
64-bit Driver Signing on Windows Vista – ‘Computer Says No’

Updated: 29 Jun 2009
Ollie Whitehouse

So Friday before last, I blogged about the Atsiv tool. As a quick refresh, this was a tool which implemented its own PE loader within a kernel driver. The authors had gone through the process of obtaining a signing key for both the 32-bit and 64-bit versions of Windows Vista for their kernel driver. The result was that it could be used to load arbitrary unsigned driver code, including rootkits, into the Vista kernel.

In the same blog, I stated it would be interesting to see how long it would take for Microsoft to get the certificate revoked. Well, the clock officially stopped running last Thursday when Microsoft started shipping a signature in Defender (Symantec also detects Atsiv as SecurityRisk.Atsiv) while also asking for the certificate to be revoked.

While this seems all rosy at face value, it does highlight a few interesting problems. First, that Microsoft felt revoking the certificate alone wouldn’t be enough to mitigate the risk (hence they added a signature to Defender). Second, that a reboot has to take place for the revocation to take effect if they added it to the kernel mode revocation mechanism. In the comments in the blog, Microsoft say this is for security reasons. While not a huge problem on the desktop, as we all shut down our PCs at some point on a semi-regular basis, it does highlight an interesting issue for Longhorn (Windows Server 2008). Imagine a world where the “bad guys” have got 40 - no, make that 400, no, actually make that 4,000 - signing keys. They then decide over the course of 10 years to release a slightly different obfuscated version of their malicious code with a different signing key every day. Do you really want to be rebooting your mission critical server every day for 10 years to ensure that those signing keys are revoked?
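Because a boot-time revocation list only bites at the next restart, a long-running server still needs a way to see which signers are behind the drivers it is currently running. The following PowerShell audit is an added example, not code from the original post or from Microsoft; the block-list thumbprint is a constructed placeholder, and it relies only on the standard Win32_SystemDriver class and Get-AuthenticodeSignature cmdlet.

```powershell
# Added example: list the kernel drivers loaded right now, record who signed each one,
# and flag any whose signer thumbprint is on a defender-maintained block list.
# Assumptions: $BlockedThumbprints holds constructed placeholders (not real Atsiv data);
# run from an elevated PowerShell session on the host being audited.

$BlockedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-OF-REVOKED-PUBLISHER'   # constructed; replace with your own list
)

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver reports paths in several kernel-style forms; normalise them
    # to a Win32 path so the signature cmdlet can open the file.
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries we cannot open
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $cert   = $sig.SignerCertificate
        $thumb  = if ($cert) { $cert.Thumbprint } else { $null }
        $signer = if ($cert) { $cert.Subject }    else { '(unsigned)' }
        [pscustomobject]@{
            Driver     = $_.Name
            Path       = $path
            Status     = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = $signer
            Thumbprint = $thumb
            Blocked    = [bool]($thumb -and ($BlockedThumbprints -contains $thumb))
        }
    }

# Anything not Valid, or signed by a blocked publisher, deserves a closer look: a driver
# that loaded under a key revoked only in the boot-time list stays resident until reboot.
$report | Where-Object { $_.Status -ne 'Valid' -or $_.Blocked } | Format-Table -AutoSize
```

Note that a signature reported as Valid here reflects the certificate chain as the user-mode cmdlet sees it, which is not the same check the kernel performed when it loaded the driver, so the block list is the authoritative signal for a publisher you already know to be bad.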

This is going to be an interesting game of cat and mouse to watch, and I also believe Microsoft may have to revisit the subject of dynamic revocation. It should be noted that signing keys on other platforms, such as Symbian, are also obtained for software with what can only be considered dubious functionality.