Kernel Patch Protection

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of x64 editions of Microsoft Windows that prevents patching the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1.cite web
url=http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx
title=Kernel Patch Protection: Frequently Asked Questions
publisher=Microsoft
date=2007-01-22
accessdate=2007-07-30]

"Patching the kernel" refers to unsupported modification of the central component or kernel of the Windows operating system. Such modification has never been supported by Microsoft because it can greatly reduce system security and reliability. However, though Microsoft does not recommend it, it is technically possible to patch the kernel on x86 editions of Windows. But with the x64 editions of Windows, Microsoft chose to implement technical barriers to kernel patching.

Since patching the kernel is technically permitted in x86 editions of Windows, several antivirus software developers use kernel patching to implement antivirus and other security services. This kind of antivirus software will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection has been criticized for forcing antivirus makers to redesign their software without using kernel patching techniques.

Also, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching. This has led to additional criticism that since KPP is an imperfect defense, the problems caused to antivirus makers do not outweigh the benefits because malicious software will simply find ways around its defenses.

Technical overview

The Windows kernel is designed so that device drivers have the same privilege level as the kernel itself.cite web
url=http://uninformed.org/index.cgi?v=8&a=5&p=2
author=Skywing
title=Introduction
work=PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3
publisher=Uninformed
month=September
year=2007
accessdate=2007-09-20] In turn, device drivers are expected to not modify or "patch" core system structures within the kernel. In x86 editions of Windows, Windows does not enforce this expectation that drivers not patch the kernel. But because the expectation is not enforced on x86 systems, some programs, notably certain security and antivirus programs, were designed to perform needed tasks through loading drivers that modified core kernel structures.cite web
url=http://www.guardian.co.uk/technology/2006/sep/28/viruses.security
title=Antivirus vendors raise threats over Vista in Europe
last=Schofield
first=Jack
publisher=The Guardian
date=2006-09-28
accessdate=2007-09-20 "This has never been supported and has never been endorsed by us. It introduces insecurity, instability, and performance issues, and every time we change something in the kernel, their product breaks." —Ben Fathi, corporate vice president of Microsoft's security technology unit]

In x64 editions of Windows, Microsoft chose to begin to enforce the restrictions on what structures drivers can and cannot modify. Kernel Patch Protection is the technology that actually enforces these restrictions. It works by periodically checking to make sure that protected system structures in the kernel have not been modified. If a modification is detected, then Windows will initiate a bug check and shut down the system.cite web
url=http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx
title=Patching Policy for x64-Based Systems
publisher=Microsoft
date=2007-01-22
accessdate=2007-09-20]

Prohibited modifications include:
* Modifying system service tables
* Modifying the interrupt descriptor table
* Modifying the global descriptor table
* Using kernel stacks not allocated by the kernel
* Modifying or patching code contained within the kernel itself, or the HAL or NDIS kernel libraries [cite web
url=http://uninformed.org/index.cgi?v=3&a=3&p=7
title=System Images
work=Bypassing PatchGuard on Windows x64
author=skape
coauthors=Skywing
publisher=Uninformed
month=December
year=2005
accessdate=2007-09-21]

It should be noted that Kernel Patch Protection only defends against device drivers modifying the kernel. It does not offer any protection against one device driver patching another.cite web
url=http://uninformed.org/index.cgi?v=6&a=1&p=25
author=Skywing
title=Conclusion
work=Subverting PatchGuard Version 2
publisher=Uninformed
month=January
year=2007
accessdate=2007-09-21]

