Deleted member 178
Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1.[1]
"Patching the kernel" refers to unsupported modification of the central component or kernel of the Windows operating system. Such modification has never been supported by Microsoft because it can greatly reduce system security, reliability, and performance.[1] Although Microsoft does not recommend it, it is technically possible to patch the kernel on x86 editions of Windows; however, with the x64 editions of Windows, Microsoft chose to implement this additional protection and technical barriers to kernel patching.
Since patching the kernel is technically permitted in 32-bit (x86) editions of Windows, several antivirus software developers use kernel patching to implement antivirus and other security services. This kind of antivirus software will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection has been criticized for forcing antivirus makers to redesign their software without using kernel patching techniques.
Also, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.[2] This has led to additional criticism that since KPP is an imperfect defense, the problems caused to antivirus makers outweigh the benefits because authors of malicious software will simply find ways around its defenses.[3][4] Nevertheless, Kernel Patch Protection can still prevent system stability, reliability, and performance problems caused by legitimate software patching the kernel in unsupported ways.
Read more: Kernel Patch Protection - Wikipedia, the free encyclopedia
PatchGuard and rootkit defense
Microsoft has a good reason for locking down the OS kernel: rootkit prevention. A rootkit is essentially a malicious hidden file that enables administrator-level access to a computer or network. By being hooked in at the kernel level, a rootkit is typically able to avoid detection while gaining virtually unrestricted access.
In 2005, it was discovered that Sony BMG Music Entertainment Inc., used rootkit-based copy-protection software. The Sony rootkit used kernel hooking to intercept and deny attempts to burn copies of CDs. In order to prevent rootkits or other malware from using kernel patching to facilitate attacks, Microsoft strengthened its protection of the system kernel with PatchGuard.
Is PatchGuard in the way of security?
Third-party software vendors, particularly antivirus and security software makers, balked loudly about being blocked from kernel patching, largely because it meant redesigning their software. They claimed that by locking out independent software vendors, Microsoft could leave the kernel open to attack from malicious developers. Like any security feature, PatchGuard is not perfect, but it will detect kernel tampering, whether by security software vendors or malware, so security vendors' claims that it only locks out the good guys are nonsense.
Yet some security software vendors claim that without unrestricted access to the system kernel, they are unable to perform the complex functions required for effective host-based intrusion prevention (HIPS). By definition, the HIPS should be able to monitor and analyze everything coming into or going out of the host system, and every process and service being executed -- including those of the kernel -- in order to assess it and respond accordingly. PatchGuard does not completely prevent HIPS functionality, though. Security software vendors may need to evolve their security models to inherently trust the kernel and inspect all other processes and events, but Microsoft is working with the security software vendors to develop APIs (application program interfaces) that allow their products to interact with the kernel in an authorized manner.
Though Microsoft's strategy forces security software vendors to adjust how they protect computer systems, it seems illogical to ask Microsoft to intentionally leave the kernel open in order to facilitate vendors' ability to defend it. PatchGuard is essentially a catch-22 for the software security industry; Windows users and ISVs alike have demanded that Microsoft build more security into Windows, which was the intent of PatchGuard. However, despite making Windows inherently more secure, PatchGuard has forced some security vendors to rethink their own largely successful Windows security strategies after losing the ability to modify the operating system core. Some antivirus vendors, namely Sophos, support Microsoft's new security model, and have blamed their competitors for investing their time fighting Microsoft rather than developing workable tools. Fortunately in that regard, PatchGuard protection only affects the 64-bit version of Windows Vista, a version that is growing in market share, but which is used by a small fraction of the overall Windows Vista market.
For enterprises, the root of the issue comes down to whether they trust Microsoft to write secure software. Assuming that the kernel is truly protected by PatchGuard, Microsoft hopes much of what independent security vendors bring to bear won't be necessary. Security vendors have had some success developing workarounds that bypass PatchGuard, suggesting that attackers can bypass PatchGuard as well. Enterprises that use the 64-bit version of Vista and rely on PatchGuard should ensure they have the latest updates from Microsoft to prevent such attacks. However, enterprises should also engage their antivirus or security software vendor to understand how their product(s) work with PatchGuard and whether there is any reduced functionality or decreased security provided as a result of PatchGuard's kernel protection.
Rather than pushing back on Microsoft to revert to a weaker security model by leaving the operating system kernel open, enterprises should encourage security software vendors to continue to adapt their products to work in tandem with PatchGuard. Vendors need to continuously update their approach to security and adapt to changes in the Windows operating system. They need to regularly evaluate what needs to be protected and how to do it, and they will need to cooperate with Microsoft to get the functionality they need, but it makes much more sense to ask security software vendors to evolve their security model with Microsoft, rather than to ask Microsoft to stagnate or revert to a less secure system.
Keeping the kernel safe
The kernel is the heart and soul of the operating system. While the slightest error in kernel patching can result in an unstable and unreliable system, having a rootkit surreptitiously integrated into the operating system kernel to avoid detection by the OS or third-party security products is a much more significant risk to enterprises. For that reason, PatchGuard represents a stronger way to combat today's malware and protect the kernel.
Microsoft PatchGuard: Locking down the kernel, or locking out security?
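The quoted article advises enterprises to find out which security-vendor drivers run in the kernel alongside PatchGuard and on which architecture. The script below is an added example written for this page; it is not code from the article, the thread author, or Microsoft. It assumes Windows PowerShell 5.1 or later on a Windows host, an elevated session so every driver file is readable, and that the Microsoft publisher subject strings matched by the `$TrustedSignerPattern` parameter (an assumed default) are the ones you want to treat as first-party.

```powershell
# Added example (not from the quoted article or thread): inventory the
# kernel-mode drivers currently running, report the OS architecture, and
# check each driver file's Authenticode signature so the drivers that
# security products load next to PatchGuard are visible.
# Assumes Windows PowerShell 5.1+ on Windows, run elevated.

function Get-KernelDriverInventory {
    [CmdletBinding()]
    param(
        # Assumed default: signer subjects that count as first-party Microsoft.
        # WHQL-signed vendor drivers carry "Microsoft Windows Hardware
        # Compatibility Publisher" and deliberately do NOT match this pattern.
        [string]$TrustedSignerPattern = '^CN=Microsoft (Windows|Corporation),'
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    Write-Verbose ("OS: {0} ({1})" -f $os.Caption, $os.OSArchitecture)
    # PatchGuard exists only on x64 Windows; on x86 this inventory is informational.
    $is64 = [Environment]::Is64BitOperatingSystem

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = $_.PathName
            # WMI sometimes returns kernel-style paths; normalise to a Win32 path.
            if ($path) {
                $path = $path -replace '^\\\?\?\\', ''
                $path = $path -replace '^\\SystemRoot', $env:SystemRoot
                if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
            }

            $sigStatus = 'FileNotFound'
            $signer    = $null
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig       = Get-AuthenticodeSignature -FilePath $path
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                Driver     = $_.Name
                Display    = $_.DisplayName
                Path       = $path
                Signature  = $sigStatus
                Signer     = $signer
                # Unsigned ($signer is $null) or non-Microsoft-signed => third party.
                ThirdParty = -not ($signer -match $TrustedSignerPattern)
                Is64BitOS  = $is64
            }
        }
}

# Usage: list the running third-party kernel drivers (antivirus, HIPS, and
# other vendors that live in the kernel beside PatchGuard) with their
# signature status, so you can take that list to the vendor conversation
# the article recommends.
Get-KernelDriverInventory -Verbose |
    Where-Object { $_.ThirdParty } |
    Sort-Object Driver |
    Format-Table Driver, Signature, Signer, Path -AutoSize
```

Two caveats when reading the output: a status of NotSigned on an older system can mean the file is catalog-signed rather than embedded-signed, since catalog checking in Get-AuthenticodeSignature depends on the PowerShell and Windows version; and a WHQL-signed vendor driver is listed as third party on purpose, because the question here is who wrote the code in the kernel, not who countersigned it.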