Security vendors and many journalists blasted Microsoft on its decision to enforce Kernel Patch Protection (KPP) in Windows Vista. The primary reason for the barrage was the lack of access to the operating system’s kernel this step imposed. The loudest complaints were related to the alleged lock out of third party security vendors, but are the complaints still valid?
KPP, commonly known as PatchGuard, is imposed only in the 64 bit version of Vista. It helps prevent modification to the kernel code. According to Microsoft, protecting the kernel is necessary to prevent the hiding of malware (e.g. rootkits) and to improve overall operating system stability ("Microsoft Security Intelligence Report", January-June 2006, released October 23, 2006, p. 35). Stability problems can occur when vendors extend or replace kernel services without using documented interfaces.
Conceptually, this is a positive move by Microsoft. What technology manager wants systems running that are not only susceptible to malware, but also to service delivery outages caused by intentionally installed business software drivers?
When the kernel restrictions were initially announced, vendors appeared to have no access to kernel services. Apparently in response to vendor and consumer complaints, as well as potential anti-trust issues in the EU, Microsoft began working to provide an API to allow access. According to Ben Fathi, vice president for the Windows core operating system, “We will continue to add APIs to make sure [vendors] get everything they want” (“Microsoft Releases Draft API for PatchGuard”, Jaikumar Vijayan, ComputerWorld, January 1, 2007). The first draft of the API was released in December 2006. However, hackers and at least one security vendor are hard at work looking for ways to break PatchGuard.
Preparing for this article, I searched Google for PatchGuard hacks and workarounds. A quick scan of the results revealed several sites at which hacking information is readily available. In fact, one site provided an online manual for breaking Microsoft’s kernel protection.
Authentium, a provider of a software development kit that includes malware protection, announced in October of 2006 that it had built a version of its product that bypasses PatchGuard restrictions (“Security Vendor Bypasses Microsoft’s Vista PatchGuard”, Matt Hines, eWeek, October 24, 2006). Microsoft quickly responded to this announcement by stating that any identified weaknesses would be quickly patched. Software vendors intentionally circumventing the API would soon find their software broken (“Microsoft Decries Vista PatchGuard Hack”, Matt Hines, eWeek, October 25, 2006). In addition, changes to the 64 bit kernel via patches and service packs are probable. In such cases, customers using applications that fail to use the Microsoft provided interfaces might find their software inoperable.
So I understand why hackers would step up to the challenge. Microsoft has essentially thrown down the gauntlet in stating that their 64 bit version of Vista is reasonably protected against attacks against the kernel. But I expect security vendors to take a more professional approach.
According to JupiterResearch, only about 5% of all Windows systems in organizations with 100 employees or more run a 64 bit version. No significant deployment increases are expected near term (“McAfee cries foul over Vista security features”, Elizabeth Montalbano, IDG News Service, October 4, 2006). Even if PatchGuard is a view into the future of Windows security architecture design for all versions of the OS, security vendors have time to modify their products before there is a significant revenue impact. Rather than expend resources fighting Microsoft, I suggest these companies work with the Vista team to develop a rich API set.
To be fair, there has been a move to the middle of the bridge by both Microsoft and the major security vendors. Let’s hope the bridge holds.