Possible fun with in-kernel CRLs

8 08 2007

Most Windows-related stuff takes a while to trickle through my filters (aka news sites). So only today I found out that last week Microsoft decided to block a driver hack called Atsiv. That tool allows you to bypass the mandatory check for certified drivers in the 64-bit version of Vista by loading arbitrary code into kernel space. The whole story is here.

There are definitely some valid use cases for Atsiv as this comment points out. And (obviously) some threats as well. I don’t want to elaborate here on the arguments against Microsoft controlling what driver I am allowed to load on my machine. Much more interesting is the following paragraph:

The security team at Microsoft is investigating adding the revoked key to the kernel mode code signing revocation list, as an additional defense in depth measure.

So in Vista there is some kind of revocation list which can be updated via the web. I didn’t know that.
But it seems that any signature ending up on that list will block the driver (or even all drivers created by some manufacturer?) from being loaded. Even if it ended up there by accident only. Or mischief.

Well, how hard would it be to put some signature on that list? Quite hard, probably, if the people at Microsoft did their homework. But not so hard if we assume that the whole feature is designed to block out a malicious kernel driver. To install such a beast we need a high privilege level in the first place, so assume we’ve got the super-administrator power to install such a thing.

Just imagine someone writes a worm/virus to put all drivers issued by Microsoft or Intel or nVidia on that list. The obvious way to do this is to go and create another driver and get it certified. Or bypass the check in some other way. Not too expensive, but in the end just Atsiv reloaded. It will probably end up on that list itself, but might be able to survive until it has had its fun.

Too expensive for you? Then why not fool Windows Update into installing an update which does all the work? I assume here that the list is tamper-proof and only Windows Update can alter it. But Microsoft has a way to update it, and the update is done by some part of user-land software. Which is replaceable. At least when you’ve already gained enough power to install a driver. Let’s say you replace the DLL which checks certificates with one which accepts all your certificates. Well… the kernel driver which checks the driver certificates probably uses the same DLL. So replacing that one should already “fix” things without any update magic. Just wild guessing…

Anyway, what’s the point of this rant? That a feature in the kernel to block arbitrary drivers from loading is not only annoying but possibly dangerous (as in DoS). Because once you’ve got the power to install a driver, you most probably also have the power to dodge that functionality. And to subvert and brainwash it.

On the other hand, there are probably easier ways to break Windows.

