Overview
A conference talk from Recon2024 where Gabriel Landau, a principal at Elastic Security, reveals a previously-unnamed vulnerability class in Windows that allows bypassing Driver Signing Enforcement (DSE). Discover how incorrect assumptions in Windows' core design lead to security vulnerabilities that enable arbitrary code execution with kernel privileges. Learn about the history of this vulnerability class and see a live demonstration of exploiting Windows 11 to load unsigned drivers without using third-party code like Bring-Your-Own-Vulnerable-Drivers. The presentation covers potential fixes for this vulnerability, detection methods for defenders, and includes the release of a tool demonstrating the DSE exploit alongside a mitigation solution. Understand how this vulnerability class extends beyond Windows to affect any software relying on documented Windows behavior, with implications for both user and kernel-mode applications.
Syllabus
Recon2024 - Gabriel Landau - Smoke And Mirrors Driver Signatures Are Optional
Taught by
Recon Conference