Ultimately, since device drivers have the same privilege level as the kernel itself, it is impossible to completely prevent drivers from bypassing Kernel Patch Protection and then patching the kernel.cite web
url=http://uninformed.org/index.cgi?v=3&a=3&p=3
title=Introduction
work=Bypassing PatchGuard on Windows x64
author=skape
coauthors=Skywing
publisher=Uninformed
month=December
year=2005
accessdate=2007-09-20] KPP does however present a significant obstacle to successful kernel patching. With highly obfuscated code and misleading symbol names, KPP employs security through obscurity to hinder attempts to bypass it. [cite web
url=http://uninformed.org/index.cgi?v=6&a=1&p=10
title=Misleading Symbol Names
author=Skywing
work=Subverting PatchGuard Version 2
publisher=Uninformed
month=December
year=2006
accessdate=2007-09-20] Periodic updates to KPP also make it a "moving target", as bypass techniques that may work for a while are likely to break with the next update. Since its creation in 2005, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.cite web
url=http://www.microsoft.com/technet/security/advisory/914784.mspx
author=Microsoft
title=Update to Improve Kernel Patch Protection
work=Microsoft Security Advisory (914784)
publisher=Microsoft
month=June
year=2006
accessdate=2007-09-21] cite web
url=http://www.microsoft.com/technet/security/advisory/932596.mspx
author=Microsoft
title=Update to Improve Kernel Patch Protection
work=Microsoft Security Advisory (932596)
publisher=Microsoft
month=August
year=2007
accessdate=2007-09-21]

Advantages

Patching the kernel has never been supported by Microsoft because it can cause a number of negative effects. Kernel Patch Protection protects against these negative effects, which include:
* The Blue Screen of Death, which results from serious errors in the kernel.cite web
url=http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx
title=An Introduction to Kernel Patch Protection
accessdate=2006-11-30
last=Field
first=Scott
date=2006-08-11
work=Windows Vista Security blog
publisher=Microsoft]
* Reliability issues resulting from multiple programs attempting to patch the same parts of the kernel.cite web
url=http://www.microsoft.com/security/windowsvista/allchin.mspx
title=Microsoft executive clarifies recent market confusion about Windows Vista Security
accessdate=2006-11-30
last=Allchin
first=Jim
authorlink=Jim Allchin
date=2006-10-20
publisher=Microsoft]
* Compromised system security.
* Rootkits can use kernel access to embed themselves in an operating system, becoming nearly impossible to remove.
* Products that rely on kernel modifications are likely to break with newer versions of Windows or updates to Windows that change the way the kernel works.

Microsoft's Kernel Patch Protection FAQ further explains:

Criticisms

Third-party applications

Some computer security software, such as McAfee's McAfee VirusScan and Symantec's Norton AntiVirus, works by patching the kernel. Additionally, anti-virus software authored by Kaspersky Lab has been known to make extensive use of kernel code patching on x86 editions of Windows. [cite web
url=http://uninformed.org/index.cgi?v=4&a=4&p=10
author=Skywing
title=Patching non-exported, non-system-service kernel functions
work=What Were They Thinking? Anti-Virus Software Gone Wrong
publisher=Uninformed
month=June
year=2006
accessdate=2007-09-21] This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection. [cite news
first=Elizabeth
last=Montalbano
title=McAfee Cries Foul over Vista Security Features
url=http://www.pcworld.in/news/index.jsp/artId=4587538
publisher=PC World
date=2006-10-06
accessdate=2006-11-30] Because of this, McAfee called for Microsoft to either remove KPP from Windows entirely or make exceptions for software made by trusted companies such as themselves.cite web
url=http://www.mcafee.com/us/local_content/misc/vista_position.pdf
title=Microsoft Increasing Security Risk with Vista
last=Samenuk
first=George
publisher=McAfee
date=2006-09-28
accessdate=2007-09-20] Interestingly, Symantec's "corporate" antivirus software does work on x64 editions of Windows despite KPP's restrictions. [cite web
url=http://www.symantec.com/enterprise/products/sysreq.jsp?pcid=1008&pvid=805_1
title=Symantec AntiVirus Corporate Edition: System Requirements
accessdate=2006-11-30
year=2006
publisher=Symantec]

