VBootkit Bypasses Vista's Code Signing Mechanisms

Interesting work:

Experts say that the fundamental problem that this highlights is that every stage in Vista's booting process works on blind faith that everything prior to it ran cleanly. The boot kit is therefore able to copy itself into the memory image even before Vista has booted and capture interrupt 13, which operating systems use for read access to sectors of hard drives, among other things.

This is not theoretical; VBootkit is actual code that demonstrates this.

Posted on April 3, 2007 at 12:51 PM • 51 Comments

Comments

Carlo GrazianiApril 3, 2007 1:23 PM

Actually, Anonymous, given that Vista's code signing systems exist to protect the system against the legitimate owner of the computer (think DRM), its breakage may be the first reason I've seen to run Vista after all.

meApril 3, 2007 1:24 PM

On the contrary - that might be a reason to use it, e.g. to rip DRMed media.

jammitApril 3, 2007 2:21 PM

It sounds bitter-sweet to me. As the article said at the end, the only way to stop this is by introducing TPM in the hardware. Breaking software is nice because you get control of your machine back, breaking hardware isn't so nice.

SpencerApril 3, 2007 2:33 PM

From system design perspective, it is extremely difficult for a large team to be paranoid enough to prevent a break of this kind. Each sub-team must make some axiomatic assumptions in order for the system to be implemented.

Paranoia is under-rated but not everyone will be naturally (or unnaturally) paranoid enough to participate in secure system design.

Steve DispensaApril 3, 2007 3:13 PM

This, just like Patchguard, is really only a stopgap until hardware mechanisms are in place (TPM and a real Hypervisor, respectively). These measures aren't primarily targeting malware authors or individuals, they're targeting independent software vendors.

If the ISV community learns to live within the newly locked-down x64 world, then introduction of the hardware technologies will be feasible. If Microsoft hadn't taken (inevitably breakable) software-only steps, then they'd be forever unable to introduce the stronger hardware-supported solutions when they're ready for prime time.

Tyler LarsonApril 3, 2007 4:57 PM

This is the fundamental problem with trust and computing. If you can't trust your own executing code, then you can't trust anything. This isn't a Microsoft problem, it's a problem with software in general; no matter what precautions you take, if someone gets their own code in there first, then there is absolutely nothing you can do, no checks that can be run, to reliably verify the security of your system... not without harware support, that is.

That's the whole basis behind the Trusted Computing initiative. The TPM moves security into the hardware, allowing tampering like this to be detected or prevented. Whether allowing for that degree of certainty is a good idea for customers is a matter of politics, since it allows developers and vendors to strictly enforce rules that you might otherwise be able to break.

kokorozashiApril 3, 2007 5:18 PM

"A very time-consuming debugging process ... was required to determine the memory areas and checksums that have to be patched because they are different with every Vista build." Hmmm. Doesn't sound very scalable with respect to the endless stream of netborne updates emanating from Microsoft.

ThomasApril 3, 2007 7:56 PM

"""...every stage in Vista's booting process works on blind faith that everything prior to it ran cleanly."""

How else could it run?

Assume that the previous stage was subverted?
In this case the only secure response would be to abort startup.

AnonymousApril 3, 2007 8:09 PM

@kokorozashi
Not scalable for two guys to do it, but turn a fraction of the frustrated "HD Capable" video card owners loose who purchased that video card before the DRM lock-down was well established and you'll see the patches for this backdoor coming out soon after the Microsoft patches are released.

Dan

SpikelesApril 3, 2007 11:33 PM

"and capture interrupt 13, which operating systems use for read access to sectors of hard drives, among other things."

What? Are they living the 80's? Operating systems haven't used interrupt 13 to read hard drives for years, they all bypass the BIOS and directly access the hard drive controllers through DMA and IO operations. That's why you need to download motherboard "drivers", so the OS knows how to talk to the different chipsets without using slow and outdated BIOS calls.

PaulApril 3, 2007 11:37 PM

I don't see that this has much to do with DRM and TPM would not have much of an effect on this. Any reliance on TPM during the boot process could be pre-empted by simply faking the TPM interaction. Any public key verification would simply be bypassed.

OK, if the entire operating system was encrypted using the private key you couldn't very well bypass TPM. But I don't think anyone is thinking along those lines. Regardless of the verification, checking and such it would be trivial to simply preempt it or bypass it.

There is no practical defense for this sort of thing.

TPM-boyApril 3, 2007 11:57 PM

Paul,

read up on AMD's SKINIT instruction, and how it interacts with the TPM. This type of attestation does not require the OS to be encypted or anything like that. All it relies on is the TPM/SKINIT-signed bootloader correctly resetting platform state from whatever code may have run before. Not trivial, but certainly feasible. Pretty hard to attack with a software-only method, including virtualization-based attacks.

nixApril 4, 2007 12:03 AM

TPM isn't a panacea but only a layer of security. Keep in mind that TPM can be used to extend the reach of DRM. Now with the extended powers of TPM/DRM you machine isn't you own anymore. What your machine can and cannot do can be governed by others.

