Purple Pill: What Happened

Two weeks ago, I posted and published about a tool I wrote called Purple Pill, which used a bug in the ATI Vista x64 Video Driver to allow unsigned drivers to load. Within an hour, I pulled the tool and the post, of my own accord, because I discovered ATI had not been made aware of this particular flaw, and I wanted to follow responsible disclosure and allow ATI to fix their driver.

This flaw was especially severe, as it could be used for other purposes — including allowing a guest user access to a SYSTEM token, if the user was using a computer with an ATI Video Card. Therefore, it could have significant security implications beyond my original goal of bypassing Driver Signing on 64-bit Vista. On systems without the driver, administrative privileges would be required for any kind of attack. I originally thought this flaw had been reported to ATI since it was disclosed publicly at Black Hat — something that’s usually only done once the presenter has notified the company. In this case, it seems this was not done, and I made an incorrect assumption. I should’ve checked the status of the flaw on my own before posting the tool, and I apologize for not having done so.

As for the act of bypassing driver signing, while I still disagree with Microsoft’s policy of not allowing users to set a permanent policy to explicitly allow this (at their own risk, perhaps even voiding support/warranty options), I have come to realize that attacking this policy isn’t the way to go. Microsoft has decided that Code Integrity is a new part of their security model and it’s not about to go away. Using kernel bugs to subvert it means that these measures would eventually be fixed, while exploiting 3rd party drivers potentially allows malware to figure out how to do this as well, and use the 3rd party driver maliciously. It is also a method that can be protected against, since Vista does have the ability to do per-driver blocking, and once the 3rd party vendor has upgraded all the customers, the older driver can be killed (or even shimmed against, since various kernel infrastructure in Vista allows for this kind of real-time patching).

I am currently exploring other avenues for allowing open source drivers to function on 64-bit Vista without requiring developers to pay for a certificate and deal with the code signing authorities, while still respecting Vista’s KMCS policy, and continuing to protect against malicious drivers using such a method for their own gain. It is my hope to find a solution which will both please Microsoft and the KMCS policy, as well as make life easy for open source developers (and other non-commercial hobbyists) who for whatever reason don’t want to, or cannot, pay for a certificate.

3 Responses to “Purple Pill: What Happened”

  1. ericuday says:

    Hi Alex, this is Eric Kumar from Authentium Inc. (www.authentium.com). I am an Anti-Virus Researcher here. I had come across your blog post about “Purple Pill” a few months ago, but hadn’t had a chance to contact you about it. I wanted to ask if you could please provide me access to the tool? I would like to look at it for research purposes. I am starting to learn about kernel debugging and kernel mode drivers pertaining to rootkits on Windows. It would be great if I could also look at the source code for learning purposes.

    Regards,
    Eric Kumar
    Contact Info: ekumar at authentium dot com
    Blog: http://fightmalware.blogspot.com

  2. fourpastmidnight says:

    I, too, hope that some compromise can be made with driver signing and 64-bit Windows. I’m still using 32-bit and it is a goal of mine to write a driver for reiserfs3 for Windows (existing drivers, of which I’m only aware of 1, do not work as seamlessly as they should). However, if I upgrade to 64-bit Vista, I will not be able to use this driver. As a hobbyist, I can’t afford (nor do I want) to pay $10,000 to have my driver tested and signed. I just want to use it. I hope MS wakes up and smells the roses. MS used to pride itself on letting people use their PCs easily and with ingenuity. Now, they have taken that away.

    Another example is at my company, we use an unsigned driver provided by a vendor that talks to a specialized piece of hardware used in the temperature process control industry. What happens when x64 is mainstream? It will cost our vendor thousands to get the driver signed and our prices will go up and we will no longer be able to provide this flagship product. Requiring driver signing is bad news for small business.