Antivirus software made by competitors ESET, [cite web
url=http://www.eset.com/products/64bit.php
title=64-bit Protection
publisher=ESET
accessdate=2007-10-05] Trend Micro, [cite web
url=https://imperia.trendmicro-europe.com/us/products/enterprise/officescan-client-server-edition/system-requirements/index.html
title=Minimum System Requirements
publisher=Trend Micro USA
accessdate=2007-10-05] Grisoft, [cite web
url=http://www.grisoft.com/doc/324/us/crp/3
title=AVG Anti-Virus and Internet Security - Supported Platforms
publisher=Grisoft
accessdate=2007-10-05] and Sophos does not patch the kernel. Sophos publicly stated that it does not feel KPP limits the effectiveness of its software. [cite news
first=Robert
last=Jaques
title=Symantec and McAfee 'should have prepared better' for Vista
url=http://www.vnunet.com/vnunet/news/2167016/symantec-mcafee-should-prepared
publisher=vnunet.com
date=2006-10-23
accessdate=2006-11-30] [cite news
url=http://www.betanews.com/article/Sophos_Microsoft_Doesnt_Need_to_Open_Up_PatchGuard/1161379239
title=Sophos: Microsoft Doesn't Need to Open Up PatchGuard
date=2006-10-20
accessdate=2007-01-22
author=Fulton, Scott M., III
publisher=BetaNews]

[
Jim Allchin, then co-president of Microsoft, was an adamant supporter of Kernel Patch Protection.]

Contrary to some media reports, Microsoft will not weaken Kernel Patch Protection by making exceptions to it, though Microsoft has been known to relax its restrictions from time to time, such as for the benefit of hypervisor virtualization software. [cite news
url=http://www.infoworld.com/article/07/01/19/HNpatchguardstitch_1.html
title=Researcher: PatchGuard hotfix stitches up benefit to Microsoft
date=2007-01-19
accessdate=2007-09-21
author=McMillan, Robert
publisher=InfoWorld] Instead, Microsoft worked with third party companies to create new Application Programming Interfaces that help security software perform needed tasks without patching the kernel. These new interfaces were included in Windows Vista Service Pack 1. [cite web
url=http://technet2.microsoft.com/WindowsVista/en/library/005f921e-f706-401e-abb5-eec42ea0a03e1033.mspx?mfr=true
title=Notable Changes in Windows Vista Service Pack 1
publisher=Microsoft
year=2008
accessdate=2008-03-20]

On December 21, 2006, McAfee's chief scientist George Heron stated that McAfee was pleased with the progress Microsoft was making on the new APIs. [cite web
url=http://www.eweek.com/article2/0,1895,2075846,00.asp
title=Microsoft Gets Positive Feedback for Vista APIs
last=Hines
first=Matt
publisher=eWEEK
date=2006-12-21
accessdate=2007-07-05]

Weaknesses

Because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching. This led the computer security providers McAfee and Symantec to say that since KPP is an imperfect defense, the problems caused to security providers do not outweigh the benefits because malicious software will simply find ways around KPP's defenses.cite news
last=Gewirtz
first=David
authorlink=David Gewirtz
title=The great Windows Vista antivirus war
url=http://www.outlookpower.com/issuesprint/issue200611/00001883.html
publisher=OutlookPower
date=2006
accessdate=2006-11-30 "The system's already vulnerable. People have already hacked into PatchGuard. System is already vulnerable no matter what. PatchGuard has a chilling effect on innovation. The bad guys are always going to innovate. Microsoft should not tie the hands of the security industry so they can't innovate. We're concerned about out-innovating the bad guys out there." —Cris Paden, Manager on the Corporate Communication Team at Symantec]

