
Ramesh Chinta Program Manager (STU)

Kernel Mode Code Signing on Windows Vista™ and Windows Longhorn Server. Ramesh Chinta, Program Manager (STU). Agenda: Motivation; what the kernel mode code signing policy means to you; MSFT programs for code signing (what they are, when to use them); how to get a Software Publisher Certificate.


Presentation Transcript


  1. Kernel Mode Code Signing on Windows Vista™ and Windows Longhorn Server
     Ramesh Chinta, Program Manager (STU)

  2. Agenda
     • Motivation
     • What the kernel mode code signing policy means to you
     • MSFT programs for code signing
       • What they are
       • When to use them
     • How to get a Software Publisher Certificate
     • Development & test with an SPC
     • Diagnostics and troubleshooting

  3. Motivation
     • Trustworthy computing built on a trusted kernel
     • Windows Vista has an identifiable kernel state
       • Reduce platform vulnerability from unknown binaries
     • Identifiable kernel enables new scenarios
       • Access next generation premium content
       • Address growing threat of malicious rootkit attacks
       • Improve reliability by identifying and working with kernel mode software publishers

  4. Kernel Mode Code Signing policy
     • Signature checks by OS loader and kernel
     • On x64 64-bit platforms
       • Identity of all kernel mode binaries is verified
       • All kernel mode code must be signed in order to load
       • System audit events for integrity check failures
     • On x86 32-bit platforms
       • Administrator is prompted and must accept before unsigned kernel mode code is installed
       • Load-time checks done on all kernel mode binaries; unsigned code is allowed to load
       • Next generation premium content may not be accessible, depending on content protection policy

  5. Which Kernel Mode Signature to use?

  6. Outline of Development Workflow
     • Get Software Publisher Certificates (SPC)
     • Develop and test your kmod
       • Use the enforcement work-around for early development
     • Pre-release/testing
       • Use Makecert.exe or WHQL test signing
     • Release
       • Sign kmods using the SPC or use WHQL signing
     • Installation

  7. Release signing
     • How and when do I get one?
       • Get an SPC from a CA that issues certs required for kernel mode code signing
       • Get the corresponding cross cert
         http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx
     • Cross cert
       • The system loader and kernel only trust the Microsoft root certificate
       • Cross certs provide a flexible way to establish trust to commercial CA roots that issue SPCs

  8. Development Workflow: Enforcement Work-arounds
     • Enforcement work-arounds for Vista RTM
       • Attach an active kernel debugger and turn on debugging
         Bcdedit -bootdebug ON
         Bcdedit -debug ON
       • F8 one-time option to disable enforcement for a boot cycle
     • For Vista Beta2 builds only:
       • To disable integrity checks in ntoskrnl.exe
         bcdedit.exe /set nointegritychecks on
       • Re-enable integrity checks
         bcdedit.exe /set nointegritychecks off
     *Other names and brands may be claimed as the property of others

  9. Signing Basics
     • Applies to both release and pre-release signing
     • Embedded signing
       • Signature contained in the PE
       • Protects an individual file
     • Catalog signing
       • Catalog contains hashes of files
       • Signing a catalog protects the integrity of all files in the catalog
       • Better if you have to sign many files

  10. Development Workflow: What Do I Sign?
     • All boot start kmods must be embedded signed using an SPC
       • Significant performance gain at boot
       • Don't forget to embedded sign export drivers
     • INF based installs
       • Sign the driver package catalog
     • Non-INF installs
       • Sign the catalog or embedded sign the kmod

  11. Signing Boot Start Drivers
     • Boot start drivers are loaded by the OS Loader
       • Start Type = 0, loaded by Winload
     • Boot start driver files must be embedded signed
       • Signature contained in the binary file
       • Avoids boot time degradation from locating the catalog file
     • Embedded sign before submitting to WHQL
       • Sign individual driver files, then submit the package
       • This is a Logo requirement

  12. Development Workflow: Release Signing for INF Based Installs
     • Driver package contains .inf, .sys, .cat files
     • Sign .cat with Signtool. Example:
       SignTool sign /v /ac MSCV-VSClass3.cer /s my /n contoso.com /t http://timestamp.verisign.com/scripts/timestamp.dll tstamd64.cat
     • If submitting to WHQL for the Logo driver binaries signing program
       • WHQL will sign your catalog
       • Don't forget to embedded sign boot start binaries with the SPC before submitting to WHQL

  13. Release Signing for non-INF Installs
     • Two options available
     • Embedded signing
       • Embedded sign binaries directly
       • Works with no changes to current install mechanisms. Example:
         SignTool sign /v /ac MSCV-VSClass3.cer /s my /n contoso.com /t http://timestamp.verisign.com/scripts/timestamp.dll toaster.sys
     • Catalog signing
       • Create a catalog and sign the catalog using the SPC
       • Install package contains other binaries whose integrity you want protected
       • Must install the catalog as part of the install process

  14. Test signing
     • Signing machine
       • Create a cert with makecert.exe
         makecert -sr localMachine -ss PrivateCertStore -n CN=Contoso.com(Test) testcert.cer
       • Signing a catalog with the test certificate
         SignTool sign /v /s PrivateCertStore /n contoso.com(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll tstamd64.cat
       • Embedded signing with the test certificate
         SignTool sign /v /s PrivateCertStore /n contoso.com(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll toaster.sys
     • Test machine
       • Adding the test certificate to the trusted publisher store and root store
         certmgr /add /c /s /r localMachine CA /n "Root Agency" /s /r localMachine root
         certmgr.exe -add testcert.cer -s -r localMachine trustedpublisher
       • Enable test signed code to load using the bcd option
         bcdedit.exe /set TestSigning on

  15. Verifying the Signature
     • Is the kmod signed to the right root?
     • Catalog signing
       SignTool verify /kp /v /c tstamd64.cat toaster.sys
     • Embedded signing
       SignTool verify /kp /v toaster.sys
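The release-signing steps of slides 12 and 13 and the verification of slide 15, put together as one script. This is an added example, not code from the presentation: it assumes signtool.exe is on PATH, the SPC sits in the "my" store under the subject name contoso.com, and the cross-cert file, timestamp URL and file names are the ones the slides use.

```powershell
# Added example (not from the slides): release-sign a driver package with the
# SPC plus Microsoft cross-certificate, then check it against the kernel-mode
# driver policy before it ships. Assumes signtool.exe on PATH and the slide's
# names: MSCV-VSClass3.cer, contoso.com, toaster.sys, tstamd64.cat.
$ErrorActionPreference = 'Stop'
$CrossCert    = 'MSCV-VSClass3.cer'
$SpcSubject   = 'contoso.com'
$TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll'

function Invoke-SignTool {
    # signtool reports failure only through its exit code; PowerShell does not
    # throw on that, so every call must check $LASTEXITCODE.
    param([string[]]$ToolArgs)
    & signtool.exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($ToolArgs[0]) failed with exit code $LASTEXITCODE"
    }
}

function Invoke-ReleaseSigning {
    param(
        [string[]]$BootStartDrivers,   # slide 11: always embedded-signed
        [string]$Catalog               # slide 12: the package .cat for INF installs
    )
    # Embedded sign every boot start .sys first; the loader reads this
    # signature from the PE and never has to locate the catalog at boot.
    foreach ($sys in $BootStartDrivers) {
        Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/s', 'my',
                          '/n', $SpcSubject, '/t', $TimestampUrl, $sys)
    }
    # Sign the catalog that carries the hashes of every file in the package.
    Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/s', 'my',
                      '/n', $SpcSubject, '/t', $TimestampUrl, $Catalog)
    # Slide 15: /kp applies the kernel-mode driver policy, i.e. the chain
    # through the cross-cert must end at the root the loader trusts. A file
    # that passes a plain Authenticode check but fails here will not load on x64.
    foreach ($sys in $BootStartDrivers) {
        Invoke-SignTool @('verify', '/kp', '/v', $sys)                 # embedded
        Invoke-SignTool @('verify', '/kp', '/v', '/c', $Catalog, $sys) # via catalog
    }
}

Invoke-ReleaseSigning -BootStartDrivers @('toaster.sys') -Catalog 'tstamd64.cat'
```

Run it on the signing machine after the package has been built; any throw means the package must not leave the signing environment.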

  16. Installation
     • PnP install
       • Install is the same: use the INF to install
     • Non-PnP install
       • Embedded signature for the kernel module
         • No change to the installation process
       • Catalog signature
         • Catalogs must be installed

  17. Diagnosis Steps
     • Common symptom
       • Installed the driver through PnP
       • Driver will not load: error code 39
     • Diagnosis steps
       • Is it mandatory signing that is causing the problem?
       • Is the kmod signed correctly?

  18. Is it mandatory signing that is causing the problem?
     • Check the audit log and event log for image verification failures
       • Run eventvwr.exe
     • Audit log
       • Event Viewer -> Global Logs -> Security
       • Event ID = 5038
     • Event log
       • Event Viewer -> Application Logs -> Microsoft -> Windows -> CodeIntegrity
       • Event ID = 3004
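The diagnosis of slides 17 and 18 as a script, added here and not part of the presentation: for one driver file it reports the signature status and the root the signer chains to, then pulls the two failure events the slide names (CodeIntegrity ID 3004 and Security audit ID 5038) that mention that file. It assumes an elevated PowerShell session, the toaster.sys name from the slides, and that the CodeIntegrity channel is Microsoft-Windows-CodeIntegrity/Operational.

```powershell
# Added example (not from the slides). Assumes an elevated session; the
# default driver path uses the slides' toaster.sys as a placeholder.
function Get-DriverSignatureReport {
    param([string]$DriverPath = "$env:SystemRoot\System32\drivers\toaster.sys")

    # Embedded Authenticode signature on the binary. For a catalog-signed file
    # use the slide-15 command instead: signtool verify /kp /v /c <cat> <sys>.
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    $report = [ordered]@{
        File     = $DriverPath
        Status   = $sig.Status            # Valid, NotSigned, UnknownError, ...
        Signer   = $sig.SignerCertificate.Subject
        Root     = $null
        CIEvents = @()
        Audits   = @()
    }
    if ($sig.SignerCertificate) {
        # Walk the chain: slide 15 asks "is the kmod signed to the right root?"
        $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($sig.SignerCertificate)
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
        $report.Root = $last.Certificate.Subject
    }
    $pattern = [regex]::Escape([IO.Path]::GetFileName($DriverPath))
    # Slide 18: CodeIntegrity event 3004 = image failed the integrity check.
    $report.CIEvents = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3004 } |
        Where-Object { $_.Message -match $pattern })
    # Slide 18: Security audit 5038 = code integrity verification failure.
    $report.Audits = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 5038 } |
        Where-Object { $_.Message -match $pattern })
    [pscustomobject]$report
}

$r = Get-DriverSignatureReport
$r | Format-List
if ($r.Status -ne 'Valid' -or $r.CIEvents.Count -gt 0 -or $r.Audits.Count -gt 0) {
    Write-Warning 'Signing enforcement is the likely cause of the load failure; re-check the signature chain.'
}
```

A Status of Valid with no 3004 or 5038 events pointing at the file means signing is not the cause of the error 39, and the diagnosis moves on to the install itself.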

  19. Sample event log entry

  20. Resources
     • Windows Logo Program
       http://www.microsoft.com/whdc/winlogo
     • WHQL Test Signature Program
       https://winqual.microsoft.com/help/use_help/testsignusersguide_help.aspx
     • Windows Platform SDK download site
       http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5&displaylang=en
     • Windows Quality Online Services (Winqual)
       https://winqual.microsoft.com
     • Code Signing Best Practices
       http://www.microsoft.com/whdc/winlogo/drvsign/best_practices.mspx
     • Driver Package Integrity during Plug and Play Device Installations in Windows Vista
       http://www.microsoft.com/whdc/winlogo/drvsign/pnp-driver.mspx

  21. Additional Resources
     • Code-signing for Protected Media Components in Windows Vista
       http://www.microsoft.com/whdc/winlogo/drvsign/Pmp-sign.mspx
     • "Microsoft Cross-certificates for Windows Vista Kernel Mode Code Signing"
       http://go.microsoft.com/fwlink/?LinkId=66583
     • "Boot Configuration Data Editor Frequently Asked Questions"
       http://www.microsoft.com/technet/windowsvista/library/85cd5efe-c349-427c-b035-c2719d4af778.mspx
     • "CryptCATAdminAddCatalog in the SDK documentation on MSDN"
       http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptcatadminaddcatalog.asp
     • "Deploying Authenticode with Cryptographic Hardware for Secure Software Publishing"
       http://www.microsoft.com/technet/security/topics/cryptographyetc/authenticodets.mspx

  22. Additional Resources
     • Certmgr
       http://msdn2.microsoft.com/en-us/library/e78byta0.aspx
     • MakeCat
       http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/using_makecat.asp
     • Makecert
       http://msdn2.microsoft.com/en-us/library/bfsktky3.aspx
     • SignTool
       http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/signtool.asp
     • Windows Driver Kit (WDK)
       http://www.microsoft.com/whdc/driver/WDK/aboutWDK.mspx
     • Debugging Tools for Windows
       http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx

  23. Code Signing Glossary
     • Code Signing - Digitally signing software to ensure its integrity and provide assurance of its origin
     • Code Sign with cross-certificate - Digitally sign software and include a cross-certificate issued by Microsoft for the issuing CA in the signature
     • Signed by Microsoft - The certificate used to code sign the product is issued to Microsoft. Products signed by Microsoft can include:
       • Windows Vista inbox drivers, drivers approved by WHQL
       • Premium logo program, Basic logo program, unclassified products
     • Self-signed - The certificate used to sign the code is generated by makecert.exe and not through a commercial CA
     • Catalog signed - Code signing method which applies the certificate to a catalog file, rather than directly to the binary
     • Embedded signed - Code signing method which applies the certificate directly to a binary file
     • Certificate - A digitally signed statement, typically in X.509 format, that contains information about an entity and the entity's public key, thus binding these two pieces of information together. A certificate is issued by a trusted organization (or entity) called a certification authority (CA).

  24. Signing Infrastructure General Principles (part 1)
     • Secure the private key
       • Smart card or Hardware Security Module (HSM)
       • Floppy / USB storage is not recommended
     • Physical security for the signing environment
       • Security cameras, vault / safe, etc.
       • Limit access to a small set of trusted employees
     • Accountability in the code signing approval process
       • Need a quorum (>2) before signing code
       • Maintain an audit trail for 3 years
       • Log date, binaries, signer, approver(s), etc.

  25. Signing Infrastructure General Principles (part 2)
     • Release SPC for public releases only
       • For kernel mode drivers only
     • Test signing during the development phase
       • Test certificates available to the project team
       • Allows testing of private binaries
       • Exercises relevant code paths
     • Automated processes must be secured
       • Access to automation = ability to sign code
       • Requires authentication, access control, auditing
     *Other names and brands may be claimed as the property of others
