[Cryptography] Is "drivers for foo" a major malware vector?

Bill Frantz frantz at pwpconsult.com
Tue Apr 19 19:03:02 EDT 2016


On 4/18/16 at 4:26 PM, huitema at huitema.net (Christian Huitema) wrote:

>That's the whole point of building a "golden path" for getting 
>drivers through Windows Updates. So that users won't have to 
>web through the dark corners of the Internet to get crazy 
>drivers. Positive message: "do this and you will be OK." That 
>tends to work better than negative warnings.
>Also, requiring signature of driver files, which provides some 
>traces. But then, we can get into the whole PKI argument again...

The best security I have seen for device drivers on a widely 
distributed system was in IBM's VM/370. VM/370 made a virtual 
370 for each user -- somewhat like modern virtual machine 
systems do for the i86. The 370 did its I/O through a "channel" 
which attached several devices and would run a "channel program" 
on each of these devices. The VM/370 monitor took a channel 
program from the virtual machine and translated it to run on the 
real channel. This translation made sure the channel program 
could not address other I/O devices on the channel or memory 
which was not part of the virtual machine [1].

CapROS <http://www.capros.org/> is a capability operating system 
which runs its device drivers as normal application programs. 
It supports easy porting of device drivers from Linux.

The best kind of security for device drivers is to limit their 
authority. They need the authority to communicate with their 
device, the ability to read and write certain portions of 
memory, and perhaps the ability to append entries to a system 
log. They don't need much else and shouldn't have much else. The 
idea of running them at maximum privilege is just crazy.

Cheers - Bill

[1] There was one major security bug in this translation 
involving relaxing a restriction to support an IBM written 
channel program. That bug was fixed with a patch.

-------------------------------------------------------------------------
Bill Frantz        | Airline peanut bag: "Produced  | Periwinkle
(408)356-8506      | in a facility that processes   | 16345 Englewood Ave
www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos, CA 95032
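
The channel-program translation described in the message above, as an added example (not part of the original post and not VM/370 code): a simplified monitor-side check that maps a guest's device numbers and buffer addresses to real ones and rejects anything outside the virtual machine. The structures, function names, and device numbers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of one I/O command; not the real S/370 CCW layout. */
struct chan_cmd {
    uint8_t  opcode;  /* passed through unchanged */
    uint16_t device;  /* guest: virtual device number; host: real device */
    uint32_t addr;    /* guest: offset in guest memory; host: real address */
    uint32_t count;   /* bytes to transfer */
};

/* What one virtual machine may touch (hypothetical structure). */
struct vm {
    uint32_t mem_base;         /* real address where guest memory starts */
    uint32_t mem_size;         /* guest memory size; base + size must not wrap */
    const uint16_t *real_dev;  /* virtual device number -> real device */
    size_t ndev;               /* entries in real_dev */
};

enum { XLATE_OK = 0, XLATE_BAD_DEVICE = -1, XLATE_BAD_MEMORY = -2 };

/* Translate a guest channel program. Every command is validated before
 * anything is written to out, so a rejected program is never partly issued. */
int translate_program(const struct vm *vm, const struct chan_cmd *in,
                      struct chan_cmd *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (in[i].device >= vm->ndev)
            return XLATE_BAD_DEVICE;  /* not one of this VM's devices */
        /* Overflow-safe check that addr + count stays in guest memory. */
        if (in[i].addr > vm->mem_size ||
            in[i].count > vm->mem_size - in[i].addr)
            return XLATE_BAD_MEMORY;
    }
    for (size_t i = 0; i < n; i++) {
        out[i] = in[i];
        out[i].device = vm->real_dev[in[i].device];
        out[i].addr = vm->mem_base + in[i].addr;
    }
    return XLATE_OK;
}

/* Constructed sample: a 64 KiB guest at real 0x100000 owning two devices. */
int translate_sample(struct chan_cmd cmd, struct chan_cmd *out)
{
    static const uint16_t devs[] = { 0x190, 0x00C };
    struct vm vm = { 0x100000u, 0x10000u, devs, 2 };
    return translate_program(&vm, &cmd, out, 1);
}
```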


