Kernel Patch Protection

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Safield (talk | contribs) at 03:55, 23 February 2007 (→‎Antitrust behavior: changed "re-written" to "written". The former implies that Onecare once employed kernel patching, which is not true.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of x64 editions of Microsoft Windows that prevents patching the kernel. It was first included with Windows XP x64 in 2005.[1]

Advantages

Patching the kernel has never been supported by Microsoft because it can cause a number of negative effects.[1] Kernel Patch Protection protects against these negative effects, which include:

  • The Blue Screen of Death, which results from serious errors in the kernel.[2]
  • Reliability issues resulting from multiple programs attempting to patch the same parts of the kernel.[1]
  • Rootkits, which can use kernel access to embed themselves in an operating system, becoming nearly impossible to remove.[2]

Microsoft's Kernel Patch Protection FAQ explains:

Because patching replaces kernel code with unknown, untested code, there is no way to assess the quality or impact of the third-party code ... An examination of Online Crash Analysis (OCA) data at Microsoft shows that system crashes commonly result from both malicious and non-malicious software that patches the kernel.

Criticisms

Third party applications

Some computer security software, such as McAfee's McAfee VirusScan and Symantec's Norton AntiVirus, works by patching the kernel. This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.[3] Interestingly, Sophos's corporate antivirus software does work on x64 editions of Windows.[4]

Antivirus software made by competitors Sophos and Kaspersky Lab does not patch the kernel. These companies do not feel that KPP limits the effectiveness of their software.[5][6]

Contrary to some media reports, Microsoft will not weaken Kernel Patch Protection by making exceptions for third-party security applications. Instead, Microsoft is actively working with third-party companies to create new Application Programming Interfaces that will resolve any problems KPP creates.[1] These new APIs are expected to be included with Windows Vista Service Pack 1.[7]

Weaknesses

In January 2006, security researchers Skape and Skywing published a report that describes methods, some theoretical, through which Kernel Patch Protection might be bypassed. In January 2007, Skywing published a second report on bypassing KPP version 2. Security company Authentium has also developed a working method to bypass KPP.[8]

Microsoft has been warning against modifying the kernel since the introduction of Windows 95, but did nothing to stop it. KPP helps but does not resolve the problem. KPP works by regularly checking the links between different parts of the kernel, and if they appear modified, Windows shuts down. What Microsoft did not anticipate is that the clock that counts down the time to the checker could be disabled by unlinking it from the kernel checker. The kernel checker would then never receive the command to check, leaving the kernel vulnerable to hacks and rootkits.[9]
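The checker-and-timer arrangement described above, reduced to a toy model. This is an added illustration, not PatchGuard's code or anything from Microsoft; the protected table, the FNV-1a digest, the tick period and the `checker_alive` watchdog are all constructed assumptions. A digest of a protected structure is compared against a baseline each time the timer fires, and a separate liveness check compares how often the checker should have run with how often it actually did, so that a checker whose timer never fires is itself noticed rather than silently trusted.

```c
/* Toy model of a periodic kernel-integrity check and of the failure
 * mode where its timer stops firing. All names, values and the
 * "service table" are invented for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 4
#define CHECK_PERIOD 5   /* ticks between integrity checks (constructed) */

/* Stand-in for a protected kernel structure (constructed values). */
static uint64_t service_table[TABLE_SIZE] = { 0x1000, 0x2000, 0x3000, 0x4000 };

static uint64_t baseline_digest;
static int timer_armed;    /* 1 while the periodic check is scheduled */
static int elapsed_ticks;  /* clock model */
static int checks_run;     /* how often the checker actually executed */

/* FNV-1a 64-bit digest over the protected bytes. */
static uint64_t fnv1a64(const void *p, size_t n) {
    const uint8_t *b = (const uint8_t *)p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record the trusted state of the protected region and arm the timer. */
void kpp_init(void) {
    baseline_digest = fnv1a64(service_table, sizeof service_table);
    timer_armed = 1;
    elapsed_ticks = 0;
    checks_run = 0;
}

/* The integrity check itself: 1 if intact, 0 if modified
 * (the real feature would bugcheck the machine on 0). */
int kpp_check(void) {
    checks_run++;
    return fnv1a64(service_table, sizeof service_table) == baseline_digest;
}

/* Advance the clock by n ticks. The check fires once per CHECK_PERIOD
 * ticks while the timer is armed. Returns how many checks found a
 * modification. */
int advance_ticks(int n) {
    int violations = 0;
    for (int i = 0; i < n; i++) {
        elapsed_ticks++;
        if (timer_armed && elapsed_ticks % CHECK_PERIOD == 0 && !kpp_check())
            violations++;
    }
    return violations;
}

/* Liveness watchdog: compares the checks that should have run in the
 * elapsed time with the checks that did run. 1 if the checker is
 * keeping up, 0 if it has gone silent. */
int checker_alive(void) {
    return checks_run >= elapsed_ticks / CHECK_PERIOD;
}

/* Scenario: the timer stops firing (simulating the unlinked timer from
 * the article) and the table is modified afterwards. The periodic check
 * never sees the change; the watchdog notices that it never ran.
 * Returns 1 if the watchdog flags the silenced checker. */
int scenario_silenced_timer(void) {
    kpp_init();
    advance_ticks(10);                    /* two checks fire, both clean */
    int alive_before = checker_alive();   /* 1: checker keeping up */
    timer_armed = 0;                      /* simulated timer fault */
    service_table[2] = 0xBAD;             /* modification goes unchecked */
    int violations = advance_ticks(10);   /* 0: no check fires at all */
    int alive_after = checker_alive();    /* 0: two checks missed */
    return alive_before == 1 && violations == 0 && alive_after == 0;
}

int main(void) {
    printf("watchdog caught silenced checker: %s\n",
           scenario_silenced_timer() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that a periodic checker protects the structures it hashes but not its own schedule; a second, independent signal of "the checker has run recently" is what turns a missed check into a detectable event.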

Nevertheless, Microsoft is committed to removing any flaws that allow KPP to be bypassed as part of its Microsoft Security Response Center process.[10]

Antitrust behavior

The European Commission expressed concern over Kernel Patch Protection, believing it to be anticompetitive.[11] However, Microsoft's own antivirus product, Windows Live OneCare, has no special exception from KPP and will also have to be written to work with it.[12]

References

  1. ^ a b c d Allchin, Jim (2006-10-20). "Microsoft executive clarifies recent market confusion about Windows Vista Security". Microsoft. Retrieved 2006-11-30.
  2. ^ a b Field, Scott (2006-08-11). "An Introduction to Kernel Patch Protection". Windows Vista Security blog. Microsoft. Retrieved 2006-11-30.
  3. ^ Montalbano, Elizabeth (2006-10-06). "McAfee Cries Foul over Vista Security Features". PC World. Retrieved 2006-11-30.
  4. ^ "Symantec AntiVirus Corporate Edition: System Requirements". Symantec. 2006. Retrieved 2006-11-30.
  5. ^ Jaques, Robert (2006-10-23). "Symantec and McAfee 'should have prepared better' for Vista". vnunet.com. Retrieved 2006-11-30.
  6. ^ Fulton, Scott M., III (2006-10-20). "Sophos: Microsoft Doesn't Need to Open Up PatchGuard". BetaNews. Retrieved 2007-01-22.
  7. ^ Fulton, Scott M., III (2006-10-19). "Vista SP1 to Include Common Security APIs for Partners". BetaNews. Retrieved 2007-01-22.
  8. ^ Hines, Matt (2006-10-25). "Microsoft Decries Vista PatchGuard Hack". eWEEK. Retrieved 2006-11-30.
  9. ^ Skywing (2006). "Patching the Kernel Timer DPC Dispatcher". Subverting PatchGuard Version 2. Uninformed. Retrieved 2007-02-02.
  10. ^ Gewirtz, David (2006). "The great Windows Vista antivirus war". OutlookPower. Retrieved 2006-11-30.
  11. ^ Espiner, Tom (2006-10-25). "EC Vista antitrust concerns fleshed out". silicon.com. Retrieved 2006-11-30.
  12. ^ Jones, Jeff (2006-08-12). "Windows Vista x64 Security – Pt 2 – Patchguard". Jeff Jones Security Blog. Retrieved 2006-11-30.