Is this a technological issues or a people issue? IMHO; it is a people / trust issue. I am not willing to hand the keys to the kingdom over to any person; it is my machine.

Now to get back on topic to this post (FTA):
"A very time-consuming debugging process using the Bochs PC emulator was required to determine the memory areas and checksums that have to be patched because they are different with every Vista build. The two Indian experts said that it took them several weeks to go through all of the individual steps in the booting process the first time. They feel that, based on analysis, VBootkit would easily be able to patch, for instance, signed drivers on the fly and get around integrity checks. And since it runs with kernel privileges, it could in principle do everything the kernel can."

Looks like some of the randomization technologies that MS has instituted seem to help. The real question is: how effective will it be in the long/short run?

For the record: I do not trust MS to protect the interests of the user only that of large organizations (if that). My right to use my PC in the fashion I choose has been sold out to the media companies. The cost of PC's is being driven up by the step requirements of Vista as well as addition of copy protection technologies (IE: HDCP).

Here is the funny thing: I don't watch movies on my PC; however, I don't like people jacking with my rights.

glorbApril 4, 2007 1:39 AM

Spikeless: The operating system still needs to load itself / be loaded.
The only thing running on the machine that "knowns" about what kind of disk controllers etc you have is the BIOS.
So the OS will always need the old BIOS interrupts to load the first part of itself (ie at least the kernel + driver framework + disk drivers [+motherboard driver])

Anonymous02April 4, 2007 1:48 AM

Sincere question.

Why would this be a Windows only issue?

I would seem that this method can be used to by-pass any OS.

Neil BartlettApril 4, 2007 3:22 AM

Anonymous02: you're of course right, other OSes can be subverted. However, Vista is the only one that claims to make this impossible; a claim that is (now) demonstrably false.

Incidentally, the code signing feature in Vista appears to be a dual-use technology: it can be used for both good and evil. The evil use is DRM. The good use is protection against rootkits.

Roland RonquistApril 4, 2007 3:55 AM

I can see no reason why everybody is getting so excited about the possibilities with a TPM unit. With modern processors, both AMD and Intel, virtualization is very easy to accomplish. If there is a will/need there must be a way around SKINIT and other countermeasures. These clever Indian guys is a living proof that there is a serious interest in breaking technology in this particular area. Accordingly, the TPM unit either be hidden all together or being put behind a driver that will snoop on the communication with the TPM making the security less than intended.

Hence stating TPM as the "silver bullet" of DRM is about as naïve, as when the motion picture industry thought that region coded DVD:s would stop the flow of videos before official release dates in particular areas.

What a TPM unit can do is keeping track of secret keys and encrypt and sign things, both in a quite secure way. But no chip on any computer can ever decide which program to communicate with. It is impossible for the chip to know if it is dealing with a proper Microsoft Windows binary or something else. In the same way it is not possible for the operating system to be 100% certain it is dealing with real hardware on a platform supporting virtualization.

Roland Ronquist.

alessio porcacchiaApril 4, 2007 4:37 AM

this prove that after many release of windows, this OS remain insecure. I believe that Redmond for resolve this it would have to make as it made at the time of NT create a team of programmers derived on unix company (Digital) and control the source code.
remember: a frendly OS is not a Secure OS

NagilumApril 4, 2007 5:52 AM

To trust your previous boot step is not optional and no fault. Whatever checks you may conceive to somehow "verify" the previous step was ok, can be switched off by the previous boot step before entering the next boot step. So it would be a futile attempt.

fwyzardApril 4, 2007 6:17 AM

'fairness',
of course linux trusts its boot loaders (there are many) - but why would a linux box owner work around the kernel, when he can simply patch it and rebuild it as he wishes?
VBootkit is used to stop Vista from stopping the user from running some software/drivers; with linux you re already free to do whatever you want and are able to do :-)

dhasenanApril 4, 2007 7:27 AM

fairness:
This attack requires physical access to the machine. If someone wants to subvert your machine and has physical access, they'll probably succeed. Disk encryption is the only potential way around this, though you could alter the boot loader or OS kernel to record the drive's key for your later retrieval, if you could remove the hard drive.

