
Device drivers filled with flaws


Operating system vendors and hardware makers should commit more resources toward systematically auditing Windows and Linux device-driver code for flaws, security researchers say.

While buffer overflows, a type of memory flaw that can lead to serious vulnerabilities, are quickly being eradicated in critical applications, the flaws are still easily found in device drivers, said David Maynor, a research engineer for Internet Security Systems' X-Force vulnerability analysis group.

"If you look through the device driver code, there are a lot of problems," he said in a recent interview. "The state of the code's security is not strong." During a few hours on a recent plane flight, for example, Maynor found more than a dozen glitches in several Windows XP drivers.

Windows is not the only operating system at risk. A survey of the Linux 2.6.9 kernel code performed by automated-code-checking software maker Coverity found that, while the overall quality of the code had increased significantly, more than 50 percent of flaws appeared in device drivers. Many of those flaws may not affect system security, but the ratio is generally indicative of the quality of the code, said Seth Hallem, CEO of Coverity.

"The people writing the device drivers are not generally the core programmers," he said. "It is not the operating-system implementers themselves -- the Linux programmers or Windows developers -- it is generally the vendors."

The warnings come as operating-system developers have placed security higher on their to-do lists. While the Windows and Linux operating systems have both undergone significant audits in the past several years, many device drivers -- especially those created by third-party hardware providers -- have seemingly escaped rigorous testing.

Device driver flaws can be more dangerous than other application vulnerabilities because device drivers are, in most cases, part of the kernel itself, and subverting the critical software gives an attacker direct access to the kernel. Moreover, drivers that have direct memory access (DMA) -- such as USB drivers, CardBus drivers, graphics drivers and sound drivers -- could be used to overwrite system memory and exploit the system.

"Since drivers run in kernel-privilege state, if you can take them over you are in a privileged position," said Bill Weinberg, Linux evangelist for the Open Source Development Labs. "But it is not a trivial thing, you are more likely to crash the system."

"You no longer have a single computer," he said. "It is a collection of subsystems and device drivers are becoming that much more important."

