Device drivers filled with flaws

Security threatened, action required

The uneven skills of driver programmers have left a legion of holes in software that ships with Windows and Linux, security experts say.

Operating system vendors and hardware makers should commit more resources toward systematically auditing Windows and Linux device-driver code for flaws, security researchers say.

While buffer overflows, a type of memory flaw that can lead to serious vulnerabilities, are quickly being eradicated in critical applications, the flaws are still easily found in device drivers, said David Maynor, a research engineer for Internet Security Systems' X-Force vulnerability analysis group.
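The kind of driver flaw described above, as an added illustration that is not code from the article or from any vendor it names: a simplified, user-space model of an ioctl-style request handler that copies a caller-controlled length into a fixed-size buffer, shown unchecked beside the bounds-checked form. Names, structures and sizes are constructed for the example; in a real driver the copy would come from user memory and the overrun would land in kernel memory.

```c
#include <stdint.h>
#include <string.h>

#define DEV_NAME_MAX 16

/* Constructed request layout: a length the caller controls, then bytes. */
struct dev_request {
    uint32_t len;        /* caller-controlled, never trusted as-is */
    uint8_t  data[64];
};

/* Constructed driver-private state with a fixed-size name buffer. */
struct dev_state {
    char name[DEV_NAME_MAX];
    int  configured;
};

/* Vulnerable form: copies req->len bytes without checking it against the
 * destination. A length above DEV_NAME_MAX overruns `name` into whatever
 * follows it; in a kernel driver that is kernel memory. Kept only to show
 * the defect; it is never called below. */
int handle_set_name_unchecked(struct dev_state *st, const struct dev_request *req)
{
    memcpy(st->name, req->data, req->len);   /* no bound check */
    st->configured = 1;
    return 0;
}

/* Hardened form: validate the caller-controlled length against both the
 * source and destination buffers before copying, leaving room for the
 * terminator, and reject anything that does not fit. */
int handle_set_name_checked(struct dev_state *st, const struct dev_request *req)
{
    if (req->len == 0 || req->len >= DEV_NAME_MAX || req->len > sizeof req->data)
        return -1;                            /* a real driver would return -EINVAL */
    memcpy(st->name, req->data, req->len);
    st->name[req->len] = '\0';
    st->configured = 1;
    return 0;
}

/* Helper for exercising the hardened handler: builds a constructed request
 * of the given length on a fresh state and returns the handler's result. */
int try_set_name_checked(uint32_t len)
{
    struct dev_state st = {0};
    struct dev_request req = {0};
    req.len = len;
    memset(req.data, 'A', sizeof req.data);
    return handle_set_name_checked(&st, &req);
}
```

Automated checkers of the kind the article mentions flag exactly the first pattern: a copy whose length is taken from the request rather than from the destination's size.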

"If you look through the device driver code, there are a lot of problems," he said in a recent interview. "The state of the code's security is not strong." During a few hours on a recent plane flight, for example, Maynor found more than a dozen glitches in several Windows XP drivers.

Windows is not the only operating system at risk. A survey of the Linux 2.6.9 kernel code performed by automated-code-checking software maker Coverity found that, while the overall quality of the code had increased significantly, more than 50 per cent of flaws appeared in device drivers. Many of those flaws may not affect system security, but the ratio is generally indicative of the quality of the code, said Seth Hallem, CEO of Coverity.

"The people writing the device drivers are not generally the core programmers," he said. "It is not the operating-system implementers themselves - the Linux programmers or Windows developers - it is generally the vendors."

The warnings come as operating-system developers have placed security higher on their to-do lists. While the Windows and Linux operating systems have both undergone significant audits in the past several years, many device drivers - especially those created by third-party hardware providers - have seemingly escaped rigorous testing.

Microsoft acknowledged the threat but stated that the company's developers had already started checking drivers that have been shipped with Windows for flaws.

"Microsoft is aware of a scenario by which an attacker could attack an existing software vulnerability in a device driver (and) could compromise a user's system," the software giant said in a statement to SecurityFocus. "It's important to note that Microsoft's software development processes do cover instances where third party code included with the operating system may be reviewed before the code ships with Windows to help ensure that customers are not at risk from this type of threat."

Microsoft has also moved forward with development efforts to harden device drivers, according to sources familiar with the initiative. However, the company remained closed-lipped about the details of the effort.

Device driver flaws can be more dangerous than other application vulnerabilities because device drivers are, in most cases, part of the kernel itself, so subverting one gives an attacker direct access to the kernel. Moreover, drivers that have direct memory access (DMA) - such as USB drivers, CardBus drivers, graphics drivers and sound drivers - could be used to overwrite system memory and exploit the system.

Some security experts argue that such issues are a well-known problem, and one with which device-driver programmers should have already dealt. The problem has been known for a decade or more, said Crispin Cowan, director of software engineering for Novell, which distributes the SuSE Linux distribution. He acknowledged, however, that not everyone may have made auditing driver code a priority.

"If you can crash your kernel with an application, that is a kernel flaw - if you can crash your kernel with a device driver, that is a device driver flaw," he said. "There are huge numbers of device drivers in the Linux kernel source tree, many of them are ancient and not kept up to date."

Cowan did not agree that the quality of programming in device drivers poses any special threat to Linux.

"The Windows kernel may have gotten a lot of attention in recent years, which may have prompted Microsoft to look at the device drivers," he said. "The Linux kernel has always been audited for security so there is nothing new here."

Further reducing the threat, many device drivers can only be exploited by an attacker that has physical access to a computer, he said. The notable exceptions are networking, wireless and Bluetooth drivers.

Another Linux expert stressed that the existence of coding problems does not necessarily mean it is easy to use device drivers as an avenue of attack.

"Since drivers run in kernel-privilege state, if you can take them over, you are in a privileged position," said Bill Weinberg, Linux evangelist for the Open Source Development Labs. "But it is not a trivial thing, you are more likely to crash the system."

Auditing has become standard procedure for some hardware makers. Graphics card maker Nvidia, for example, does significant security checks during development and has used a third-party auditing firm to check its drivers using automated tools, said a source familiar with the arrangement.

The company audits both its graphics drivers and its nForce platform drivers, said spokesman Bryan Del Rizzo.

"We make sure that the drivers can't be used in a way to infiltrate the platform," he said.

Microsoft's latest security update to Windows XP, Service Pack 2, also includes a feature that limits the exploitability of many device driver flaws. Known as Data Execution Prevention or DEP, the feature prevents data that a malicious exploit has written into memory from being executed as code.

Drivers have to be programmed to use the feature, ISS's Maynor said. Hardware makers should add the support to their latest drivers, he said, because computers are becoming more complex under the hood.

"You no longer have a single computer," he said. "It is a collection of subsystems and device drivers are becoming that much more important."

Copyright © 2004, SecurityFocus
