The real reason for driver signing in Vista x64

In Windows Vista x64, drivers are required to be signed by someone holding a VeriSign code certificate or they won’t load. There is no way to (permanently) disable this signing even if you are Administrator. The F8 startup menu has an option to disable it, but you must select it every time you boot up. Microsoft’s claimed reason for this is that it prevents Trojans from installing kernel-mode rootkits. That is a load of crap.

First of all, kernel-mode rootkits are rare. The vast majority of Trojans are user-mode programs that install a keyboard hook, request an incoming port, and add themselves to the registry so they run at startup. Most of them are there to steal passwords, install adware, and/or become a spam-sending zombie. None of these require a kernel driver. Considering how many are written in Visual Basic, it seems unlikely that most Trojan authors would have the skill.

Second, if you’re running as Administrator, driver signing is not going to stop you. Although the DevicePhysicalMemory loophole (Windows’s /dev/mem) was blocked in NT 5.2 (2003 and XP64), there are still other ways to get around it:

  • Administrators have raw sector access, meaning they can overwrite the MBR or boot sector with code that usurps the NT loader process and patches the kernel as it is loaded. A simpler but equally effective attack would simply set the flag saying you elected to disable the enforcement through the F8 menu. A Trojan running as Administrator can simply overwrite it then immediately reboot the system so the hack takes effect. It can even show a fake “The system has recovered from a serious error” after the restart to act like it was a kernel panic.
  • If rebooting isn’t good enough, allocate a bunch of memory to force the kernel and/or drivers to page themselves to disk. Overwrite pagefile.sys using raw sector writes (the file is locked from normal writes), then do an uncommon operation that causes your now-hacked page to be paged in and executed.
  • Administrators also have the ability to overwrite the loader and kernel at the file level without having to resort to raw sector writes.

Microsoft definitely knows about these problems, and is likely going to solve them through Trusted Computing. Vista’s “Bitlocker” does this, but is currently optional. We all know it won’t be optional in NT 6.1 or 7.0.

The driver signing serves as only security through obscurity against kernel rootkits, and most Trojans don’t even care about the kernel. Vista also has Mac OS-style authorization dialogs for any privileged operation, which hopefully will make you aware when something is wrong. That is the real feature against Trojans, not driver signing.

So why does Microsoft do this? Three-letter answer: DRM. Microsoft wants to prevent fake audio (and video) drivers from streaming decrypted audio to disk instead of to a sound card. Since they currently can’t get the “secure audio path” they want, they’ll settle for driver signing. By forcing driver signing, it’s no longer possible to anonymously write drivers. With the DMCA and similar laws around the world, nobody wants to attach their real name to a crack. Not to mention that VeriSign only certifies established companies, not individuals.

Microsoft has publicly said that the purpose of driver signing is not DRM. But their own statements contradict this. From http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx:

“When Windows Vista accepts test signed kernel mode binaries, some premium content that is protected may not be accessible on the system.”

In other words, when you use a test signing key (allowing you to get away with a non-fully signed driver), Windows Media DRM disallows playback of protected media. Clearly, the driver signing system is tied to DRM, contrary to Microsoft’s statements.

myria

37 thoughts on “The real reason for driver signing in Vista x64”

  1. After I wrote this, I realized something. Trojans these days don’t even have to run as Administrator. Almost everything bad that a modern normal Trojan does can be done as non-Administrator. You can log keystrokes at a user-wide level without such access. You can open an outgoing connection to the Trojan author’s server. You can send spam. You can register yourself to be run every time your victim logs in. Who needs kernel mode but the most sophisticated attacks?

    Reply
  2. Myria, I am starting to think you were right.. Vista now added Page Table hashing as a new code integrity measured. It’s used inside things called “protected processes”, which are processes that not even an admin can
    1) debug
    2) remotely inject code.

    Touching a protected process yields an immediate bugcheck, because of code integrity, signatures, and, even if you get past that, page table hashes.
    Sound familiar?

    Reply
  3. That’s extremely annoying. So does this put out of business the small-time software writers who use drivers like the ones made by sysinternals to extend the capability of their utilities?

