Language Selection

English French German Italian Portuguese Spanish

Device drivers filled with flaws

Filed under
Security

Operating system vendors and hardware makers should commit more resources toward systematically auditing Windows and Linux device-driver code for flaws, security researchers say.

While buffer overflows, a type of memory flaw that can lead to serious vulnerabilities, are quickly being eradicated in critical applications, the flaws are still easily found in device drivers, said David Maynor, a research engineer for Internet Security Systems' X-Force vulnerability analysis group.

"If you look through the device driver code, there are a lot of problems," he said in a recent interview. "The state of the code's security is not strong." During a few hours on a recent plane flight, for example, Maynor found more than a dozen glitches in several Windows XP drivers.

Windows is not the only operating system at risk. A survey of the Linux 2.6.9 kernel code performed by automated-code-checking software maker Coverity found that, while the overall quality of the code had increased significantly, more than 50 percent of flaws appeared in device drivers. Many of those flaws may not affect system security, but the ratio is generally indicative of the quality of the code, said Seth Hallem, CEO of Coverity.

"The people writing the device drivers are not generally the core programmers," he said. "It is not the operating-system implementers themselves -- the Linux programmers or Windows developers -- it is generally the vendors."

The warnings come as operating-system developers have placed security higher on their to-do lists. While the Windows and Linux operating systems have both undergone significant audits in the past several years, many device drivers -- especially those created by third-party hardware providers -- have seemingly escaped rigorous testing.

Device driver flaws can be more dangerous than other application vulnerabilities because device drivers are, in most cases, part of the kernel itself and subverting the critical software gives an attacker direct access to the kernel. Moreover, drivers that have direct memory access (DMA) -- such as USB drivers, CardBus drivers, graphics drivers and sound drivers -- could be used to overwrite system memory and exploit the system.

"Since drivers run in kernel-privilege state, if you can take them over you are in a privileged position," said Bill Weinberg, Linux evangelist for the Open Source Development Labs. "But it is not an trivial thing, you are more likely to crash the system."

"You no longer have a single computer," he said. "It is a collection of subsystems and device drivers are becoming that much more important."

Full Article.

More in Tux Machines

This Custom Android-x86 Build Puts Android 7.1.1 on Your PC, with Linux 4.11 RC7

GNU/Linux developer Arne Exton was happy to announce the release of a new build of his custom built Android-x86 project that lets uses runs the latest Android mobile operating system on their personal computers. Read more

Clear Linux Announces Intel Clear Containers 2.1.6 with Docker 17.04.0 Support

Clear Linux's Kent Helm was proud to announce the release and general availability of Intel Clear Containers 2.1.6, a maintenace update that promises to improve compatibility with recent Docker releases, but also adds various bug fixes. Read more

Nantes Métropole releases open source tool for LibreOffice transition

The French city of Nantes (Nantes Métropole) has released an open source tool used to schedule its migration to LibreOffice. The shift from commercial software to the free and open source LibreOffice productivity suite started in 2013 and is intended to save the administration EUR 260 000 per year. The transition was finalised in April 2016. Read more

Today in Techrights