In association with heise online

08 January 2013, 10:57

Jailbreak for Windows 8 RT

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Windows 8/RT logo A developer calling himself 'clrokr' has found a way of bypassing the code integrity checking feature in Windows RT. Windows RT is the version of Windows 8 designed for tablets containing ARM processors. The bypass should enable users to run unsigned desktop applications on Surface tablets and other devices running Windows RT.

The developer ascribes the breakthrough to the thoroughness with which Microsoft has ported its operating system to the ARM platform. Functionally, he says, Windows RT has been implemented so cleanly that, deep in the kernel, the same byte is used to specify the minimum level for code signing as is used in the desktop version. Windows uses this byte to determine the quality of code signatures. Unsigned applications receive the lowest possible classification of 0. Microsoft signatures are classed as 8 and Windows components are classed as 12.

On x86 desktop machines, applications run with a minimum signing level of 0. Windows RT by contrast only accepts signatures with level 8 or above, that indicates signatures directly approved by Microsoft. This figure is stored directly in the kernel, where it cannot be changed. Once the system has loaded this value into memory, however, it can be modified there. To do so, clrokr used the remote debugger to hook into the active user's CSRSS process and then inject modified code. The Client/Server Runtime Subsystem is a core component of the Windows kernel.

Due to its complexity, the method described by clrokr for circumventing code signing does not represent a security risk in practice. The minimum signing level is also only reset until the machine in question is restarted and no Windows/ARM-compiled desktop applications which could be started using this technique exist at present. It thus remains to be seen whether and when Microsoft will feel bound to fix this vulnerability.

Clrokr's description of his technique concludes with the observation that requiring signatures is not a technical necessity, but a "bad marketing decision" by Microsoft. He notes that Windows RT needs the Win32 ecosystem to strengthen its position as a productivity tool and appeals to Microsoft to make code signing optional.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit