Sophisticated attackers may reach down into device drivers and manipulate them in ways that undermine security. In this video, Mike Chapple explains driver refactoring and driver shimming.
- [Instructor] Sophisticated attackers may reach down into device drivers and manipulate them in ways that undermine security. Let's talk about driver refactoring and driver shimming. Device drivers play an important role in computing. They serve as the software interface between hardware devices and the operating system. Device drivers are the reason that you can use almost any printer from a wide variety of manufacturers with Windows or any other operating system.
Microsoft for example, doesn't need to design Windows to work with every individual printer on the market. Instead, they provide printer manufacturers with the ability to write Windows drivers for their printers. When a manufacturer builds a new printer, they also design a device driver that provides Windows with instructions on how to interact with the printer. Device drivers require low level access to the operating system and therefore run with administrative privileges.
If an attacker can convince a user to install a malicious driver on their computer, that malware can gain complete control of the system. One way that attackers might do this is by refactoring an existing driver. If the attacker has access to the driver's source code, they can modify that source code to also include malware elements. This is very difficult to pull off in practice however, because it's not easy to get access to the source code for legitimate device drivers.
Attackers without access to the driver's source code can use a technique called shimming. This takes a legitimate driver and wraps a malicious driver around the outside of it. The malicious driver, known as the shim, receives requests from the operating system and simply passes them on to the legitimate driver so that the device functions normally. However, the driver can also carry out its malware payload in the background. Fortunately, modern operating systems all contain protections against malicious drivers.
The most important of these protections is code signing. Device manufacturers write drivers and then apply digital signatures to them so that the operating system can verify the driver's authenticity. If the driver is not digitally signed, or the digital signature is incorrect, the operating system may warn the user of the suspicious driver or prevent the driver's installation all together. The privileged nature of drivers gives them deep access to the operating system.
Security professionals must ensure that the drivers used in their organization are legitimate and were not modified to carry out malicious activities.
- Comparing viruses, worms, and Trojans
- Backdoors and logic bombs
- Understanding the attacker
- Attack types: from denial of service to brute force attacks
- Preventing insider threats
- Wireless attacks
- Understanding cross-site scripting
- Preventing SQL injection
- Social engineering
- Scanning for vulnerabilities
- Penetration testing
- Assessing the impact of vulnerabilities