In Windows Vista x64, drivers are required to be signed by someone holding a VeriSign code certificate or they won’t load. There is no way to (permanently) disable this signing even if you are Administrator. The F8 startup menu has an option to disable it, but you must select it every time you boot up. Microsoft’s claimed reason for this is that it prevents Trojans from installing kernel-mode rootkits. That is a load of crap.
First of all, kernel-mode rootkits are rare. The vast majority of Trojans are user-mode programs that install a keyboard hook, request an incoming port, and add themselves to the registry so they run at startup. Most of them are there to steal passwords, install adware, and/or become a spam-sending zombie. None of these require a kernel driver. Considering how many are written in Visual Basic, it seems unlikely that most Trojan authors would have the skill.
Second, if you’re running as Administrator, driver signing is not going to stop you. Although the \Device\PhysicalMemory loophole (the Windows equivalent of /dev/mem) was blocked in NT 5.2 (2003 and XP64), there are still other ways to get around it:
- Administrators have raw sector access, meaning they can overwrite the MBR or boot sector with code that usurps the NT loader process and patches the kernel as it is loaded. A simpler but equally effective attack would just set the flag saying you elected to disable the enforcement through the F8 menu. A Trojan running as Administrator can overwrite it, then immediately reboot the system so the hack takes effect. It can even show a fake “The system has recovered from a serious error” after the restart to make it look like a kernel panic.
- If rebooting isn’t good enough, allocate a bunch of memory to force the kernel and/or drivers to page themselves to disk. Overwrite pagefile.sys using raw sector writes (the file is locked from normal writes), then do an uncommon operation that causes your now-hacked page to be paged in and executed.
- Administrators also have the ability to overwrite the loader and kernel at the file level without having to resort to raw sector writes.
Microsoft definitely knows about these problems, and is likely going to solve them through Trusted Computing. Vista’s “BitLocker” does this, but is currently optional. We all know it won’t be optional in NT 6.1 or 7.0.
Driver signing offers only security through obscurity against kernel rootkits, and most Trojans don’t even care about the kernel. Vista also has Mac OS-style authorization dialogs for any privileged operation, which hopefully will make you aware when something is wrong. That is the real feature against Trojans, not driver signing.
So why does Microsoft do this? Three-letter answer: DRM. Microsoft wants to prevent fake audio (and video) drivers from streaming decrypted audio to disk instead of to a sound card. Since they currently can’t get the “secure audio path” they want, they’ll settle for driver signing. By forcing driver signing, it’s no longer possible to anonymously write drivers. With the DMCA and similar laws around the world, nobody wants to attach their real name to a crack. Not to mention that VeriSign only certifies established companies, not individuals.
Microsoft has publicly said that the purpose of driver signing is not DRM. But their own statements contradict this. From http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx:
“When Windows Vista accepts test signed kernel mode binaries, some premium content that is protected may not be accessible on the system.”
In other words, when you use a test signing key (allowing you to get away with a non-fully signed driver), Windows Media DRM disallows playback of protected media. Clearly, the driver signing system is tied to DRM, contrary to Microsoft’s statements.
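The whole argument turns on whether a kernel-mode binary carries a signature Windows will accept (a production certificate, a test certificate, or none). As an added example, not from the original post and not Microsoft’s tooling, here is a small Python PE inspector that reports whether an image has an embedded Authenticode signature by reading the Certificate Table data directory and the WIN_CERTIFICATE header it points to. It constructs a minimal PE32+ image in memory so it runs offline; the “signature” it attaches is a labelled placeholder blob, not a real PKCS#7 SignedData structure, and the function names (`inspect_authenticode`, `build_sample_pe`, `build_fake_win_certificate`) are my own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the Certificate Table in the data directories
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode signatures are PKCS#7 SignedData
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class SignatureInfo:
    is_64bit: bool
    has_signature: bool          # True only if a PKCS#7 WIN_CERTIFICATE entry is present
    cert_type: Optional[int]     # wCertificateType of the first entry, if any
    cert_length: int             # dwLength of the first entry (0 if none)


def inspect_authenticode(data: bytes) -> SignatureInfo:
    """Walk the PE headers and report whether an embedded Authenticode blob is attached.

    Presence is not validity: Windows still has to verify the PKCS#7 chain
    (WinVerifyTrust does that); this only answers "is there something to verify?".
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4            # IMAGE_FILE_HEADER (20 bytes)
    opt = coff + 20                # IMAGE_OPTIONAL_HEADER starts right after it
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        is64, n_rva_off, dd_off = False, 92, 96     # PE32 layout
    elif magic == PE32PLUS_MAGIC:
        is64, n_rva_off, dd_off = True, 108, 112    # PE32+ layout (x64 drivers)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_rva = struct.unpack_from("<I", data, opt + n_rva_off)[0]
    if n_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return SignatureInfo(is64, False, None, 0)
    entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # Unlike other directories, the Certificate Table "VirtualAddress" is a raw file offset.
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size == 0:
        return SignatureInfo(is64, False, None, 0)
    if cert_size < 8 or cert_off + cert_size > len(data):
        raise ValueError("certificate table points outside the file")
    length, _revision, ctype = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE header
    return SignatureInfo(is64, ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA, ctype, length)


def build_fake_win_certificate(payload: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE entry: real header, placeholder body, 8-byte padded."""
    length = 8 + len(payload)
    padded = (length + 7) & ~7
    header = struct.pack("<IHH", length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return header + payload + b"\0" * (padded - length)


def build_sample_pe(signature: bytes = b"") -> bytes:
    """Constructed headers-only PE32+ image; if `signature` is given, it is appended
    and referenced from the Certificate Table, mimicking an embedded-signed driver."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt_size = 112 + 16 * 8
    # Machine=AMD64, 0 sections, timestamps/symbols zero, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * (108 - 2) + struct.pack("<I", 16)
    header_len = len(dos) + 4 + len(coff) + len(opt) + 16 * 8
    dirs = [(0, 0)] * 16
    if signature:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (header_len, len(signature))
    dd = b"".join(struct.pack("<II", off, size) for off, size in dirs)
    return dos + b"PE\0\0" + coff + opt + dd + signature


def demo() -> dict:
    """Inspect one unsigned and one placeholder-signed constructed image."""
    unsigned = inspect_authenticode(build_sample_pe())
    fake_sig = build_fake_win_certificate(b"PLACEHOLDER-NOT-A-REAL-PKCS7-BLOB")
    signed = inspect_authenticode(build_sample_pe(fake_sig))
    return {"unsigned": unsigned, "signed": signed}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # inspect a real .sys/.exe given on the command line
        with open(sys.argv[1], "rb") as f:
            print(inspect_authenticode(f.read()))
    else:
        for name, info in demo().items():
            print(name, info)
```

Two caveats when pointing this at a real Vista x64 system: a present blob says nothing about who signed it or whether the chain ends in a production or test root, so the verdict about whether the kernel will load it still comes from the OS’s own trust verification; and kernel-mode code signing only requires an embedded signature for boot-start drivers, while other drivers may be signed through a .cat catalog file, so a driver with an empty Certificate Table is not necessarily unsigned.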