Kernel Mode Code Signing in x-64 Windows Vista

Agenda
  • Motivation
  • Scope – what code is affected?
  • Timeline
  • Development Process
  • Demo
  • More information
  • Contacts
Kernel mode malware
  • Malware is moving to kernel mode
    • Represents a threat to the entire ecosystem
    • A fundamental barrier to opportunity growth
    • This is our collective problem
64-Bit – Mandatory Signing for Kernel Mode Code
  • Malware threats
    • Identity theft, loss of productivity, lost data (median cost $40K per incident)
    • Hardware industry: increased support costs, potential loss of revenues, impact to your reputation
  • Only signed code in kernel mode
    • Hardware industry: better targeting of OCA and WER, reduced support cost, bits you ship are those that execute
    • Defenses against malware: improved protected media experience
Who is Affected?
  • Anyone who has a kernel loadable module (kmod) on x-64 Windows Vista platforms
    • Device drivers
    • Filter drivers
    • Kernel services
  • WHQL signed drivers are considered signed
    • Including legacy (pre-Windows Vista RTM) drivers
  • Not Affected
    • User Mode code including user mode drivers
    • Sign your user mode code
  • Affected OS
    • x-64 Windows Vista platform and future OS versions
    • No enforcement yet for 32 bit platforms
    • Recommend signing your 32 bit code as well
      • Better Protected Media experience
Overview of steps
  • Acquire a PIC signing credential
    • Requires a VeriSign Class 3 Software Publisher Certificate
    • Usually done by Program Management/Release Management
  • Develop your kmod
    • Use workarounds to disable enforcement during development
  • Test your kmod
    • Use PIC signing in late test
  • Deploy your signed kmod
Early Code Development
  • RTM Options
    • Kd attach turns off enforcement
      • Kd needs to be attached and active
    • F8 one time option to disable enforcement for a boot cycle
  • Pre-RTM Bcdedit workaround
    • Bcdedit.exe -set nointegritychecks ON
Catalog Creation
  • INF based install via PnP
    • Catalog created using signability tool from WDK
      • Create a driver package directory
      • Create a Windows Vista specific INF
      • Run Signability.exe from the GUI or command line
  • Otherwise
    • Create a catalog definition file (CDF)
    • Run MakeCat.exe to create the catalog
Signing and install
  • SignTool to sign
  • Use PIC for full functional qualification of the driver
    • Prior to WHQL submission
    • Prior to distribution if not going through WHQL
  • Note the special case of boot start drivers
    • You should apply an embedded signature to all boot start drivers, for performance
  • PnP Signing and Install
    • Exactly like PnP catalog signing except that you use the PIC
    • Install is the same – use the INF to install
  • Non-PnP (kernel service)
    • Sign a catalog file that refers to the binary
    • Install signed catalog
      • Use the catalog install API, CryptCATAdminAddCatalog
      • The catalog is installed in %SystemRoot%\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
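The catalog creation, PIC signing and non-PnP catalog install from the last two slides, carried through as one PowerShell script. This is an added example, not material from the presentation or from the WDK; the driver name mydriver.sys, the publisher subject "Contoso Ltd", the cross-certificate file name, the timestamp URL and the presence of makecat.exe and signtool.exe on PATH are all assumptions to be replaced with your own values. It ends with the check a practitioner would want: the catalog landing in the CatRoot directory the slide names, and signtool verifying the binary under the kernel-mode policy.

```powershell
# Added example (not from the presentation): build, sign and install a catalog for a
# non-PnP kernel service on x-64 Windows Vista, following the slides' steps.
# Assumptions (placeholders): the binary is mydriver.sys, the PIC is in the current
# user's "My" store under subject "Contoso Ltd", the cross-certificate file is
# MSCV-VSClass3.cer, $Timestamp is your CA's timestamp service, and makecat.exe /
# signtool.exe from the WDK are on PATH. Run from an elevated prompt.
$ErrorActionPreference = 'Stop'

$Driver    = 'mydriver.sys'                      # hypothetical kernel service binary
$Catalog   = 'mydriver.cat'
$Cdf       = 'mydriver.cdf'
$Publisher = 'Contoso Ltd'                       # placeholder: subject name of the PIC
$CrossCert = 'MSCV-VSClass3.cer'                 # placeholder: cross-certificate for the CA
$Timestamp = 'http://timestamp.example.invalid'  # placeholder: timestamp server URL
$BootStart = $true                               # boot start drivers also get an embedded signature

# 1. Catalog definition file (CDF). OSAttr 2:6.0 marks the catalog as valid for
#    Windows Vista; <HASH> tells makecat to store the file's hash under that tag.
@"
[CatalogHeader]
Name=$Catalog
ResultDir=.
PublicVersion=0x0000001
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:6.0

[CatalogFiles]
<HASH>$Driver=$Driver
"@ | Set-Content -Path $Cdf -Encoding ASCII

# 2. Create the catalog from the CDF.
& makecat.exe -v $Cdf
if ($LASTEXITCODE -ne 0) { throw "makecat failed ($LASTEXITCODE)" }

# 3. Sign the catalog with the PIC. /ac supplies the cross-certificate that chains
#    the publisher certificate to the root the kernel-mode policy trusts.
& signtool.exe sign /v /ac $CrossCert /s My /n $Publisher /t $Timestamp $Catalog
if ($LASTEXITCODE -ne 0) { throw "signtool (catalog) failed ($LASTEXITCODE)" }

# 3a. Boot start drivers: embed the signature in the .sys itself, as the slide
#     recommends, so the boot loader can verify it without the catalog database.
if ($BootStart) {
    & signtool.exe sign /v /ac $CrossCert /s My /n $Publisher /t $Timestamp $Driver
    if ($LASTEXITCODE -ne 0) { throw "signtool (embedded) failed ($LASTEXITCODE)" }
}

# 4. Install the catalog through CryptCATAdminAddCatalog (wintrust.dll), the API the
#    slide names. The DRIVER_ACTION_VERIFY subsystem GUID is the same value that
#    forms the CatRoot subdirectory name.
Add-Type -Namespace Win32 -Name CatAdmin -MemberDefinition @"
[DllImport("wintrust.dll", SetLastError = true)]
public static extern bool CryptCATAdminAcquireContext(out IntPtr phCatAdmin, ref Guid pgSubsystem, uint dwFlags);
[DllImport("wintrust.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CryptCATAdminAddCatalog(IntPtr hCatAdmin, string pwszCatalogFile, string pwszSelectBaseName, uint dwFlags);
[DllImport("wintrust.dll", SetLastError = true)]
public static extern bool CryptCATAdminReleaseCatalogContext(IntPtr hCatAdmin, IntPtr hCatInfo, uint dwFlags);
[DllImport("wintrust.dll", SetLastError = true)]
public static extern bool CryptCATAdminReleaseContext(IntPtr hCatAdmin, uint dwFlags);
"@

$driverActionVerify = [Guid]'F750E6C3-38EE-11D1-85E5-00C04FC295EE'
$hCatAdmin = [IntPtr]::Zero
if (-not [Win32.CatAdmin]::CryptCATAdminAcquireContext([ref]$hCatAdmin, [ref]$driverActionVerify, 0)) {
    throw "CryptCATAdminAcquireContext failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
try {
    $fullPath = (Resolve-Path $Catalog).Path
    $hCatInfo = [Win32.CatAdmin]::CryptCATAdminAddCatalog($hCatAdmin, $fullPath, $Catalog, 0)
    if ($hCatInfo -eq [IntPtr]::Zero) {
        throw "CryptCATAdminAddCatalog failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    [void][Win32.CatAdmin]::CryptCATAdminReleaseCatalogContext($hCatAdmin, $hCatInfo, 0)
} finally {
    [void][Win32.CatAdmin]::CryptCATAdminReleaseContext($hCatAdmin, 0)
}

# 5. Check: the catalog now sits in the CatRoot directory the slide names, and
#    signtool verifies the binary against the kernel-mode signing policy (/kp).
$catRoot = Join-Path $env:SystemRoot 'System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'
Get-ChildItem -Path $catRoot -Filter $Catalog
& signtool.exe verify /v /kp $Driver
```

CryptCATAdminAddCatalog copies the catalog into the system catalog store, so an unelevated run fails at step 4 with an access-denied error; the `/kp` verification at the end fails if the catalog was signed without the cross-certificate, which is the most common reason a catalog-signed driver still refuses to load.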
Pre-RTM Enforcement
  • Temporary, until developers are educated:
    • RC0 – Signing enforcement turned off for winload (boot) drivers
    • RC1 – BCDedit option can be used to turn off driver signing enforcement
  • Stays for RTM:
    • Code Development - Kernel mode enforcement turns off in the presence of Kernel Debugger (Kd)
    • Diagnostics and troubleshooting – F8 advanced boot option to disable driver signing for current system boot
Forthcoming Presentations

*Recorded sessions will be available for viewing offline

Vendor Contact Information Needed
  • If you know of an IHV/ISV developing kmods for x-64 Windows Vista, we need contact information
  • If already registered at Winqual
    • We have primary contact information
    • You should identify your legal contact in order to review PIC AUP agreement
    • Work with your TAM
  • If not, then we need your help in getting this information
  • Looking for
    • Primary contact at IHV/ISV
    • Email address
    • Phone
    • Legal Contact
    • MS TAP contact
  • Send mail to
    • PIC specific questions
    • Kernel mode code signing questions
    • No WHQL questions
White papers and detailed information
  • White Paper at WHDC on Jan 23
  • CTP release of the WDK (build 5270) C:\WinDDK\5270\help\winwdk.col::GetStart_g.chm::/hh/GetStart_g/driver-signing_10cd3a3a-ce3a-4747-8476-c92aaaab24e2.xml.htm