Symantec has released a report outlining some weaknesses in the kernel protection mechanisms built into a beta version of Windows Live. The report found several potential weaknesses — among them the tight integration of content copy protection (known as digital rights management, or DRM) into the operating system.
The report, “Assessment of Windows Vista Kernel-Mode Security,” is the third and final report by Symantec on Vista’s security methods, the previous two having covered user-mode security and networking features. The paper focuses on the 64-bit edition of Vista, since most of the new security features are only available in that version, Symantec said.
“The kernel mode security enhancements in Windows Vista are quite substantial, resulting in a dramatic reduction of its overall attack surface,” wrote the report’s author, Matthew Conover, principal security researcher with Symantec. “However, we have identified certain weaknesses in the kernel enhancements that may be leveraged by malicious code to undermine these improvements.”
The kernel-mode security improvements include mandatory driver signing; PatchGuard, which aims to prevent kernel patching; kernel-mode integrity checks; support for secure boot with TPM (Trusted Platform Module) chips; and restrictions on user-mode access to certain areas of the operating system, according to Conover.
“These changes may secure the kernel of Windows Vista 64-bit Edition significantly, even when compared to that of Linux or Mac OS X,” he wrote.
However, Symantec researchers were able to disable both the driver signing and code integrity systems by patching WINLOAD.EXE and CI.DLL, something Conover described as “straightforward”. “Once the driver signing checks have been disabled, a malicious unsigned driver can now be loaded,” he said in the report. Such a malicious driver could conceal the modifications from user-mode tools, he said.
Another potential problem is that there isn’t yet a mechanism for revoking certificates — something that would be useful if a legitimate certificate were stolen or otherwise compromised. However, such a mechanism is on the way, Microsoft has said.
Symantec noted that Code Integrity — CI.DLL — is described as a security tool, but in fact is part of Microsoft’s DRM platform. “CI.DLL is made by Microsoft’s DRM team,” Conover wrote. “In effect, the Microsoft DRM is hard-coded into Windows Vista.”
One implication of this is that users cannot run Windows Vista without DRM unless they also switch off Vista’s integrity checks. “As a result, one must choose between having the DRM enabled or else risk attack from malicious, unsigned drivers,” Conover wrote.
Microsoft welcomed the report, but said it was out of date. The report studies Windows Vista Community Technical Preview (CTP) Build 5365, released in April, and Microsoft said it has fixed “the majority” of the issues outlined in the report since then.