Driver Security in Windows 10

February 18, 2020 by

Greg Belding

Drivers are an essential group of files that allow a hardware component(s) to communicate with the computer’s operating system (OS). If an attacker successfully exploits a kernel-based driver, the user might as well sign away the OS to the attacker. 

This article details driver security in Windows 10, including fundamentals of driver signature enforcement, driver security threat modeling, the Windows 10 driver security checklist and driver security challenges.

Driver security fundamentals

Driver security is a trade-off between security and usability. Security and usability must be balanced, so the level of security implemented is appropriate and the usability of the drive is high enough to satisfy the user. Open, high-level usability profiles contribute to recurring security issues with Microsoft products.

Just like in other versions of Windows, users must have administrator privileges to install drivers in Windows 10. These drivers also must be from trusted sources (and even this may not keep a Windows 10 system safe from driver security issues which will be discussed below).

Vulnerabilities within drivers plague information security professionals, and this is exacerbated by Windows 10 drivers that run in kernel mode. Drivers running in kernel-mode operate on ring 0 in an x86 system. This means that if an attacker exploits the driver, the whole OS could be compromised. 

For those needing clarification on this point, most device drivers operate one ring above, on ring 1, which is separated from the lower-level rings for security purposes as they house more central components to the system. If they get attacked or go down, your system will be in major trouble.

Security updates for drivers are automatically downloaded in Windows 10, which is the default setting for nearly all updates. However, Windows 10 users may need to manually install driver updates that have not downloaded and installed for some reason. 

These updates can be installed by using the device manager as well. To find the device manager, either search “device manager” in the Windows 10 search bar or navigate to the control panel. Once you have the device manager open, right-click on the device with the driver you want to update and click “update driver.” Choose the option of Search Automatically for Updated Driver software. Windows even allows for manual installation of manufacturer driver updates. 

Driver signature enforcement

Beginning with Windows 10 version 1607, all newly-created Windows 10 drivers in new OS installations must be submitted to the Windows Hardware Developer Center Dashboard portal (dev portal) and approved. Driver signature enforcement prevents an unsigned driver from being installed. 

This causes problems for those trying to install an unsigned driver. Driver signature enforcement (DSE) can be disabled to install trusted but unsigned drivers, but it is recommended that the DSE be immediately enabled following installation.

Driver threat modeling

Threat modeling requires a high-level analysis of the driver, how it will be used and what threats may be realized. It is a useful structured approach to secure driver design. Microsoft suggests that driver threat modeling should answer four questions, including “Which assets need protection?” 

Windows 10’s driver security checklist

Most users follow Microsoft’s driver security recommendations. Developers often question these recommendations. Realizing this, Microsoft offers a drive security checklist that applies to Windows 10 developers. The security checklist includes “Perform threat analysis.” 

Each list item has a task associated with it that developers should explore to ensure driver security.

Driver security challenges

With the seemingly robust Windows 10 driver security illustrated above, don’t let this give you a false sense of hope or security with regard to the security readiness that Windows 10 affords. Going back to the Windows 10 recurring theme of the trade-off between security and usability, security for drivers in Windows 10 is not perfect. 

Recently, security researchers have identified over 40 drivers in use with Windows 10 that could potentially allow attackers to elevate privileges above that of the user pace. Some of these devices come from major manufacturers including Intel, ASUS and Toshiba. To be fair to Windows 10, these driver security issues were identified in previous versions of Windows as well, but this should not let Microsoft off the hook of improving Windows security for the future.

This risk is definitely a true threat, but don’t worry — it’s easier to safeguard against than you may think. 

Windows 10 users should regularly scan their systems for outdated drivers and then manually download and install those that need installing. Windows security, including driver security, will probably always require a degree of self-initiative, so having to take a proactive measure like this should not come as too big of a surprise.

Conclusion

Driver security didn’t change much between Windows 8 and Windows 10. However, driver updates and driver signature enforcement are enabled by default and updates are installed automatically in Windows 10. These settings can also be disabled if needed, maintaining Windows’ high usability reputation while moving towards greater driver security.

Sources

1. Driver security checklist, Microsoft
2. Threat modeling for drivers, Microsoft
3. Driver Signing changes in Windows 10, version 1607, Microsoft Tech Community
4. How to properly update device drivers on Windows 10, Windows Central
5. How to Disable Automatic Driver Downloads on Windows 10, Laptop Mag