Hi all,
Can anyone tell me if and how I could check from a driver whether a process which tries to connect to a communication port of the driver is digitally signed or not, if the signature is valid, who signed that process and so on. This could be a quite effective way to prevent unauthorized processes from connecting to the driver.
Any comments on this subject are welcome.
Thank you very much,
Sandor LUKACS
Virus Analyst, SOFTWIN
xxxxx@bitdefender.com wrote:
> Can anyone tell me if and how I could check from a driver whether a process which tries to connect to a communication port of the driver is digitally signed or not, if the signature is valid, who signed that process and so on. This could be a quite effective way to prevent unauthorized processes from connecting to the driver.
A process cannot be signed. An executable can be signed, but that
doesn’t necessarily mean anything.
How are you going to define “unauthorized”?
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Tim Roberts wrote:
> xxxxx@bitdefender.com wrote:
>> Can anyone tell me if and how I could check from a driver whether a process which tries to connect to a communication port of the driver is digitally signed or not, if the signature is valid, who signed that process and so on. This could be a quite effective way to prevent unauthorized processes from connecting to the driver.
>
> A process cannot be signed. An executable can be signed, but that
> doesn’t necessarily mean anything.
> How are you going to define “unauthorized”?
Even if there are no fully documented ways, one can determine the
executable that corresponds to the process. So one question is whether
and how we could check the signature of an executable from the driver.
Another separate but related problem is that a process, once loaded
from an executable, can be altered in memory. However, this whole
signature checking is to be used with many other security and safety
checks. Consider that a process or executable is “authorized” if
it is signed by somebody I shall trust, and I shall not sign anything that is
not meant to communicate with my driver. The signature shall confirm
that at least the executable on disk was not altered by anyone.
Have a nice day,
Sandor LUKACS
Virus Analyst, SOFTWIN