    Reply
  4. Apparently you can use bcdedit.exe to disable driver signing across boots, but it’s only for beta 2 and it will go away in release.

    Reply
  5. How hard do you think it would be to patch the windows kernel itself to bypass this kind of crap that nobody would want to have in his computer? Will only corporates have the right to create drivers to inspect the inner mechanism of this new “Frankestein-Vista” creation from Microsoft? 🙂

    Reply
  6. I just wanted to mention that there are plenty of kernel-mode rootkits running around as part of malware kits whose main purpose is to hide the existence of the main malware module (the one that steals the passwords and does the nasty stuff). Microsoft has been very criticized because so far it’s quite easy to load drivers in Windows. These are not far-fetched attacks, since the source code of rootkits is open-sourced and freely downloadable and attackers are adding rootkits to new malware in increasing numbers. Driver-signing is a step on the right direction to address the issue. Just my opinion.

    Reply
  7. With this and many more ‘security’ measures appearing in Vista – it’s probably going to a ‘required’ step for us to replace the vista kernel with out of our own. I’m not sure how difficult this will be but it looks like the way forward…

    Reply
  8. Hi, guys! I was looking around for electronics stuff and i saw computers that said “vista capable”. That got me thinking to whether or not my comp is “vista capable”. Can u guys tell me if my HP m7480n comp with an ATI X850xt platinum edition graphics card will run vista. Thank you for any tips.

    Reply
  9. I discredited this blog as a baised opinion due to this… “Microsoft’s claimed reason for this is that it prevents Trojans from installing kernel-mode rootkits. That is a load of crap.” Very convincing… not..

    Reply
  10. @fafhrd: well, if you had taken the time to read the post past the first paragraph, you could have found some more convincing arguments… Alas, this blog is going to stay discredited as “baised” by you forever.

    Reply
  11. as a tester, … i am going to tell you all now… that the author is totally 100% correct.

    this is not about security, its about DRM, and its about Profit.

    every driver that is submitted to WHQL,.. costs money,.. its unknown how much,.. but i’ve heard rumours of it being as much as 10,000 depending on the driver….

    Driver signing, in all rights, is useless, virus’s as the author stated, do not need to be run in an admin environment (anyone remember sasser) yes,.. thats right,.. i worked in an environment of about 150 networked computers,.. each having been installed to give the user only basic access.

    sasser wiped out 120 of those computers,..

    DRM is the Devil, and microsoft supporting DRM is not in the best interests of its customers.

    Boycott Vista, and save your consumer rights.

    Reply
  12. Like Jonny W said, it’s stability not security. Besides, if it was DRM and this is some conspiracy then why is there no requirement in x86 for driver signing, x86 which will be happen to be so much more popular then x64. I don’t buy it, DRM scarys me but your theory here has no legs. :S

    Reply
  13. Sorry Jason J, but the author is correct. It is all about DRM. x86 will be
    compromised in a different, and even more unsavory manner, but quite
    obviously to the same end. Look up the Protected Media Path on the Microsoft web site. Wecome to the brave new world of user space driver signing, in case you thought kernel space driver signing wasn’t fun enough.

    Reply
  14. For those of you who need proof of things, from basic mathematical principles to the present, I am offering none. Only some words from a restless old man.

    Vista is a small step towards total information lockdown.

    Wait until Google adds server-side DRM to all those free web apps and requires (in the US) the government’s Federal “RealID” to use their services at all. As Google is nothing more than an outsourced intelligence agency funded by the rulers, it will be no surprise at all. Remember, Google’s real funding is hidden ingeniously within ‘ad sales’. This mechanism is nothing more than a digital implementation of the mafia’s time-tested ‘marble business’. Google has the ability to raise infinite cash via criminal channels and no one can possibly know.

    When all the popular web apps (including WordPress) are RealID enabled as they will have to be by government edict, then you will see what ‘the rulers’ have in store for the populace. I use the term ‘the ‘rulers’ as shorthand for the global power elite, mostly bankers and old money. Remember that information, a shorthand itself for knowledge, is not something that the populace will hold for long. Any threat to the rulers must be eliminated.

