The cost of ignoring a theoretical flaw in host-based firewall solutions such as ZoneAlarm or the popular Windows XP firewall is confirmed in practice in this paper. There is an unresolved ambiguity at the root of the design of these security artifacts: is the operating system (OS) protecting the firewall, or is the firewall protecting the OS? The theoretically correct answer is an enthusiastic "Both!" That, unfortunately, is easier said than done: one or the other will have primacy, and its integrity will be assumed by necessity. This paper describes what happens when the integrity of the OS is taken for granted and shows, with a successful proof-of-concept implementation, that a malicious network device driver can become a backdoor that host-based firewalls cannot detect.
The paper neglects one important aspect. While the backdoor, as designed, works very well under the debugger, the paper never addresses how it could do something maliciously useful. For instance, one may argue that a second architectural component is needed to gather data of interest, which the device driver backdoor may then export to the outside undetected. How such a data gatherer would push the harvested information to the device driver is not addressed. Communication between components is normally mediated by the OS, but such mediation is undesirable, and in fact impossible, under this design; yet alternate routes are not clearly identified. Another omission is the installation modality of the malicious device driver; it is considered out of scope, which is acceptable. Installation, however, is likely to require privileged console access. This reinforces the truth that computer security is an articulated process with many components. Placing too much trust in a host-based firewall as a silver bullet is unwise, as there are no silver bullets.