Summary


Code Integrity

Windows Vista debuts a new technology for protecting Windows files and programs from tampering, called code integrity, or CI for short. What are the threats that make CI necessary? If a vital system file is modified or overwritten by a Trojan or a rogue administrator, the computer system is compromised from that moment on. While we have to be realistic and acknowledge that any person who has physical access to your computer can "own" it, there are components in Vista that help limit, and, in some cases, prevent such attacks.

One such technology is Vista's new BitLocker Drive Encryption tool, available in the Ultimate and Enterprise versions of Vista, which you read about in the previous chapter. The fact that your OS volume is encrypted with AES (a 128- or 256-bit key), with that key protected by either a TPM chip or a USB key stored a safe distance away, means that even if the bad guys do have your laptop, they don't have your data. Ensuring the validity of the thousands of executable files in the \Windows directory is an essential part of maintaining code integrity, and you read in Chapter 4 that Microsoft employed what might be called "Windows Integrity Control Lite" by adjusting the NTFS permissions of the \Windows folder and its subfolders. (Recall that Microsoft calls it Windows Resource Protection or WRP.) Of course, WRP turns out not to be that effective: an administrator can run the takeown command to take ownership of a Windows folder, grant himself full control with icacls, and from there delete files. Oddly enough, WRP does less than XP's Windows File Protection (WFP) did, because if you delete a file, like notepad.exe, it doesn't get restored automatically; you've got to run sfc /scannow to make WRP notice the removed file!

Code integrity works by validating each file as Windows loads it, computing the file's hash value and comparing it with the hash recorded in a digital signature. A file's hash value is a fixed-length number derived from the file's bytes, so any modification, overwrite, or corruption of the file produces a different hash and the comparison fails.

Code integrity also checks files that load in a protected process. The file hashes are stored either in an Authenticode signature embedded in the file (which carries the signer's X.509 certificate) or in a signed catalog file in the Vista system catalog store. Vista also checks the integrity of the kernel, the hardware abstraction layer (HAL), and the boot-start drivers during boot. If any file or image fails the integrity verification process, Vista won't load it.
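The two checks just described, hashing a file's bytes and inspecting its Authenticode signature, can be reproduced by hand. The following PowerShell script is an added example, not code from the book or from Microsoft; it assumes PowerShell 2.0 or later, and the baseline hash table at the bottom is a constructed placeholder that you would fill in with hashes captured from a known-good installation.

```powershell
# Added example: hash a file and inspect its Authenticode signature, the two
# operations Vista's code integrity performs when it loads an image.
# Assumes PowerShell 2.0+; the baseline hashes below are constructed placeholders.

function Get-Sha256Hex {
    param([Parameter(Mandatory=$true)][string]$Path)
    # The digest is computed over the file's raw bytes (not a "text string"),
    # so changing a single byte anywhere in the file changes the result.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-FileIntegrity {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [hashtable]$Baseline = @{}
    )
    $hash = Get-Sha256Hex -Path $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $name = [System.IO.Path]::GetFileName($Path).ToLower()

    # $null means "no baseline entry", which is different from a mismatch.
    $hashOk = $null
    if ($Baseline.ContainsKey($name)) { $hashOk = ($Baseline[$name] -eq $hash) }

    New-Object PSObject -Property @{
        File      = $Path
        Sha256    = $hash
        HashMatch = $hashOk
        # Valid        = signature chains to a trusted root and the hash matches
        # HashMismatch = the file was changed after it was signed (tampering)
        # NotSigned    = no embedded signature; may still be catalog-signed
        SigStatus = $sig.Status
        Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
    }
}

# Constructed baseline (placeholder value): replace with real hashes taken
# from a trusted install before using this for comparison.
$baseline = @{ 'notepad.exe' = '0000000000000000000000000000000000000000000000000000000000000000' }
Test-FileIntegrity -Path "$env:windir\notepad.exe" -Baseline $baseline | Format-List
```

A HashMismatch status is the interesting result: it means the signature is intact but the bytes on disk are not the bytes that were signed, which is exactly what code integrity blocks at load time. Note that older PowerShell versions examine only embedded signatures, so a catalog-signed Windows file such as notepad.exe can report NotSigned there even though it is fine; for those files use sigverif (see the tip below) or signtool verify /a, both of which consult the catalog store.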

Note 

Vista code integrity does not verify the integrity of third-party files and images. (The exception is kernel-mode code: on 64-bit Vista, third-party drivers must carry a valid signature or they will not load, as discussed under driver signing later in this chapter.)

Tip 

You can ask Vista to check the digital signatures on your system files at any time by running the sigverif command (File Signature Verification), which also handles files whose signatures live in the catalog store rather than in the file itself.

Code integrity also works as a suite of technologies, including technologies discussed later in this chapter, such as the new driver signing rules on 64-bit systems and PatchGuard.

What Can Go Wrong?

There are some potential problems that you could encounter due to code integrity failures, but they're uncommon. Some issues might include:

  • A boot-time driver or some code in the kernel fails the code integrity check and Windows won't start up.

  • A non-boot-time driver fails the code integrity check and the corresponding hardware device won't function properly after Windows starts up.

  • A service fails the code integrity check and Windows behaves in an irregular manner.

  • A Windows component fails the code integrity check and you cannot perform a specific task.

Clearly, some of these problems will require you to delve a bit to discover the underlying issue. Here are some code integrity troubleshooting tips.

Troubleshooting Services

To troubleshoot a service failure, check two places. First, check the Services Microsoft Management Console (MMC) snap-in by running services.msc. Ensure that the services that are set to start automatically are actually running, and note any that are not. Second, check the event logs by running Event Viewer (eventvwr.msc). Look at the System log under Windows Logs, and then look under Applications and Services Logs. Vista also includes a dedicated CodeIntegrity log, which you'll find in Event Viewer under Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational. If you find a problem with a service, there are a few things you can do. If the service is a Windows service, use Microsoft Update to update the service. If no update is available, search the Web for Knowledge Base or similar articles.

In some instances, the service itself will simply need to be replaced by a copy of the service that has not been tampered with or corrupted. Reinstalling the service and relevant components through a legitimate support channel (Microsoft Update, for example, for Windows services) will resolve this problem.

Troubleshooting Drivers

A boot-time driver failure or kernel code failure is the most clear-cut code integrity failure. If either fails the code integrity check, Windows won't start up at all. You will have to use the Windows Recovery Environment by booting from your Vista installation DVD. Then, at the Install Now screen, choose the Repair Your Computer option to access the System Recovery Options dialog, including the new and quite useful Startup Repair option.

Repairing a non-boot-time driver will not require Startup Repair. Instead, review the event logs in Event Viewer to determine which driver failed to load properly, starting with the CodeIntegrity log mentioned above (Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational). You can also check Device Manager to view devices that are not operating properly. To get to Device Manager in Vista, click the Start button, right-click Computer, and select Properties. In System, click the Device Manager link on the left. In Device Manager, look for any devices marked with a yellow exclamation mark (or a question mark, for a device Windows could not identify). These devices are malfunctioning, either due to a hardware problem or a missing or failing driver. To repair a failing driver, check with the hardware's manufacturer for an update or to get a pristine copy of the original driver that hasn't been tampered with or modified.
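The service and driver triage described in the two sections above (stopped auto-start services, devices Device Manager would flag, the CodeIntegrity event log, and a signature check of each implicated binary) can be done in one pass from an elevated PowerShell prompt. This script is an added example, not code from the book or from Microsoft; it assumes PowerShell 2.0 or later (which provides Get-WinEvent), and it uses only standard WMI classes and the standard CodeIntegrity log name.

```powershell
# Added example: one triage pass over services, devices and the CodeIntegrity
# log, then an Authenticode check of the binaries involved.
# Assumes PowerShell 2.0+ and an elevated prompt.

function Get-FailedAutoStartServices {
    # Auto-start services that are not running: the services.msc check.
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object Name, State, PathName
}

function Get-ProblemDevices {
    # ConfigManagerErrorCode 0 means the device is working; anything else is
    # what Device Manager marks with an exclamation or question mark.
    Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
        Select-Object Name, ConfigManagerErrorCode, Service
}

function Get-CodeIntegrityEvents {
    param([int]$Newest = 20)
    # The CodeIntegrity log under Applications and Services Logs.
    Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-ServiceImagePath {
    param([Parameter(Mandatory=$true)][string]$Name)
    # Resolve the executable actually carrying the service's code.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    $p = $svc.PathName
    if     ($p -match '^"([^"]+)"') { $exe = $matches[1] }   # quoted path
    elseif ($p -match '^(\S+)')     { $exe = $matches[1] }   # unquoted, no spaces
    else                            { $exe = $p }
    # svchost-hosted services: the real code is the ServiceDll named in
    # the service's Parameters key, not svchost.exe itself.
    if ($exe -match 'svchost\.exe$') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { return [System.Environment]::ExpandEnvironmentVariables($dll) }
    }
    return $exe
}

function Get-SignatureReport {
    param([Parameter(Mandatory=$true)][string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not $path -or -not (Test-Path $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        New-Object PSObject -Property @{
            Path   = $path
            Status = $sig.Status     # Valid / NotSigned / HashMismatch / ...
            Signer = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null })
        }
    }
}

# --- Triage run -------------------------------------------------------------
"== Auto-start services not running =="; Get-FailedAutoStartServices | Format-Table -AutoSize
"== Devices with a problem code =="    ; Get-ProblemDevices          | Format-Table -AutoSize
"== Recent CodeIntegrity events =="    ; Get-CodeIntegrityEvents     | Format-List

# Check the binaries behind failed services and behind the drivers that
# problem devices depend on (Win32_SystemDriver.PathName is the .sys file).
$servicePaths = Get-FailedAutoStartServices | ForEach-Object { Get-ServiceImagePath -Name $_.Name }
$driverNames  = Get-ProblemDevices | ForEach-Object { $_.Service } | Where-Object { $_ }
$driverPaths  = Get-WmiObject Win32_SystemDriver |
                    Where-Object { $driverNames -contains $_.Name } |
                    ForEach-Object { $_.PathName }
"== Signature status of implicated binaries =="
Get-SignatureReport -Paths (@($servicePaths) + @($driverPaths)) | Format-Table -AutoSize
```

A HashMismatch on any of these paths is the result that matches a code integrity block: the file was altered after it was signed, and the remedy is the one the text gives, replacing it from a legitimate channel rather than trying to make the modified copy load. As with the earlier example, older PowerShell versions do not consult the catalog store, so a catalog-signed Microsoft file can show NotSigned here; confirm those with sigverif before treating them as suspect.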

Troubleshooting Windows Components

The best way to troubleshoot a Windows component that is failing code integrity checks is to view the event logs in Event Viewer, again starting with the CodeIntegrity log (Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational). To resolve a Windows component issue, you will have to run Microsoft Update or use the System Recovery Options to repair the installation.




Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
Pages: 101