    Ironically, DRM is not something Bill Gates is a fan of. However, it is something the rulers told him to do. And unless he wants to lose all the money he’s ever made, he has to go along with it. For Bill Gates is a rich man, but his wealth is very small compared to the rulers, less than 1/10000 of the wealthiest family, if even that.

    So think of Vista and driver signing as merely a small taste of things to come. If you think Skype uploading your BIOS is a big deal, it is nothing compared to the evils that will be possible in the near future as Vista’s installed base expands.

    The demise of Net Neutrality will be another building block for total information lockdown. The telecoms (who already are a global spy network) will legally have the right to disallow all data streams that they do not specifically authorize. This means the end of all Internet software that is not government-enabled with RealID, data capture, etc. You will need a VeriSign RealID enhancement for every Internet application that you want to run. This business of digital information/access rights will be the cornerstone of VeriSign’s business in the future. Remember VeriSign is for business, but the government will issue RealID certificates for individuals.

    We are a few small steps away from total information lockdown. My guess is that it will be complete in 5 years. There will be a few more terrorist attacks, notably one or two massive Internet outages that will be blamed on so-called ‘cyber-terrorists’, that will enable the ‘reform’ of the Internet, massive application of RealID, etc. All these ‘thefts’ of personal information from banks, companies, the veteran admin, etc., are important building blocks for RealID. Many people will need new identities and the government will be there to help, of course. You can trade in your SSN for a new RealID code and certificate. Of course, the government will require a DNA sample, retina scan, etc.

    Remember, as a Skype user, you are beta testing the future! But keep in mind what kind of future you are helping to build.

    Reply
  15. To AM Dawn:

    The most saddest thing about all you say is that its TRUE. The second most saddest thing is that people ALLOW IT. Microsoft has been on a clandestine course sinces its inception. Because people are nieve, myoptic to the big picture, and see no warm in a private company forcing their own financially motivated monopolistic computing policies onto the masses, Microsoft’s clandestine course is insured. When it happens everyone will be looking at each other like a bunch of stupid fools screaming out loud “how did this happen!”

    You Lucky Sons of Free Will:
    To those lucky people not involved in the rigorous process of driver signing, people – you do not have one effing clue what we go through to get even a simplistic driver to be certified by Microsoft.
    You do not understand how M$’s mentallity is that we, the lower beings, must walk on hands and knees to not only prove but continuously ask permission from the big all mighty Micro$oft for our software and hardware to be included in their elitist list of Accepted Minions.
    You do not understand how much time is exhausted to figuring out how to actualy perform the correct set and sequence of test for a driver to be signed. You can follow the instructions as you think a reasonable person would or even an obscenly instructions loving follower would and still be way off to the proper sequency of rediculous rules.
    You do not understand how the instructions themselves are incorrect forcing you to perform extra steps outside the normal testing just to make sure you pass all the test. Also, test that ought to be included do not show up. This guarantees the failure for first 1,2 and 3 timers companies and most importantly makes MegaSoft huge tons of cash because RE-SUBMITTING the same test cost the same dollars.
    You do not understand how this process as a whole can easily be more time and resource intensive than that to develope the driver under test. There was a long period of time when testers had to actually ship their devices to Microsoft! Yes, we had to forfit are intellectual property, never to be returned again, to those Hitler wanna-be Hitler actually succeeding totalitarian computing science stifling mewhthir fewhccers.
    You do not understand the true cost for driver maintenance. Not only do testers pay from $250 for each driver SUBMITTAL, (use to be $2500 for a long time) we pay the same price for each operating system. Now multiply this for each time a driver is updated. Multiply this for each time a driver has to be re-deployed into the field and technical cost. Now multiply this times the cost of lost customers because they will not wait for you to get an updated driver signed even if its a few days away.

