Intel: Driver flaws no major threat, yet

In a recent experiment, researchers at the Santa Clara, Calif.-based chipmaker searched for publicly known vulnerabilities in drivers for Microsoft's Windows operating system. They also hunted for malicious code that took advantage of those security holes. In particular, they wanted to find problems in kernel-level drivers and exploits that would give an attacker full rein over a vulnerable system.

The search came up almost empty.

"It was difficult to find something that was useful for us," David Schulhoff, a senior information security specialist at Intel, said Monday in a presentation at the Computer Security Institute's annual NetSec event. "There really are not that many Windows kernel-mode driver vulnerabilities out there."

Vulnerabilities in device drivers could be a serious threat to computer security, as they theoretically could be used by attackers to gain full access to the system. But Intel's research suggests the risk is low these days, because the number of publicly known issues is small and hackers prefer flaws that are easier to exploit.

Other security experts agree with Intel's assessment. "Device driver vulnerabilities are indeed rare," said Monty Ijzerman, senior manager of McAfee's Global Threat Group. "Device driver vulnerabilities are much more difficult to exploit than many user-mode vulnerabilities and exploitation often ends up in a denial of service."

But driver flaws have been getting more attention recently. Microsoft, for example, is readying tools for driver developers to scan their code for common vulnerabilities. The Redmond, Wash., software giant is worried that insecure drivers might end up hurting systems running Windows.

The operating system requires driver software for it to be able to run the hardware that is built-in or connected to the PC. A buggy driver can cause a lot of trouble. In particular, errors in the kernel-mode drivers, which run hardware such as network interface cards and hard disk drives, can cause fatal crashes that result in the famous "blue screen of death."

Because kernel-mode drivers run with the highest level of privilege on a Windows system, security holes in it can be useful to hackers. "If you are able to exploit something that is operating at that level, you have the keys to the kingdom," Schulhoff said.

Unsuccessful hunt
The Intel experts did find many vulnerabilities that mention the kernel or are related to it, but that ultimately do not really provide access to that low level on a Windows PC, Schulhoff said.

Another problem was that many of issues found were old flaws in third-party software. "Actually getting the vulnerable code proved to be impossible," he added.

Also, many of the vulnerabilities Intel looked at were flaws that were local, meaning attackers had to have on-site access to the PC, and that allowed them only to elevate their system privileges. These issues can't be ignored, but aren't nearly as serious as vulnerabilities that let hackers commandeer a computer remotely.

Moreover, the exploits for kernel-mode drivers that do exist have proven to be very unstable because of the challenge of writing code at that level. "You can't stray very far from the path of what needs to happen within the kernel, or you're going to end up crashing the system rather than being able to gain access to it," Schulhoff said.

Because driver coding is complicated and tedious, there have not been many attacks on it, said Ivan Macalintal, senior threat analyst and researcher at Trend Micro. "We haven't seen much of that because device driver coding is not in the line of the script kiddies--unlike the usual worm codes that have been exposed publicly," he said.

In addition to kernel-mode drivers, Windows works with user-mode drivers, which run printers, graphics, USB devices and other hardware. That kind of software typically has fewer privileges, meaning that an attack exploiting them can be of lesser risk. Drivers are developed by Microsoft as well as by hardware makers, such as Intel.

Ultimately, Intel researchers found a vulnerability in a Microsoft driver called TCPIP.sys, a part of Windows. Microsoft provided a fix for that "critical" flaw in April last year, in security bulletin MS05-019. Malicious code for the security problem is publicly available.

Somewhat erratic
In theory, launching that code should result in complete system access, but Schulhoff found the exploit to be somewhat erratic. "I never gained full control of the system, but it was a very effective denial-of-service exploit," he said. "It will completely lock up the system."

Though Intel researchers didn't manage to commandeer a computer with kernel-level malicious code, that doesn't mean there is no need for people to be wary of such issues, Schulhoff said. On his Windows machine, he found 336 ".sys" driver files in the Windows System folder. Of those, 218 were created by Microsoft and 24 by other companies he would trust, he said--but 94 others were questionable.

"That is certainly a concern. Who is putting this code on your system? And can you count on them to write secure code?" Schulhoff said. Also, he said it is not uncommon for developers to write drivers that don't access hardware, but perform some other task on the machine. That could mean more untrusted sources of driver code on a computer.

On the plus side, Intel's researchers found that the denial-of-service attack they did make happen would have been blocked by common host-intrusion prevention products--provided these were tuned well, said Dennis Morgan, a senior information security specialist at the chipmaker.

"Kernel-level device driver malware...is something you need to consider," Morgan advised. "I would treat it like any other vulnerability."

McAfee's Ijzerman noted that his company's host intrusion protection products can protect against exploitation of driver flaws. Intel's researchers also mentioned Cisco Systems' security software as a shield against such attacks.

The threat level may change, the Intel experts said. However, that may take a while, since attackers likely will first exploit the low-hanging fruit--the vulnerabilities in other software that are easier to take advantage of than the device driver bugs, said Alan Ross, a lead security architect at Intel.

"When device driver malware may come into play is once there are effective mitigations for the user mode stuff," he said. "But I don't even want to give a time frame."