Kernel Patch Protection

From Wikipedia, the free encyclopedia

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of x64 editions of Microsoft Windows that prevents patching the kernel. It was first included with Windows XP x64 in 2005.[1]

Advantages

Patching the kernel has never been supported by Microsoft because it can cause a number of negative effects.[1] Kernel Patch Protection protects against these negative effects, which include:

  • The Blue Screen of Death, which results from serious errors in the kernel.[2]
  • Reliability issues resulting from multiple programs attempting to patch the same parts of the kernel.[1]
  • Rootkits, which can use kernel access to embed themselves in an operating system, becoming nearly impossible to remove.[2]

Microsoft's Kernel Patch Protection FAQ further explains:

Because patching replaces kernel code with unknown, untested code, there is no way to assess the quality or impact of the third-party code... An examination of Online Crash Analysis (OCA) data at Microsoft shows that system crashes commonly result from both malicious and non-malicious software that patches the kernel.

(Kernel Patch Protection: Frequently Asked Questions, 2007-01-22. Retrieved on February 22, 2007.)

Criticisms

Third-party applications

Some computer security software, such as McAfee's McAfee VirusScan and Symantec's Norton AntiVirus, works by patching the kernel. This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.[3] Interestingly, Symantec's corporate antivirus software does work on x64 editions of Windows.[4]

Antivirus software made by competitors Sophos and Kaspersky Lab does not patch the kernel. These companies do not feel that KPP limits the effectiveness of their software.[5][6]

Contrary to some media reports, Microsoft will not weaken Kernel Patch Protection by making exceptions for third-party security applications. Instead, Microsoft is actively working with third-party companies to create new Application Programming Interfaces that will resolve any problems KPP creates.[1] These new APIs are expected to be included with Windows Vista Service Pack 1.[7]

Weaknesses

In January 2006, security researchers Skape and Skywing published a report describing methods, some theoretical, through which Kernel Patch Protection might be bypassed. In January 2007, Skywing published a second report on bypassing KPP version 2. The security company Authentium has also developed a working method to bypass KPP.[8]

Microsoft has warned against modifying the kernel since the introduction of Windows 95, but did nothing to stop it. KPP helps but does not resolve the problem. KPP works by periodically checking the links between different parts of the kernel; if they appear modified, Windows shuts down. What Microsoft did not anticipate was that the timer that counts down to the next check could be disabled by unlinking it from the kernel checker. The checker would then never receive the command to check, leaving the kernel vulnerable to hacks and rootkits.[9]
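To make the checking mechanism described above concrete, here is an added user-mode model (not Microsoft's code and not the real KPP implementation): a constructed table of function pointers stands in for the "links between different parts of the kernel", a baseline hash is recorded once, and a checker compares the current hash against it. Where real KPP bugchecks on a mismatch, this model simply returns a verdict.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of protected kernel links: a dispatch table of
 * function pointers. These names are hypothetical, not ntoskrnl structures. */
typedef int (*svc_fn)(int);
static int svc_open(int x)  { return x + 1; }
static int svc_close(int x) { return x - 1; }
static int svc_read(int x)  { return x * 2; }
/* Stand-in for a third-party hook that redirects a table entry. */
static int hooked_read(int x) { return svc_read(x); }

static svc_fn dispatch_table[3] = { svc_open, svc_close, svc_read };

/* FNV-1a hash over the raw bytes of a protected region. */
static uint64_t fnv1a(const void *p, size_t n) {
    const unsigned char *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

static uint64_t baseline;  /* recorded once, at "boot" in this model */

void kpp_record_baseline(void) {
    baseline = fnv1a(dispatch_table, sizeof dispatch_table);
}

/* The periodic checker: 0 if the protected region is unchanged,
 * 1 if it has been patched (real KPP would shut the system down here). */
int kpp_check(void) {
    return fnv1a(dispatch_table, sizeof dispatch_table) != baseline;
}

/* Simulate the kind of modification the checker is designed to catch. */
void simulate_patch(void)   { dispatch_table[2] = hooked_read; }
void simulate_restore(void) { dispatch_table[2] = svc_read; }

int main(void) {
    kpp_record_baseline();
    printf("fresh:   %s\n", kpp_check() ? "MODIFIED" : "ok");
    simulate_patch();
    printf("patched: %s\n", kpp_check() ? "MODIFIED" : "ok");
    return 0;
}
```

The model also shows why the check must actually be invoked: kpp_check() only reports a modification when something calls it, which is exactly the dependency on the timer that the paragraph above describes.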

Nevertheless, Microsoft is committed to removing any flaws that allow KPP to be bypassed as part of its Microsoft Security Response Center process.[10]

Antitrust behavior

The European Commission expressed concern over Kernel Patch Protection, considering that it might be anticompetitive.[11] However, Microsoft's own antivirus product, Windows Live OneCare, has no special exception to KPP. Instead, Windows Live OneCare uses (and has always used) methods other than patching the kernel to provide virus protection.[12] Still, for other reasons, an x64 edition of Windows Live OneCare is not yet available.[13]

References

  1. Allchin, Jim (2006-10-20). "Microsoft executive clarifies recent market confusion about Windows Vista Security". Microsoft. Retrieved on November 30, 2006.
  2. Field, Scott (2006-08-11). "An Introduction to Kernel Patch Protection". Windows Vista Security blog. Microsoft. Retrieved on November 30, 2006.
  3. Montalbano, Elizabeth (2006-10-06). "McAfee Cries Foul over Vista Security Features". PC World. Retrieved on November 30, 2006.
  4. "Symantec AntiVirus Corporate Edition: System Requirements". Symantec (2006). Retrieved on November 30, 2006.
  5. Jaques, Robert (2006-10-23). "Symantec and McAfee 'should have prepared better' for Vista". vnunet.com. Retrieved on November 30, 2006.
  6. Fulton, Scott M., III (2006-10-20). "Sophos: Microsoft Doesn't Need to Open Up PatchGuard". BetaNews. Retrieved on January 22, 2007.
  7. Fulton, Scott M., III (2006-10-19). "Vista SP1 to Include Common Security APIs for Partners". BetaNews. Retrieved on January 22, 2007.
  8. Hines, Matt (2006-10-25). "Microsoft Decries Vista PatchGuard Hack". eWEEK. Retrieved on November 30, 2006.
  9. Skywing (December 2006). "Patching the Kernel Timer DPC Dispatcher". Subverting PatchGuard Version 2. Uninformed. Retrieved on February 2, 2007.
  10. Gewirtz, David (2006). "The great Windows Vista antivirus war". OutlookPower. Retrieved on November 30, 2006.
  11. Espiner, Tom (2006-10-25). "EC Vista antitrust concerns fleshed out". silicon.com. Retrieved on November 30, 2006.
  12. Jones, Jeff (2006-08-12). "Windows Vista x64 Security – Pt 2 – Patchguard". Jeff Jones Security Blog. Microsoft. Retrieved on March 11, 2007.
  13. "Windows Live OneCare Installation Requirements". Microsoft. Retrieved on March 11, 2007.