    You do not understand what its like to read through the enourmously large 80+ pages of a legal aggreement to have a driver signed. The agreements are bloated with references to how nothing can touch Microsoft and you are to take all blames. The agreements, yes that is a plural reference because there are many legal aggreements to sign off on, make references as to how you must be within Microsoft’s rules and regulations, how you must conform to Microsoft’s whims and constant changes to even the agreements themselves. Microsoft puts on an perfectionist attitude. Its as if they believe their platform is without blemish and cannot be simply bothered with our lower food chained drivers. It is one big “DO AS WE SAY” pile of tree or digital storage space waster depending on how you choose to print it, read it, be belittled by it. Stephen King, move aside, this here is the real scare stuff.
    You do not understand how the driver signing for Windows Vista especially 64-bit has dramatically changed. This forces all testers to relearn and rewaste time all over again. Typical MiniSoft tactic, turn things upside down and inside out just when the public catches on and becomes capable. WHCT for Viista 64-bit, Windows Hardware Compatibility Test for you lucky non-invovled, is not documented on a dedicated website like its predecessor for Win 2K and XP. Not only is it obfuscated, it litterally requires a DVD media to download onto (forces you to with an .iso disk image) and the size of the package is 2.4 GigaBytes. The prior version was only 240 MegaBytes.
    The actual act of SIGNING is just a file with a certificate that flags your files as signed and nothing else. This takes Microsoft a few minutes and its automated, the submission is automated yet you pay tons of money to support and promote Microsoft’s OS with your products. Proof that is all about the money.

    DRM, PMP, and all that other mumbo jumbo is just a facade.
    The act of creating (cut and post code from win95 to present) an operating system that mandates driver signing mandates is the same act to increase corporate profit. Signing is about money people, stability second if at all.

    Reply
  16. I think another important point is the fact that signing a driver costs a lot of money. How are we supposed to deal with this when we release new drivers quite often? Is each new release the equivalent of another delta$ in Microsoft’s pocket?

    Reply
  17. Screw this, i’m going back to drawing with a pencil and a piece of paper. Who the hell needs anything else, anyway…

    Reply
  18. Hmmm… I am very happy to be a Linux user! I refuse to use Microsoft for a variety of reasons – this blog has supplied one more.
    (Naturally this is my personal opinion. If there are people out there who are happy with Microsoft, it is certainly not within my rights to criticise their choice.)

    Reply
  19. bcdedit.exe /set advancedoptions on This command allows you to disable driver signing in vista 64 bit without having to remember or wait around to hit F8 when you power up your system. During boot, it waits for YOU to select the option to disable driver signing.

    Reply
  20. AM Dawn, conspiracy theory much? I agree that Microsoft is shooting itself in the foot with DRM, but come on. “The Rulers” ? Needs more tinfoil hats!

    Reply
  21. I am a Microsoft fan. I know there are not many folks out there who can say that.

    Kernel patching may not work, as Vista has PatchGaurd. The kernel uses a bunch of DPC routines to invoke functions to verify the integrity of the kernel image. Although there are ways of bypassing Patchgaurd, what it mainly acheives is security with obsfuscation. A point to note is there is no fool proof way of implementing a PatchGaurd without support from the processor.

    Anyway, regarding DRM, Microsoft gets most of its revenues from OEMs and just like any other company, all its business decisions are based on customers satisfaction and profit. Since OEM tends to be the biggest buyers, it is their requirements that are being addressed.

    And regarding driver signing is not just about security. It is about servicing costs and the end user experience as a whole. If you see most number of crashes (BSOD’s) are because of faulty third party drivers. In W2k/XP, there have been numerous new and cheap devices/hardware in the market, with all sorts of crappy drivers written for them. And a BSOD caused because of these drivers does tarnish the W2k/XP image.

    By making sure all drivers go through the WHQL and signing, Microsoft wants to set a standard for drivers on Vista. Since its a new OS with good features, it wants to make the slate clean from the beginning itself.

    Reply
  22. I heard about driver signing when Vista was still coming out “any day now” and shuddered in horror. The fact is that this is only the beginning. Already there are rumors that Windows 7 will sandbox any unsigned binaries it executes. It’s now only a matter of time before that “Right to Read” thing seems quaint by comparison.

    I would like to think that alternate operating systems will be immune to this meddling, but how long is it before the hardware itself requires signed kernel code?

