Bugtraq mailing list archives

Update to Integrity Protection Driver Available


From: ipd () PEDESTALSOFTWARE COM (IPD)
Date: Thu, 29 Jun 2000 10:13:31 -0400


Name: Integrity Protection Driver (IPD)
Version: 1.1
Purpose: Prevent installation of rootkit device drivers on NT/2000
License: Open Source

Changes since 1.0
-----------------

1. Deny access to only the essential keys for adding device drivers.
Previously, the driver denied access to change any driver setting.

New features in 1.1
-------------------

1. Restrict use of rights that allow debugging, privileged operation
and changing access tokens.

2. Deny access to \device\physicalmemory.

3. Restrict ability to create threads in other processes and write to
the memory of other processes.

Integrity Protection Driver (IPD)
---------------------------------

The IPD is an Open Source device driver designed to prohibit the
installation of new services and drivers and to protect existing drivers
from tampering. It installs on Windows NT and Windows 2000 computers.

Updated information about this driver may be found at

      http://www.pedestalsoftware.com/

Motivation
----------

This driver was created to provide protection against rootkit
installation by attempting to block any new kernel code from being
installed and executed. This will help to prevent trojans from hiding
from integrity checking programs such as Intact.

What It Does
------------

The IPD uses undocumented service function hooking to alter access
rights on driver-related registry keys, values and files to be read-only
no matter what account is requesting access. This effectively prohibits
the Service Control Manager or user applications from changing service
and driver keys and values in the registry and from adding to or
replacing existing driver binaries in the %SystemRoot%\system32\drivers
directory.

The IPD restricts all processes except some system processes (*) from
obtaining the following privileges:

   Debug Privilege
   TCB Privilege
   Create Token Privilege
   Assign Primary Token Privilege

The IPD forbids any process from opening \Device\PhysicalMemory.

The IPD forbids any process, except select system processes, from
creating threads in other processes and from writing in the virtual
memory space of other processes.

(*) See h_tok.c for a list of the system images that are permitted
these privileges.
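The access rules described above, written out as a small policy model (an added example, not the IPD's own code). Which registry values count as "essential keys for adding device drivers", and which system images are allow-listed in h_tok.c, are not stated in this post, so the sets below are assumptions; the `version` switch contrasts the 1.0 rule (any write under Services denied) with the narrower 1.1 rule.

```python
from dataclasses import dataclass
import ntpath

SERVICES_KEY = r"\registry\machine\system\currentcontrolset\services"
DRIVER_DIR = r"%systemroot%\system32\drivers"
# Values assumed to be the "essential keys for adding a device driver" (1.1);
# the post does not name them.
ESSENTIAL_VALUES = {"imagepath", "type", "start"}
# Rights the post says are withheld from all but select system processes.
RESTRICTED_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege",
                    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege"}
# Placeholder for the image list kept in h_tok.c, which is not reproduced here.
SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe"}

@dataclass
class Request:
    kind: str           # "registry" | "file" | "privilege" | "device" | "process"
    target: str         # key\value, file path, privilege name, device name, ...
    write: bool = False
    new_key: bool = False
    image: str = ""     # image name of the requesting process

def decide(req: Request, version: str = "1.1") -> str:
    """Return 'allow' or 'deny' for one request under the 1.0 or 1.1 policy."""
    t = req.target.lower()
    if req.kind == "registry":
        if not req.write or not t.startswith(SERVICES_KEY + "\\"):
            return "allow"                 # reads and unrelated keys are untouched
        if version == "1.0":
            return "deny"                  # 1.0: every driver setting is read-only
        value = t.rsplit("\\", 1)[-1]
        return "deny" if req.new_key or value in ESSENTIAL_VALUES else "allow"
    if req.kind == "file":
        in_drivers = ntpath.dirname(t) == DRIVER_DIR
        return "deny" if req.write and in_drivers else "allow"
    if req.kind == "privilege":
        trusted = req.image.lower() in SYSTEM_IMAGES
        return "allow" if req.target not in RESTRICTED_PRIVS or trusted else "deny"
    if req.kind == "device":
        return "deny" if t == r"\device\physicalmemory" else "allow"  # no exceptions
    if req.kind == "process":   # remote thread creation / cross-process memory write
        return "allow" if req.image.lower() in SYSTEM_IMAGES else "deny"
    return "allow"

def compare_versions(req: Request) -> tuple[str, str]:
    """Show how 1.1 narrowed the registry rule relative to 1.0."""
    return decide(req, "1.0"), decide(req, "1.1")
```

A write to a non-essential value such as DisplayName is the case 1.1 lets through and 1.0 blocked, which is the functionality loss the changelog entry refers to.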

Is there a way to circumvent the IPD?
-------------------------------------

The IPD attempts to block known methods for loading and executing
kernel code. There may be undocumented or undiscovered methods
for installing and executing kernel code. As new methods are
discovered the IPD can be updated to counter those methods.

Functionality Issues
--------------------

The IPD is designed to alter the operating system's normal operating
behavior. In doing so, there will be some loss of functionality. The
following are some of the constraints you may encounter:

\Device\PhysicalMemory issues:

NTVDM requires access to \Device\PhysicalMemory on startup. This means
that no 16-bit applications will work (unless an NTVDM session was
running before the IPD driver engaged and the 16-bit application is
not configured to run in its own memory space). Some screen savers
(such as the blank screen saver) will not work because of this.

Legitimate device drivers may attempt to open \Device\PhysicalMemory
during normal operation. The IPD will block these attempts and so may
cause unexpected results. So far, we have not encountered any device
drivers that do this after startup.

Debugging Programs:

The IPD blocks the ability to debug programs.

What's Included
---------------

You should have received the following files with your distribution:

  ipd.sys         -- the compiled device driver for i386 computers
  ipdinstall.exe  -- the installation/removal program
  readme          -- this file
  driver/*        -- source files

Installation
------------

To install the IPD device driver, unzip all files into a directory.
Execute the ipdinstall.exe program to install and start the driver:

        ipdinstall.exe install

The driver is installed for "automatic" startup, which means it will
automatically start at system boot. The driver engages, or begins
protecting, 20 minutes after it has started.

IMPORTANT:

* Once the Driver is started it may not be stopped.

* Once the Driver is engaged it may not be removed. Even if the
appropriate Service Control Manager function call marks the driver for
deletion, the driver will still not be removed.

Removal
-------

YOU MUST REMOVE THE IPD DEVICE DRIVER WITHIN 20 MINUTES OF STARTUP,
AND THEN REBOOT THE SYSTEM. If the driver has already engaged then you
will have to reboot and remove it within 20 minutes of boot up.

The remove command is:

        ipdinstall.exe remove

Support
-------

There is no support. New versions can be found at
http://www.pedestalsoftware.com. Bug reports should be sent to
bugs () pedestalsoftware com.

References
----------

Undocumented Windows NT by Dabak, Phadke and Borate; M&T Books, 1999.
Windows NT/2000 Native API Reference, Gary Nebbett; Macmillan Technical
Publishing, 2000.
Microsoft Windows DDK.

Copyright and Grant of Use
--------------------------

The IPD is Open Source, please see the web site for details.

Who is Pedestal Software?
-------------------------

Pedestal Software is based near Boston, MA, and has been providing
security software since 1996. Its founders come from the financial
services and banking industries where security and system integrity
are top priorities.

On the web: http://www.pedestalsoftware.com
email:      support () pedestalsoftware com
