We come here not to bury PatchGuard, but to praise it.
Amid all of the keening and hand-wringing from antivirus vendors, analysts and bloggers about PatchGuard—which is now known as Kernel Patch Protection (KPP)—it seems that the central point of the debate has been lost. The only question that really matters in this entire mess is whether preventing applications and processes from hooking the kernel is good for security. And the answer to that is a resounding yes.
"If the OS is built securely, it wouldn't let anything interpose into the kernel," said Gary McGraw, chief technology officer of Cigital Inc., a renowned authority on secure coding and software design, and no friend of Microsoft's in most cases.
The technical reasoning for this is fairly straightforward: Allowing software to elevate into the kernel can lead to instability and system crashes. It leaves the door open for malicious programs to use the same methods that legitimate applications use to access the kernel. And that leads to kernel-mode rootkits, nasty backdoor Trojans and all manner of other potential problems.
In past versions of Windows, Microsoft has provided data tables that were read/write and enabled outside applications to access the kernel. That was fine for a long time, but then came a wave of creative malware authors who crafted their programs specifically with the Windows kernel in mind. So when Vista hit the drawing board, Microsoft's developers figured the move from 32-bit to 64-bit was the ideal time to put some protections around the kernel to allay some of this madness.
"We realised that 64-bit was the right moment to do this. The engineering reason is that [allowing applications to hook the kernel] was never a safe practice to begin with. It's not good software design," said Stephen Toulouse, senior product manager in Microsoft's Security Technology Unit. "Sixty-four bit is a different platform. This is really a chance to change things that were unsafe. We're limiting a very specific type of behavior, not preventing people from loading kernel mode software. That doesn't mean there aren't ways to extend the kernel that are safe."
For example, for network IPS vendors that want to do deep packet inspection of network packets, Vista provides access to the network interface. And for host IPS applications, Vista includes minifilters in the file system.
Does the fact that it's Microsoft making these changes to an OS that includes antivirus and anti-spyware technology make people nervous, given the company's past anti-competitive practices? Yes. But it's also important to remember that Microsoft's own security suite, OneCare, has to obey the same rules in regard to the kernel as third-party applications do; it gets no special treatment.
And it's equally important to point out that KPP has been in the wild for some time, in Windows Server 2003 x64 Edition, without so much as a peep from the security vendors that are now so busy taking out newspaper ads and posting blog entries about the alleged evils of the technology. The other thing to consider is the fact that most other operating systems, such as Linux, Unix and Solaris, have included kernel protection for years. Where's the outrage there?
Much of the anger and rhetoric on this issue obviously stems from Microsoft's well-documented and well-earned reputation as a monopolist with a history of partnering with smaller vendors, learning their businesses and then shoving them aside and taking over their markets. Certainly the company's actions with KPP bear watching, especially given that after executives finally caved to the pressure on KPP and agreed to provide APIs for third-party vendors they quietly said those APIs will "hopefully" appear in Service Pack 1 for Vista, not the initial release.
So we'll watch and wait and hope that Microsoft lives up to its promises. If not, the European Commission, the Justice Department and millions of customers will likely let them know soon enough.
This was first published in November 2006