Microsoft PatchGuard: Locking down the kernel, or locking out security?


Tony Bradley
04.22.2008


Windows Vista brought a number of changes to the way Windows works, and one of the most contentious was Kernel Patch Protection, better known as PatchGuard. Strictly speaking, PatchGuard predates Vista: it first shipped in the x64 editions of Windows XP and Windows Server 2003 SP1 in 2005, but Vista was the first broadly deployed release to carry it, paired on x64 with mandatory kernel-mode code signing, and that is when the argument with security vendors went public. PatchGuard was intended to make the platform harder to subvert, yet it has been a source of controversy among vendors and customers alike. This article looks at what PatchGuard actually does and why, despite its blunt approach, it makes Windows more secure.

PatchGuard and kernel patching
Before examining PatchGuard, it's necessary to talk about kernel patching. Kernel patching, often called kernel hooking, means modifying the running kernel's code or its key data structures in memory so that control passes through someone else's code. Typical targets are the system service dispatch table (SSDT), the interrupt descriptor table (IDT) and the first bytes of individual kernel functions, which are overwritten with a jump into the patcher's own routine. On 32-bit Windows, security vendors such as McAfee Inc. and Symantec Corp. relied heavily on this technique to implement antivirus and intrusion-prevention features, sitting between applications and the kernel so they could inspect, and if necessary block, potentially malicious file, registry and process operations before the kernel carried them out.

PatchGuard, also known as Kernel Patch Protection, sparked controversy because it forbids exactly this type of modification. It does not block the write itself. Instead, it records the state of protected kernel code and structures (the kernel and HAL images, the SSDT, IDT and GDT, and similar resources) early in boot, then re-verifies them at unpredictable intervals from a hidden timer. If anything has changed, it halts the system with a bug check (0x109, CRITICAL_STRUCTURE_CORRUPTION) rather than letting a patched kernel keep running. There is no "authorized" path through PatchGuard: any patch, from a security product or from malware, trips it. Because the check runs on a timer, detection is after the fact, which is also why the bypasses discussed later in this article concentrate on finding and disabling the checker.

PatchGuard and rootkit defense
Microsoft has a good reason for locking down the OS kernel: rootkit prevention. A rootkit is not a single hidden file but a piece of software, usually a kernel-mode driver, that conceals its own presence (files, processes, registry keys, network connections) while preserving privileged access for its operator. By hooking in at the kernel level, a rootkit sits underneath the operating system's own APIs and underneath most security products, so it can filter what those tools are allowed to see and act on the system with virtually unrestricted access.

In 2005, it was discovered that Sony BMG Music Entertainment Inc. shipped rootkit-based copy-protection software (XCP) on audio CDs. The XCP driver hooked the system service dispatch table to hide any file, process or registry key whose name began with "$sys$" from the user and from security tools, and the same cloak was soon borrowed by malware that simply named its own files with that prefix. In order to prevent rootkits or other malware from using kernel patching to facilitate attacks, Microsoft strengthened its protection of the system kernel with PatchGuard.
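The two sides of the previous paragraphs, a hook that filters a kernel service and an integrity check that catches the hook, fit in one small model. The following is an added example written for this article, not code from Microsoft, Sony BMG or any security vendor: the dispatch table, the "kernel code" bytes and the directory listing are all constructed stand-ins, and the checker is a simplified sketch of the PatchGuard idea (hash protected regions at boot, re-hash later, fail hard on a mismatch), not the real implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Model of a kernel service dispatch table (the SSDT) -------------------- */
typedef int (*service_fn)(const char **names, int count, const char **out, int out_max);

/* "Original" directory enumeration service: passes every name through. */
static int nt_query_directory(const char **names, int count, const char **out, int out_max)
{
    int n = 0;
    for (int i = 0; i < count && n < out_max; i++)
        out[n++] = names[i];
    return n;
}

enum { SVC_QUERY_DIRECTORY = 0, SVC_COUNT = 4 };
static service_fn ssdt[SVC_COUNT] = { nt_query_directory, NULL, NULL, NULL };

/* Stand-in for a page of kernel code: constructed bytes, not real ntoskrnl. */
static unsigned char kernel_text[32] = {
    0x48, 0x89, 0x5c, 0x24, 0x08, 0x48, 0x89, 0x74, 0x24, 0x10, 0x57, 0x48, 0x83, 0xec, 0x20, 0x8b,
    0xf9, 0x48, 0x8b, 0xf2, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x5c, 0x24, 0x30, 0xc3, 0xcc };

/* --- Rootkit side: SSDT hook that hides "$sys$"-prefixed entries (XCP style) -- */
static service_fn orig_query_directory;

static int hooked_query_directory(const char **names, int count, const char **out, int out_max)
{
    int n = orig_query_directory(names, count, out, out_max), kept = 0;
    for (int i = 0; i < n; i++)                 /* filter the real results in place */
        if (strncmp(out[i], "$sys$", 5) != 0)
            out[kept++] = out[i];
    return kept;
}

int install_rootkit_hook(void)
{
    orig_query_directory = ssdt[SVC_QUERY_DIRECTORY];
    ssdt[SVC_QUERY_DIRECTORY] = hooked_query_directory;   /* the "patch" */
    return 0;
}

int uninstall_rootkit_hook(void)
{
    ssdt[SVC_QUERY_DIRECTORY] = orig_query_directory;
    return 0;
}

/* Simulates an inline patch (e.g. overwriting a function prologue with a jmp). */
int patch_kernel_text(size_t offset, unsigned char byte)
{
    if (offset >= sizeof kernel_text) return -1;
    kernel_text[offset] = byte;
    return 0;
}

/* What a caller, or a user-mode scanner, sees through the dispatch table. */
int visible_entry_count(void)
{
    /* constructed sample listing; the "$sys$" name mimics what XCP hid */
    const char *names[] = { "readme.txt", "$sys$drmserver.exe", "notes.doc" };
    const char *out[3];
    return ssdt[SVC_QUERY_DIRECTORY](names, 3, out, 3);
}

/* --- Defender side: KPP-style integrity check over protected regions --------- */
static uint64_t fnv1a64(const void *p, size_t len)
{
    const unsigned char *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

struct region { const char *name; const void *base; size_t len; uint64_t baseline; };
static struct region regions[] = {
    { "service dispatch table", ssdt,        sizeof ssdt,        0 },
    { "kernel code",            kernel_text, sizeof kernel_text, 0 },
};
#define NREGIONS (sizeof regions / sizeof regions[0])

/* Record known-good hashes; KPP does this early in boot. */
int kpp_snapshot(void)
{
    for (size_t i = 0; i < NREGIONS; i++)
        regions[i].baseline = fnv1a64(regions[i].base, regions[i].len);
    return (int)NREGIONS;
}

/* Re-verify. Returns -1 if clean, else the index of the first modified region.
   The real checker runs from a randomized timer and raises bug check 0x109
   (CRITICAL_STRUCTURE_CORRUPTION) instead of returning a value. */
int kpp_check(void)
{
    for (size_t i = 0; i < NREGIONS; i++)
        if (fnv1a64(regions[i].base, regions[i].len) != regions[i].baseline)
            return (int)i;
    return -1;
}

static void report(const char *step)
{
    int r = kpp_check();
    if (r < 0) printf("%-26s visible entries=%d  KPP: clean\n", step, visible_entry_count());
    else       printf("%-26s visible entries=%d  KPP: BUGCHECK 0x109 (%s)\n",
                      step, visible_entry_count(), regions[r].name);
}

int main(void)
{
    kpp_snapshot();               report("boot");
    install_rootkit_hook();       report("after SSDT hook");
    uninstall_rootkit_hook();     report("hook removed");
    patch_kernel_text(0, 0xe9);   report("after inline code patch");
    return 0;
}
```

Two things the model makes visible. First, the hook never touches the hidden file; it only edits the answer the kernel gives, which is why a scanner running above the hook cannot find "$sys$drmserver.exe" no matter how good its signatures are. Second, the checker cannot tell a vendor's hook from a rootkit's: both change the table bytes, so both fail the comparison. It also shows the weakness: a patch made and reverted between two checks, or a patch to the checker itself, goes unnoticed.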

Is PatchGuard in the way of security?
Third-party software vendors, particularly antivirus and security software makers, objected loudly to being blocked from kernel patching, largely because it meant redesigning their products. They argued that by locking out independent software vendors, Microsoft would leave the kernel open to attack from malicious developers. Like any security feature, PatchGuard is not perfect, and as a timer-driven check it detects tampering rather than preventing it. But the check is on the integrity of the kernel, not on the identity of whoever altered it: a vendor's hook and a rootkit's hook change the same bytes and trip the same bug check. The claim that it only locks out the good guys does not hold up.

Yet some security software vendors claim that without unrestricted access to the system kernel, they are unable to perform the functions required for effective host-based intrusion prevention (HIPS). By definition, a HIPS should be able to monitor and analyze everything coming into or going out of the host, and every process and service being executed, including those of the kernel, in order to assess it and respond accordingly. PatchGuard does not prevent HIPS functionality, though. Windows already exposes supported ways to see those events without patching: file-system minifilters, registry callbacks, process, thread and image-load notification routines, and the Windows Filtering Platform for network traffic. Vendors may need to evolve their security models to treat the kernel as trusted and inspect everything else through these interfaces, and Microsoft committed to documenting further application programming interfaces (APIs) in Vista SP1, including callbacks on handle operations, so that products can interact with the kernel in a supported manner rather than by overwriting it.

Though Microsoft's strategy forces security software vendors to adjust how they protect computer systems, it seems illogical to ask Microsoft to intentionally leave the kernel open in order to facilitate vendors' ability to defend it. PatchGuard is essentially a catch-22 for the security software industry: Windows users and ISVs alike have demanded that Microsoft build more security into Windows, which was the intent of PatchGuard. However, despite making Windows inherently more secure, PatchGuard has forced some security vendors to rethink their own largely successful Windows security strategies after losing the ability to modify the operating system core. Some antivirus vendors, notably Sophos, support Microsoft's new security model and have criticized their competitors for investing their time in fighting Microsoft rather than in building workable tools. In practice the disruption is still limited: PatchGuard exists only in the 64-bit (x64) editions of Windows, so 32-bit Vista, which accounts for the large majority of Vista installations, is unaffected, although the 64-bit share is growing and the 32-bit escape hatch will not last.

For enterprises, the root of the issue comes down to whether they trust Microsoft to write secure software. Assuming that the kernel is truly protected by PatchGuard, Microsoft hopes much of what independent security vendors bring to bear won't be necessary. Security vendors have had some success developing workarounds that bypass PatchGuard, and public research (the "Bypassing PatchGuard on Windows x64" papers in Uninformed, beginning in 2005) has described others; if defenders and researchers can do it, attackers can too. Because PatchGuard is a timer-driven check, a bypass that locates and disables the checker, or patches and restores a structure between two checks, leaves no trace. Microsoft has responded by reworking PatchGuard in updates each time a bypass became public, so enterprises that use 64-bit Vista and rely on PatchGuard should keep current with Microsoft updates, and should keep mandatory driver signing enabled rather than booting with it disabled for a vendor's convenience. However, enterprises should also engage their antivirus or security software vendor to understand how their product(s) work with PatchGuard on x64, and whether any functionality or protection is reduced as a result of PatchGuard's kernel protection.

Rather than pushing back on Microsoft to revert to a weaker security model by leaving the operating system kernel open, enterprises should encourage security software vendors to continue adapting their products to work in tandem with PatchGuard. Vendors need to continuously update their approach to security and adapt to changes in the Windows operating system. They need to regularly evaluate what needs to be protected and how to do it, and they will need to cooperate with Microsoft to get the interfaces they need. It makes much more sense to ask security software vendors to evolve their security model with Microsoft than to ask Microsoft to stagnate or revert to a less secure system.

Keeping the kernel safe
The kernel is the heart and soul of the operating system. The slightest error in kernel patching can leave a system unstable and unreliable, and two products hooking the same table can corrupt each other's work, but a rootkit surreptitiously integrated into the kernel to avoid detection by the OS or by third-party security products is a far more significant risk to enterprises. For that reason, PatchGuard represents a stronger way to combat today's malware and protect the kernel.

About the author:
Tony Bradley is a CISSP, and a Microsoft MVP (Most Valuable Professional). He is a Security Consultant with BT in Houston. Tony is also a respected expert and author in the field of information security whose work is translated and read around the world. He contributes regularly to a variety of Web and print publications, and has written or co-written eight books. In addition, Tony is the face of the About.com site for Internet / Network Security, where he writes articles and tips on information security and has almost 40,000 subscribers to his weekly newsletter. Mr. Bradley has consulted with Fortune 500 companies regarding information security architecture, policies and procedures, and his knowledge and skills have helped organizations protect their information and their communications.