    Reply
  23. @Sara: How does requiring driver signing effectively help OEMs? They can just choose to only deal in hardware that has signed drivers at the time of sale. These are also supplied on the recovery disk and anything the user decides to do with his system is his own choice. That’s the point here, limiting the user’s choice to further the monetary goals of MS (never write M$, it’s stupid and makes normal people like me not read your reply) itself or other companies such as content providers is wrong. Wouldn’t it be awesome to have an OS that actually just does what YOU want it to do, instead of what MS and allies think that it should? The freedom of choice (already stomped out by MS in the past) is something we should be fighting for. Why does Vista business have to use insane amounts of resources protecting intellectual copyright on content while no business with a half-decent manager would allow the playback of such content? It’s these weird choices that never seem to benefit the customer that annoy me to no end.

    Reply
  24. sara: u said “Since OEM tends to be the biggest buyers, it is their requirements that are being addressed.”
    im sorry but that statement is laughable! if that were the case then why is there so much general disatisfaction with vista? show me a forum ,tech site,gaming site, etc etc were people are posting postive messages about vista? i havnt seen any ! at all!
    from what ive read and the general opinion of vista users , techs , gamers especially, etc etc is that vista has failed. like joost says. there is no contol in vista . everything we want vista to do it wont do and what we dont want it to do it does really damn well.
    if microsoft thinks its looking after what users want in a o.s then they have alot to learn. microsoft is arrogant , deceptive, and most of all incapable of giving there customers what they want for there money.
    open ur eyes sara.

    Reply
  25. As far as I am concerned as a power user who uses, different flavors of Linux, & Windows. There is no need for driver signing at all.

    Driver signing… Why?
    If you go to a porn site, expect to get crap on your system when you are finished…

    If you are going to install something that is cracked, hacked, or questionable, you either have enough knowledge to to know what you are installing or you are learning.

    Maybe at the most, they should put signed drivers into 7 Starter, bearing in mind you can only run three [3] apps at any one time… Again why? I think anyone using 7 Starter will be a layman, who might need to be kept “secure”. & even then…

    I feel we all lived happily before driver signing, meaning that we can all live happily without it.

    I have been playing with 32bit & 64bit computing & if you want to move to 64bits… Linux!

    If you do move to Linux, make a leap, & don’t look back.
    If you are not familiar with Linux, UBUNTU, is a good point to start at.
    just remember apt-get & you’re good to go!

    If not, then stick to 32bit as you can then do what you were before!

    Sorry it’s long, the driver signing thing gets me vex.
    Not that anyone cares to hear that lol.

    So, Ah done talk bout dis. Ah gone!

    Peace.

    Reply
  26. Dont use microsofts shinny windows oporating system then, thats what all this is about. they made it, you want to play with it, you play by there rules. the isnt any diffrent from going and buying a new car and expecting it to fly to the moon. If you dont want to pay microsoft to sign your drivers use linux or unix. What do you think?

    Reply
  27. Insom::you’re saying “i want my car to fly me to the moon?”.
    Well, That’s real nice.
    Most people just want to drive to work, the movies, or a waterfall.

    So, much like that really bizarre care on-the-moon comment, I merely wish to be able to flip on the PC, open a browser and check my email. Lately I’ve noticed that XP and Ubuntu are quick. I tried Vista, but its so stupid. Even after turning off UAC and killing driver signing, its a pathetic slow crawling muck. I even adjusted visual effects to NULL and things are slightly better. Jesus. Driver signing started a decade ago, so I’m surprised its an issue now. Hardware solutions and software solutions exists to turn Vista into the putty you want to play with. Its just too bad you have too tweak the bastard for about a week, just to get bored and return to XPee.

    I alternate between picturing the M$oft suits being absolutely mentally “special” and imagining them with their nuts cut off. I can’t tell, but someone hit me on my cellulose fone when delldo-com and hewpakard quit buying bwindows and supporting them in their severely misguided plot or path.

