Kernel Mode Code Signing in x-64 Windows Vista


Agenda

  • Motivation

  • Scope – what code is affected?

  • Timeline

  • Development Process

  • Demo

  • More information

  • Contacts


Kernel mode malware

  • Malware is moving to kernel mode

    • Represents a threat to the entire ecosystem

    • A fundamental barrier to opportunity growth

    • This is our collective problem


64-Bit – Mandatory Signing for Kernel Mode Code

  • Malware threats

    • Consumers

      • Identity theft

    • Enterprises

      • Downtime

      • Loss of productivity

      • Lost data

      • Median cost $40K per incident

    • Hardware industry

      • Increased support costs

      • Potential loss of revenues

      • Impact to your reputation

  • Mitigation

    • Only signed code in kernel mode

    • Revocation

  • Benefits

    • Hardware industry

      • Better targeting of OCA and WER

      • Reduced support cost

      • The bits you ship are the bits that execute

    • Consumers

      • Defenses against malware

      • Improved protected media experience


Who is Affected?

  • Anyone who has a kernel loadable module (kmod) on x-64 Windows Vista platforms

    • Device drivers

    • Filter drivers

    • Kernel services

  • WHQL-signed drivers are considered signed

    • Including legacy (pre-Windows Vista RTM) drivers

  • Not Affected

    • User Mode code including user mode drivers

    • Sign your user mode code

  • Affected OS

    • x-64 Windows Vista platform and future OS versions

    • No enforcement yet for 32-bit platforms

    • Recommend signing your 32-bit code as well

      • Better Protected Media experience


Timeline


Development Workflow


Overview of steps

  • Acquire a PIC signing credential

    • Requires a VeriSign Class 3 Software Publisher Certificate

    • Usually done by Program Management/Release Management

  • Develop your kmod

    • Use workarounds to disable enforcement during development

  • Test your kmod

    • Use PIC signing in late test

  • Deploy your signed kmod


Acquiring a Signing Credential: Publisher Identity Certificate (PIC) Workflow


Early Code Development

  • RTM Options

    • Kd attach turns off enforcement

      • Kd needs to be attached and active

    • F8 one-time option to disable enforcement for a boot cycle

  • Pre-RTM Bcdedit workaround

    • Bcdedit.exe -set nointegritychecks ON


Overview of signing and install process


Catalog Creation

  • INF-based install via PnP

    • Catalog created using the Signability tool from the WDK

      • Create a driver package directory

      • Create a Windows Vista specific INF

      • Run Signability.exe from the GUI or command line

  • Otherwise

    • Create a catalog definition file (CDF)

    • Run MakeCat.exe to create the catalog


Signing and install

  • SignTool to sign

  • Use PIC for full functional qualification of the driver

    • Prior to WHQL submission

    • Prior to distribution if not going through WHQL

  • Note the special case of boot start drivers

    • You should embed-sign all boot-start drivers for performance

  • PnP Signing and Install

    • Exactly like PnP catalog signing except that you use the PIC

    • Install is the same – use the INF to install

  • Non-PnP (kernel service)

    • Sign a catalog file that refers to the binary

    • Install signed catalog

      • Use the catalog install API, CryptCATAdminAddCatalog

      • Catalog is installed in %systemroot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
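The catalog creation, signing, verification and install steps above, carried through as one PowerShell script. This is an added example, not material from the slides or from Microsoft's tooling documentation. The driver and catalog names (ExampleSvc.sys, ExampleSvc.cat), the cross-certificate file name (MSCV-VSClass3.cer), the certificate subject "Example Publisher", and the use of signtool's catdb command as the command-line front end to the catalog database that CryptCATAdminAddCatalog populates are all assumptions; makecat.exe and signtool.exe from the WDK are assumed to be on the PATH.

```powershell
# Added example (not from the slides): build, sign, verify and install a
# catalog for a non-PnP kernel service on x64 Windows Vista.
# Assumptions: driver ExampleSvc.sys is already built in .\package, the PIC
# is in the current user's "My" store with subject "Example Publisher", and
# the Microsoft cross-certificate is saved as MSCV-VSClass3.cer next to this
# script. Run from an elevated prompt (the catalog install needs it).
$ErrorActionPreference = 'Stop'

$PackageDir = Join-Path $PSScriptRoot 'package'
$Driver     = 'ExampleSvc.sys'
$Catalog    = 'ExampleSvc.cat'
$CdfPath    = Join-Path $PackageDir 'ExampleSvc.cdf'
$CrossCert  = Join-Path $PSScriptRoot 'MSCV-VSClass3.cer'   # assumed file name
$Publisher  = 'Example Publisher'                            # assumed cert subject

# 1. Catalog definition file (CDF). OSAttr 2:6.0 marks the catalog as valid
#    for Windows Vista; <HASH> makes makecat key the member by file hash.
$cdf = @"
[CatalogHeader]
Name=$Catalog
PublicVersion=0x0000001
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:6.0

[CatalogFiles]
<HASH>$Driver=$Driver
"@
Set-Content -Path $CdfPath -Value $cdf -Encoding Ascii

Push-Location $PackageDir
try {
    # 2. Create the catalog. makecat hashes every [CatalogFiles] member, so
    #    the .sys must be final before this step.
    & makecat.exe -v $CdfPath
    if ($LASTEXITCODE -ne 0) { throw "makecat failed ($LASTEXITCODE)" }

    # 3. Sign the catalog with the PIC. /ac attaches the Microsoft
    #    cross-certificate that chains the publisher's certificate to the
    #    root the kernel-mode loader trusts; /n picks the cert by subject.
    #    A timestamp (/t <server>) is advisable for shipping builds and is
    #    omitted here only to keep the example offline.
    & signtool.exe sign /v /ac $CrossCert /n $Publisher $Catalog
    if ($LASTEXITCODE -ne 0) { throw "catalog signing failed ($LASTEXITCODE)" }

    # 4. Boot-start drivers need an embedded signature in the image itself
    #    (the slides' special case); it is harmless for other drivers.
    & signtool.exe sign /v /ac $CrossCert /n $Publisher $Driver
    if ($LASTEXITCODE -ne 0) { throw "embedded signing failed ($LASTEXITCODE)" }

    # 5. Verify against the kernel-mode signing policy (/kp) using the
    #    catalog (/c). This is the pre-ship check that mirrors what the
    #    loader enforces; fail the build here rather than on the test box.
    & signtool.exe verify /kp /v /c $Catalog $Driver
    if ($LASTEXITCODE -ne 0) { throw "driver fails kernel-mode signing policy" }

    # 6. Install the signed catalog into the system catalog database under
    #    %SystemRoot%\System32\CatRoot (what CryptCATAdminAddCatalog does).
    #    /u installs it under a unique name so it cannot clobber another
    #    vendor's catalog.
    & signtool.exe catdb /v /u $Catalog
    if ($LASTEXITCODE -ne 0) { throw "catalog install failed ($LASTEXITCODE)" }
}
finally {
    Pop-Location
}
```

Step 5 is the one worth keeping in a build pipeline even after the rest is automated: `signtool verify /kp` applies the kernel-mode policy rather than the ordinary Authenticode policy, so a catalog that verifies fine in Explorer but lacks the cross-certificate chain is caught before the driver is ever loaded.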


Signing Demo


More Information


Pre-RTM Enforcement

  • Temporary, until developers are educated:

    • RC0 – Signing enforcement turned off for winload (boot) drivers

    • RC1 – BCDedit option can be used to turn off driver signing enforcement

  • Stays for RTM:

    • Code Development - Kernel mode enforcement turns off in the presence of Kernel Debugger (Kd)

    • Diagnostics and troubleshooting – F8 advanced boot option to disable driver signing for current system boot


Forthcoming Presentations

*Recorded sessions will be available for viewing offline


Vendor Contact Information Needed

  • If you know of an IHV/ISV developing kmods for x-64 Windows Vista, we need contact information

  • If already registered at Winqual

    • We have primary contact information

    • You should identify your legal contact in order to review the PIC AUP agreement

    • Work with your TAM

  • If not, then we need your help in getting this information

  • Looking for

    • Primary contact at IHV/ISV

    • Email address

    • Phone

    • Legal Contact

    • MS TAP contact

  • Send mail to [email protected]


Contacts

  • [email protected]

    • PIC specific questions

    • Kernel mode code signing questions

    • No WHQL questions


White papers and detailed information

  • White Paper at WHDC on Jan 23

    • http://www.microsoft.com/whdc/driver/kernel/64bit_chklist.mspx

  • CTP release of the WDK (build 5270)

    • C:\WinDDK\5270\help\winwdk.col::GetStart_g.chm::/hh/GetStart_g/driver-signing_10cd3a3a-ce3a-4747-8476-c92aaaab24e2.xml.htm
