Driver Coding Exposes Microsoft Windows Malware Risks

Vulnerabilities were found in more than 40 Windows device drivers that could be exploited to compromise servers and PCs. The drivers came from 20 Microsoft-certified BIOS and hardware vendors, including Intel, Huawei, ASUS, ASRock and Gigabyte.

A large number of design flaws in Windows drivers from about 20 different hardware vendors leave Windows users exposed, and these flaws can be used in malware attacks. The findings, in a report headlined "Screwed Drivers", were presented by Eclypsium security researchers at DEF CON last weekend; the report urges better protection against such vulnerabilities.

Security Overview of Driver

A security flaw is simply a flaw that lets an attacker make a driver malfunction in a way that renders the device unusable or even crashes the system. Driver code vulnerabilities can also give an attacker access to the kernel, and with it a chance to compromise the OS entirely. Most driver developers focus on getting the driver to function properly rather than on what a malicious attacker will attempt in order to exploit weaknesses in their code.

Once a driver is released, attackers will probe it to find security flaws. To reduce the growing chance of such vulnerabilities, developers must keep these issues in mind during the design and implementation phases, with the aim of eliminating all known security flaws before the driver is released.

Creating more secure drivers requires the cooperation of the system architect, the developer implementing the code, and the test team. Proper coordination of these roles leads to dramatically improved driver security.

Security Checklist

To avoid the problems that arise from an attacked driver, the steps below will help your driver use kernel memory correctly and improve its reliability, which reduces support costs and increases customer satisfaction with your product. They are:

  • Confirm that a kernel driver is actually required
  • Use driver frameworks
  • Control access to driver software
  • Do not production-sign test driver code
  • Perform a threat analysis
  • Validate Device Guard compatibility
  • Follow driver secure coding principles
  • Follow technology-specific code best practices
  • Perform peer code review
  • Manage driver access control
  • Improve device installation security
  • Execute proper release driver signing
  • Use code analysis in Visual Studio to investigate driver security
  • Use Static Driver Verifier to check for vulnerabilities
  • Check code with the BinScope Binary Analyzer
  • Use code validation tools
  • Review debugger extensions and techniques
  • Review secure coding resources

Caution Measure

According to the researchers, if a vulnerable driver is not already present on a system, administrator privileges are needed to install one. But even drivers that legitimately give access to system components or the system BIOS, to support firmware updates, diagnostics on a running system, or configuration changes, allow attackers to use those capabilities to escalate privileges and persist invisibly on the host.

To counter this, Windows users should consider deploying Windows Defender Application Control. According to Microsoft, this tool blocks known vulnerable drivers and software. Users can also protect themselves by turning on memory integrity on devices that are at risk of attack.
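The two mitigations just named, and the presence of third-party drivers discussed in the previous paragraph, can be checked from an elevated PowerShell prompt. The script below is an added example written for this article, not tooling from Eclypsium or Microsoft; it assumes a Windows 10 or later host where the Win32_DeviceGuard WMI class exists, and it only reads state.

```powershell
# Added example: read-only audit of memory integrity (HVCI) and WDAC status,
# plus an inventory of running kernel drivers not signed by Microsoft.
# Assumes Windows 10+ with the root\Microsoft\Windows\DeviceGuard namespace.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$hvciRunning = $dg.SecurityServicesRunning -contains 2
# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced
$wdacState = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
    0 { 'off' } 1 { 'audit only' } 2 { 'enforced' } default { 'unknown' }
}

Write-Host "Memory integrity (HVCI) running : $hvciRunning"
Write-Host "WDAC kernel-mode policy         : $wdacState"
if (-not $hvciRunning) {
    Write-Warning 'Memory integrity is off: a loaded vulnerable driver could be used to tamper with kernel memory.'
}

# Inventory running kernel drivers whose Authenticode signer is not Microsoft.
# The SHA256 is kept so the list can be compared against a vulnerable-driver
# block list the administrator already maintains (none is reproduced here).
$systemRoot = $env:SystemRoot
$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the kernel-style paths WMI reports (\??\C:\... or system32\...)
        $path = $_.PathName -replace '^\\\?\?\\', ''
        if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $systemRoot $path }
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    } |
    Where-Object { $_.Signer -notmatch 'Microsoft (Windows|Corporation)' }

$report | Sort-Object Driver | Format-Table Driver, Status, Signer, Sha256 -AutoSize
```

Drivers listed with a Status other than Valid, or whose signer you do not recognise, are the ones worth checking against the block list before an attacker with admin rights does it for you.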

Lesser Risk Factor

Security firms size up sales opportunities on the basis of vulnerabilities. There is also a chance that a user is tricked into installing malware that takes advantage of the driver vulnerability.

But the attacker would need to know the vulnerability exists for this to work. Because the attack angle is convoluted and a successful attack requires knowledge of the target PC, the real risk lies between low and moderate.

Global Impact

The driver design flaw applies to all modern versions of Microsoft Windows. At present, there is no universal way to keep a Windows device from loading these known bad drivers.

Beyond flaws in the drivers themselves, Windows malware can also install drivers to obtain direct access to the hardware. So it is essential for both Microsoft and third-party vendors to become more vigilant about the spread of these types of vulnerabilities.

Ending Note

Driver security is a complicated undertaking with many elements. Drivers reside in the Windows kernel, and a problem in the kernel exposes the entire OS. For this reason, close attention to driver security is necessary, and drivers should be designed with security in mind. In addition, creating a threat model is a boon for identifying likely attackers and considering whether anything can be further restricted.

Also, find code reviewers with deep knowledge to look for problems you might have missed. You can also use driver verifiers to test your driver with a variety of inputs, including corner cases.