Assessment of Vista Kernel Mode Security
The Windows Vista operating system launches one of the most aggressive assaults on kernel mode security threats seen to date; even when compared to those capabilities seen in Mac OS X, Linux, and many UNIX variants. Microsoft is using a number of new security technologies in order to accomplish this:
• Driver signing (mandating digital signatures on all drivers)
• PatchGuard (protecting key kernel data structures – on 64-bit Windows)
• Kernel-mode code integrity checks (validating kernel component hashes)
• Optional support for Secure Bootup using a TPM hardware chip
• Access to \Device\PhysicalMemory blocked from user-mode
Our new paper, Windows Vista Kernel Mode Security takes a detailed look at the Vista boot process and these new security technologies. It also discusses techniques by which driver signing and PatchGuard can be subverted by an attacker and disabled within Windows Vista.
Microsoft’s motivation in protecting the Vista kernel is twofold. The first and most obvious reason is one of security. Kernel mode threats such as Rootkits and malicious drivers have become commonplace and eradicating this risk is certainly in everyone’s best interest.
The second motivation, which may not be as apparent as of yet, is one of digital rights management (DRM). In order to create a protected path between DRM components and the system hardware, it is vital that no malicious code be allowed to insert itself within the media path lest it intercept protected content. This is apparent as Microsoft is positioning Vista as a safe platform for the delivery of protected media content.
In order to accomplish this, Microsoft has implemented many characteristics of the original Palladium model (now known as NGSCB) that has received a significant amount of criticism over the past several years.
While this is a noble effort, these new security technologies have a serious side effect. This side effect is that nobody, with the exception of Microsoft, can make changes to certain components of the Windows kernel. The PatchGuard functionality restricts any software that may be attempting to make extensions to the Vista kernel (even those attempting to do so for legitimate reasons). This includes techniques that are commonplace today such as system service dispatch table (SSDT) hooking and interrupt dispatch table (IDT) hooking to name a few.
Another disturbing side effect of this technology is that while legitimate security vendors can no longer make extensions to the Vista kernel (any attempt to circumvent these security features may only work temporarily), researchers and attackers can, and have, already found ways to disable and work around PatchGuard.
These new technologies, along with Microsoft’s unwillingness to make compromises in this area have serious implications for the security industry as a whole.
If Microsoft wants to make Vista more secure, it should provide equal access to the platform that its own developers have to ensure that security vendors can continue to innovate on the platform, and to ensure that consumers and OEMs can continue to choose the best security solutions for the platform. This has always been the case with prior operating systems.
If security vendors don’t have access to the platform kernel, it cuts down on our ability to innovate and create compatible solutions.
As a result, customers around the world will lose their ability to choose what security solutions they would like to run on their operating systems, and be forced to use only those solutions offered or allowed by Microsoft. A lack of choice for customers prevents them from having the widest variety of options for security solutions to quickly address a constantly evolving landscape of security threats. In the end, a less secure Internet will result and both consumers and enterprises will find themselves more vulnerable to cyber attack.