New Code Signing Rules


Giving 64-bit More Armor

Microsoft made its first foray into the 64-bit computing world in Windows XP and Windows Server 2003. Although the 64-bit market has not yet fully expanded, more computer manufacturers are pushing 64-bit processors. While 64-bit processors have been used in servers during the last two years, the fact that they have dramatically come down in price is also making many people move into the 64-bit world for their general computing.

What's so great about 64-bit, though? Is it just another shiny whiz-bang addition that doesn't really matter? Actually, 64-bit processors make working with databases, digital video, and large datasets much faster and easier. In addition, 64-bit clusters have higher reliability than 32-bit clusters.

Vista includes two major updates for the 64-bit architecture (actually, only one is new, but we'll talk about that in a minute): new driver signing rules and a kernel patching protection feature, commonly called "PatchGuard." We'll consider that first.

PatchGuard

Kernel Patch Protection, often referred to as "PatchGuard," is not new to Windows Vista; it was included in the 64-bit editions of Windows XP Professional and Windows Server 2003 SP1. However, it didn't receive much attention at that time. This lack of fanfare may have been the result of a lack of 64-bit presence in the market. Regardless, PatchGuard is back in the 64-bit edition of Windows Vista, and there have been a lot more people talking about it, including third-party security vendors and antivirus providers.

Before we can talk about why Kernel Patch Protection is contentious or helpful, we must first discuss what it is. Kernel Patch Protection protects the system kernel (the lowest, most central part of the operating system) from tampering. The kernel must be protected since all applications and the Windows graphical interface run on top of it. The kernel is also the first piece of operating system code that runs when you boot your computer. Clearly, if the kernel is damaged, you're in trouble. Microsoft Knowledge Base articles 146419, 155892, and 327101 detail how to recover from a missing or damaged kernel file, but, in all honesty, we shouldn't have to do this. The kernel must be protected. Most kernel problems result from a hardware failure, a malware intrusion, or a patching error. While Windows can't prevent hardware failures, it can help prevent kernel patching. Vista's User Account Control will help alert you when malware attempts to install. However, if you click Continue or provide admin credentials for a rootkit, you're toast. Or are you?

Let's delve into how Vista Kernel Patch Protection mitigates rootkit and other malware attacks. Again, Kernel Patch Protection only applies to the 64-bit edition of Windows Vista. Microsoft wants to make the Blue Screen of Death (BSoD) history in Vista. The BSoD occurs when an error in the kernel presents itself or when a driver running in the kernel experiences an error. When you see the BSoD in Windows, you know it's time to reboot and hope that it doesn't recur.

Microsoft has always considered kernel patching (also called "kernel hooking") to be a no-no. Kernel patching involves using unsupported methods to replace part of the kernel code or to update ("patch") the kernel. When the kernel is patched, it can become unstable and unpredictable. In fact, you often see the BSoD after a kernel patch has been applied. The fact is, most people who patch the kernel are attacking it: malware and virus writers.

There is one major caveat here (which will make it very clear why Kernel Patch Protection is receiving a lot of buzz): antivirus and anti-malware vendors often use kernel patching to intercept system calls from code they have identified as malware. However, by running these programs in the kernel, the vendors can cause problems with the computer's reliability and performance.

When a rootkit is applied to a computer, often, all of its processes are invisible to the user. In fact, if you check the running processes by using Task Manager (Ctrl-Alt-Del in Vista and click Start Task Manager), you won't see the rootkit's processes running there at all. This means that the rootkit is invisible even to the computer's infrastructure itself. By placing itself into the system's kernel, the rootkit can penetrate into the bowels of the operating system to install other malware, such as a keylogger that traps your banking and computer passwords.

How does 64-bit computing on Windows Vista get us out of this nightmare?

Note 

Kernel Patch Protection is currently not supported on 32-bit or ia64 architectures.

Kernel Patch Protection actively monitors the kernel to determine whether any unauthorized kernel patching is being attempted. If Vista does detect that something is attempting to modify the kernel, it shuts down the computer.

While it would be nice if Kernel Patch Protection were a panacea or shield for all malware and viruses, it's unrealistic to believe that. Kernel Patch Protection will not prevent all malware from installing on the computer, but it will prevent malware from attacking the system by using kernel patching. As the most fundamental layer of the operating system, the integrity of the kernel must be preserved.

Great, PatchGuard Breaks My App: What Do I Do Now?

This is where we get into the contentious points of Kernel Patch Protection: where it breaks existing 64-bit applications. If you're running an antivirus or anti-malware application, chances are that the application uses kernel patching to monitor malicious activity. Yet on 64-bit Vista, applications must not modify the kernel or its resources. You can just imagine the horrible user experience caused by a buggy 64-bit application that continually attempts to modify the Vista kernel: shutdown after shutdown.
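As an added defender-side example (not from the book), here is how an administrator might recognise those Kernel Patch Protection shutdowns after the fact: on 64-bit Windows, Kernel Patch Protection halts the machine with bug check 0x109 (CRITICAL_STRUCTURE_CORRUPTION), which after the reboot is recorded in the System event log as Event ID 1001 from source BugCheck, with parameter 4 identifying which protected structure was modified. The parser below is mine, its log lines are constructed, the timestamp prefix format is an assumption, and the decoded region codes are a subset of the documented parameter-4 values.

```python
import re
from datetime import datetime, timedelta

# Message text of System log Event ID 1001 (source "BugCheck") after a crash reboot.
BUGCHECK_RE = re.compile(
    r"bugcheck was: 0x(?P<code>[0-9a-fA-F]{8}) \((?:0x[0-9a-fA-F]+, ){3}0x(?P<p4>[0-9a-fA-F]+)\)")
PATCHGUARD_CODE = 0x109  # CRITICAL_STRUCTURE_CORRUPTION, raised by Kernel Patch Protection
# Subset of the documented meanings of parameter 4 for bug check 0x109; the chapter's
# forbidden actions (patch the kernel, modify IDT/GDT/service tables) map onto these.
REGION = {0x0: "generic data region", 0x1: "function or .pdata modified",
          0x2: "processor IDT", 0x3: "processor GDT", 0xA: "system service function modified"}

def parse_bugcheck(line):
    """Return (timestamp, bugcheck code, parameter 4) for a 1001 line, else None."""
    m = BUGCHECK_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")  # assumed line prefix format
    return ts, int(m.group("code"), 16), int(m.group("p4"), 16)

def patchguard_events(lines):
    """Keep only Kernel Patch Protection halts, decoding which structure was touched."""
    out = []
    for line in lines:
        parsed = parse_bugcheck(line)
        if parsed and parsed[1] == PATCHGUARD_CODE:
            ts, _, p4 = parsed
            out.append((ts, REGION.get(p4, "other protected structure (0x%x)" % p4)))
    return out

def repeat_offender(events, window_hours=24.0, threshold=2):
    """True when >= threshold halts fall inside one window: the 'shutdown after
    shutdown' signature of a driver that keeps trying to patch the kernel."""
    window = timedelta(hours=window_hours)
    times = sorted(ts for ts, _ in events)
    return any(sum(1 for t in times[i:] if t - times[i] <= window) >= threshold
               for i in range(len(times)))

# Constructed sample lines in the shape of System log 1001 entries (not real data).
SAMPLE = [
    "2007-03-01 08:12:44 BugCheck 1001 The computer has rebooted from a bugcheck. The bugcheck was: "
    "0x00000109 (0xa3a01f5891a5dd42, 0xb3b72bdf0f8b0a95, 0x0000000000000002, 0x0000000000000002).",
    "2007-03-01 09:05:10 BugCheck 1001 The computer has rebooted from a bugcheck. The bugcheck was: "
    "0x0000007e (0xffffffffc0000005, 0xfffff80001234567, 0xfffffa6001ae2000, 0xfffffa6001ae1800).",
    "2007-03-01 17:40:02 BugCheck 1001 The computer has rebooted from a bugcheck. The bugcheck was: "
    "0x00000109 (0xa3a01f5891a5dd42, 0xb3b72bdf0f8b0a95, 0x0000000000000001, 0x000000000000000a).",
]
```

patchguard_events(SAMPLE) returns the two 0x109 entries (an IDT modification and a system service function modification) and ignores the ordinary 0x7e crash between them; repeat_offender() then flags the machine because both halts fall within 24 hours.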

Where does that leave the antivirus and anti-malware makers in the 64-bit world? There are some alternatives to kernel patching.

  • If an application uses kernel patching to inspect network packets, such as a firewall, it can instead use the Windows Filtering Platform (WFP). The WFP allows for an in-depth analysis of TCP/IP packets and the TCP/IP processing path. WFP also enables applications like antivirus and firewalls to both examine and change packets before they are further processed. WFP is a set of services and application programming interfaces (APIs) and cannot be implemented itself as a service. Windows Firewall is based on the WFP technologies.

  • Antivirus and anti-malware software can use the "mini filter model" in Vista's file system.

  • Applications that need to access the Registry can use registry notification hooks. Microsoft first introduced registry notification hooks in Windows XP.

Applications and drivers that attempt to patch the kernel must be modified to use only supported, public interfaces. If you can't redesign your application or driver to use one of these supported interfaces, then there is no way to perform the action on 64-bit Vista and still be secure.

The truth is that there have been a lot of changes in Vista that affect third-party application developers. Nearly all of these changes were made to improve the security of the operating system. However, developers will have to be steadfast about researching application development requirements for Vista. In fact, Microsoft has asked that developers who are uncertain about or confused by its development recommendations and requirements contact it at msra@microsoft.com.

Even Microsoft's own applications have to follow the Vista application rules and receive no special treatment. No Vista 64-bit code may modify the kernel. Vista requires that all developers, whether third-party or Microsoft's own, use secure development methods through supported interfaces.

Applications that perform the following actions violate Vista's kernel patching rules:

  • Patch the kernel.

  • Modify the interrupt descriptor table.

  • Modify the global descriptor table.

  • Modify system service tables.

  • Use kernel stacks not allocated by the kernel.

Microsoft has also made it clear that it will further enhance Kernel Patch Protection in the future by extending it to protect other kernel resources, but the specific kernel resources have not yet been cited.

So, You Want to Disable PatchGuard

Sorry, you can't disable Kernel Patch Protection on 64-bit systems. There is no exposed user interface for modifying this behavior. In all honesty, disabling this feature would make it easier to run some legacy applications, but it would also place you back into the uncertain realm of random drivers and applications modifying the kernel. Unfortunately, the term "kernel patching" does not immediately communicate its negative impact.

Note 

Kernel Patch Protection is disabled in one instance: when a kernel debugger is attached to the computer. A kernel debugger is a separate computer running programs that allow it to peer into the memory and registers of the first computer; it is used for low-level software debugging.




Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
Year: 2004
Pages: 101