Kernel Mode Code Signing on Windows Vista and Windows Longhorn Server




               Ramesh Chinta
           Program Manager (STU)


     Agenda


• Motivation
• What the kernel mode code signing policy means to you
• MSFT Programs for Code Signing
   – What they are
   – When to use them
• How to get a Software Publisher Certificate
• Development & Test with SPC
• Diagnostics and Troubleshooting




     Motivation

• Trustworthy computing built on a trusted kernel
   – Windows Vista has an identifiable kernel state
   – Reduce platform vulnerability from unknown
     binaries
• Identifiable kernel enables new scenarios
   – Access next generation premium content
   – Address growing threat of malicious rootkit
     attacks
   – Improve reliability by identifying and working with
     kernel mode software publishers
     Kernel Mode Code Signing policy

• Signature checks by OS loader and kernel
• On x64 64-bit platforms
   – Identity of all kernel mode binaries is verified
   – All kernel mode code must be signed in order to load
   – System audit events for integrity check failures
• On x86 32-bit platforms
   – Administrator is prompted and must accept before unsigned
     kernel mode code is installed
   – Load-time checks done on all kernel mode binaries,
     unsigned code allowed to load
   – Next generation premium content may not be accessible,
     depending on content protection policy

      Which Kernel Mode Signature to use?

Signing Options                        Functionality verified to   Identity   Intended
                                       meet Logo requirements      verified   use
Windows Logo program                   Yes                         Yes        Release
Kernel Mode Code Signing using a SPC   No                          Yes        Release
WHQL Test Signature program            No                          Yes        Testing
KMCS Test Signing                      No                          No         Testing
     Outline of Development Workflow

• Get Software Publisher Certificates (SPC)
• Develop and test your kmod
   – Use the enforcement workaround for early development
• Pre-release/testing
   – Use Makecert.exe or WHQL test signing
• Release
   – Sign kmods using SPC or use WHQL signing
• Installation


    Release signing

• How and when do I get one?
  – Get a SPC from a CA that issues the certificates required for kernel
    mode code signing
  – Get a corresponding cross cert
     • http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx
• Cross cert
  – System loader and kernel trust only the Microsoft root
    certificate
  – Cross certs provide a flexible way to establish trust to
    Commercial CA roots that issue SPCs

Development Workflow


            Enforcement Workarounds

    • Enforcement workarounds for Vista RTM
         – Attach an active kernel debugger and turn on debugging
              • bcdedit /bootdebug on
              • bcdedit /debug on
         – F8 one time option to disable enforcement for a boot
           cycle
    • For Vista Beta2 builds only:
         – To disable integrity checks in ntoskrnl.exe
            • bcdedit.exe /set nointegritychecks on
         – Re-enable integrity checks
            • bcdedit.exe /set nointegritychecks off


                       *Other names and brands may be claimed as the property of others
    Signing Basics

• Applies to both release and pre-release signing
• Embedded signing
  – Signature contained in PE
  – Protects an individual file
• Catalog signing
  – Contains hashes of files
  – Signing a catalog protects integrity of all files in the
    catalog
  – Better if you have to sign many files
Development Workflow


            What Do I Sign?

    • All boot start kmods must be embedded
      signed using a SPC
         – Significant performance gain at boot
         – Don’t forget to embedded sign export drivers
    • INF based installs
         – Sign the driver package catalog
    • Non INF installs
         – Sign the catalog or embed sign the kmod


     Signing Boot Start Drivers

• Boot start drivers are loaded by OS Loader
   – Start Type = 0, loaded by Winload
• Boot start driver files must be embedded signed
   – Signature contained in the binary file
   – Avoids boot time degradation locating catalog file
• Embedded sign before submitting to WHQL
   – Sign individual driver files, then submit package
   – This is a Logo requirement

Development Workflow


              Release Signing for INF Based Installs

   • Driver package contains .inf, .sys, .cat files

   • Sign .cat with SignTool
       Example:
       SignTool sign /v /ac MSCV-VSClass3.cer /s my /n contoso.com /t http://timestamp.verisign.com/scripts/timestamp.dll tstamd64.cat

   • If submitting to WHQL for Logo driver binaries
     signing program
        – WHQL will sign your catalog
        – Don’t forget to embedded sign boot start binaries with SPC
          before submitting to WHQL

      Release Signing for non-INF Installs

• Two options available
   – Embedded signing
      • Embedded sign binaries directly
      • Works with no changes to current install mechanisms
   Example:
   SignTool sign /v /ac MSCV-VSClass3.cer /s my /n contoso.com /t http://timestamp.verisign.com/scripts/timestamp.dll toaster.sys
   – Catalog signing
       • Create a catalog and sign catalog using SPC
       • Install package contains other binaries whose integrity you want
         protected
       • Must install catalog as part of install process

      Test signing
• Signing machine
   – Create a cert with makecert.exe
        • makecert -sr localMachine -ss PrivateCertStore -n CN=Contoso.com(Test) testcert.cer
   – Signing a catalog with the test certificate
        • SignTool sign /v /s PrivateCertStore /n contoso.com(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll tstamd64.cat
   – Embedded signing with the test certificate
        • SignTool sign /v /s PrivateCertStore /n contoso.com /t http://timestamp.verisign.com/scripts/timestamp.dll toaster.sys
• Test machine
   – Adding the test certificate to the trusted publisher store and root store
        • certmgr /add /c /s /r localMachine CA /n "Root Agency" /s /r localMachine root
        • certmgr.exe -add testcert.cer -s -r localMachine trustedpublisher
   – Enable test signed code to load using the bcd option
        • bcdedit.exe /set TestSigning on




     Verifying the Signature

• Is the kmod signed to the right root?
   – Catalog signing
      • SignTool verify /kp /v /c tstamd64.cat toaster.sys
   – Embedded signing
      • SignTool verify /kp /v toaster.sys
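The release-signing, test-signing and verification slides above describe one workflow; the following PowerShell script is an added example (not code from the deck) that wraps those SignTool calls and runs the "verify /kp" check on release builds. It assumes signtool.exe is on PATH, and uses the cross-cert file name and subject names from the slides as placeholders.

```powershell
# Added example, not from the slide deck: one script covering the SignTool calls on
# the release-signing and test-signing slides, followed by the "SignTool verify /kp"
# check from the verification slide. Assumptions: signtool.exe is on PATH, and the
# cross-cert file name and subject names are the placeholders the slides use.
param(
    [Parameter(Mandatory = $true)] [string[]] $Files,   # .sys (embedded) or .cat (catalog)
    [ValidateSet('Release', 'Test')] [string] $Mode = 'Test',
    [string] $CrossCert = 'MSCV-VSClass3.cer',          # Microsoft cross cert for the SPC's CA
    [string] $TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll'
)

function Invoke-KmcsSign {
    param([string] $Path, [string] $Mode)
    if ($Mode -eq 'Release') {
        # Release: SPC from the "my" store plus the cross cert (/ac), so the chain
        # reaches the Microsoft root that winload and ntoskrnl trust.
        & signtool sign /v /ac $CrossCert /s my /n 'contoso.com' /t $TimestampUrl $Path
    } else {
        # Test: makecert-issued cert from PrivateCertStore, no cross cert. The file
        # only loads on a machine with the test root installed and TestSigning on.
        & signtool sign /v /s PrivateCertStore /n 'contoso.com(Test)' /t $TimestampUrl $Path
    }
    if ($LASTEXITCODE -ne 0) { throw "signtool sign failed for $Path (exit $LASTEXITCODE)" }
}

function Test-KmcsReleaseSignature {
    param([string] $Path)
    # /kp applies the kernel-mode signing policy: is the file signed to the right
    # root? A makecert test cert does not chain to a Microsoft root, so this check
    # is meaningful for release builds only.
    & signtool verify /kp /v $Path
    return ($LASTEXITCODE -eq 0)
}

foreach ($f in $Files) {
    if (-not (Test-Path $f)) { throw "missing file: $f" }
    Invoke-KmcsSign -Path $f -Mode $Mode
    if ($Mode -eq 'Release') {
        if (Test-KmcsReleaseSignature -Path $f) { Write-Host "OK   $f" }
        else { Write-Warning "$f did not pass 'signtool verify /kp'; check the cross cert" }
    } else {
        Write-Host "test-signed $f (validate by loading it on a TestSigning machine)"
    }
}
```

Boot start drivers must be passed as .sys files so they get the embedded signature the earlier slides require; for an INF package the .cat goes through the same call.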




    Installation

• PnP Install
  – Install is the same – use the INF to install
• Non-PnP Install
  – Embedded signature for the kernel module
     • No change to the installation process
  – Catalog signature
     • Catalogs must be installed




    Diagnosis Steps

• Common symptom
  – Installed the driver through PnP
  – Driver will not load – error code 39
• Diagnosis steps
  – Is it mandatory signing that is causing the
    problem?
  – Is the kmod signed correctly?


    Is it mandatory signing that is causing the problem?


• Check the audit log and event log for image
  verification failures
• Run eventvwr.exe
  – Audit log
     • Event Viewer -> Global Logs -> Security
        – Event ID = 5038
  – Event log
     • Event Viewer -> Application Logs -> Microsoft ->
       Windows -> CodeIntegrity
        – Event ID = 3004
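The two diagnosis questions on the preceding slides (is mandatory signing the cause, and is the kmod signed correctly) can be scripted; the following PowerShell is an added example, not from the deck. It assumes PowerShell 2.0 or later in an elevated session, since Get-WinEvent needs administrator rights to read the Security log.

```powershell
# Added example, not from the slide deck: automate the two diagnosis questions for a
# driver that fails with code 39. Assumes PowerShell 2.0 or later (Get-WinEvent) in
# an elevated session, because reading the Security log needs administrator rights.
param(
    [Parameter(Mandatory = $true)] [string] $DriverPath,   # e.g. ...\drivers\toaster.sys
    [int] $Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)
$name  = [System.IO.Path]::GetFileName($DriverPath)

# Question 1: is mandatory signing the cause? Pull the two events the slide names:
# 5038 in the Security audit log and 3004 in the CodeIntegrity operational log.
$audit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038; StartTime = $since } `
                      -ErrorAction SilentlyContinue
$ci    = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational';
                                          Id = 3004; StartTime = $since } -ErrorAction SilentlyContinue
$hits  = @(@($audit) + @($ci) | Where-Object { $_ -and $_.Message -match [regex]::Escape($name) })
if ($hits.Count -gt 0) {
    Write-Host "Code integrity rejected $name $($hits.Count) time(s) in the last $Hours hour(s):"
    $hits | Select-Object TimeCreated, Id, LogName | Format-Table -AutoSize
} else {
    Write-Host "No 5038/3004 events mention $name; code 39 is probably not a signing failure."
}

# Question 2: is the kmod signed correctly? Get-AuthenticodeSignature reads the
# embedded signature; older PowerShell does not consult catalogs, so a catalog-signed
# driver may show NotSigned here and should be checked with "SignTool verify /kp /c".
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
Write-Host ("Signature status : {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Host ("Signer subject   : {0}" -f $sig.SignerCertificate.Subject)
    Write-Host ("Signer issuer    : {0}" -f $sig.SignerCertificate.Issuer)
}

# Finally, report whether the OS is set to accept test-signed code at all.
$bcd = & bcdedit.exe /enum '{current}'
if ($bcd -match '^testsigning\s+Yes') { Write-Host "TestSigning is ON (test certs load)" }
else { Write-Host "TestSigning is OFF (release or WHQL signature required on x64)" }
```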

Sample event log entry (screenshot not reproduced in this extract)
       Resources

• Windows Logo Program
  http://www.microsoft.com/whdc/winlogo
• WHQL Test Signature Program
  https://winqual.microsoft.com/help/use_help/testsignusersguide_help.aspx
• Windows Platform SDK download site
  http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-
  E24F-4EA3-A93E-40C0EC4F68E5&displaylang=en
• Windows Quality Online Services (Winqual)
  https://winqual.microsoft.com
• Code Signing Best Practices
  http://www.microsoft.com/whdc/winlogo/drvsign/best_practices.mspx
• Driver Package Integrity during Plug and Play Device Installations in
  Windows Vista
  http://www.microsoft.com/whdc/winlogo/drvsign/pnp-driver.mspx


       Additional Resources

• Code-signing for Protected Media Components in Windows Vista
   http://www.microsoft.com/whdc/winlogo/drvsign/Pmp-sign.mspx
• “Microsoft Cross-certificates for Windows Vista Kernel Mode Code
  Signing”
   http://go.microsoft.com/fwlink/?LinkId=66583
• “Boot Configuration Data Editor Frequently Asked Questions”
   http://www.microsoft.com/technet/windowsvista/library/85cd5efe-c349-427c-
   b035-c2719d4af778.mspx
• “CryptCATAdminAddCatalog in the SDK documentation on MSDN”
   http://msdn.microsoft.com/library/default.asp?url=/library/en-
   us/seccrypto/security/cryptcatadminaddcatalog.asp
• “Deploying Authenticode with Cryptographic Hardware for Secure
  Software Publishing”
   http://www.microsoft.com/technet/security/topics/cryptographyetc/authenticodets.
   mspx




      Additional Resources

• Certmgr
  http://msdn2.microsoft.com/en-us/library/e78byta0.aspx
• MakeCat
  http://msdn.microsoft.com/library/default.asp?url=/library/en-
  us/seccrypto/security/using_makecat.asp
• Makecert
  http://msdn2.microsoft.com/en-us/library/bfsktky3.aspx
• SignTool
  http://msdn.microsoft.com/library/default.asp?url=/library/en-
  us/seccrypto/security/signtool.asp
• Windows Driver Kit (WDK)
  http://www.microsoft.com/whdc/driver/WDK/aboutWDK.mspx
• Debugging Tools for Windows
  http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx



        Code Signing Glossary

•   Code Signing - Digitally signing software to ensure its integrity and provide
    assurance of its origin
•   Code Sign with cross-certificate – Digitally sign software and include a cross-
    certificate issued by Microsoft for the issuing CA in the signature
•   Signed by Microsoft – The certificate used to code sign the product is issued to
    Microsoft. Products signed by Microsoft can include:
      – Windows Vista Inbox drivers, Drivers approved by WHQL
      – Premium logo program, Basic logo program, Unclassified products
•   Self-signed – The certificate used to sign the code is generated by makecert.exe
    and not through a commercial CA
•   Catalog signed - Code signing method which applies the certificate to a catalog
    file, rather than directly to the binary
•   Embedded signed - Code signing method which applies the certificate directly to a
    binary file
•   Certificate - A digitally signed statement, typically an X.509 format, that contains
    information about an entity and the entity's public key, thus binding these two
    pieces of information together. A certificate is issued by a trusted organization (or
    entity) called a certification authority (CA).

Signing Infrastructure


              General Principles (part 1)

    • Secure Private Key
          – Smart Card or Hardware Security Module (HSM)
          – Floppy / USB storage is not recommended
    • Physical Security for signing environment
          – Security cameras, vault / safe, etc…
          – Limit access to small set of trusted employees
    • Accountability in code signing approval process
          – Need a quorum (>2) before signing code
    • Maintain audit trail for 3 years
          – Log Date, Binaries, Signer, Approver(s), etc…


Signing Infrastructure


              General Principles (part 2)

    • Release SPC for public releases only
          – For Kernel mode drivers only
    • Test signing during development phase
          – Test certificates available to project team
          – Allows testing of private binaries
          – Exercises relevant code paths
    • Automated processes must be secured
          – Access to automation = ability to sign code
          – Requires Authentication, Access control, Auditing



