There’s only so much you can do to stop running code from simulating UI actions


Commenter KiwiBlue asks whether Captcha-style tests were considered to prevent unsigned drivers from programmatically clicking the 'Install anyway' button.

I'm sure somebody considered it, but Captcha has its own problems.

"Type the (distorted) letters below"-type Captcha cannot be used by people with visual impairments, people who are dyslexic, or people who simply are not familiar with the Latin alphabet. (Believe it or not, the vast majority of people on the planet have a native language which does not use the Latin alphabet.) Using an audio captcha runs into the problem of different accents, letters whose readings vary (zee/zed anyone?), and computers without a sound card (like most servers).

And yes, there are other types of Captchas (dog/cat, for example), but the strongest argument against Captcha is probably that it's just adding more locks to the front door while leaving the service entrance wide open. Once you make it computationally infeasible to programmatically solve the Captcha, unscrupulous driver vendors would simply inject a DLL into the "Install this unsigned driver?" process and patch the call to DidUserAnswerCaptchaCorrectly so it always returns TRUE.

Or even easier, just programmatically set the Driver Signing Options to Install the software anyway.

If somebody is running code with administrative privileges, then they already own your machine: the check runs at the same privilege level, in the same address space, as the code that wants to get past it, so any roadblock you put up they can find a way to drive over. The goal is not so much putting up stronger and stronger roadblocks (because eventually people will simply drive around them) but rather making it clear to the developer that what they're doing is driving around a roadblock.
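The "patch the call so it always returns TRUE" move described above, as an added example; this is not code from the original post. It is written for Linux, so mprotect() stands in for VirtualProtect(), the overwrite is done from inside the same process rather than from an injected DLL (the bytes written are the same either way), and the function name, the captcha answer and the install decision are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for the dialog's check (hypothetical name).  Not static and not
 * inlinable, so exactly one real copy of its machine code exists for the
 * "injected" code to overwrite. */
__attribute__((noinline, noclone))
int did_user_answer_captcha_correctly(const char *typed, const char *expected)
{
    return strcmp(typed, expected) == 0;
}

/* The decision the dialog makes once the user has typed an answer.
 * Returns 1 if the driver install proceeds, 0 if it is refused. */
int install_unsigned_driver(const char *typed, const char *expected)
{
    if (!did_user_answer_captcha_correctly(typed, expected))
        return 0;
    return 1;
}

/* Make the page(s) holding a span of code writable, copy new bytes over it,
 * and make them read/execute again.  mprotect() is the Linux counterpart of
 * VirtualProtect() on Windows.  Returns 1 on success, 0 if the kernel refuses
 * writable+executable mappings (e.g. SELinux execmem). */
static int overwrite_code(void *at, const unsigned char *bytes, size_t len)
{
    uintptr_t start  = (uintptr_t)at;
    uintptr_t pagesz = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t page   = start & ~(pagesz - 1);
    size_t    span   = (size_t)(start + len - page);   /* may straddle two pages */

    if (mprotect((void *)page, span, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return 0;
    memcpy(at, bytes, len);
    __builtin___clear_cache((char *)at, (char *)at + len); /* needed on ARM */
    mprotect((void *)page, span, PROT_READ | PROT_EXEC);
    return 1;
}

/* Replace the first instructions of fn with "return 1", i.e. TRUE. */
int patch_to_return_true(void *fn)
{
#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char stub[] = {
        0xB8, 0x01, 0x00, 0x00, 0x00,   /* mov eax, 1 */
        0xC3                            /* ret        */
    };
    return overwrite_code(fn, stub, sizeof stub);
#elif defined(__aarch64__)
    static const unsigned char stub[] = {
        0x20, 0x00, 0x80, 0x52,         /* mov w0, #1 */
        0xC0, 0x03, 0x5F, 0xD6          /* ret        */
    };
    return overwrite_code(fn, stub, sizeof stub);
#else
    (void)fn;
    return 0;   /* architecture not covered by this example */
#endif
}

int main(void)
{
    const char *expected = "x7kq2";   /* constructed captcha answer */

    printf("before patch, wrong answer: install=%d\n",
           install_unsigned_driver("aaaaa", expected));

    if (!patch_to_return_true((void *)did_user_answer_captcha_correctly)) {
        puts("patch failed: code pages are not writable on this system");
        return 1;
    }

    printf("after patch,  wrong answer: install=%d\n",
           install_unsigned_driver("aaaaa", expected));
    return 0;
}
```

Nothing about the check itself was attacked: the wrong answer is still wrong, but the code that decides is in memory the same process can write, so the decision is whatever the writer wants. That is why hardening the dialog (a harder captcha, a secure desktop for the click) does not change the outcome; the adversary simply moves to the weaker link, which is the in-process call.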

Comments (33)
  1. Sunil Joshi says:

    I always thought this idea had real potential:

    http://xkcd.com/233/

  2. Some Guy Up North says:

    "KEEP OUT" signs are generally a magnet for attention, though. Maybe what Windows needs are hacker honey-pots – encoded (or encrypted) sections that do ABSOLUTELY NOTHING, so that people who insist on peeking behind the doors labelled "NO ADMITTANCE" will be too busy to notice the unmarked door to the cable closet right next to it.

  3. acrostico says:

    I'm still a bit unconvinced. The signature check is done in the kernel, right? Couldn't it switch to a secure desktop like the one CTRL-ALT-DEL uses?

    [I think you're talking about a different issue. -Raymond]
  4. Joshua says:

    Given the existence of the code to silently patch Vista kernel to remove driver signing check (reboot required) I'd say the point has already been made.

  5. Robert says:

    That roadblock theory is all nice and well, but it seems to bother the customer more than the supplier. The supplier can, if morally flexible enough, circumvent it anyway, while the user is stuck with having to resort to test mode (you know, the one with the easily removed watermark?) or more technical measures to use e.g. open source drivers.

  6. Charles Oppermann says:

    The accessibility issues regarding Captcha types are numerous.  Raymond does a good job of summarizing them, but for other readers please note that while “dyslexia” is one possible consideration, there are many more users who have reading disorders.  The “Dyslexic” label is a narrow brush to paint this demographic group with.  Many people who have no idea they have visual processing issues – people who can read just fine – find themselves hung up at some Captcha images.  It can take several minutes to correctly interpret the characters and type them in the correct order.

    Also note that while total blindness requires a different method, don’t forget about the many more people who have low vision, who are colorblind, etc.  All of these issues (which can account for a significant percentage users) can really frustrate users and make it much harder to complete the task in a reasonable amount of time.

  7. ender says:

    I'm still not happy that I have to pay $299 on top of the Windows price just to be able to run certain code on the machine I own (without having to remember to press F8 on every bootup). Why are the cross-signing certificates for kernel mode components limited to so few CAs (most – if not all – of which seem to be owned by Verisign now)?

  8. Maurits says:

    Captcha is also bloody annoying.  A good rule of thumb for security features is that they should not cause undue pain to law-abiding citizens.

  9. Joe Dietz says:

    Please keep in your mind that 'driver signing' covers two entirely distinct and NOT RELATED forms of signature:

    1) Windows Hardware Quality Labs testing signatures.  (WHQL – pronounced "whicle").  These attest that the driver vendor passed some minimal smoke tests of Microsoft's devising.  It does not mean the driver is bug free, but that it met some minimal standards to be called a driver.  This costs a vendor on the order of $750 or so to submit for signing to Microsoft for each driver release.  Verisign isn't involved.  This is what the pop-up dialog is looking for.

    2) Authenticode signing of a driver.  This is the bit that was added in Vista for x64 operating systems to prevent drivers from being loaded that were not signed by a commercial entity of some sort.  This requires a code signing certificate issued by one of the select list of CA vendors that met some Microsoft standards for auditing their clients' identities (the 'cross cert' establishes Microsoft's attestation of the CA).  A driver signed in this fashion doesn't have to ever have been QA'd and might blow up in DriverEntry() for all anyone knows.  No relation to WHQL at all.  Unsigned drivers of this category simply won't load, there may be dialogs, but this is the boot and press F8 to load situation – and ONLY should be used by developers.

    Most shipping drivers you find on Vista and later however have both types of signatures, the Authenticode signature is typically embedded into the driver binary – though it can be catalog signed, but that slows down the bootloader which does the signature checks in some situations (boot drivers specifically).  The WHQL signature is attached via a catalog file that gets installed on the system at driver installation time.

  10. Leo Davidson says:

    I dislike captchas but I would quite like it if Windows showed me some nice dog and cat pictures in the background while I'm waiting for drivers to install.

  11. Joshua says:

    Since Raymond isn't going to cover this again anyway:

    What's going on here is many developers who would normally follow the rules have decided that Microsoft has not followed the rules and so will go to any lengths necessary to get what they want.

    Microsoft raised the bar pretty darn high to keep unsigned drivers out; however the nature of this game is last move wins.

    Do not be so stupid as to weave your copy protection into the driver signing unless you want your copy protection broken too, for that will be the consequence. Without arguing who is right, without lifting a finger, I can see that this must be the end.

  12. Rick C says:

    "Another entry onto the "topics I will never cover again" list."

    Raymond, please don't do that.  Just remove comments like ender's and Robert's–or edit a note onto them saying those are not acceptable topics.

    It's your blog.  It's your right to control the discussion.

    [Continuously monitoring to delete comments is too much work. Easier just to remove the attractive nuisance. -raymond]
  13. Rick C says:

    "Also note that while total blindness requires a different method, don’t forget about the many more people who have low vision, who are colorblind, etc. "

    This is an excellent point.  A website I used to run, had some information displayed in bright red text (#ff0000) and for years, one user complained about how it was hard to read.  Nobody else could ever see any problem with it, so we never did anything about it–and then one day he was diagnosed with red-green color-blindness.

  14. GrayShade says:

    One thing I hate is the security warning shown for files downloaded from the Internet (like unsigned executables).

    Since I'm opening the file right now, there's no need to be asked about it a second time, yet the "Always ask before opening this file" checkbox is checked by default.

  15. David Ching says:

    "unscrupulous driver vendors would simply inject a DLL".

    And yet, MS has created the Protected Media Path, which does prevent DLL injection for DRM purposes.  They could have deployed it instead of creating the decoy page.  

    However, as someone who has made a career out of (tastefully) re-purposing off-the-shelf software by using DLL injection, API hooking, Windows hooks, Accessibility hooks, etc. I would say MS has done the right thing to tolerate these "hacks" because the hacks do add value to the end user.  Sometimes a lot of value.  And that raises the value of Windows.

    Still, it is not MS's responsibility to provide backwards compatibility for hacks.  MS already does not provide backwards compatibility for things like antivirus and disk defragmenter programs, disabling them when the new Windows is installed over the existing one.  It could do so with these display utility hacks as well.

    Shipping a decoy page instead of disabling the rogue display utilities is a mistake of policy.

  16. Alex Grigoriev says:

    @Leo:

    Don't give them the idea. It took how many years to kill the darn search puppy, and other cuteness (like "unused icon cleanup"); I don't want MS to start that crap again.

  17. acrostico says:

    Why isn't my comment valid? The issue is that vendors are able to simulate a click on "Install anyway" when installation of an unsigned driver is attempted. I have been under the impression that a "secure desktop" exists, safe from keyloggers and the like, that is used for security critical interactions like logins, pressing CTRL-ALT-DEL, etc. So I reiterate my question: can't the question be asked using the secure desktop, since installing a driver is basically one of the most critical things one can do to their system?

    [You're conflating two different features. One is on x86 which asks for approval for unsigned drivers at install time. As I noted in the article, you can secure the click all you want. They'll just move to a weaker link (patching the return value from the function). The other is the controversial feature on x64 machines to refuse to load signed drivers at all. This article is about the first issue, not the second. -Raymond]
  18. Maurits says:

    to refuse to load signed drivers at all

    That's perhaps a bit extreme…

  19. Scott says:

    > Continuously monitoring to delete comments is too much work. Easier just to remove the attractive nuisance. -raymond

    I understand it's your playground, but can you not post articles in these collections with comments disabled (and perhaps some note as to why you've done this)?

    Some of us really appreciate these topics.  It'll be sad to see them go.

    [My autoposter doesn't currently support the "post with comments disabled" feature, and I don't like the idea of posting without comments enabled. It's easier just to not post at all. It's not like I have a shortage of topics. -Raymond]
  20. Robert says:

    Not only are most (all?) of them owned by VeriSign, *all* of them were in the USA. Seriously, over 95% of the world's population live *outside* the USA. Didn't Microsoft get the memo?

    [I should've expected this. Any time the phrase "driver signing" appears in an article, people start complaining about it (even though whether driver signing is a good idea was not the topic). Another entry onto the "topics I will never cover again" list. -Raymond]
  21. Worf says:

    @GrayShade: If you want to disable those warnings, remove the alternate stream. It's how Explorer determines whether or not to pop up that dialog.

    Bah. stupid idiotic commenters and their stupid driver signing complaints. No wonder we can't have nice topic discussions around here.

  22. Dave says:

    Any time the phrase "driver signing" appears in an article, people start complaining about it (even though whether driver signing is a good idea was not the topic). Another entry onto the "topics I will never cover again" list.

    Why fight it?  Just enjoy the whoopee-cushion effect: driver signing, DRM, Zune, antitrust, Hitler, ka-pow!

  24. Neil says:

    It's not like I have a shortage of topics.

    5 years' worth of commenter misconceptions, for a start… At least I now know how .SYS files can exceed 64K.

  25. Signer says:

    I'm still not happy that I have to pay $299 on top of the Windows price just to be able to run certain code on the machine I own

    That's an annual cost btw.

  26. David Walker says:

    @Signer:  You own the machine, and you can feel free to write your own operating system.  If you don't like Windows, don't use it.

  27. Signer says:

    My employer owns the machine. I'm forced to use windows.

    [Now I'm confused. "I should be able to do anything I want on a machine I own, even when I don't own it." You know what? Don't bother explaining. -Raymond]
  28. Signer says:

    A verisign cert isn't trustworthy, only expensive. It doesn't prevent malware, it's only a mandatory tax on windows driver developers.

  29. Marvin says:

    Not wishing to appear stupid – but what is this $299 annual cost mentioned twice in these comments? The first one made me think the person was writing code on his own machine and then running it there (and only there) but (for some reason I don't understand) was going off to buy some certificate or other in order to be able to run it?! I've never had to do that? Please someone explain…

  30. Anon says:

    I happen to agree with the commenters that the x64 code-signing requirement was a bad idea.  However:

    1) this article is not about that kind of signing, it's about the WHQL signing, the kind you can just click through.

    2) Raymond is not responsible for the decision to add the disputed requirement, does not have the power to reverse that decision, and does not even work on that part of the code.

    3) if you actually read the post, you would see the basic tenets of an anti-DRM argument: if you can run code on the machine as an Administrator (as the owner of the machine can), any "roadblocks" (DRM, code-signing requirements) can be driven over.  Anybody who is intent on breaking the rules will find a way to do so.  Only the conclusion is missing: since the roadblocks will not deter the rule breakers, all they really accomplish is to impede the legitimate users.  Since these restrictions only serve to "punish" the legitimate users while not stopping any of the "bad" things, they are counterproductive.

  31. "safe from keyloggers and the like"

    Nope … anything which reads the keystrokes on their way in to the system (rogue keyboard driver, hardware keylogger plugged in to the keyboard cable or hidden inside the keyboard itself, clever Tempest-style monitoring of the keyboard wiring) won't even notice the change of desktop, let alone be blocked by it. I seem to recall reading of the FBI cracking some criminal enterprise using physical keyloggers to capture passwords as they were typed.

    Mark Russinovich had a post a while ago about the problem with 'Power User' accounts … among other things, they can modify the on-disk copy of the kernel, then reboot before file protection reverses the change. Once you have the ability to install your own kernel (or a duplicate of the current one, with all privilege checks NOPed out). Essentially, Power Users are just an inconvenience away from being Administrators anyway; whether patching out a function in the kernel is a bigger inconvenience than a CAPTCHA is probably a matter of debate. (Hence Power User being retired as a concept from Windows Vista onwards.)

    I doubt I will ever forget the time a CAPTCHA presented me with some word in Hebrew, though. "OK, I can see the letters … but I don't have any of them on my keyboard …" I suppose I could have fired up charmap.exe, but I just chickened out and hit reload to get something in my own alphabet.

  32. Rick C says:

    "I doubt I will ever forget the time a CAPTCHA presented me with some word in Hebrew, though"

    The recaptcha guys have started putting in Greek letters.  If you know the English equivalent, you can use that, so that r can be used for a rho.

    Either that or they aren't validating non-English letters.  I haven't fully tested that yet.

  33. David Ching says:

    @Anon: Nothing says that an Administrator has to have absolute power over all Windows subsystems, and indeed they don't with DRM as implemented in the Protected Media Path.  An Administrator cannot run a process that injects a DLL into the protected media processes!  If MS is concerned enough about the Unsigned Driver scenario, they could likewise make that bulletproof even from elevated apps.  But having worked at companies that need to ship unsigned drivers for legitimate reasons, I can completely understand why they devise the hacks they do in order to give their users a seamless install experience.  After all, it's their tech support that will be footing the bill (and not MS's) for anything but a seamless install experience.

Comments are closed.