Kernel Mode Code Signing in x-64 Windows Vista
Agenda
• Motivation
• Scope – what code is affected?
• Timeline
• Development Process
• Demo
• More information
• Contacts
Kernel mode malware
• Malware is moving to kernel mode
• Represents a threat to the entire ecosystem
• A fundamental barrier to opportunity growth
• This is our collective problem
64-Bit – Mandatory Signing for Kernel Mode Code
Malware threats
• Consumers
  • Identity theft
• Enterprises
  • Downtime
  • Loss of productivity
  • Lost data
  • Median cost $40K per incident
• Hardware industry
  • Increased support costs
  • Potential loss of revenues
  • Impact to your reputation
Mitigation
• Only signed code in kernel mode
• Revocation
Benefits
• Hardware industry
  • Better targeting of OCA and WER
  • Reduce support cost
  • Bits you ship are those that execute
• Consumers
  • Defenses against malware
  • Improved protected media experience
Who is Affected?
• Anyone who has a kernel loadable module (kmod) on x-64 Windows Vista platforms
  • Device drivers
  • Filter drivers
  • Kernel services
• WHQL signed drivers are considered signed
  • Including legacy (pre-Windows Vista RTM) drivers
• Not affected
  • User mode code, including user mode drivers
  • Sign your user mode code anyway
• Affected OS
  • x-64 Windows Vista platform and future OS versions
  • No enforcement yet for 32-bit platforms
  • Recommend signing your 32-bit code as well
  • Better Protected Media experience
Overview of steps
• Acquire a PIC signing credential
  • Requires a Verisign Class 3 Software Publisher Certificate
  • Usually done by Program Management/Release Management
• Develop your kmod
  • Use workarounds to disable enforcement during development
• Test your kmod
  • Use PIC signing in late test
• Deploy your signed kmod
Acquiring a Signing Credential: Publisher Identity Certificate (PIC) Workflow
Early Code Development
• RTM options
  • Kd attach turns off enforcement
    • Kd needs to be attached and active
  • F8 one-time option to disable enforcement for a boot cycle
• Pre-RTM Bcdedit workaround
  • Bcdedit.exe -set nointegritychecks ON
Catalog Creation
• INF-based install via PnP
  • Catalog created using the Signability tool from the WDK
  • Create a driver package directory
  • Create a Windows Vista specific INF
  • Run Signability.exe from the GUI or command line
• Otherwise
  • Create a catalog definition file (CDF)
  • Run MakeCat.exe to create the catalog
Signing and install
• SignTool to sign
  • Use the PIC for full functional qualification of the driver
    • Prior to WHQL submission
    • Prior to distribution if not going through WHQL
  • Note the special case of boot start drivers
    • You should embed-sign all boot start drivers for performance
• PnP signing and install
  • Exactly like PnP catalog signing except that you use the PIC
  • Install is the same – use the INF to install
• Non-PnP (kernel service)
  • Sign a catalog file that refers to the binary
  • Install the signed catalog
    • Use the catalog install API – CryptCATAdminAddCatalog
    • Catalog is installed in %systemroot%\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
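The catalog, signing and verification steps from the two slides above strung together as a cmd batch script. This is an added illustration, not code from the deck; the package directory, driver name, publisher subject name and timestamp URL are placeholders, and it assumes the PIC is in the current user's "My" certificate store and that makecat.exe and signtool.exe from the WDK are on PATH.

```batch
@echo off
rem Added illustration of the catalog / sign / verify workflow; not from the deck.
rem Assumptions (placeholders): .\pkg holds mydrv.sys (a boot-start driver) and
rem mydrv.inf; the PIC is in the current user's "My" store under the subject
rem name in PUBLISHER; makecat.exe and signtool.exe are on PATH.
setlocal
set PKG=pkg
set DRV=mydrv
set PUBLISHER=Example Publisher Inc
set TSA_URL=http://timestamp.example.invalid/

rem 1. Write a catalog definition file (CDF) naming the binary to be hashed.
rem    OSAttr 2:6.0 marks the catalog as applying to Windows Vista (NT 6.0).
(
echo [CatalogHeader]
echo Name=%DRV%.cat
echo ResultDir=%PKG%
echo PublicVersion=0x0000001
echo EncodingType=0x00010001
echo CATATTR1=0x10010001:OSAttr:2:6.0
echo [CatalogFiles]
echo ^<hash^>%DRV%.sys=%PKG%\%DRV%.sys
) > %PKG%\%DRV%.cdf

rem 2. Build the catalog from the CDF (the non-Signability path on the slide).
makecat -v %PKG%\%DRV%.cdf || goto :fail

rem 3. Sign the catalog with the PIC and timestamp it, so the signature stays
rem    verifiable after the certificate itself expires.
signtool sign /v /s My /n "%PUBLISHER%" /t %TSA_URL% %PKG%\%DRV%.cat || goto :fail

rem 4. Boot-start drivers are embed-signed as well, as the slide recommends:
rem    the signature then travels inside the image itself.
signtool sign /v /s My /n "%PUBLISHER%" /t %TSA_URL% %PKG%\%DRV%.sys || goto :fail

rem 5. Check that both signatures chain under the default Authenticode policy
rem    before the package goes to WHQL or to distribution.
signtool verify /v /pa %PKG%\%DRV%.cat || goto :fail
signtool verify /v /pa %PKG%\%DRV%.sys || goto :fail
echo Package signed: %PKG%\%DRV%.cat and %PKG%\%DRV%.sys
endlocal
exit /b 0

:fail
echo Signing step failed (errorlevel %errorlevel%)
endlocal
exit /b 1
```

For a non-PnP kernel service the resulting catalog is installed through CryptCATAdminAddCatalog as the slide states; for a PnP package the INF install carries it.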
Pre-RTM Enforcement
• Temporary, until developers are educated:
  • RC0 – Signing enforcement turned off for winload (boot) drivers
  • RC1 – BCDedit option can be used to turn off driver signing enforcement
• Stays for RTM:
  • Code development – kernel mode enforcement turns off in the presence of the Kernel Debugger (Kd)
  • Diagnostics and troubleshooting – F8 advanced boot option to disable driver signing for the current system boot
Forthcoming Presentations *Recorded sessions will be available for viewing offline
Vendor Contact Information Needed
• If you know of an IHV/ISV developing kmods for x-64 Windows Vista, we need contact information
• If already registered at Winqual
  • We have primary contact information
  • You should identify your legal contact in order to review the PIC AUP agreement
  • Work with your TAM
• If not, then we need your help in getting this information
• Looking for
  • Primary contact at IHV/ISV
  • Email address
  • Phone
  • Legal contact
  • MS TAP contact
• Send mail to signsup@microsoft.com
Contacts
• signsup@microsoft.com
  • PIC specific questions
  • Kernel mode code signing questions
  • No WHQL questions
White papers and detailed information
• White paper at WHDC on Jan 23
  • http://www.microsoft.com/whdc/driver/kernel/64bit_chklist.mspx
• CTP release of the WDK (build 5270)
  • C:\WinDDK\5270\help\winwdk.col::GetStart_g.chm::/hh/GetStart_g/driver-signing_10cd3a3a-ce3a-4747-8476-c92aaaab24e2.xml.htm