A Reality Check on PatchGuard
I have to say that it is not surprising to see that Microsoft is countering the claims (that Symantec, McAfee, and others are making) that Windows Vista will hinder innovation, while putting consumers at risk. In fact, I think that it is to be expected. Some of the arguments that are being put forth in their favor are rather uninformed, exceptionally broad, and disingenuous. They have been presented in such a way as to position security vendors as though we have for decades preyed on the weak and stolen from the poor and with the emergence of Windows Vista, freedom from this tyranny is in sight. The reality is, we offer a real service—protection from real threats that will otherwise result in real losses—and this is by no means a protection racket. In any case, it’s not my intent to try and dissuade that part of the population that really thinks this; but, I will try to offer some insight to those who would consider themselves technologists.
It is important to remember that Windows Vista is not a security solution, it’s an operating system. Microsoft has made significant security improvements with the introduction of Vista; but, there is a reason why they themselves have introduced a security solution that still runs on top of it (Windows OneCare Live).
When we look at the future of computing, I think that one thing is a given: much like the evolution from 8-bit, to 16-bit, to the 32-bit processors of today, the majority of computers in the future will become 64-bit. It would also be safe to assume that, in the absence of any unforeseen events, Microsoft Windows will remain the dominant desktop operating system.
One of the main points of contention with Microsoft involves one specific new technology, implemented in the 64-bit version of Windows Vista (and previously introduced in XP 64-bit, and Server 2003). The 64-bit version of Windows Vista introduces PatchGuard. PatchGuard prevents anyone (with the exception of Microsoft) from tampering with, extending, enhancing, and protecting the Windows Vista kernel. It does this by detecting when a driver, or other code running inside the kernel, attempts to add this extended functionality. It monitors key system structures, one in particular being the System Service Dispatch Table (SSDT). When it detects a modification to this table, it results in a blue screen of death (BSOD), with the belief that malicious code may have tampered with the kernel. It is important to note that there are both legitimate, as well as malicious reasons for an application to modify this table.
Microsoft has drawn the false conclusion that anything using kernel SSDT hooking is a rootkit and should be considered malicious. Because rootkits happen to use this technique, they presume that any driver using this technique can also be considered a rootkit, which is flawed logic. Microsoft should instead be focusing on a solution to block out rootkits, while letting legitimate vendors in. In fact, with their driver-signing requirements for 64-bit Vista they have already made it difficult for a rootkit driver to load into the kernel, meaning that they can clearly discern a good driver from a malicious one.
The SSDT is frequently used by many software vendors in existing versions of Microsoft Windows to extend the kernel in order to protect users. Entire classes of security technologies, behavior blocking for one, rely on this much needed capability. The SSDT allows security vendors to monitor System Services, which are the fundamental functions in Windows that applications need to do their work. There are over 400 System Service calls. Each of these provide a specific function; whether it is to access the registry, access files, add a user to the system, or reboot the computer. By monitoring System Services, security technologies can monitor the behavior of both good and bad applications running on a system. (For example, is a threat attempting to add a new user account or reboot the computer, and should we allow this?) Behavior-blocking technologies have been in the market for years and provide many advantages when combined with existing antivirus solutions. They improve the overall level of protection for consumers. Microsoft provides no alternative technique to provide behavior blocking and tamper protection for the Windows platform other than by hooking these System Service calls.
If Microsoft is concerned about the stability of enhancing the kernel using the commonplace SSDT hooking technique, we recommend they provide a suitable alternative. Symantec ships products on over 200 million desktops that leverage this capability. For a good description of the benefits that behavior blocking technologies can provide, see the following articles:
Microsoft’s view of the security space today is limited to traditional antivirus and firewall. This is a very limited view of the security space and of the technologies that are protecting consumers now and will protect them in the future. It’s not clear how they themselves would implement behavior-blocking technologies with PatchGuard in place without modifying the PatchGuard code and adding behavior blocking software when convenient. Microsoft has, as a result, prevented competitors from supporting alternate security technologies except for those they condone—including technology currently running on millions of desktops.
Needless to say, the security industry is very concerned that the decisions being made with 64-bit Windows will, in turn, result in a less secure platform. They will directly impact the development of new security technologies, and Microsoft themselves will lose out, due to an insecure platform. Security ISVs who deliver advanced behavior blocking and tamper-resistant security technologies all agree that this issue must be addressed.
Some security vendors shipping traditional antivirus solutions may not have seen the implications of PatchGuard and as a result have mistakenly voiced their support for it. It is easy to miss the long-standing implications of these changes when focusing on traditional file-based scanning techniques. File-based scanning will continue to be possible on Windows Vista. It is the next generation of behavior-blocking technologies and future security models that will be extinguished through these limitations.
In addition, hackers have already broken PatchGuard and can disable it. This means that hackers can already get malicious code into the Windows Vista kernel; while legitimate security vendors can no longer protect it. This presents a serious new risk for consumers and enterprises worldwide. Now, you may ask yourself, if hackers can bypass PatchGuard, why don’t security vendors? We certainly could, if we chose to; however, Microsoft has firmly stated that any attempt to do so will result in an update to PatchGuard, which will detect these attempts. It would be foolish for Symantec to ship a product out to over 200 million desktops that may result in a BSOD on each desktop, if Microsoft decides to update PatchGuard.
Microsoft has legitimate reasons for protecting the Windows Vista kernel. Nobody can dispute that this is in everyone’s best interest. The main reason, besides security, is one of digital rights management (DRM). In order to provide a protected media path, the kernel must be protected from malicious applications that may steal video or audio content. Microsoft has to prevent anyone from writing a driver that will intercept protected content. As a result, they have implemented a significant portion of the Palladium NGSCB security model.
Whatever Microsoft’s intent, whether it is DRM or security, they have clearly avoided addressing some important issues. They have been disingenuous and have misled vendors under false pretenses during the development of Windows Vista. Here’s why:
• Symantec is not recommending that Microsoft remove PatchGuard from Windows Vista. That has never been a point of contention.
• Symantec has provided Microsoft with recommend APIs that will allow legitimate, authorized, and certified security vendors to leverage the same capabilities that we have in prior versions of Windows.
• Symantec has been asking for these capabilities for well over one year now and therefore these concerns are not a new development to Microsoft.
• Symantec has repeatedly suggested that Microsoft establish a new certification model that will certify legitimate vendors who seek to extend the Windows Vista kernel. This certification, on top of existing driver certification steps, will ensure that certified vendors are not attempting to bypass Windows DRM and that certified vendors are not malicious and are making genuine enhancements to Windows Vista.
This model will meet all of Microsoft’s goals. It will allow Microsoft to protect the Windows Vista kernel for both DRM and security, while continuing to allow legitimate, well-intentioned software vendors to enjoy the capabilities we need in order to innovate and protect the Internet.
Industry analysts agree with this position and recommend that enterprises voice their concern to help rectify this situation:
“Security firms' concerns over Microsoft closing access to the upcoming Windows Vista operating-system kernel have some validity. Microsoft should work with vendors to develop a method of extending kernel functionality... All enterprises: Pressure Microsoft and ISVs such as McAfee, Symantec and others to work together to develop a mutually acceptable, trusted method of extending kernel functionality to support Windows system call interception and kernel dispatch table modification...” - Neil MacDonald and John Pescatore of Gartner