Author Topic: Vista's PatchGuard Bypassed  (Read 4084 times)


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • Posts: 17914
  • Fnord.
  • SkullSecurity
Vista's PatchGuard Bypassed
« on: October 24, 2006, 10:43:10 pm »
Doesn't bode well....

Via eWeek:

Quote
Security software maker Authentium says that it has created a new version of its flagship product that circumvents the PatchGuard kernel protection technology being added to Microsoft's next-generation Vista operating system.

The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.

More:
http://www.eweek.com/article2/0,1759,2036585,00.asp

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • Posts: 7503
  • One for a Dime two for a Quarter!
Re: Vista's PatchGuard Bypassed
« Reply #1 on: October 25, 2006, 03:59:50 pm »
It isn't "Vista's" patchguard, it's been in Windows since Windows 2003. It's suspicious that it hasn't been broken until now. Do they have any proof? Has any 3rd party confirmed this?
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • Posts: 17914
  • Fnord.
  • SkullSecurity
Re: Vista's PatchGuard Bypassed
« Reply #2 on: October 25, 2006, 04:20:44 pm »
Windows 2003 let you hook kernel calls, didn't it?  The same anti-virus works for it that works for other Windowses, so it can't be the same as Vista. 

And I don't know about "proof" -- we'll see.

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • Posts: 7503
  • One for a Dime two for a Quarter!
Re: Vista's PatchGuard Bypassed
« Reply #3 on: October 25, 2006, 05:09:58 pm »
Quote
"PatchGuard was first introduced in the x64 edition of Windows Server 2003 Service Pack 1, and was included in Windows XP Professional x64 edition. However in the initial implementation, it could be subverted when used with hardware virtualization systems, by injecting unsigned code when the kernel memory was paged out[19]. To block this, in the Release Client releases and later, Microsoft blocked raw disc access from user mode applications. But this can cause compatibility problems with older disc utilities.[20]"

Maybe Vista improves it somehow, but that's how it was on Windows 2K3.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • Posts: 17914
  • Fnord.
  • SkullSecurity
Re: Vista's PatchGuard Bypassed
« Reply #4 on: October 25, 2006, 05:30:31 pm »
Quote
"PatchGuard was first introduced in the x64 edition of Windows Server 2003 Service Pack 1, and was included in Windows XP Professional x64 edition. However in the initial implementation, it could be subverted when used with hardware virtualization systems, by injecting unsigned code when the kernel memory was paged out[19]. To block this, in the Release Client releases and later, Microsoft blocked raw disc access from user mode applications. But this can cause compatibility problems with older disc utilities.[20]"
They blocked direct access, yeah, but any program with a signed kernel level component (whatever they're called) still has direct access, and can be manipulated by malicious programs to cause the same problem.  As a result, the fix has been called useless.  I'm not an expert, so take it with a grain of salt.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • Posts: 17914
  • Fnord.
  • SkullSecurity
Re: Vista's PatchGuard Bypassed
« Reply #5 on: October 25, 2006, 07:06:51 pm »
I like this line somebody posted to a mailing list:

"The bad guys will [likely] be able to find another hole. It doesn't matter to them if the hole is later patched, as they only need their software to install once."

And it's true.  One vulnerability, and malware installs.  How do you get rid of it?  You don't. 

<edit> back to the original point: I think that the Win2k3 64-bit anti-virus programs are severely crippled, but Vista is going to bring the problems to the home user.  At least, that's what I understand from what I've been reading.
« Last Edit: October 25, 2006, 07:17:53 pm by iago »

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • Posts: 17914
  • Fnord.
  • SkullSecurity
Re: Vista's PatchGuard Bypassed
« Reply #6 on: October 25, 2006, 07:25:10 pm »
Sorry for so many posts, but I'm reading a big thread about this on a security board.  Here's Microsoft's response:

Quote
Microsoft officials say they are unhappy that security software maker Authentium has decided to bypass the controversial PatchGuard kernel protection feature in its next-generation Vista operating system, and said that the tactic could lead to eventual problems for users of the company's software.

Responding to Authentium's move to circumvent PatchGuard in its products, company officials said that the decision to hack the feature could prove unwise for the security vendor as Microsoft will work to close off any flaws that allow unauthorized kernel interaction, making technologies dependent on such access obsolete.

As a result, users of applications that circumvent PatchGuard could find themselves unprotected from attack, or dealing with other problems driven by a lack of authorized integration between Vista and those products.

More:
http://www.eweek.com/article2/0,1759,2037052,00.asp


Somehow, that doesn't fill me with confidence.  Like I said last post, all it takes is one vulnerability, and malware will be able to do whatever it wants, unstopped.

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • Posts: 7503
  • One for a Dime two for a Quarter!
Re: Vista's PatchGuard Bypassed
« Reply #7 on: October 28, 2006, 08:23:01 pm »
In the end though, who's right here? Microsoft for wanting to close off the kernel to anyone but them, or the security people for wanting to make their Antiviruses better?

It looks to me like the AV companies simply go out looking for vulns in Windows to keep their profits on their product up. If there are no visible holes, rather than use the Security APIs Microsoft is planning to make open (which Windows Defender uses in Vista), they'd rely on existing holes in Windows.

I think the AV companies are wrong, but I also think Microsoft needs to stop adding bandaids all over its OS and just fix the damn holes.

No matter how well Patchguard protects the system, IF malware gets into the kernel, Windows is screwed.

Attack the problem at the root, don't just try to circumvent it.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • Posts: 17914
  • Fnord.
  • SkullSecurity
Re: Vista's PatchGuard Bypassed
« Reply #8 on: October 28, 2006, 08:32:14 pm »
Quote
No matter how well Patchguard protects the system, IF malware gets into the kernel, Windows is screwed.
Exactly, which is why they need anti-malware programs that can clean malware that's acting like kernel drivers. 

Offline Skywing

  • Full Member
  • Posts: 139
  • Nynaeve
Re: Vista's PatchGuard Bypassed
« Reply #9 on: December 04, 2006, 11:53:17 am »
I think that there is a bit of confusion on what exactly PatchGuard is supposed to accomplish.  I don't really think that it's an antimalware initiative so much as something to force third party driver vendors that do sleazy things (of which I would absolutely rate AV/security software as #1 in doing badness in kernel land on Windows) to clean up their act a bit.  There might be a lil bit of marketing spin to that effect, but I seriously doubt that malware prevention is the real purpose here.

PatchGuard is not out there to stop the "bad guys" from rootkit'ing your box.  It is, however, designed to stop the McAfees of the world from designing, shipping, and supporting products that rely on unsafe hacks on a large scale (at least in my opinion).  I would imagine that PatchGuard is in this respect mostly a stopgap designed to make the large scale implementation of kernel patching on released products difficult enough to be not worth it (especially from a support perspective, when your target can change with any hotfix, as it did when PatchGuard v2 was deployed to Windows Server 2003 x64 in a critical update some months ago) until there is sufficient infrastructure in place in the operating system to take advantage of the new hardware support in most shipping processors today to prevent kernel patching after boot.

For all the bad press people give Microsoft, they have some very smart people working for them, and they have no illusions about protecting against malware running with the same privilege set as the kernel.  PatchGuard is not about malware, it's about stopping people from releasing software that does things like poke internal structures without proper synchronization, hook system calls without validating usermode-based parameters, and other things that generally destroy the reliability and security of the system as a whole.  These same people also know that PatchGuard in its current form is only a road bump (and a defeatable one at that if one is so determined), in the form of obfuscation and the like, to prevent this sort of behavior in kernel drivers.  The key is to make the target changeable enough that vendors will think twice before trying to support something that attempts to hack around PatchGuard.

That being said, I don't necessarily agree that PatchGuard is the best solution to the problem.  There are a number of very interesting things that you could only do by patching the kernel on Windows, but unfortunately, at this point, the number of vendors that use this power "for evil" (read: introducing instability and security holes) seems to be the majority.  It will be interesting to see how Microsoft intends to address this in the future, as there are a couple of legitimate products I know of which are negatively impacted by PatchGuard.

BTW, about the operating systems supported by PatchGuard: This includes x64 versions of Windows Server 2003, and x64 versions of Windows Vista.  (The x64 version of Windows XP uses the Windows Server 2003 x64 kernel, and thus also has PatchGuard included.)  x86 versions of the above operating systems do not have any kind of patch protection mechanisms like PatchGuard.

Oh, and as a quick side note: The more conspiracy-theorist-minded among you might see some interesting parallels with hardware-based kernel patch protection, TPM, kernelmode code signing requirements, and the like.  I'll leave it up to you to decide where things are really going with that, though.
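Skywing's point about hooks that skip "validating usermode-based parameters" is worth making concrete. The following is an added example, not code from this thread or from any product discussed in it: a user-mode model of the range check a kernel-side routine must perform before reading a caller-supplied buffer (on Windows this is what ProbeForRead does against MmUserProbeAddress; the boundary constant below is a constructed stand-in). It sets the classic broken check, which computes `addr + len` and can wrap, beside a version that cannot.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed, illustrative user/kernel boundary. The real kernel reads this
 * from MmUserProbeAddress; the value here is only a plausible 64-bit layout. */
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

/* The mistake: compare the end pointer directly. When len is large enough,
 * addr + len wraps past zero and the comparison wrongly succeeds, so a hook
 * that trusts this can be steered to read kernel memory. */
bool naive_range_ok(uint64_t addr, uint64_t len) {
    uint64_t end = addr + len;                 /* may wrap around */
    return end <= USER_PROBE_ADDRESS;
}

/* The check a careful handler performs: alignment, start below the boundary,
 * and a length test written as a subtraction so it cannot wrap.
 * Returns true only if [addr, addr + len) lies entirely in user space. */
bool user_range_ok(uint64_t addr, uint64_t len, uint64_t alignment) {
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return false;                          /* alignment must be a power of two */
    if (addr & (alignment - 1))
        return false;                          /* misaligned pointer */
    if (len == 0)
        return true;                           /* empty range reads nothing */
    if (addr >= USER_PROBE_ADDRESS)
        return false;                          /* starts in kernel space */
    /* Compare the length against the room left below the boundary instead of
     * forming addr + len, which is how the wrap-around above is avoided. */
    if (len > USER_PROBE_ADDRESS - addr)
        return false;                          /* crosses into kernel space */
    return true;
}

/* Model of a hooked call that copies a caller-described buffer into a
 * bounded kernel-side scratch area. 'backing' stands in for the bytes at
 * the claimed address in this user-mode model. Returns bytes copied, or -1
 * if the descriptor is rejected before any access is attempted. */
#define SCRATCH_SIZE 64
int hooked_copy_from_user(uint64_t user_addr, uint64_t len,
                          const uint8_t *backing, uint8_t *scratch) {
    if (!user_range_ok(user_addr, len, 1))
        return -1;                             /* reject bad ranges first */
    if (len > SCRATCH_SIZE)
        return -1;                             /* caller-controlled length is bounded */
    for (uint64_t i = 0; i < len; i++)
        scratch[i] = backing[i];
    return (int)len;
}
```

The wrap case is the one to remember: for `addr = 0x1000` and `len = UINT64_MAX`, the naive check accepts because the end pointer wraps to `0xFFF`, while `user_range_ok` rejects because `len` exceeds the room below the boundary.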