Microsoft PatchGuard: Locking down the kernel, or locking out security?

With Microsoft's release of Windows Vista, the software giant locked down the kernel and forced independent security vendors to change the way that they provide antivirus services. So is the OS safer from attacks as a result? Contributor Tony Bradley examines the controversial PatchGuard feature of Windows Vista and explains its role in fighting rootkits and other malware.

When Microsoft introduced the Vista operating system, with it came a number of dramatic changes to the way that Windows functions. Perhaps most notable among those changes was a new feature called PatchGuard. It was intended to provide a more secure computing environment, but it has been a source of controversy among vendors and customers alike. In this article, we will examine PatchGuard and why, despite its controversial approach, the feature helps make the Windows OS more secure.

PatchGuard and kernel patching
Before examining PatchGuard, it's necessary to talk about kernel patching. Kernel patching, also referred to as kernel hooking, is the process of modifying the operating system kernel to alter its behavior or capture certain events. Security vendors in particular, including McAfee Inc. and Symantec Corp., have relied on kernel patching to implement antivirus services, protecting the OS and its applications by intercepting and blocking potentially malicious actions or processes.

PatchGuard, also known as Kernel Patch Protection, sparked controversy because it prevented this type of modification to the OS. PatchGuard monitors kernel code and system resources used by the kernel, and it initiates an automatic shutdown of the system if it detects unauthorized kernel patching.

PatchGuard and rootkit defense
Microsoft has a good reason for locking down the OS kernel: rootkit prevention. A rootkit is essentially a malicious hidden file that enables administrator-level access to a computer or network. By being hooked in at the kernel level, a rootkit is typically able to avoid detection while gaining virtually unrestricted access.

In 2005, it was discovered that Sony BMG Music Entertainment Inc. used rootkit-based copy-protection software. The Sony rootkit used kernel hooking to intercept and deny attempts to burn copies of CDs. In order to prevent rootkits or other malware from using kernel patching to facilitate attacks, Microsoft strengthened its protection of the system kernel with PatchGuard.

Is PatchGuard in the way of security?
Third-party software vendors, particularly antivirus and security software makers, balked loudly about being blocked from kernel patching, largely because it meant redesigning their software. They claimed that by locking out independent software vendors, Microsoft could leave the kernel open to attack from malicious developers. Like any security feature, PatchGuard is not perfect, but it will detect kernel tampering, whether by security software vendors or malware, so security vendors' claims that it only locks out the good guys are nonsense.

Yet some security software vendors claim that without unrestricted access to the system kernel, they are unable to perform the complex functions required for an effective host-based intrusion prevention system (HIPS). By definition, a HIPS should be able to monitor and analyze everything coming into or going out of the host system, and every process and service being executed -- including those of the kernel -- in order to assess it and respond accordingly. PatchGuard does not completely prevent HIPS functionality, though. Security software vendors may need to evolve their security models to inherently trust the kernel and inspect all other processes and events, but Microsoft is working with the security software vendors to develop APIs (application programming interfaces) that allow their products to interact with the kernel in an authorized manner.

Though Microsoft's strategy forces security software vendors to adjust how they protect computer systems, it seems illogical to ask Microsoft to intentionally leave the kernel open in order to facilitate vendors' ability to defend it. PatchGuard is essentially a catch-22 for the software security industry; Windows users and ISVs alike have demanded that Microsoft build more security into Windows, which was the intent of PatchGuard. However, despite making Windows inherently more secure, PatchGuard has forced some security vendors to rethink their own largely successful Windows security strategies after losing the ability to modify the operating system core. Some antivirus vendors, namely Sophos, support Microsoft's new security model, and have blamed their competitors for investing their time fighting Microsoft rather than developing workable tools. Fortunately in that regard, PatchGuard protection only affects the 64-bit version of Windows Vista, a version that is growing in market share, but which is used by a small fraction of the overall Windows Vista market.

For enterprises, the root of the issue comes down to whether they trust Microsoft to write secure software. Assuming that the kernel is truly protected by PatchGuard, Microsoft hopes much of what independent security vendors bring to bear won't be necessary. Security vendors have had some success developing workarounds that bypass PatchGuard, suggesting that attackers can bypass PatchGuard as well. Enterprises that use the 64-bit version of Vista and rely on PatchGuard should ensure they have the latest updates from Microsoft to prevent such attacks. However, enterprises should also engage their antivirus or security software vendor to understand how their product(s) work with PatchGuard and whether there is any reduced functionality or decreased security provided as a result of PatchGuard's kernel protection.

Rather than pushing back on Microsoft to revert to a weaker security model by leaving the operating system kernel open, enterprises should encourage security software vendors to continue to adapt their products to work in tandem with PatchGuard. Vendors need to continuously update their approach to security and adapt to changes in the Windows operating system. They need to regularly evaluate what needs to be protected and how to do it, and they will need to cooperate with Microsoft to get the functionality they need, but it makes much more sense to ask security software vendors to evolve their security model with Microsoft, rather than to ask Microsoft to stagnate or revert to a less secure system.

Keeping the kernel safe
The kernel is the heart and soul of the operating system. While the slightest error in kernel patching can result in an unstable and unreliable system, having a rootkit surreptitiously integrated into the operating system kernel to avoid detection by the OS or third-party security products is a much more significant risk to enterprises. For that reason, PatchGuard represents a stronger way to combat today's malware and protect the kernel.

About the author:
Tony Bradley is a CISSP, and a Microsoft MVP (Most Valuable Professional). He is a Security Consultant with BT in Houston. Tony is also a respected expert and author in the field of information security whose work is translated and read around the world. He contributes regularly to a variety of Web and print publications, and has written or co-written eight books. In addition, Tony is the face of the About.com site for Internet / Network Security, where he writes articles and tips on information security and has almost 40,000 subscribers to his weekly newsletter. Mr. Bradley has consulted with Fortune 500 companies regarding information security architecture, policies and procedures, and his knowledge and skills have helped organizations protect their information and their communications.

This was last published in April 2008
