Vista's DRM features could bedevil AV

A security researcher is raising concerns about a digital rights management feature in Microsoft's new Vista operating system that he claims may make it easy for malicious code authors to block virus programs from removing their wares.

In a presentation to antivirus researchers at the annual Virus Bulletin Conference in Montreal, Canada, Aleksander Czarnowski of the Polish firm AVET Information and Network Security, said that a new Vista feature, dubbed "protected processes," which provides digital rights management functionality in Vista, could be abused to protect rootkits and other malicious code.

A protected process is a new kind of construct that runs alongside other processes, or instances of programs running simultaneously in multitasking operating systems such as Windows. Standard processes are subject to manipulation by other "parent" processes, or processes that privileged or administrative users create, making them subject to tampering by those interested in digital content piracy. Restrictions put into Windows Vista require new protected processes to be signed, and restrict interaction between standard and protected processes and threads (tasks) created by protected processes. For example, standard processes can't inject a thread into a protected process or access the virtual memory used by a protected process, according to Microsoft.

Those limitations are great for controlling the distribution of and access to valuable media content, because they allow content owners to run media in a protected state within Vista that limits the ways the media can be used to those condoned by the content (or copyright) owner. However, protected processes could bedevil virus software vendors that want to analyse changes made by malicious software, Czarnowski warned.

"Protected processes are insulated from other applications, even with administrative privileges," he said.

For example, Czarnowski hypothesized that malicious software that was able to take control of protected processes could use them to modify memory addresses and make other changes that would be invisible to virus software and other detection tools running in the same environment.

Protected processes create an underlying architecture for PMP (Protected Media Path), a secure platform for displaying working with "premium" media content on Vista and Longhorn, and preventing piracy.

PMP, which includes modules such as PE (Protected Environment) and PUMA (Protected User Mode Audio) includes user-mode and kernel-mode protection to prevent what Microsoft calls "rogue software components" from stealing content.

"I don't think anyone in this DRM race thought about the consequences of putting this ability in the wrong hands," Czarnowski said. "Protected Processes are a weapon and, as with every weapon, everything depends on how you use it."

Microsoft wasn't immediately able to offer comment for this article, but the company seemed to be aware that protected processes could be subject to abuse.

A company document on "best practices" with protected processes warns developers not to "attempt to circumvent this restriction by installing a kernel-mode component to access the memory of a protected process," because Vista and third-party products rely on the fact that "protected processes are signed code that is run in a contained environment."

Czarnowski said he doesn't know of any efforts to manipulate protected processes. His comments came at the tail end of a technical presentation on rootkit techniques at the Virus Bulletin show.

Among other things, Czarnowski predicted that Vista's kernel protection technology, PatchGuard, would become a major target of the malicious coding community and that techniques for evading kernel protections might be publicly available within a year of Vista's release -- and perhaps sooner.

Senior technical consultant at Kaspersky Labs, Shane Coursen, said both the driver-signing protections and kernel protection have been proven to be vulnerable to manipulation.

The efficacy of hacks such as " Blue Pill ," an effort to circumvent Vista kernel protections that was developed and demonstrated by Singapore's Computer Security Initiative Consultancy (COSEINC)'s Joanna Rutkowska, are still being debated. It's only a matter of time before other malicious code authors build on the work of researchers like Rutowska, Coursen said.

"Based on past experience, it usually takes a little more than a year for these advanced technologies to come out and be used by the bad guys. Unfortunately, we have some things in the works already and that could move up the timeline," Coursen said.