A workaround allowing cross-signing Windows drivers after April 2021?

Hello,

To make a long story short, I’ve managed to install a Windows driver which was compiled and cross-signed the old school way after the famous April 15 2021 deadline. I used a certificate that had expired at the time of signature, but a forged timestamp made it appear to be valid. I installed the driver on a Windows 7 / 32 bit machine as well as a Windows 10 / 64 bit, however it’s not clear whether this method can be used for production drivers. This is why I’d like you guys to try this out.

Forging the timestamp could be a workaround for releasing cross-signed drivers even after April 2021. It requires having a certificate that was valid at some time in the past. By using a timestamp server that allows choosing the desired time, the signature can be made to appear as if it was signed when the certificate chain was valid, but even more important: Making it appear to be a “legacy driver”, and hence accepted by all versions of Windows, despite being cross-signed.

To install the driver on a computer, it must trust the forged timestamp. This is achieved by temporarily installing a root certificate in that computer’s registry. Unlike the code signature itself, for which only the Microsoft Code Verification Root certificate is trusted, the timestamp validation relies on a root certificate in the registry. It can therefore be added by an installation script or wizard for that purpose.

I’ve set up a timestamp server which allows selecting the timestamp’s time through the URL. I’ve also written a post on my blog on how to sign a driver with this method. Also in this post, I explain why I don’t think adding this root certificate poses a problem from a security point of view (if done correctly for a production driver).

The said post: http://billauer.co.il/blog/2021/04/windows-drivers-fake-timestamp/

The question is whether this works reliably on the variety of Windows configurations out there. And if there aren’t any other possible issues to consider. Please try this out, and report whether you managed to turn back time.

I’d like to emphasize that this isn’t like self-signed drivers. The method I suggest requires a legit certificate chain for the code signing path. The workaround relies on the certificate check for the timestamp, which appears to be less strict.

Thanks & regards,
Eli
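From the defender’s side, the post above describes two things an administrator can audit: the root the timestamp countersignature chains to, and any fresh root certificate that has appeared in the machine store. The script below is an added example (not code from the thread or from Eli’s blog) that reports both; it assumes Windows PowerShell 5.1 or later, an elevated session, and an operator-supplied allowlist of approved timestamp-authority root thumbprints (the placeholder values must be replaced).

```powershell
# Added audit example: flag drivers whose timestamp chain ends at an unexpected root,
# and list roots recently added to the machine store. Assumes PowerShell 5.1+, run as
# Administrator. Allowlist entries are placeholders to be filled in by the operator.
$KnownTimestampRoots = @(
    'PLACEHOLDER-THUMBPRINT-OF-APPROVED-TSA-ROOT-1',
    'PLACEHOLDER-THUMBPRINT-OF-APPROVED-TSA-ROOT-2'
)

function Get-TimestampRootReport {
    param([string]$DriverDir = "$env:SystemRoot\System32\drivers")

    Get-ChildItem -Path $DriverDir -Filter *.sys -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Only files that carry a timestamp countersignature are of interest here.
        if (-not $sig.TimeStamperCertificate) { return }

        # Build the chain of the timestamp signer and take its topmost element,
        # which is the root the machine trusted when validating the timestamp.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($sig.TimeStamperCertificate)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Driver        = $_.Name
            Status        = $sig.Status
            Signer        = $sig.SignerCertificate.Subject
            SignerExpires = $sig.SignerCertificate.NotAfter
            TsaRoot       = $root.Subject
            TsaRootThumb  = $root.Thumbprint
            # True when the timestamp root is not one the operator has approved.
            Suspicious    = ($KnownTimestampRoots -notcontains $root.Thumbprint)
        }
    }
}

function Get-RecentlyAddedRoots {
    param([int]$Days = 30)
    # A forged timestamp chain has to terminate at a root present in this store;
    # a root whose validity period only began recently deserves a second look.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.NotBefore -gt (Get-Date).AddDays(-$Days) } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

Get-TimestampRootReport | Where-Object Suspicious | Format-Table -AutoSize
Get-RecentlyAddedRoots | Format-Table -AutoSize
```

Get-AuthenticodeSignature reports only the first signature on a file, so dual-signed drivers should additionally be inspected with signtool or the Windows Certificate UI.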

I’ve set up a timestamp server which allows selecting the timestamp’s time through the URL.

The ethics of your procedure are questionable. I doubt you’ll get anyone on this list to try it.

MSFT has clearly stated that attempts to bypass their new policy will
result in cert revocation.
So good luck.

Mark Roddy

Sooooo NOT a solution.

Peter

PS… weighing whether the link to the post should be deleted. I guess people can make up their own minds when it comes to ethics.

Hello all,

I’m frankly surprised by these reactions. It appears like I’ve made some people here angry. Maybe I should have clarified that the motivation is releasing drivers for Windows 7 and 8. I can’t see the ethical issue with allowing people to install the software that they want on their own computers.

@Mark_Roddy said:
MSFT has clearly stated that attempts to bypass their new policy will
result in cert revocation.

That’s an interesting point. The question is whether unsupported OSes continue to get updates on revoked certificates.

@“Peter_Viscarola_(OSR)” said:
Sooooo NOT a solution.

Peter

PS… weighing whether the link to the post should be deleted. I guess people can make up their own minds when it comes to ethics.
I’m not posting here to publish my blog, but to get feedback on this concept. It might definitely be a non-solution, and I guess this is the right place to come forward with specific technical reasons for why.

As my blog has good relations with Google, odds are that the said link will soon appear in search results for everyone who tries to figure out something about device driver signing in the “new era”. Once again, I’m not here for the exposure, but for the discussion.

I should also mention that the idea of installing a root certificate for the sake of installing a driver on an unsupported Windows version is far from new: This security survey shows how Savitech did exactly that for the sake of XP several years ago. So if forging the timestamp opens a possibility to install malware, there’s a good chance that the “bad guys” are already on that.

I hope I’ve clarified myself better.

Regards,
Eli

I think you misunderstand. No one here is angry at you. There’s just no doubt that what you have suggested is unethical. Whether we agree with them or not (and “NOT” is the general consensus), Microsoft has made the rules, and you’re violating those rules.

@Tim_Roberts said:
I think you misunderstand. No one here is angry at you. There’s just no doubt that what you have suggested is unethical. Whether we agree with them or not (and “NOT” is the general consensus), Microsoft has made the rules, and you’re violating those rules.

Thanks for that clarification. I have to admit that I didn’t make the connection between ethics and obeying Microsoft.

My original purpose of making this possible workaround public was to collectively gain a better understanding of its technical prospects. Given the rather apocalyptic rhetoric I’ve seen around here regarding Windows 7 and 8, I expected enthusiastic cooperation from the members of this forum.

Given that enthusiasm is the last word to describe what happened here, this thread is quite pointless. For all I care, it can be deleted.

Thanks & regards,
Eli

I’m not sure why you are going through all of this trouble. Nothing has changed for now, Windows doesn’t check for expired cross certificates so you can still use them without any issues.

@antsteel said:
I’m not sure why you are going through all of this trouble. Nothing has changed for now, Windows doesn’t check for expired cross certificates so you can still use them without any issues.

The reason I got into this was to prepare for the possible future need to release an update on a driver for Windows 7 and 8. This way or another, my own code signing certificate will expire at some point, and having it renewed based upon an expired certificate is of course impossible.

Right. I wouldn’t characterize our replies as “anger.” Perhaps, rather, “dismissive.”

I don’t know what part of the industry you work in, but MY issue — aside from the blatant disregard for following the rules — is that I’m not sure what problem you’re actually solving with this hack.

Would a big commercial enterprise agree to this type of a scheme to allow updated drivers to be installed? A medical equipment manufacturer? An IHV who makes, say, computer controlled laser cutting machines? An oil refinery?

I don’t think so. Not unless there was a truly critical need and it was temporary. It’s just blatant and obvious hacking.

Now… I agree that it’s not the worst sin… and it still does PRETTY much unambiguously identify the publisher of the driver (or, who it was at some point). But it’s just not any sort of viable work around, unless your target market is limited.

Peter

More than anything, I think this thread is a display of cultural differences. I’m primarily in the Hardware + Linux field, porting drivers to Windows occasionally. The purpose of posting here was to validate an idea in a way that is mainstream in one cultural context, but not so much in another, it turns out.

Having realized that my suggested solution isn’t going to benefit any honest people, the next conclusion was that the only ones I might help are the bad guys. With this notion, I removed the blog post along with everything else I’d set up on this matter.

As all this may draw attention to a loophole in the driver installation procedure, I think that the fate of this thread is the dustbin as well, for the exact same reason.

Thanks and regards,
Eli

For what it is worth, I have never confused ethics with the idea of obeying anyone - quite often these things are at odds. And so much so that in my jurisdiction, the engineering curriculum and competence exams specifically emphasize this point. These bodies don’t recognize that engineering can be done with computers at all, but that’s a whole other question.

Proper engineering discretion can recognize all sorts of things that might be generally frowned on as perfectly valid. A great example is the goto statement. Almost universally aprobated, there is nothing else like it when I need it and nothing else will do. But if I don’t need it, because a function or other structured construct can do the same job or a better one, then I shouldn’t

It seems to me that the negativity here is caused by looking from the different angle. For big enterprise (well, for any enterprise, actually) it is, indeed, a bad solution. Companies cannot afford to break MS rules. But not all of the world consists of just companies, there are also mere mortal users. Take me, for example (not as a company worker, but as an end-user). For my own personal purposes I patch VirtualBox sources and build them myself. But I cannot install and use the patched version, because the drivers have to be signed. And even if I would want to spend several hundreds $/year for a certificate, the CAs won’t sell it to me, because I’m not a company. And even if they did sell it to me, I still won’t be able to sign the drivers after July 1, because I would need an MS dashboard account and, again, I’m not a company. And even if I did have the Dashboard account, I still would not be able to send the drivers for signing, because they are GPL.

So, you see, the goal is clear, and totally legitimate; no ambiguous moral choices are needed. But there are obstacles on the way, which should not even be there, but they were artificially injected by Microsoft, and they prevent me from doing it. So what are my choices? Run the whole Windows in test mode and sacrifice the security of the whole machine for the purpose of running one unsigned driver? Or just not use VirtualBox at all (because the original unpatched version does not do what I need)? Or, maybe, use the workaround that the topic-starter suggested, and while being in the grey zone of legality, have a perfectly safe and working machine, doing for me what I want it to do? I don’t think many users in such a situation will have many doubts about what to choose.

Well, you’re veering quite a ways off the path at this point. Your issue in the above post is with the whole concept of driver signing… not about down-level signing or building your own timestamp server.

just not use VirtualBox at all

That would be MY choice. Over time, we’ve seen an unending list of bugs and problems with VirtualBox, and I’m always surprised to hear that ANYone uses it. I mean… why WOULD you where there’s VMware?

But I don’t think that was the point of your post.

In MY mind, for you the personal user, the choice really is between not patching VirtualBox at all and, alternatively, patching it, building your own version, and being content to run the self-signed version on a machine that you’ve put in Test Mode. You’re among the vanishingly small number of people in the world who want to write and run their own kernel-mode software, for their own private use. You’re certainly correct: Driver signing does not now, and never has, done anything to accommodate such people (beyond, as I said, enabling test mode).

But, as I said… we are a very long way from where this thread started.

Peter

@“Peter_Viscarola_(OSR)” said:
Well, you’re veering quite a ways off the path at this point. Your issue in the above post is with the whole concept of driver signing… not about down-level signing or building your own timestamp server.
The own timestamp server was deployed for signing drivers in a way that makes Windows accept them. It’s a tool, which can be used for good and for bad. Lots of people here seem to stick with the “bad” viewpoint, so I tried to reveal the “good” (or at least “neutral”) side of it.

Over time, we’ve seen an unending list of bugs and problems with VirtualBox, and I’m always surprised to hear that ANYone uses it. I mean… why WOULD you where there’s VMware?
Well, that is definitely off-topic, it was just one example; I could name any other GPL application with drivers.
In short, VBox better fits my needs than VMware. It’s free, for starters, compared to a quite expensive VMware. It’s open source, so if there’s anything I dislike, I can fix it myself, which I cannot do with proprietary VMware. Also, I’ve had issues with the VMware installer twice, when it completely ruined my OS network subsystem, and then refused to uninstall, reinstall or repair anything, and I had to clean up hundreds of registry items manually. VBox never gave me such grief, and even if it did, it’s much less intrusive in the system, so fixing it manually would be much easier. And, finally, I personally find the VBox interface more appealing. Well, to be fair, I did, before they reskinned it into a flat style; but then again, I can fix it myself.
I admit that VMware is more powerful in many respects. But in my scenarios I very rarely bump into VBox limitations I cannot overcome.

In MY mind, for you the personal user, the choice really is between not patching VirtualBox at all and, alternatively, patching it, building your own version, and being content to run the self-signed version on a machine that you’ve put in Test Mode. You’re among the vanishingly small number of people in the world who want to write and run their own kernel-mode software, for their own private use. You’re certainly correct: Driver signing does not now, and never has, done anything to accommodate such people (beyond, as I said, enabling test mode).
You forget about other people, who don’t write their own drivers, but would like to use software with drivers written by somebody else, whom they trust (if this was a personal project, the developer may not have the ability to sign these drivers). This group is much larger than the one you named (even if from Microsoft’s point of view they don’t deserve to be noticed). And all these users are affected by this Microsoft policy, and they all will benefit if they receive a way to run the software they want to run.

But, as I said… we are a very long way from where this thread started.
I don’t understand why you are saying that. The topic started exactly with driver signing, its restrictions and a way to overcome them. It’s even titled “A workaround allowing cross-signing Windows drivers”. I mean, how could discussion about driver signing and Windows accepting signatures be “a long way” from this topic? I’m really confused. :confused:

So, you see, the goal is clear, and totally legitimate; no ambiguous moral choices are needed

That’s simply not true. Your GOAL is one that the company that licensed the software to you does not condone. The fact that you don’t like that does not relieve you of the moral responsibility here.

Let’s say that your goal is to own an iPod, but you don’t have money for one, so you skip into the Apple Store and steal one. Just because that satisfied your goal does not mean the goal was legitimate, nor that no moral choices were involved. It’s exactly the same thing here. You want to run your driver on Windows. Microsoft does not want you to do that. You can certainly choose to ignore Microsoft’s restrictions, but it is very much an ethical choice.

“But how will I do what I want to do?” Get rid of Windows and use Linux, where you have the freedom to do what you want.

More than anything, I think this thread is a display of cultural differences

I think setting up a fake timestamp server to bypass (perhaps misguided) attempts by MS to “de-support” certain platforms would be a no no regardless of cultural differences.

It appears like I’ve made some people here angry
It’s a perpetual state of anger, don’t worry :slight_smile:

I’ve read nothing that appears to me to be ‘anger’, just people pointing out that what you are doing is misguided. If you really are going to publish your hack for the world to use, please include the fact that MSFT is likely to revoke any cert using this hack.

What’s the point of forging a timestamp, when Windows doesn’t even care about timestamps in loading or installing drivers?