    Reply
  28. My first visit today, and it’s odd. Loads of heated comment through 2007, then two post in 2008, June and Sept., and it’s 2009 already. I wonder about it though. In 2007 there were some doom’s day post that read as they had a crystal ball for most of 2009. All about the power of companies or the government. I thought they had it about right.
    The only thing that seemed left out to me was the root cause. I’ve lost it seems like half of my brains, really! I got slapped in the back of the head with a piece of armor plate that was harder than my head, and silly me, I was grateful for it. Why???? Well, if the armor plate had not been there it would have been left to my skull to stop the stuffff!!1 ‘Nuf on that. My point is I’ve lost maybe half of my brains (actually, aside from loss of sight and sound, my main dificulty (spelling included) is short term memory loss. I never thought about long term and short term memory, but it’s true!
    It’s like I’m going to copy something (thank God for touch typing) and I will read it and turn to write, and I can’t remember what it was I read. True.
    I’ve got pretty good (perhaps even better) long term memory. Those who predicted that we’re headed for a 1984 were right. And, it not because of the companies. Not MS, nor is the fault of the government. Now, what I’m going to write now many people will think it is stupid. And it may seem so. The problems are because of the people who run the companies and the government. Does that seem dumb to you. These people today, in the main, are different than the people as recent of the late 1920’s, 1940’s and 1950’s. And stories I have been told by people long gone of the 1860’s through the 1920’s affirms my belief that we were a different America in those past decades. I think many of those people would not live in America as it is today.
    How many of you have read a history of one of the main founders of this country (I credit him with being one of the main founders because he stubbornly fought like hell for it. He was amazing!) Many, or most, I hope, know I’m writing about George Washington. In the late ’20s and 30’s I think most children bedroom had a picture of Washington on the wall or dresser or something. I never knew a home that didn’t prominently have a Bible displayed. Washington’s father died when he was 11 and his mother gave him the task (he was the oldest) of conducting religious services at supper/diner time. Later when he commanded the VA. defense forces to protect the outliving areas, he had to be chaplain for his forces for three years because the VA government couldn’t find real chaplains willing to take the risk.
    If any of you study the life of Jefferson you may know now, or might be surprised to learn that when President he ordered that every classroom be equipped with a Bible! Yeah! Old mister separation-of-church-and-state himself. Well, how can that be? Simple, the Supreme Court lied (at least 5 of them did!) And speaking of that, if any of you have studied the Constitution, or even the 1st Amendment you know that the S-C-S in not only NOT in the 1st, there is a dictate that Government cannot mess with the people’s religious rights, and that includes little Mary Jane, and Johnnie’s right to carry a Bible to School, and all the other religious freedoms we used to have.
    Now, this is supposed to be about computers etc., but some have noted that there is a growing tendency, both in companies and government to control …. well, control EVERYTHING. More than one founding fathers, Jefferson specifically included, have said that people cannot be governed without (some said religion, others said God) … but one or the other. Napoleon said that a man who didn’t believe in God could not be controlled and should be shot.
    I’ll leave you with this, read your history, read your Constitution. Raise your families to believe in something more than the buck, the dollar!!! And, if you happen to believe in God, tremble. Tremble because your country is murdering millions of babies and the God you believe in probably doesn’t like that.
    Cheers to all

    Reply
  29. to be honest with you all, microsoft are trying to secure windows, and stop malwares. but for its own preservations, if you look at the structure of all windows (even 1.01 to 3.11) it has been built on trojanous software – it sends home reports and images of whats on system, the driver signing addition was drm in origin, but is gathering a bit of a pest-like form.
    i have been looking at operating systems for a while now, and have seen some scary things put forward – ammounting to privacy being just a word not the given right of anyone whom uses a system on the www.

    lets not be quick to fall foul of microsoft’s “sob stories” and look at the heart of the matter, they didnt invent windows, its a collection of software added to their dos that they borrowed from ibm, why do you think companies like amd are being squeezed out of producing hardware, independant software developers like skyos team, even my own company is being attacked by microsoft. just look at the evidence and judge whats what!

    Reply
  30. 2014 – no major internet outage, no RealID everywhere

    Driver signing -> still there are apps what you can use to “grab” content from the audio channel to store it as a file (wav, or mp3) -> so DRM issue fixed? not really.

    This post is great, like a timetravel 🙂

    We have two major windows versions sice (7,8) one major update for the last one (8.1)

    Vista was a huge mistake, windows 7 as rev2 solved most of the problems.

    Let’s see what we’re adding here 8 years from now on 🙂

    Reply

Leave a Comment