So, this VBootkit only matters in situations where security is already weak on pretty much all home and most business and government machines. It has functionality that regular developers can use, not just security specialists; and they can in turn create something for regular users to use to control their own computers and have them do stuff that Microsoft does not allow. That's the main benefit.

headholeApril 4, 2007 7:44 AM

drm, tpm, or any other acronym is just one step along the way to being controlled. If you lift that rock a little, careful the light can be blinding/enlightening, you will see that this is just another one of those cracks that ultimately will be around longer than MS, hopefully. To think that there will ever be a secure MS product is @#$%ing bizzare. LOL

AnonymousApril 4, 2007 7:56 AM

pointfree, though on slashdot I'd mod you +5, funny, the thing itself is just as possible on Mac, Linux or else. Only, on Linux, we won't see much of DRM; while Mac may be overflowing with it.
AFAICS, this is no Windows-specific 'feature'.
How, if not by trust alone, will you go through boot process stages ?
As much as I despise Microsoft, I don't see any exploit, except through physical access. And physical access has never been even considered as 'feasible to secure'.

I do need some time to ponder about a chance to intrusion-detection-like means to identify a change of relevant data in memory / stack.

rockstarApril 4, 2007 8:06 AM

What does this mean in terms of compromising the aes encryption. If you are rocking a full drive encryption with bitlocker it wouldn't be effective, correct?

If the above is true than we are just back where we have always been, preboot authentication for a fully encrypted drive is still the only security - and i also don't see this as anything worse than the -s os x boot.

A Real GuyApril 4, 2007 8:11 AM

Pardon me if this is flamebait. I just, I just can not stand the windows desktop monopoly. it is very expensive and inefficient. "Microsoft" is not computing. Microsoft is some forced hodge-podge of .... well, it's just garbage! and they keep forcing people to eat it. And that's the truth! And one thing is very certain, this bloated garbage is certainly not economically scalable for people of regular means who are ethical and use software legally. Microsoft has temporarily appropriated desktop computing. They are a novelty cpmpany with novelty workers and novelty enthusiastics, I gcould go on and on, but if your product is not economically scalable and economically advantageous to the user, there is no utility at all, none, in fact it is the reverse: extortion. And even more important that that, what is Microsoft's strength, computing? No it is not. Microsoft's strength is monopoly and extortion. and that goes for every one of you here that work for their efforts. All you do is control and oppress stupid people and take their money, even if it is from the local governments and hospitals.

DaveBApril 4, 2007 8:47 AM

"A Real Guy" - your post reminds me of the Simpsons episode in which public access television is described as "the home of the bizarre rant" :)

There should really be an anti-MS spleen-venting website where people can't just let off steam without having to worry about making sense or being relevant.... oh yeah, that's what slashdot is for...

nachoApril 4, 2007 9:35 AM

Doesn't TPM require a net connection in order to authenticate? In order to check the signing of something, I require the trusted third party to do the introduction. So how does TPM work on a non-connected computer?

Will TPM operating systems require constant connectivity? Can I have to get rid of my laptop then?

I can keep a public and private key in the TPM chip. So the TPM can do signing of things, but without authenticating that this "chip" is who it says it is, how do I trust it? Otherwise, why wouldn't someone just virtualize it, and always "sign off" that whatever it is, is ok?

I have yet to figure out how the TPM ecosystem works. What CA holds the digital signature for my computer? Who pays that CA to manage those cert's? Is the CA then involved in the production of TPM chips? I just don't get it.

So someone who is paranoid about TPM, can you please explain to me the problem? How will TPM really work (not pi in the sky powerpoint bs) and when do I actually need to start worrying?

annoyedApril 4, 2007 10:49 AM

The timing was bad for this ... I wish they would have waited for the first consumer vista-based cable-card implementations to be mass marketed and in peoples hands before they released this.

Now cablecards may be delayed or cancelled, or at least dependent on a newer implementation that at least patches for this problem...

theThibsApril 4, 2007 12:28 PM

The value in VBootkit isn't about someone else subverting your machine. It's about you subverting Vista on your own machine, so you can run software of your choosing.

Me, I'm sticking with XP; if it ever comes down to a choice between Vista and no Windows, I'll be 100% Linux.

Doctor JApril 4, 2007 12:38 PM

http://en.wikipedia.org/wiki/...
http://en.wikipedia.org/wiki/Trusted_Computing

From my limited understanding:

Upon boot, the BIOS/TPM chip can load code off disk into protected memory. Only the TPM chip can write to this memory; not even the OS. The code read off disk has a digital signature. If the TPM chip determines that the signature is valid, it sets a flag (in protected memory) indicating "secure mode." It then runs the code.

So the fundamental limitation seems to be that there are things software just can't do.

AnonymousApril 4, 2007 12:53 PM

They are reaching nearly the 666, Apocalipsis, End of every the times. Please, read the Holy Bible before than to continue.

throxApril 4, 2007 1:14 PM

As far as I'm aware, Vista only makes the claim that you can't subvert it when it has a TPM installed. All these guys have really done is shown exactly that - no TPM and the platform can be subverted.

