SecurityFocus, 2005-05-26
The uneven skills of driver programmers have left a legion of holes in software that ships with Windows and Linux, security experts say.
While buffer overflows, a type of memory flaw that can lead to serious vulnerabilities, are quickly being eradicated in critical applications, the flaws are still easily found in device drivers, said David Maynor, a research engineer for Internet Security Systems' X-Force vulnerability analysis group.
"If you look through the device driver code, there are a lot of problems," he said in a recent interview. "The state of the code's security is not strong." During a few hours on a recent plane flight, for example, Maynor found more than a dozen glitches in several Windows XP drivers.
Windows is not the only operating system at risk. A survey of the Linux 2.6.9 kernel code performed by automated-code-checking software maker Coverity found that, while the overall quality of the code had increased significantly, more than 50 percent of flaws appeared in device drivers. Many of those flaws may not affect system security, but the ratio is generally indicative of the quality of the code, said Seth Hallem, CEO of Coverity.
"The people writing the device drivers are not generally the core programmers," he said. "It is not the operating-system implementers themselves -- the Linux programmers or Windows developers -- it is generally the vendors."
The warnings come as operating-system developers have placed security higher on their to-do lists. While the Windows and Linux operating systems have both undergone significant audits in the past several years, many device drivers -- especially those created by third-party hardware providers -- have seemingly escaped rigorous testing.
Microsoft acknowledged the threat but stated that the company's developers had already started checking drivers that have been shipped with Windows for flaws.
"Microsoft is aware of a scenario by which an attacker could attack an existing software vulnerability in a device driver (and) could compromise a user's system," the software giant said in a statement to SecurityFocus. "It's important to note that Microsoft's software development processes do cover instances where third party code included with the operating system may be reviewed before the code ships with Windows to help ensure that customers are not at risk from this type of threat."
Microsoft has also moved forward with development efforts to harden device drivers, according to sources familiar with the initiative. However, the company remained tight-lipped about the details of the effort.
Device driver flaws can be more dangerous than other application vulnerabilities because device drivers are, in most cases, part of the kernel itself and subverting the critical software gives an attacker direct access to the kernel. Moreover, drivers that have direct memory access (DMA) -- such as USB drivers, CardBus drivers, graphics drivers and sound drivers -- could be used to overwrite system memory and exploit the system.
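To make concrete the kind of driver buffer overflow the article describes, here is an added user-land model (not code from the article or from any vendor's driver) of an IOCTL handler that trusts a caller-supplied length, beside the hardened form that validates that length against both the real input size and the destination buffer. The request layout, buffer size and sentinel field are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed user-land model of a driver IOCTL handler; not code from any real driver. */
#define BUF_SIZE 16

/* Request as it arrives from user mode: a length chosen by the caller, then payload. */
struct ioctl_req {
    uint32_t len;        /* caller-supplied; must not be trusted */
    uint8_t  data[64];
};

/* Model of kernel memory: a BUF_SIZE-byte buffer followed by an unrelated kernel field. */
struct kmem {
    uint8_t arena[BUF_SIZE + 4]; /* arena[0..15] is the buffer, arena[16..19] the neighbour */
};

static const uint8_t SENTINEL[4] = { 0xA5, 0x5A, 0xA5, 0x5A };

/* Vulnerable pattern: copies as many bytes as the caller's header claims. */
int handle_ioctl_vulnerable(struct kmem *km, const struct ioctl_req *req, size_t in_len) {
    (void)in_len;
    memcpy(km->arena, req->data, req->len);
    return 0;
}

/* Hardened pattern: the claimed length is checked against the real input size
   (what the I/O manager reports the caller actually passed) and the destination. */
int handle_ioctl_hardened(struct kmem *km, const struct ioctl_req *req, size_t in_len) {
    if (in_len < sizeof req->len) return -1;              /* header incomplete */
    if (req->len > in_len - sizeof req->len) return -1;   /* claims more than was supplied */
    if (req->len > BUF_SIZE) return -1;                   /* would overrun the buffer */
    memcpy(km->arena, req->data, req->len);
    return 0;
}

typedef int (*ioctl_fn)(struct kmem *, const struct ioctl_req *, size_t);

/* Sends a request claiming `len` bytes to `handler`; returns the handler's status and
   stores in *intact whether the field next to the buffer survived. */
static int run_request(ioctl_fn handler, uint32_t len, int *intact) {
    struct kmem km;
    struct ioctl_req req;
    memset(km.arena, 0, sizeof km.arena);
    memcpy(km.arena + BUF_SIZE, SENTINEL, sizeof SENTINEL);
    memset(req.data, 0x41, sizeof req.data);   /* constructed payload */
    req.len = len;
    int status = handler(&km, &req, sizeof req);
    *intact = memcmp(km.arena + BUF_SIZE, SENTINEL, sizeof SENTINEL) == 0;
    return status;
}

int request_status(ioctl_fn h, uint32_t len) { int i; return run_request(h, len, &i); }
int neighbour_intact(ioctl_fn h, uint32_t len) { int i; run_request(h, len, &i); return i; }
```

A request claiming 20 bytes corrupts the neighbouring field through the vulnerable handler, while the hardened handler rejects it and still accepts a request that fits the buffer.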
Some security experts argue that such issues are a well-known problem, and one with which device-driver programmers should have already dealt. The problem has been known for a decade or more, said Crispin Cowan, director of software engineering for Novell, which distributes the SuSE Linux distribution. He acknowledged, however, that not everyone may have made auditing driver code a priority.
"If you can crash your kernel with an application, that is a kernel flaw; if you can crash your kernel with a device driver, that is a device driver flaw," he said. "There is a huge number of device drivers in the Linux kernel source tree, and many of them are ancient and not kept up to date."
Cowan did not agree that the quality of programming in device drivers poses any special threat to Linux.
"The Windows kernel may have gotten a lot of attention in recent years, which may have prompted Microsoft to look at the device drivers," he said. "The Linux kernel has always been audited for security so there is nothing new here."
Further reducing the threat, many device drivers can only be exploited by an attacker who has physical access to the computer, he said. The notable exceptions are networking, wireless and Bluetooth drivers.
Another Linux expert stressed that the existence of coding problems does not necessarily mean it is easy to use device drivers as an avenue of attack.
"Since drivers run in kernel-privilege state, if you can take them over you are in a privileged position," said Bill Weinberg, Linux evangelist for the Open Source Development Labs. "But it is not a trivial thing; you are more likely to crash the system."
Auditing has become standard procedure for some hardware makers. Graphics card maker NVidia, for example, does significant security checks during development and has used a third-party auditing firm to check its drivers using automated tools, said a source familiar with the arrangement.
The company audits both its graphics drivers and its nForce platform drivers, said spokesman Bryan Del Rizzo.
"We make sure that the drivers can't be used in a way to infiltrate the platform," he said.
Microsoft's latest security update to Windows XP, Service Pack 2, also includes a feature that limits the exploitability of many device driver flaws. Known as Data Execution Prevention, or DEP, the feature prevents data that a malicious exploit has placed in memory from being executed as code.
Drivers have to be programmed to use the feature, ISS's Maynor said. Hardware makers should add the support to their latest drivers, he said, because computers are becoming more complex under the hood.
"You no longer have a single computer," he said. "It is a collection of subsystems and device drivers are becoming that much more important."