Mandatory Kernel Module and Driver Signing for x64

Question

To give users visibility into the source of drivers and other software running in the operating system kernel, Microsoft introduced the concept of “signed drivers” beginning with Windows 2000. Although it was possible to prevent unsigned drivers from installing, the default configuration only warned users if they were about to install an unsigned driver. IT administrators could also block installation of unsigned drivers via Group Policy, but the large installed base of unsigned drivers made this impractical in most situations. Malicious kernel software typically tries to install silently, with no user consent — and because no kernel load-time check existed before Windows Vista, malicious kernel software was likely to run successfully, assuming these actions were performed by a user with administrative privileges.

With Windows Vista on 64-bit systems, security at the kernel level has been greatly enhanced by requiring that all kernel-mode drivers be digitally signed. Digital signing provides identity as well as integrity for code. A kernel module that is corrupt or has been subject to tampering will not load. Any driver that is not properly signed cannot enter the kernel space and will fail to load.

Although a signed driver is not a guarantee of security, it does help identify and prevent many malicious attacks, while allowing Microsoft to help developers improve the overall quality of drivers and reduce the number of driver-related crashes.

Mandatory driver signing also helps improve the reliability of Windows Vista because many system crashes result from vulnerabilities in kernel-mode drivers. Requiring the authors of these drivers to identify themselves makes it easier for Microsoft to determine the cause of system crashes and work with the responsible vendor to resolve the issue. System administrators also benefit from digitally signed and identified drivers because they get additional visibility into software inventory and install state on client machines. From a compatibility perspective, existing Windows Hardware Quality Labs certified x64 kernel drivers are considered validly signed in Windows Vista.

Friday, March 23, 2007 8:44 AM
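The post mentions the inventory visibility administrators get from signed drivers. As an added example (not part of the original post or of any Microsoft tooling), the following PowerShell script lists the kernel drivers currently running on a Windows host and checks the Authenticode signature state of each driver file; it assumes a Windows host with the Win32_SystemDriver CIM class and the Get-AuthenticodeSignature cmdlet available.

```powershell
# Added example: inventory running kernel drivers and their signature status.
# Assumes Windows PowerShell 5.1 or later on a Windows host.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may carry NT-style prefixes (\??\ or \SystemRoot\); normalise
    # them to a Win32 path. -replace is case-insensitive by default.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject   # who signed it (identity the post describes)
    }
}

# Anything other than 'Valid' deserves a second look:
#   HashMismatch  -> file content no longer matches its signature (tampered or corrupt)
#   NotSigned     -> no embedded signature; the file may still be catalog-signed,
#                    so confirm against the system catalogs before treating it as unsigned
#   FileNotFound  -> the service entry points at a file that is not on disk
$report | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Status, Name | Format-Table -AutoSize
```

Run it from an elevated prompt so every driver path is readable; the full `$report` object can be exported with `Export-Csv` for comparison across machines.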
