Kernel Patch Protection

The kernel connects the application software to the hardware of a computer.

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that is designed to prevent unsupported patching of the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1. [1]


"Patching the kernel" refers to unsupported modification of the central component, or kernel, of the Windows operating system. Microsoft has never supported such modification because, in its assessment, it can greatly reduce system security, reliability, and performance. [1] Patching the kernel is nonetheless technically possible on x86 editions of Windows; with the x64 editions, Microsoft chose to add technical barriers that detect and block it.

Since patching the kernel is possible in 32-bit (x86) editions of Windows, several antivirus software developers use kernel patching to implement antivirus and other security services. These techniques will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection resulted in antivirus makers having to redesign their software without using kernel patching techniques.

However, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching. [2] [3] This has led to criticism that since KPP is an imperfect defense, the problems caused to antivirus vendors outweigh the benefits because authors of malicious software will simply find ways around its defenses. [4] [5] Nevertheless, Kernel Patch Protection can still prevent problems of system stability, reliability, and performance caused by legitimate software patching the kernel in unsupported ways.

Technical overview

The Windows kernel is designed so that device drivers have the same privilege level as the kernel itself. [6] Device drivers are expected to not modify or patch core system structures within the kernel. [1] However, in x86 editions of Windows, Windows does not enforce this expectation. As a result, some x86 software, notably certain security and antivirus programs, were designed to perform needed tasks through loading drivers that modify core kernel structures. [6] [7]

In x64 editions of Windows, Microsoft began to enforce restrictions on which structures drivers may and may not modify. Kernel Patch Protection is the technology that enforces these restrictions. It works by periodically checking that protected system structures in the kernel have not been modified. If a modification is detected, Windows initiates a bug check and halts the system, [6] [8] showing a blue screen and, depending on the crash-recovery settings, rebooting automatically. The bug check code is 0x109, whose symbolic name is CRITICAL_STRUCTURE_CORRUPTION. Prohibited modifications include: [8]

  - modifying system service tables, for example by hooking KeServiceDescriptorTable;
  - modifying the interrupt descriptor table (IDT);
  - modifying the global descriptor table (GDT);
  - using kernel stacks that were not allocated by the kernel;
  - modifying or patching code within the kernel image itself, or within the HAL or NDIS kernel libraries. [9]

Kernel Patch Protection only defends against device drivers modifying the kernel. It does not offer any protection against one device driver patching another. [10]
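The two points above, the periodic integrity check over protected structures and the absence of any check over a driver's own structures, can be illustrated with a small user-mode simulation. This is an added example, not Microsoft's code and not how PatchGuard is actually implemented: the dispatch tables, the service routines and the "driver" hook are constructed for the illustration, and the FNV-1a checksum stands in for whatever integrity function the real implementation uses, which is undisclosed. The bug check value 0x109 is the real CRITICAL_STRUCTURE_CORRUPTION code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bug check code Windows raises when KPP finds a protected structure altered. */
#define CRITICAL_STRUCTURE_CORRUPTION 0x109u
#define TABLE_ENTRIES 4

typedef long (*svc_fn)(long);

/* Constructed stand-ins for kernel services (not real Windows routines). */
static long svc_read(long a)  { return a + 1; }
static long svc_write(long a) { return a + 2; }
static long svc_open(long a)  { return a + 3; }
static long svc_close(long a) { return a + 4; }

/* Protected structure: a dispatch table playing the role of the kernel's
 * system service table. KPP covers this region. */
static svc_fn kernel_service_table[TABLE_ENTRIES];

/* Unprotected structure: a table owned by a third-party driver. KPP does
 * not cover it, so one driver patching another here goes unnoticed. */
static svc_fn driver_private_table[TABLE_ENTRIES];

static void reset_tables(void)
{
    svc_fn clean[TABLE_ENTRIES] = { svc_read, svc_write, svc_open, svc_close };
    for (size_t i = 0; i < TABLE_ENTRIES; i++) {
        kernel_service_table[i] = clean[i];
        driver_private_table[i] = clean[i];
    }
}

/* FNV-1a 64-bit over a byte range. Assumption: PatchGuard's own checksum is
 * not public; any reasonable digest serves the illustration. */
static uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static uint64_t baseline;   /* recorded at "boot", before any driver loads */

void kpp_initialize(void)
{
    baseline = fnv1a64(kernel_service_table, sizeof kernel_service_table);
}

/* The periodic check: 0 when intact, the bug check code when tampered. */
unsigned kpp_check(void)
{
    uint64_t now = fnv1a64(kernel_service_table, sizeof kernel_service_table);
    return now == baseline ? 0u : CRITICAL_STRUCTURE_CORRUPTION;
}

/* What a hooking driver does: replace a table entry with its own filter
 * routine that wraps the original. */
static long hooked_write(long a) { return svc_write(a) * 10; }

unsigned scenario_hook_protected_table(void)
{
    reset_tables();
    kpp_initialize();
    kernel_service_table[1] = hooked_write;   /* hook the kernel's table */
    return kpp_check();                       /* 0x109 */
}

unsigned scenario_hook_driver_table(void)
{
    reset_tables();
    kpp_initialize();
    driver_private_table[1] = hooked_write;   /* patch another driver's table */
    return kpp_check();                       /* 0: outside KPP's coverage */
}

/* A hook installed and removed between two ticks of a periodic checker is
 * never seen; the window between checks is inherent to this design. */
unsigned scenario_transient_hook(void)
{
    reset_tables();
    kpp_initialize();
    kernel_service_table[1] = hooked_write;
    (void)kernel_service_table[1](5);         /* the hook does its work */
    kernel_service_table[1] = svc_write;      /* restored before the tick */
    return kpp_check();                       /* 0 */
}

int main(void)
{
    printf("hook protected table : 0x%x\n", scenario_hook_protected_table());
    printf("hook driver table    : 0x%x\n", scenario_hook_driver_table());
    printf("transient hook       : 0x%x\n", scenario_transient_hook());
    return 0;
}
```

The third scenario is the caveat a practitioner should keep in mind: a checker that samples state at intervals sees only what is present at the moment of sampling, which is one reason the text below describes KPP as an obstacle rather than a complete barrier.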

Ultimately, since device drivers have the same privilege level as the kernel itself, it is impossible to completely prevent drivers from bypassing Kernel Patch Protection and then patching the kernel. [2] KPP does, however, present a significant obstacle to successful kernel patching. With highly obfuscated code and misleading symbol names, KPP relies on security through obscurity to hinder attempts to bypass it. [6] [11] Periodic updates to KPP also make it a "moving target": bypass techniques that work for a while are likely to break with the next update. Between its introduction in 2005 and 2007, Microsoft released two major updates to KPP, each designed to break the bypass techniques known against the previous version. [6] [12] [13]

Advantages

Patching the kernel has never been supported by Microsoft because it can cause a number of negative effects. [7] Kernel Patch Protection protects against these negative effects, which include: [1] [14]

  - serious errors in the kernel, since third-party code replaces kernel code that was never tested together with it;
  - reliability problems when several programs attempt to patch the same parts of the kernel;
  - weakened system security, since the same techniques let rootkits embed themselves in the operating system and hide;
  - reduced performance.

Microsoft's Kernel Patch Protection FAQ further explains: [1]

Because patching replaces kernel code with unknown, untested code, there is no way to assess the quality or impact of the third-party code...An examination of Online Crash Analysis (OCA) data at Microsoft shows that system crashes commonly result from both malicious and non-malicious software that patches the kernel.

Criticisms

Third-party applications

Some computer security software, such as McAfee's VirusScan and Symantec's Norton AntiVirus, worked by patching the kernel on x86 systems. [citation needed] Antivirus software authored by Kaspersky Lab has been known to make extensive use of kernel code patching on x86 editions of Windows. [16] Antivirus software built this way will not work on computers running x64 editions of Windows because of Kernel Patch Protection. [17] Because of this, McAfee called for Microsoft either to remove KPP from Windows entirely or to make exceptions for software made by "trusted companies" such as itself. [4]

Symantec's corporate antivirus software [18] and Norton 2010 range and beyond [19] worked on x64 editions of Windows despite KPP's restrictions, although with less ability to provide protection against zero-day malware. Antivirus software made by competitors ESET, [20] Trend Micro, [21] Grisoft AVG, [22] avast!, Avira Anti-Vir and Sophos do not patch the kernel in default configurations, but may patch the kernel when features such as "advanced process protection" or "prevent unauthorized termination of processes" are enabled. [23]

Jim Allchin, then co-president of Microsoft, was an adamant supporter of Kernel Patch Protection.

Microsoft does not weaken Kernel Patch Protection by making exceptions to it, though Microsoft has been known to relax its restrictions from time to time, such as for the benefit of hypervisor virtualization software. [10] [24] Instead, Microsoft worked with third-party companies to create new Application Programming Interfaces that help security software perform needed tasks without patching the kernel. [15] These new interfaces were included in Windows Vista Service Pack 1. [25]

Weaknesses

Because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching. [2] This led the computer security providers McAfee and Symantec to say that since KPP is an imperfect defense, the problems caused to security providers outweigh the benefits, because malicious software will simply find ways around KPP's defenses and third-party security software will have less freedom of action to defend the system. [4] [5]

In January 2006, security researchers known by the pseudonyms "skape" and "Skywing" published a report that describes methods, some theoretical, through which Kernel Patch Protection might be bypassed. [26] Skywing went on to publish a second report in January 2007 on bypassing KPP version 2, [27] and a third report in September 2007 on KPP version 3. [28] Also, in October 2006 security company Authentium developed a working method to bypass KPP. [29]

Nevertheless, Microsoft has stated that it is committed to removing any flaws that allow KPP to be bypassed as part of its standard Security Response Center process. [30] In keeping with this statement, Microsoft had by 2007 released two major updates to KPP, each designed to break the bypass techniques known against the previous version. [6] [12] [13]

Antitrust behavior

In 2006, the European Commission expressed concern over Kernel Patch Protection, saying it was anticompetitive. [31] However, Microsoft's own antivirus product, Windows Live OneCare, had no special exception to KPP. Instead, Windows Live OneCare used (and had always used) methods other than patching the kernel to provide virus protection services. [32] Still, for other reasons an x64 edition of Windows Live OneCare was not available until November 15, 2007. [33]


References

  1. "Kernel Patch Protection: Frequently Asked Questions". Microsoft. 22 January 2007. Retrieved 30 July 2007.
  2. skape; Skywing (December 2005). "Introduction". Bypassing PatchGuard on Windows x64. Uninformed. Archived from the original on 17 August 2016. Retrieved 20 September 2007.
  3. dushane (3 April 2023). PatchGuardBypass. Retrieved 3 April 2023.
  4. Samenuk, George (28 September 2006). "Microsoft Increasing Security Risk with Vista". McAfee. Retrieved 8 July 2013.
  5. Gewirtz, David (2006). "The great Windows Vista antivirus war". OutlookPower. Archived from the original on 1 February 2013. Retrieved 8 July 2013. "The system's already vulnerable. People have already hacked into PatchGuard. System is already vulnerable no matter what. PatchGuard has a chilling effect on innovation. The bad guys are always going to innovate. Microsoft should not tie the hands of the security industry so they can't innovate. We're concerned about out-innovating the bad guys out there." —Cris Paden, Manager on the Corporate Communication Team at Symantec
  6. Skywing (September 2007). "Introduction". PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3. Uninformed. Archived from the original on 3 March 2016. Retrieved 20 September 2007.
  7. Schofield, Jack (28 September 2006). "Antivirus vendors raise threats over Vista in Europe". The Guardian. Retrieved 20 September 2007. "This has never been supported and has never been endorsed by us. It introduces insecurity, instability, and performance issues, and every time we change something in the kernel, their product breaks." —Ben Fathi, corporate vice president of Microsoft's security technology unit
  8. "Patching Policy for x64-Based Systems". Microsoft. 22 January 2007. Retrieved 20 September 2007.
  9. skape; Skywing (December 2005). "System Images". Bypassing PatchGuard on Windows x64. Uninformed. Archived from the original on 17 August 2016. Retrieved 21 September 2007.
  10. Skywing (January 2007). "Conclusion". Subverting PatchGuard Version 2. Uninformed. Archived from the original on 4 March 2016. Retrieved 21 September 2007.
  11. Skywing (December 2006). "Misleading Symbol Names". Subverting PatchGuard Version 2. Uninformed. Archived from the original on 3 March 2016. Retrieved 20 September 2007.
  12. Microsoft (June 2006). "Update to Improve Kernel Patch Protection". Microsoft Security Advisory (914784). Microsoft. Retrieved 21 September 2007.
  13. Microsoft (August 2007). "Update to Improve Kernel Patch Protection". Microsoft Security Advisory (932596). Microsoft. Retrieved 21 September 2007.
  14. Field, Scott (11 August 2006). "An Introduction to Kernel Patch Protection". Windows Vista Security blog. Microsoft. Retrieved 30 November 2006.
  15. Allchin, Jim (20 October 2006). "Microsoft executive clarifies recent market confusion about Windows Vista Security". Microsoft. Retrieved 30 November 2006.
  16. Skywing (June 2006). "Patching non-exported, non-system-service kernel functions". What Were They Thinking? Anti-Virus Software Gone Wrong. Uninformed. Retrieved 21 September 2007.
  17. Montalbano, Elizabeth (6 October 2006). "McAfee Cries Foul over Vista Security Features". PC World. Archived from the original on 5 April 2007. Retrieved 30 November 2006.
  18. "Symantec AntiVirus Corporate Edition: System Requirements". Symantec. 2006. Archived from the original on 15 May 2007. Retrieved 30 November 2006.
  19. "Symantec Internet Security product page". Symantec. 2011. Retrieved 26 January 2011.
  20. "High-performance threat protection for the next-generation of 64-bit computers". ESET. Archived from the original on 20 November 2008.
  21. "Minimum System Requirements". Trend Micro USA. Archived from the original on 8 February 2012. Retrieved 5 October 2007.
  22. "AVG Anti-Virus and Internet Security - Supported Platforms". Grisoft. Archived from the original on 27 August 2007. Retrieved 5 October 2007.
  23. Jaques, Robert (23 October 2006). "Symantec and McAfee 'should have prepared better' for Vista". vnunet.com. Archived from the original on 27 September 2007. Retrieved 30 November 2006.
  24. McMillan, Robert (19 January 2007). "Researcher: PatchGuard hotfix stitches up benefit to Microsoft". InfoWorld. Retrieved 21 September 2007.
  25. "Notable Changes in Windows Vista Service Pack 1". Microsoft. 2008. Archived from the original on 3 May 2008. Retrieved 20 March 2008.
  26. skape; Skywing (1 December 2005). "Bypassing PatchGuard on Windows x64". Uninformed. Archived from the original on 1 August 2017. Retrieved 2 June 2008.
  27. Skywing (December 2006). "Subverting PatchGuard Version 2". Uninformed. Retrieved 2 June 2008.
  28. Skywing (September 2007). "PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3". Uninformed. Retrieved 2 June 2008.
  29. Hines, Matt (25 October 2006). "Microsoft Decries Vista PatchGuard Hack". eWEEK. Retrieved 2 April 2016.
  30. Gewirtz, David (2006). "The great Windows Vista antivirus war". OutlookPower. Archived from the original on 4 September 2007. Retrieved 30 November 2006.
  31. Espiner, Tom (25 October 2006). "EC Vista antitrust concerns fleshed out". silicon.com. Archived from the original on 2 February 2007. Retrieved 30 November 2006.
  32. Jones, Jeff (12 August 2006). "Windows Vista x64 Security – Pt 2 – Patchguard". Jeff Jones Security Blog. Microsoft. Archived from the original on 9 December 2008. Retrieved 11 March 2007.
  33. White, Nick (14 November 2007). "Upgrade to Next Version of Windows Live OneCare Announced for All Subscribers". Windows Vista Team Blog. Microsoft. Archived from the original on 1 February 2008. Retrieved 14 November 2007.
