[vbox-dev] Windows hardening in 4.3.15
José Massada
2014-07-29 13:53:06 UTC
Hi,

The new hardening code breaks VirtualBox when trying to load a custom built
PDM module (VERR_LDRIV_NOT_SIGNED). This is a custom virtual PCI device
that we've been using for quite some time now.

I've looked at the code and I see that some unsigned dlls are being ignored
if they are in certain system paths. I tried loading it from
\\SystemRoot\\System32\\ but with no luck.

Linux version works fine when installed to a root owned system path.

Am I to assume that I'll have to, somehow, sign the dll?
Too much hardening maybe?

Cheers,
Jose
Klaus Espenlaub
2014-07-29 18:43:06 UTC
José,
Post by José Massada
Hi,
The new hardening code breaks VirtualBox when trying to load a custom
built PDM module (VERR_LDRIV_NOT_SIGNED). This is a custom virtual PCI
device that we've been using for quite some time now.
Yes, that signing requirement is a change which had to be done in 4.3.14.
Post by José Massada
I've looked at the code and I see that some unsigned dlls are being
ignored if they are in certain system paths. I tried loading it from
\\SystemRoot\\System32\\ but with no luck.
There's no signing exemption for PDM modules, so there's no point in
moving them to such a directory.
Post by José Massada
Linux version works fine when installed to a root owned system path.
That's comparing apples and oranges, as the systems have a vastly
different basic security system design and need different approaches for
hardening.
Post by José Massada
Am I to assume that I'll have to, somehow, sign the dll?
Correct. You need a cert suitable for Windows kernel driver signing,
nothing else is accepted. There are very few CAs which offer this (as it
needs to be cross-signed by Microsoft).
Post by José Massada
Too much hardening maybe?
No, this is intentional and required for the hardening to work. It won't
go away in future builds.

Klaus
Post by José Massada
Cheers,
Jose
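Added example, not from the thread: a quick way to inspect the Authenticode signature on a PDM module DLL on the development machine before VirtualBox's hardened loader rejects it. It reports what the replies above say matters (is the file signed at all, does the chain build to a trusted root, is it a code-signing cert) but does not reproduce VirtualBox's own checks such as the kernel cross-signing requirement; `$ModulePath` is an assumed parameter.

```powershell
# Added example (not from the thread): first-pass diagnosis of why a custom
# PDM module might fail with VERR_LDRIV_NOT_SIGNED. Does NOT replicate
# VirtualBox's hardening checks; it only shows what the signature looks like.
param(
    [Parameter(Mandatory = $true)]
    [string]$ModulePath   # assumed: path to your custom PDM device DLL
)

$sig = Get-AuthenticodeSignature -FilePath $ModulePath
"File:   $ModulePath"
"Status: $($sig.Status) - $($sig.StatusMessage)"

if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
    # An unsigned module is the case reported in the thread.
    Write-Warning "Module carries no Authenticode signature."
    return
}

$cert = $sig.SignerCertificate
"Signer: $($cert.Subject)"
"Issuer: $($cert.Issuer)"
"Valid:  $($cert.NotBefore) .. $($cert.NotAfter)"

# Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) is the minimum any code-signing
# certificate must carry; a kernel-driver-signing cert needs more than this.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$hasEku = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningOid }
"Code Signing EKU present: $([bool]$hasEku)"

# Build the chain to see which root it terminates in. A test-signing cert
# typically chains to a locally created test root rather than a public CA,
# which is what distinguishes a test-signed build from a "properly signed" one.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly for diagnosis
$built = $chain.Build($cert)
"Chain builds to a trusted root: $built"
foreach ($el in $chain.ChainElements) {
    "  -> $($el.Certificate.Subject)"
}

if ($sig.TimeStamperCertificate) {
    "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
} else {
    "No timestamp countersignature (signature validity ends with the cert)."
}
```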
José Massada
2014-07-30 13:01:44 UTC
Hi Klaus,

Thanks for the quick reply.

I tried loading a test-signed PDM module for development (obviously with
test-signing enabled in the machine) but it fails with a "no trusted paths"
error. I'm guessing that even on development or test machines you require
the module to be cross-signed with the Microsoft cert?
I'm also guessing you don't debug custom PDM modules with release versions
of VirtualBox. Is there any way I can do this without having to sign debug
binaries?

Thanks,
Jose



On Tue, Jul 29, 2014 at 7:43 PM, Klaus Espenlaub <klaus.espenlaub at oracle.com
Klaus Espenlaub
2014-08-04 07:58:58 UTC
José,
Post by José Massada
Hi Klaus,
Thanks for the quick reply.
I tried loading a test-signed PDM module for development (obviously with
test-signing enabled in the machine) but it fails with a "no trusted
paths" error. I'm guessing that even on development or test machines you
require the module to be cross-signed with the Microsoft cert?
Should work, will ask the dev if any other steps are required.
Post by José Massada
I'm also guessing you don't debug custom PDM modules with release
versions of VirtualBox. Is there any way I can do this without having to
sign debug binaries?
We don't have any custom PDM modules in the strict sense, because that's
what "custom" implies. We are definitely testing with external PDM
modules (in particular the USB 2.0 support which is part of the
extension pack), but those are all "properly signed".

Klaus
Post by José Massada
Thanks,
Jose