Linked by Thom Holwerda on Sat 21st Jan 2006 22:42 UTC, submitted by PlatformAgnostic
Windows "With little fanfare, Microsoft just announced that the x64 version of Windows Vista will require all kernel-mode code to be digitally signed. This is very different than the current WHQL program, where the user ultimately decides how they want to handle unsigned drivers. Vista driver developers must obtain a Publisher Identity Certificate (PIC) from Microsoft. Microsoft says they won't charge for it, but they require that you have a Class 3 Commercial Software Publisher Certificate from Verisign. This costs $500 [EUR 412] per year, and as the name implies, is only available to commercial entities."
Thread beginning with comment 88265
To view parent comment, click here.
To read all comments associated with this story, please click here.
by mikehearn on Sun 22nd Jan 2006 00:30 UTC in reply to "Good idea, but..."
Member since:

MS better be careful... One of the advantages Windows has over other OS's is the availability of drivers for just about anything.

OK people, please stop and read the headline here.

Windows Vista X64 to require signed drivers

ie, ONLY the amd64 version will have this restriction, the standard 32 bit version that most people will be using will continue to work as it did before. They can do this because Windows 64 cannot load 32 bit drivers, they have to be compiled specifically for the OS.

There is exactly one reason they're doing this, and it's because it's necessary for security. You simply cannot have a sane or secure operating system which allows anybody to load code into kernel mode: there is no point having the idea of low priviledge users, root users, restricting programs, or any security at all really if usermode code can control the kernel.

Viruses and worms are already using rootkits to stop virus scanners finding them, and soon the AV tools will also be loading rootkits to search out the first ones. In other words it's a total arms race and the result will be computers that make todays worst spyware infections look like a stroll through a grassy meadow.

If I was to design a new OS today, I'd absolutely make this a requirement from the start. No code - nothing - gets into kernel mode unless it's been verified as legit. Now Microsoft can't do this all themselves, and code auditing is generally a waste of time anyway, but what using the VeriSign infrastructure allows for is linking some piece of code running in kernel mode back to a real world corporate identity. So no, it won't stop a rerun of the Sony incident, but it will cut down on the flow of countless anonymous rootkit developers loading whatever crap they like into the kernel with no way to identify (read: sue) them.

Drivers on Vista 64 are also blocked from overwriting the syscall table or kernel code, and operate under a host of other restrictions that make writing rootkits difficult.

Unfortunately MS can't enforce this restriction for Vista 32 as there are too many legitimate applications like iTunes or popular games which rely on loading kernel-mode code to operate and which would break if this was done. But x64 is a clean break ....

Edited 2006-01-22 00:31

Reply Parent Score: 3

RE: Wow
by Celerate on Sun 22nd Jan 2006 01:54 in reply to "Wow"
Celerate Member since:

" You simply cannot have a sane or secure operating system which allows anybody to load code into kernel mode"

Someone already had a very good answer to that argument, you can see it further up, but for you're convenience I'll restate it. If MS wants to push this they should ideally also provide a cheap or free alternative to getting the $500 USD verisign certificate.

Reply Parent Score: 1

RE[2]: Wow
by CrLf on Sun 22nd Jan 2006 04:10 in reply to "Wow"
CrLf Member since:

"There is exactly one reason they're doing this, and it's because it's necessary for security."

Pff! That was exactly was they said about ActiveX signing and people's machines get stuffed with spyware every day. And they don't even need to exploit some hole in the system, because you can just get a certificate, and then sign all kinds of crap with it.

Better luck next time...

Reply Parent Score: 2

RE: Wow
by PlatformAgnostic on Sun 22nd Jan 2006 05:48 in reply to "Wow"
PlatformAgnostic Member since:

It's not necessary for security for knowledgeable users. Nothing in usermode can affect kernel-mode without the user's permission. If the user wants to install something, then he/she can do so securely by logging on as an admin and running the install task. Drivers can't just install themselves, especially if they're unsigned. Currently these unsigned drivers can be installed after a user prompt.

This is not a security measure. If anything it's a quality measure and a DRM-enforcement technique. It's probably not going to last, I predict, because all it will do is slow the adoption of X64. After a while Microsoft will probably decide to open it up again.

Reply Parent Score: 2