Device drivers filled with flaws

Operating system vendors and hardware makers should commit more resources toward systematically auditing Windows and Linux device-driver code for flaws, security researchers say.

While buffer overflows, a type of memory flaw that can lead to serious vulnerabilities, are quickly being eradicated in critical applications, the flaws are still easily found in device drivers, said David Maynor, a research engineer for Internet Security Systems' X-Force vulnerability analysis group.

"If you look through the device driver code, there are a lot of problems," he said in a recent interview. "The state of the code's security is not strong." During a few hours on a recent plane flight, for example, Maynor found more than a dozen glitches in several Windows XP drivers.

Windows is not the only operating system at risk. A survey of the Linux 2.6.9 kernel code performed by automated-code-checking software maker Coverity found that, while the overall quality of the code had increased significantly, more than 50 percent of flaws appeared in device drivers. Many of those flaws may not affect system security, but the ratio is generally indicative of the quality of the code, said Seth Hallem, CEO of Coverity.

"The people writing the device drivers are not generally the core programmers," he said. "It is not the operating-system implementers themselves -- the Linux programmers or Windows developers -- it is generally the vendors."

The warnings come as operating-system developers have placed security higher on their to-do lists. While the Windows and Linux operating systems have both undergone significant audits in the past several years, many device drivers -- especially those created by third-party hardware providers -- have seemingly escaped rigorous testing.

Device driver flaws can be more dangerous than other application vulnerabilities because device drivers are, in most cases, part of the kernel itself, and subverting that critical software gives an attacker direct access to the kernel. Moreover, drivers that have direct memory access (DMA) -- such as USB drivers, CardBus drivers, graphics drivers and sound drivers -- could be used to overwrite system memory and exploit the system.

"Since drivers run in kernel-privilege state, if you can take them over you are in a privileged position," said Bill Weinberg, Linux evangelist for the Open Source Development Labs. "But it is not a trivial thing; you are more likely to crash the system."

"You no longer have a single computer," he said. "It is a collection of subsystems and device drivers are becoming that much more important."