HalApril 4, 2007 2:05 PM

Dr. J, you are totally wrong in your description of the TPM. The TPM is a passive chip and can only hold a few keys and hashes. What happens is the CPU firmware, at boot time (or now at "late launch" time via Intel LaGrande and AMD Pacifica) hashes code modules into the TPM chip as they load. Each subsequent piece of code hashes the next piece into the TPM before running it. Then at the end the TPM can produce a signature on these hashes, allowing verification of the boot (or launch of a VMM) sequence.

Nacho is right that ultimately this signature is only verifiable by standing outside the box. Within the box you can never be sure that you are talking to a valid TPM chip, because your verification code could be hacked. You could arrange it so that you couldn't connect to some web service unless your boot was "clean". Or there could be a USB token you plug in which would not show a green light unless you had a clean boot.

This part is all hypothetical for now as Nacho points out. The one part that does exist is that some brands of TPMs are sold with X.509 certificates on their internal signature keys. The CA is ultimately Verisign which has a special root key for TPMs. These certs are what will eventually prevent virtualization of TPMs and prevent virtualized rootkits. However it will still be true that you can only verify the boot from outside the box.

anonymousApril 4, 2007 6:39 PM

Neil,

DRM can have useful business models. Consider free content with ads. With DRM you can have the ads upated. If you are who I think you are, I am a bit concerned about your views. I hate copy protection as much as you do, but would not really mind downloading the shows of my choice - such as old episodes of The New Statesman etc. if all I had to do was check out some current commercials as well.

AnonymousApril 4, 2007 11:46 PM

I think this kind of attack and easily be subverted with the BitLocker Capability.

ie Volume Encryption with Boot Integrity. If the Boot code up to the bootmanager is not the same as it was at the time BitLocker was turned ON, nothing can get past Boot manager and nothing can be run off the OS volume as it remains encrypted.

Elbert GospodmentApril 5, 2007 2:23 AM

i seem to recall back in the 70's or 80's a couple of hardware cards had been produced that allowed circumvention of some sort of protection. Is it not likely that a DIY setup will be developed and made available to overcome drm and tpm issues?

wng_z3r0April 5, 2007 7:38 AM

Since when is this about DRM in the first place? You can always choose to run unsigned drivers by hitting f8 at boot and loading with the unsigned drivers. This feature has soley to do with keeping rootkits etc out of the kernel without giving the user some warning. Anything to the contrary is laughable.

wng

Devil's AdvocateApril 5, 2007 7:58 AM

So this attack allows one with physical access to a Vista computer to bypass code signing mechanism. Great. But wouldn't it be easier just to press F8 during boot? What is the point of this "attack"?

Ben LiddicottApril 5, 2007 8:35 AM

In the long term, all that can be obtained from DRM or copy protection is tamper-evidence.

DerpApril 5, 2007 1:51 PM

People are going to tamper with stuff they buy and stuff they borrow. We should be allowed to borrow content or even an OS if we agree to return it when finished. That's how the library operates. DRM is DUMB. There are no digital rights to manage.

Derp^2April 5, 2007 4:44 PM

My favorite line on DRM goes like this:

DRM 'manages' rights in the same way that jail 'manages' freedom.

derfApril 5, 2007 11:41 PM

It seems overblown to worry about something as complex as TPM or TC when all one needs to do to hack Vista is accidentally load up the wrong animated cursor.

lame_dudeApril 6, 2007 10:49 AM

I'm thinking DRM is like an Ostrich.If you have hidden just your head, you no longer see a threat.However, this does not prevents you from being eaten by someone.So, DRM is most stupid invention in the world.It will never stop those people against which it targeted.And it will always cause headaches to legitimate users.

P.S. Also I'm preferring to decide myself what to run.And I'm not willing to allow MS to decide instead of me what happens in my system.Trust is mutual and cannot be enforced.So, "trusted" computing has nothing to do with trust.I do not trust to MS or "trusted" platform vendors since I do not feel like they're willing to protect MY interests.Instead they want MY PC to trust THEM, but why I AM should trust them, at all?I'm do not trust MS.So, I have migrated from XP to Kubuntu. Sorry, MS :P

lame_dudeApril 6, 2007 11:18 AM

> In the long term, all that can be obtained from DRM
> or copy protection is tamper-evidence.
Actually, in long term you will see that DRM makes legal users life harder and pirates are not affected since they're about to get unDRMed versions :).So all what this achieves is that it is getting harder and harder to be legal.You have to obey some moron restrictions put by some assholes...err.. and have to pay money for all this.Cool, yeah?What now?Next time I also have to pay for handcuffs on my hands?Shall I buy cord and soap as well for my execution?

I have to ask: WTF some assholes allowed to break into my private life and to point me where I can watch movie and where I can not, which device\software I can use and which ones I can not.Why someone allowed to conduct such dictatorship at all?This should be illegal much more than DRM hacking!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..