Language Selection

English French German Italian Portuguese Spanish

Device drivers filled with flaws

Filed under
Security

Operating system vendors and hardware makers should commit more resources toward systematically auditing Windows and Linux device-driver code for flaws, security researchers say.

While buffer overflows, a type of memory flaw that can lead to serious vulnerabilities, are quickly being eradicated in critical applications, the flaws are still easily found in device drivers, said David Maynor, a research engineer for Internet Security Systems' X-Force vulnerability analysis group.

"If you look through the device driver code, there are a lot of problems," he said in a recent interview. "The state of the code's security is not strong." During a few hours on a recent plane flight, for example, Maynor found more than a dozen glitches in several Windows XP drivers.

Windows is not the only operating system at risk. A survey of the Linux 2.6.9 kernel code performed by automated-code-checking software maker Coverity found that, while the overall quality of the code had increased significantly, more than 50 percent of flaws appeared in device drivers. Many of those flaws may not affect system security, but the ratio is generally indicative of the quality of the code, said Seth Hallem, CEO of Coverity.

"The people writing the device drivers are not generally the core programmers," he said. "It is not the operating-system implementers themselves -- the Linux programmers or Windows developers -- it is generally the vendors."

The warnings come as operating-system developers have placed security higher on their to-do lists. While the Windows and Linux operating systems have both undergone significant audits in the past several years, many device drivers -- especially those created by third-party hardware providers -- have seemingly escaped rigorous testing.

Device driver flaws can be more dangerous than other application vulnerabilities because device drivers are, in most cases, part of the kernel itself and subverting the critical software gives an attacker direct access to the kernel. Moreover, drivers that have direct memory access (DMA) -- such as USB drivers, CardBus drivers, graphics drivers and sound drivers -- could be used to overwrite system memory and exploit the system.

"Since drivers run in kernel-privilege state, if you can take them over you are in a privileged position," said Bill Weinberg, Linux evangelist for the Open Source Development Labs. "But it is not an trivial thing, you are more likely to crash the system."

"You no longer have a single computer," he said. "It is a collection of subsystems and device drivers are becoming that much more important."

Full Article.

More in Tux Machines

Today in Techrights

Software Freedom Conservancy Funding

  • Software Freedom Conservancy matching
    Non-profits that provide project support have proven themselves to be necessary for the success and advancement of individual projects and Free Software as a whole. The Free Software Foundation (founded in 1985) serves as a home to GNU projects and a canonical list of Free Software licenses. The Open Source Initiative came about in 1998, maintaining the Open Source Definition, based on the Debian Free Software Guidelines, with affiliate members including Debian, Mozilla, and the Wikimedia Foundation. Software in the Public Interest (SPI) was created in the late 90s largely to act as a fiscal sponsor for projects like Debian, enabling it to do things like accept donations and handle other financial transactions.
  • Clojars is Conservancy’s Newest Member Project
    Software Freedom Conservancy is pleased to announce the addition of Clojars as its newest member project. Clojars is a community-maintained repository for free and open source libraries written in the Clojure programming language. Clojars emphasizes ease of use, publishing library packages that are simple to use with build automation tools.

Leftovers: Software

  • systemd 233 about to be released, please help testing
    systemd 233 is scheduled to be released next week, and there is only a handful of small issues left. As usual there are tons of improvements and fixes, but the most intrusive one probably is another attempt to move from legacy cgroup v1 to a “hybrid” setup where the new unified (cgroup v2) hierarchy is mounted at /sys/fs/cgroup/unified/ and the legacy one stays at /sys/fs/cgroup/ as usual. This should provide an easier path for software like Docker or LXC to migrate to the unified hiearchy, but even that hybrid mode broke some bits.
  • Keep : A personal shell command keeper
    Introducing a new command line tool which solves the issue of memorizing commands or storing them somewhere which is difficult to find. With the grep and run commands, one can easily find their long forgotten commands and use them them right away.
  • qutebrowser v0.10.0 released
    I'm happy to annouce the release of qutebrowser v0.10.0! qutebrowser is a keyboard driven browser with a vim-like, minimalistic interface. It's written using PyQt and cross-platform. I haven't announced the v0.9.0 release in this blog (or any patch releases), but for v0.10.0 it definitely makes sense to do so, as it's mostly centered on QtWebEngine!
  • GNOME Pomodoro: A Pomodoro Timer With AppIndicator And GNOME Shell Support
    GNOME Pomodoro is, like the name suggests, a Pomodoro timer for GNOME. The application website mentions that it's currently only for GNOME Shell, however, an AppIndicator is also available.
  • 7 Awesome Open Source Build Automation Tools For Sysadmin/DevOps/Developers
    Build automation is a vital tool for devops, sysadmins, and developers. It is nothing but scripting or automating the process of compiling source code into binary. Sysadmins can use build tools to manage and update config files. Following is a list of awesome open source and popular tools associated with automating build processes on Linux or Unix-like system.

Android Leftovers