Joanna Rutkowska is a leading researcher on virtualisation-based attacks and demonstrated a hack dubbed 'Blue Pill' at last year's Black Hat, the annual hacker conference held in Las Vegas. Blue Pill relied on the hardware virtualisation extensions in modern AMD processors rather than on anything built into Vista: designed to work as malware, it slid a thin hypervisor underneath the running copy of Windows, moving the operating system into a virtual machine it controlled. Because Windows was executing beneath the malware rather than alongside it, the OS could never hope to detect it, making Blue Pill the ultimate rootkit.
Whilst Microsoft claimed to have closed off the loading technique Blue Pill used before the final release of Vista, there are still plenty of ways to attack Windows Vista and install malicious rootkits, as her presentation yesterday proved. By using the Nvidia driver as a proxy for writing code into the kernel, she showed how a rootkit can bypass the kernel-mode code signing requirement in 64-bit Vista, which is meant to keep unsigned and unreliable code out of the kernel. The bypass does not break the signature check at all: the Nvidia driver is validly signed and loads normally, and the rootkit then abuses a flaw in that driver to get its own unsigned code written into the kernel.
"The whole problem in Nvidia," Rutkowska explained, "is that the driver doesn't do the proper checks and can do a write for an arbitrary registry." Because the driver never validates the write request it is handed, an attacker can pass it attacker-controlled data and have the signed driver perform the write on their behalf, with kernel privileges. That is what turns a legitimately signed driver into a loader for unsigned code.
It's not just Nvidia's problem, or even ATI's - although both were singled out as particularly bad examples of driver writing. "There are thousands, maybe tens of thousands of third-party drivers that are poorly written and could be a problem," Rutkowska said.
What's worse is that the drivers are so badly written, and their architecture so poorly designed, that the victim doesn't even need an Nvidia or ATI graphics card installed for the attack to work. Windows loads the driver because its signature is valid, not because the hardware is present, so it's enough to bundle the vulnerable driver file with any other job lot of malicious code, drop it anywhere on the C: drive, load it, and then use it as the attack vector.
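The bug class described above, as an added illustration that is not part of the original article and is not NVIDIA's or ATI's code: a user-mode model of a driver request handler that trusts the destination address a caller supplies, beside a hardened version that only writes inside the buffer the driver owns. The request structure, handler names and the "code integrity" flag are hypothetical stand-ins; the point is that the privileged component doing the write, not the caller, is what the signing check trusts.

```c
/* Constructed example: models an unchecked write in a privileged driver
 * (the article's "doesn't do the proper checks") beside a bounded version.
 * All names here are hypothetical; this is not any vendor's real driver. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated privileged state: a flag standing in for a security setting a
 * rootkit wants to flip, and a scratch buffer the driver legitimately owns. */
static uint32_t g_code_integrity_enabled = 1;
static uint8_t  g_driver_scratch[64];

/* Shape of a request a user-mode caller hands the driver (hypothetical). */
struct write_request {
    void       *dest;  /* where the caller asks for the bytes to go */
    const void *src;   /* caller-supplied bytes */
    size_t      len;
};

/* Vulnerable handler: trusts dest completely. Any address the driver can
 * reach becomes writable by the unprivileged caller, so a signed driver
 * turns into a write-what-where primitive for unsigned code. */
int ioctl_write_vulnerable(const struct write_request *req)
{
    memcpy(req->dest, req->src, req->len);
    return 0;
}

/* Hardened handler: the write must land entirely inside the buffer the
 * driver owns. Length is checked first so the range arithmetic cannot wrap. */
int ioctl_write_hardened(const struct write_request *req)
{
    uintptr_t base  = (uintptr_t)g_driver_scratch;
    uintptr_t start = (uintptr_t)req->dest;

    if (req->len > sizeof g_driver_scratch)
        return -1;
    if (start < base || start > base + sizeof g_driver_scratch - req->len)
        return -1;
    memcpy(req->dest, req->src, req->len);
    return 0;
}

/* Simulated attack: ask the driver to zero the integrity flag.
 * Returns the flag's value afterwards (0 means the attack worked). */
uint32_t attack(int (*handler)(const struct write_request *))
{
    uint32_t zero = 0;
    struct write_request req = { &g_code_integrity_enabled, &zero, sizeof zero };

    g_code_integrity_enabled = 1;
    handler(&req);
    return g_code_integrity_enabled;
}

/* Legitimate use: write inside the driver's own buffer.
 * Returns the handler's status so callers can confirm the fix is not a DoS. */
int legitimate_write(int (*handler)(const struct write_request *))
{
    static const uint8_t payload[4] = { 1, 2, 3, 4 };
    struct write_request req = { g_driver_scratch + 8, payload, sizeof payload };

    memset(g_driver_scratch, 0, sizeof g_driver_scratch);
    return handler(&req);
}

int main(void)
{
    printf("vulnerable handler, flag after attack: %u\n", attack(ioctl_write_vulnerable));
    printf("hardened handler,   flag after attack: %u\n", attack(ioctl_write_hardened));
    printf("hardened handler,   legitimate write rc: %d\n", legitimate_write(ioctl_write_hardened));
    return 0;
}
```

The hardened check is the user-mode analogue of what a kernel driver must do with caller-supplied pointers (probe them and confine them to memory the driver is entitled to touch); without it, the driver's valid signature is doing the attacker's work for them.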
There's more Black Hat coverage over here, but nothing at the conference seems to be quite as revealing as this presentation. Can Nvidia and ATI go back to the drawing board and rewrite their drivers so they stop being a massive malware attack vector? Given the problems they appear to have getting Vista working properly at all, we're not entirely confident.
Neither Nvidia nor ATI, Daamit, was able to offer up a coherent comment when we asked them this morning. µ