service has been only marginally more reliable.

An amazing thing just happened, though – I was waiting in line to get into the Bill Gates keynote, and when the doors opened, an entire crowd of people ran – ran – into the auditorium, cheering the whole way. It looked like a sports event. Nobody was trampled, to my knowledge, but a bunch of people in the first three rows keep doing the wave. Amazing.

Posted in Microsoft | No Comments »

Incompetence makes security harder

Thursday, March 1st, 2007

I just finished a series on how hard security is. Here’s another little anecdote that Matt just sent my way.

It turns out that the National Tap Ensemble, which bills itself as America’s national tap dance company, has been had. Question #6 from their FAQ contains the following nice quote:

This is a professional, highly-respected organization so if we state that you can safely send an online transaction, you can. This site is secure. For your safety (and our peace of mind) we do not use “standard” security procedures such as SSL- which only secures PART of the process – but proprietary protocols which we won’t disclose in detail here but permit immediate transfer of any data you submit to a completely secure location. In other words the data never stays on a server “floating in cyberspace” which allows us to keep potential malfeasants in the dark. One of the TRUE signs of a secure and/or encrypted transaction is NOT just a SSL “certificate” on a web page (those can just be bought, some are actually completely fake) or whatever your browser says to make you THINK that a site is “secure” (these schemes only enrich the Verisigns of the world) but the “shtml” part of a URL, which if fact you DO see in the URL immediately after you click “register” or “submit” on this site. For the record we have processed thousands of registrations and purchases over the years and I have never had one problem. However if you still have any doubt, you always have the option of printing a form and faxing it. That will delay its processing but the job will eventually get done.

This is entirely incorrect. Whoever wrote this is incompetent. The whole site may be a hoax; I don’t know. But I *do* know that there is a blank for your credit card number, and it does NOT use SSL for the form post. (In fact, it seems to use the FrontPage extensions, if you remember that far back).

Suzanne and I have had a series of conversations going on recently about why you cannot trust your intuition any longer. This page is more evidence. Hopefully people will recognize that this is not a site they should type their credit card numbers into, but if we as an industry learned nothing else from the rise of phishing, we’ve certainly learned that’s not the case.

Posted in Security | No Comments »