In January 2006, security researchers known by the pseudonyms "skape" and "Skywing" published a report that describes methods, some theoretical, through which Kernel Patch Protection might be bypassed. [cite web
url=http://www.uninformed.org/?v=3&a=3
title=Bypassing PatchGuard on Windows x64
author=skape
coauthors=Skywing
publisher=Uninformed
date=2005-12-01
accessdate=2008-06-02] Skywing went on to publish a second report in January 2007 on bypassing KPP version 2, [cite web
url=http://uninformed.org/index.cgi?v=6&a=1
title=Subverting PatchGuard Version 2
author=Skywing
publisher=Uninformed
month=December
year=2006
accessdate=2008-06-02] and a third report in September 2007 on KPP version 3. [cite web
url=http://uninformed.org/index.cgi?v=8&a=5
title=PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3
author=Skywing
publisher=Uninformed
month=September
year=2007
accessdate=2008-06-02] Also, in October 2006 security company Authentium developed a working method to bypass KPP. [cite news
first=Matt
last=Hines
title=Microsoft Decries Vista PatchGuard Hack
url=http://www.eweek.com/article2/0,1759,2037052,00.asp
publisher=eWEEK
date=2006-10-25
accessdate=2007-07-30]

Nevertheless, Microsoft has stated that they are committed to remove any flaws that allow KPP to be bypassed as part of its standard Security Response Center process. [cite news
last=Gewirtz
first=David
title=The great Windows Vista antivirus war
url=http://www.outlookpower.com/issuesprint/issue200611/00001883.html
publisher=OutlookPower
date=2006
accessdate=2006-11-30] In keeping with this statement, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.

Antitrust behavior

In 2006, the European Commission expressed concern over Kernel Patch Protection, saying it was anticompetitive. [cite news
first=Tom
last=Espiner
title=EC Vista antitrust concerns fleshed out
url=http://software.silicon.com/os/0,39024651,39163525,00.htm
publisher=silicon.com
date=2006-10-25
accessdate=2006-11-30] However, Microsoft's own antivirus product, Windows Live OneCare, has no special exception to KPP. Instead, Windows Live OneCare uses (and has always used) methods other than patching the kernel to provide virus protection services. [cite web
url=https://blogs.technet.com/security/archive/2006/08/12/446104.aspx
title=Windows Vista x64 Security – Pt 2 – Patchguard
accessdate=2007-03-11
last=Jones
first=Jeff
publisher=Microsoft
date=2006-08-12
work=Jeff Jones Security Blog] Still, for other reasons an x64 edition of Windows Live OneCare was not available until November 15, 2007. [cite web
url=http://windowsvistablog.com/blogs/windowsvista/archive/2007/11/14/upgrade-to-next-version-of-windows-live-onecare-announced-for-all-subscribers.aspx
title=Upgrade to Next Version of Windows Live OneCare Announced for All Subscribers
last=White
first=Nick
work=Windows Vista Team Blog
publisher=Microsoft
date=2007-11-14
accessdate=2007-11-14]

References

External links

* [http://www.windows-now.com/blogs/robert/archive/2006/08/12/PatchGuard-and-Symantecs-Complaints-About-Windows-Vista.aspx The Truth About PatchGuard: Why Symantec Keeps Complaining]
* [http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx An Introduction to Kernel Patch Protection]
* [http://www.microsoft.com/security/windowsvista/allchin.mspx Microsoft executive clarifies recent market confusion about Windows Vista Security]
* [http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx Kernel Patch Protection: Frequently Asked Questions]
* [https://blogs.technet.com/security/archive/2006/08/12/446104.aspx Windows Vista x64 Security – Pt 2 – Patchguard]

Uninformed.org articles:
* [http://www.uninformed.org/?v=3&a=3 Bypassing PatchGuard on Windows x64]
* [http://www.uninformed.org/?v=6&a=1 Subverting PatchGuard Version 2]
* [http://www.uninformed.org/?v=8&a=5 PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3]

Working bypass approaches
* [http://www.codeproject.com/KB/vista-security/bypassing-patchguard.aspx A working driver to bypass PatchGuard 3 (including source code)]

Microsoft security advisories:
* [http://www.microsoft.com/technet/security/advisory/914784.mspx June 13, 2006 update to Kernel Patch Protection]
* [http://www.microsoft.com/technet/security/advisory/932596.mspx August 14, 2007 update to Kernel Patch Protection]