Deprecate unsafe functions
Create a process to look for and remove code vulnerabilities from your driver code. Because driver code is highly specialized, and threats continue to evolve, a single checklist cannot apply uniformly to all drivers. The following are general points to consider when creating drivers.
Operating system and compiler features
Be aware of changes in the operating system and compilers. New releases often contain new features that can help you to prevent or mitigate security threats.
For example, going back to the release of the Windows XP, Microsoft added safe string functions, which replaced the standard C/C++ string manipulation functions (strcat, strcpy and so on). The standard C/C++ functions do not enforce buffer sizes, thus allowing applications to write beyond the end of a buffer. The safe string functions prevent this error.
Important All drivers should use the safe string functions. For more information, see Using Safe String Functions and the header file Ntstrsafe.h.
Driver testing
Use driver development and testing tools available in the Windows Development Kit (WDK). The WDK includes tools such as Static and dynamic Driver Verifier and driver specific code analysis. These tools can find some types of bugs in driver code and can also find unsafe and insecure coding practices that lead to security issues.
For more information about these tools, see Tools for Verifying Drivers.
Driver specific code analysis
Driver specific code analysis uses a set of rules that are installed with the WDK to examine code in Visual Studio. For more information see Code Analysis for drivers overview.
HLK tests
The Windows Hardware Lab Kit (Windows HLK) is a test framework used to test hardware devices. For more information, see Windows Hardware Lab Kit in Test for performance and compatibility.
Kernel-mode drivers
Kernel-mode drivers run in the trusted system address space and are, in effect, extensions of the operating system. Kernel-mode drivers must validate all data and addresses that originate with user-mode processes.
Numerous security and reliability issues apply to kernel-mode drivers. The following are a few examples of the areas in which kernel-mode drivers can be vulnerable to security threats:
- Handling unexpected IOCTLs
- Validating buffer lengths
- Handling IOCTLs that permit FILE_ANY_ACCESS
- Securing device objects
- Securing Registry keys
- Handling user-mode buffers
- Using handles that are passed from user mode to kernel mode
For information about specific points at which kernel-mode drivers might be vulnerable, see the resources listed at the end of this topic and the white paper titled Common Driver Reliability Issues available for download at https://www.microsoft.com/whdc/driver/security/drvqa.mspx. All writers of kernel-mode drivers should become familiar with this material.
Resources
- 24 Deadly Sins of Software Security : Programming Flaws and How to Fix Them, by Michael Howard, David LeBlanc and John Viega
- Writing Secure SoftwareThe art of software security assessment : identifying and preventing software vulnerabilities by Mark Dowd, John McDonald and Justin Schuh
- Writing Secure Software Second Edition, by Michael Howard and David LeBlanc