Windows' Patchguard Hinders Security Vendors

Posted by CowboyNeal on Fri Aug 11, 2006 12:41 PM
from the only-game-in-town dept.
eldavojohn writes "Windows' PatchGuard seems to be upsetting third party security vendors such as Symantec, Sana Security and Agnitum. It sounds like the 'black hats' will be able to bypass this security feature (which will be in all copies of Vista) but force security software companies to give up developing software for Windows. From the article: 'PatchGuard will make it harder for third parties, particularly host intrusion-prevention software, to function in Vista,' said Yankee Group analyst Andrew Jaquith. 'Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use "black hat" techniques to bypass the restrictions.' Apparently, using these techniques is not a difficult trick."

Related Stories

Security Companies Tussle With MS Security Center
hey0you0guy writes, "The large security firms such as Symantec and McAfee want Microsoft to allow them to replace Microsoft's Windows Security Center. Microsoft is refusing these requests. 'By imposing the Windows Security Center on all Windows users, Microsoft is defining a template through which everybody looks at security,' Bruce McCorkendale, a chief engineer at Symantec, said in an interview. 'How do we trust that Microsoft knows what all the important things about security are to warn users about?' Given Microsoft's past, with vast piles of security flaws and patches, they should at least cooperate with these companies. A dispute still exists over PatchGuard, a security feature that Microsoft says is designed to guard core parts of the 64-bit version of Vista, but which critics say locks out helpful software from security rivals."
  • Oh noes! (Score:5, Insightful)

    by Aladrin (926209) on Friday August 11 2006, @12:46PM (#15890257)
    "Oh noes, windows has security! What'll we do?"

    C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too. Any blackhat technique they use would be immediately patched by Microsoft. Doesn't take a genius to see that.
    • Re:Oh noes! (Score:4, Interesting)

      by timeOday (582209) on Friday August 11 2006, @01:01PM (#15890364)
      I agree, this sort of system software IS going to break with each security rev of Windows. It only stands to reason that breaking viruses, which is what MS wants to do, is likely to break anti-virus software as well.
      • Re:Oh noes! (Score:5, Insightful)

        by phasm42 (588479) on Friday August 11 2006, @01:41PM (#15890613)
        To add to your point, customers won't care when their viruses/malware break, but they will care when the security software they paid for breaks. It could also discourage people from applying updates, out of fear it will break their security software.
    • Re:Oh noes! (Score:5, Insightful)

      by gstoddart (321705) on Friday August 11 2006, @01:06PM (#15890390)
      C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods?

      Well, history tells us that the likelihood of Windows actually securing itself is pretty slim.

      If they could use black hat techniques, then it wouldn't be secure now, would it?

      Having said that, it's a catch-22. If Windows implements an approved kernel hook for the antivirus companies, it will get exploited. If they don't, then no antivirus software, but just as many virus writers.

      Whether or not Microsoft is going to help 3rd parties sell software to secure Windows, there will be people doing the same things they do now. Except in that case, the consumer is on their own and waiting for Microsoft to stop them from getting pwn3d.

      Cheers
        • Re:Oh noes! (Score:4, Interesting)

          by gstoddart (321705) on Friday August 11 2006, @02:49PM (#15891063)
          Viruses and you. In this case we're talking about locally executed binaries that are being run with root(admin) privileges.

          I just felt it had to be said but : Since when can you not totally mess up a Linux system when you're running software as root?

          Absolutely you can. But, if I choose to install software, I can decide that I trust it, and want it running as root. But the rest of the time, I'm logged in as a user who doesn't have root privileges, and can't bork anything but my own stuff. If the user wishes to install kernel-level software, they're allowed. I've run apache as both userland and root; except for which ports it can bind to, apache doesn't care.

          That being said, the problem with windows (aside from those I've mentioned, which are valid security holes) lies not in the admin account being insecure but rather in the fact that everyone and their uncle is an admin the entire time they're running.

          That has always been the problem. You simply can't do anything on windows without being the admin, because so much crap just expects to have it, and fails if it doesn't. And then every damned website you visit which has an exploit is the administrator. Whee!! How fun!

          Back in the day, if I wanted some software on a UNIX machine, and the cranky UNIX admin said "leave me the fsck alone", I could still untar it into my own directory, set my path variable (give or take one or two more) and just run it. The software ran just fine in userland, and was isolated from the OS. It could hose my files, but not the system.

          Same deal on a Mac, the folder which was the install was the whole app. You could move it or delete it -- deleting was uninstalling basically. On Windows, every bloody piece of software expects to be able to write to the registry, install itself for every user, demands that it write to Program Files, and possibly muck with some stuff in the Windows folders. Because that's how you're expected to do these things.

          The fact that you can't do anything in Windows without being the admin has always been a major source of problems. If they had a model whereby users could install software into their own "user programs" or somesuch, and that was separated from the rest of the damned OS, these things couldn't happen.

          However, as long as MS sticks with the way they have envisioned the world, preventing people from having kernel hooks (unless you use black hat methods) is kind of an empty solution, because it doesn't address the bigger problem of needing to be the Administrator to accomplish anything on a Windows machine.

          Cheers
          • Re:Oh noes! (Score:5, Interesting)

            by myowntrueself (607117) on Friday August 11 2006, @05:29PM (#15892065)
            The fact that you can't do anything in Windows without being the admin has always been a major source of problems.

            I agree, but there's no *point* in doing anything in Windows without being admin.

            There is no point in running Windows as a non-privileged user.

            If you doubt my word, log into your favorite Windows as your unprivileged user and set up a scheduled task to run cmd.exe

            When the scheduled task runs and you get a command window try and see what you *cannot* do on the system...

            (I used to put a great deal of effort into running as an unprivileged user; I spent hours trying to get games to run without having to be Admin. It seems that I totally wasted my time. Thanks, Bill.)
    • Re:Oh noes! (Score:5, Interesting)

      by Jimmy King (828214) on Friday August 11 2006, @01:11PM (#15890415)
      "Oh noes, windows has security! What'll we do?"

      C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too. Any blackhat technique they use would be immediately patched by Microsoft. Doesn't take a genius to see that.
      Part of the complaint, though, is not just that they cannot provide proper security software for it but that MS' solution isn't actually providing any security. What they are saying is that this "security" feature makes it pretty much impossible to properly/legitimately do their job, but doesn't actually stop a good many of the techniques that hackers use.

      Whether MS' technique works or not, it's bad for us as it limits our choices.

      Of course I'm sure neither of these is a concern to Symantec, only that they'll make less money, but they are still valid arguments to consider.
      • Re:Oh noes! (Score:5, Interesting)

        Does anyone else smell a new monopoly suit?

        Microsoft moves into system security (with their firewall, spyware tool, and I think they recently bought an AV company), and then sets up a 'security' feature that just happens to block out their competitors?

        Yeah... that smells pungent to me.
      • Re:Oh noes! (Score:5, Insightful)

        by Nigel_Powers (880000) on Friday August 11 2006, @01:30PM (#15890543)
        Don't kid yourself...this is NOT a case of Windows securing itself -- this is revenue protectionism at its best. Microsoft is actively trying to make third-party security vendors a thing of the past.

        In all of this, Microsoft forgets the most important thing -- It's my freakin computer! If Microsoft hinders me from getting done what I (remember me? I'm the consumer) want, then I have to reconsider my OS decision -- which I did -- about 5 years ago -- and never looked back.
  • does this mean... (Score:5, Funny)

    by krell (896769) on Friday August 11 2006, @12:47PM (#15890262)
    Does this mean there will be a new day of the week devoted to patching the patchguard?
  • by matts-reign (824586) on Friday August 11 2006, @12:47PM (#15890266)
    I can see why microsoft would want to stop people. It is probably an attempt to stop malware. However, I think there should be a way for this security software to exist, other than resorting to "black hat" techniques. I would say this could be described as Microsoft shooting itself in the foot. Trying to stop rootkits is good and everything, but not in a way that blocks my antivirus from protecting me.
    • by AugustZephyr (989775) on Friday August 11 2006, @12:49PM (#15890284)
      Apparently Microsoft thinks that its security measures are good enough that you don't need antivirus to protect you.
    • Re:Why would microsoft bother? (Score:5, Interesting)

      by jd (1658) <imipak AT yahoo DOT com> on Friday August 11 2006, @01:16PM (#15890448)
      The obvious answer would be for Microsoft to define a well-known API for security software, where the entry-point for that set of functions is damn-near impervious. (A simple example - require that all software using such an API be digitally signed by a trusted vendor and counter-signed by the registered owner of the software. In a corporate setting, this would mean that patches would need to be signed off on by the IT department. In the home setting, users would have to specifically state that they approve that level of access for the software.)


      Certificates of trust already exist in Windows. They're used by web browsers. It would be trivial to use the code that is already present to check for a valid certificate. The second layer of protection - requiring the user/IT department to countersign the patch - would make transparent breakins much harder. Not impossible, but definitely much harder.


      Of course, this is all pointless these days, anyway. All a rootkit writer has to do is develop a mini hypervisor or hijack one already in use. For zombies, viruses, etc, you'd then have the externally-visible interfaces in the OS and everything else concealed outside. BIOS viruses could also be quite lethal, as they too would bypass this protection. Far too low a level for the OS to detect. These days, with graphics processors essentially being parallel CPUs, I'm surprised nobody has put a virus on the graphics card. If the PCI is multi-mastered (not uncommon on higher-end machines), then the card could control all the other devices without going through the OS at all, giving a virus that could inhabit that space ABSOLUTE power over the machine.

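The sign-and-countersign gate jd sketches above, worked through as an added example (it is not from the thread and not Microsoft's code). A kernel-hooking driver is admitted only when a vendor on the trust list signed its hash and the machine's registered owner (the home user, or the IT department in a company) countersigned that vendor signature. Everything here is assumed for illustration: the vendor name, the driver bytes, and the use of HMAC keys as a stand-in for real signing keys so the code runs with the standard library only; a production gate would verify asymmetric, Authenticode-style signatures instead.

```python
"""Dual-approval gate for kernel-hooking drivers (added example).

Assumptions, all constructed for this example:
  * HMAC with a per-party secret stands in for an asymmetric signature.
  * Vendor names, driver images and key material are made up.
"""

import hashlib
import hmac
import os


def driver_hash(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


class Party:
    """A key holder. sign()/verify() model a signature; HMAC is a stand-in."""

    def __init__(self, name: str):
        self.name = name
        self._key = os.urandom(32)          # constructed key material

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, "sha256").digest()

    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), sig)


class KernelHookGate:
    def __init__(self, trusted_vendors, owner: Party):
        self.trusted = {v.name: v for v in trusted_vendors}
        self.owner = owner

    def admit(self, image: bytes, vendor_name: str,
              vendor_sig: bytes, owner_sig: bytes):
        """Return (admitted, reason). Each failure has its own reason so an
        audit log can tell a forged vendor signature from a missing approval."""
        vendor = self.trusted.get(vendor_name)
        if vendor is None:
            return False, "vendor not in trust list"
        h = driver_hash(image)
        if not vendor.verify(h, vendor_sig):
            return False, "vendor signature does not match image"
        # The countersignature covers hash AND vendor signature, so an owner
        # approval lifted from one driver cannot be replayed on another.
        if not self.owner.verify(h + vendor_sig, owner_sig):
            return False, "owner has not approved this signed image"
        return True, "admitted"


def demo():
    """Run the cases the thread argues about; return case -> admitted."""
    vendor = Party("ExampleAV")                 # constructed vendor
    owner = Party("it-department")
    gate = KernelHookGate([vendor], owner)

    hips = b"\x4d\x5a hips.sys (constructed)"    # legitimate HIPS driver
    rootkit = b"\x4d\x5a rk.sys (constructed)"   # something else entirely

    v_sig = vendor.sign(driver_hash(hips))
    o_sig = owner.sign(driver_hash(hips) + v_sig)

    return {
        # vendor-signed, but nobody on this machine approved it
        "vendor only": gate.admit(hips, "ExampleAV", v_sig, b"")[0],
        # both approvals present
        "vendor + owner": gate.admit(hips, "ExampleAV", v_sig, o_sig)[0],
        # a vendor's signature copied onto a different image
        "sig replayed on rootkit": gate.admit(rootkit, "ExampleAV", v_sig, o_sig)[0],
        # unknown vendor, even with an owner countersignature
        "untrusted vendor": gate.admit(hips, "Unknown", v_sig, o_sig)[0],
        # image tampered with after both parties signed it
        "tampered after signing": gate.admit(hips + b"\x90", "ExampleAV", v_sig, o_sig)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:25s} -> {'admitted' if ok else 'refused'}")
```

The caveat jd gives still stands: an attacker who holds both the vendor key and the owner's approval key walks straight through, so the gate raises the cost of a transparent break-in rather than removing it.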
  • Should be an optional feature. (Score:5, Insightful)

    by DNX Blandy (666359) on Friday August 11 2006, @12:48PM (#15890276)
    "Windows' PatchGuard" should be an optional feature. If you don't want to use it (like me!), you should be able to NOT include it when installing etc. Being able to do what you want is the best way; forcing users only pisses them off.
  • Why does this sound familiar? (Score:5, Insightful)

    by plasmacutter (901737) on Friday August 11 2006, @12:49PM (#15890282)
    I remember something about the entire kernel becoming a "protected process" under an MS implementation of TCPA/TCG/Palladium/(insert name of the week meant to spoof DRM watchers here).

    This was meant to be an "effective" means to stop viruses, but it served more to force licensing fees out of companies which provide security solutions and to stop independent tinkerers (also known as "good" hackers) from providing cool kernel mods for power users.
  • by portmapper (991533) on Friday August 11 2006, @12:51PM (#15890294)
    it's written, but if you read even a little bit of the linked-to article, you will see that this is for x64, but no mention about i386 bits, i.e. the great majority of PCs. My guess is that this will be similar for i386 as well, though.

  • Another lawsuit... (Score:1, Insightful)

    by jrbush82 (635876) on Friday August 11 2006, @12:55PM (#15890322)
    Provided Microsoft decides not to provide a better means for other software companies to run security products within Vista, I'm sure a large lawsuit will develop within the near future... in which case, MS will be handing over a good chunk of change... seems they always lose.

    If they were smart, they would turn it into a way for them to make money. License the "technology" (for a "small" fee of course) to the software vendors so that they can attempt to provide a security solution.
  • by xdxfp (992259) on Friday August 11 2006, @12:57PM (#15890343)
    Obviously if "security software" can bypass the restrictions, then so can malicious programs. There isn't any fundamental difference between software and malicious software that Windows can detect (one computer's virus is another computer's formatting software).
  • by Anonymous Coward on Friday August 11 2006, @01:04PM (#15890372)
    What? Did you run out of kayak stories? What sort of place is this anyway?

  • Microsoft want you to pay them a monthly fee to get the Microsoft anti-malware stuff. Every obstacle they can toss in the way of cheaper alternatives is (for them) a good thing.

    The rule is: If you are in the business of doing X - then Microsoft announce that they are getting into doing X - then you'd better find a way to do Y instead. In the absence of government intervention, an illegal monopoly can do pretty much whatever they heck they like.

  • Debugger Disables (Score:5, Interesting)

    by mugnyte (203225) on Friday August 11 2006, @01:05PM (#15890380)
    It is fascinating that TFA explains how if a boot routine can initialize a "debugger attached" flag, the PatchGuard system is not initialized. From this aspect alone, I'd say MS should start playing more nicely with the vendors, since any malicious code worth its salt should set this value permanently and then replace kernel routines on disk as necessary.

    Also, given the fact that MS intends to make patching the standard for releasing a secure OS, the vendors can't really do this kernel checking themselves. Thus, I think it's safe to say from the perspective of this article, the OS's kernel is patchable by anyone.

  • Blackhat techniques (Score:2, Interesting)

    by jtwronski (465067) on Friday August 11 2006, @01:06PM (#15890389)
    Um, how is this security if it's easily bypassed? Isn't the point behind any security layer to make it so nobody can bypass it? Seems to me that if it's that easy to circumvent, Microsoft is just spinning its wheels, and there will be plenty of market for companies like Symantec/McAfee to compete in. It's not like the virus/trojan/malware writers give a single shit about any layer of security that they can bypass. Easily.

    Symantec should be glad that Vista will have this ineffective security layer, so they can sell software to patch it.
  • Micro$oft and Control (Score:2, Insightful)

    by thorkyl (739500) on Friday August 11 2006, @01:08PM (#15890398)
    A few years ago in office 2000 Microsoft dictated what attachments you could receive and what you could not. It sounds like Microsoft is attempting to create a business model of "If you want security you get it from us." and "We know better, you do it our way." Does the phrase duck and cover mean anything to anybody?
  • by HTH NE1 (675604) on Friday August 11 2006, @01:12PM (#15890423)
    Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use "black hat" techniques to bypass the restrictions.
    "We had to hack the system in order to protect it"?
  • Dance puppets dance (Score:3, Funny)

    by buffoverflow (623685) on Friday August 11 2006, @01:13PM (#15890428)
    1) Company creates horribly insecure OS.
    2) New multi-billion $$ industry sprouts for the sole purpose of securing said OS.
    3) Insecure OS company institutes blatantly obvious absolutely worthless security "features".
    4) No longer new multi-billion $$ industry complains because new BS security measures are worthless & the new features steal their pennies.
    4.5) Linux zealot chimes in on how these issues are not issues under their chosen OS.
    5) Horribly insecure OS company forms new multi-billion $$ industry to secure their horribly insecure OS in a proprietary fashion.
    6) Ballmer covers the $1 he owes Gates for the bet they made on whether or not they can steal the billions from the industry that wouldn't exist had it not been for them & their lax attitude toward secure coding practices, while blaming the whole fiasco on Google & Linux, all the while creating a brand spanking new completely worthless multi-billion $$ proprietary industry. (Thank you Mortimer, er I mean Ballmer)
  • by ClaraBow (212734) on Friday August 11 2006, @01:14PM (#15890436)
    This may be a stupid question, but why do anti-virus applications need kernel access? Do these programs need kernel access to simply scan for viruses?
  • Hooks gone? (Score:1)

    by HardcoreWizard (993963) on Friday August 11 2006, @01:27PM (#15890528)
    Am I getting this wrong, or have they actually removed the possibility of using hooks? Or are they just talking about creating a special hook interface for the security software vendors? Anyway, both cases would be obnoxious; removing hooks to improve security would break a lot of software, and creating a special hook interface for security software would be idiotic! Why leave a backdoor wide open?! It's like Greenpeace whining about too many whales in the ocean...
  • Doesn't affect me (Score:2)

    by 93 Escort Wagon (326346) on Friday August 11 2006, @01:28PM (#15890531)
    The only Windows box in our house is my wife's laptop, and we'll be keeping XP on that until XP is no longer supported. By the time that happens, I think it's likely she'll be using a Mac - so if we need Windows for anything (which would be her sewing machine software) we can run it without internet access.
  • Misleading summary (Score:2)

    by Ancil (622971) on Friday August 11 2006, @01:34PM (#15890569)
    Apparently, using these techniques is not a difficult trick.

    The linked webpage contains a bunch of "techniques" which are mostly

    "If we find a bug in this system call, PatchGuard will be worthless!"

    along with a few

    "This disables PatchGuard in the current beta build of Vista!"
  • Obviously... (Score:2)

    by glindsey (73730) on Friday August 11 2006, @01:45PM (#15890645)
    This doesn't surprise me in the least. PatchGuard is obviously designed to eliminate third-party competition, not stop hackers.
  • I don't see what the big deal is (Score:2, Insightful)

    by bberens (965711) on Friday August 11 2006, @01:47PM (#15890668)
    If Microsoft intends to have its own anti-virus software/mechanism they must feel they're capable of doing this without the kernel hooks requested by Norton and ilk. The only thing I would take issue with is if Microsoft uses an undocumented API in order to get an unfair advantage over the third party vendors. When that happens, wake me up and I'll get back up on my anti-Microsoft $oapbox. Until then... bleh.
  • by isellmacs (661604) on Friday August 11 2006, @01:49PM (#15890686)
    I think it's universally agreed that the biggest flaw in windows is security. To this extent, we've seen many a revision of windows that has altered the way windows works with certain tweaks, to try and make windows more secure.

    Many people knock windows for being insecure, but it's not like Microsoft WANTS it to be that way. No, the people who want it to be that way are the "security" companies. Anti-virus companies have profited from security flaws and viruses alike for many years now, and it has become a rather booming business and the focal business model for companies like McAfee and Symantec. These companies have a vested interest in maintaining security flaws and the propagation of viruses out on the internet.

    Let's say the unimaginable does happen: Windows implements some radical change to secure the OS. What happens to these companies? They stand up and try and present themselves as our saviours against these "evil black hats" but aren't they the ones with the most to gain from the current business model? By making windows secure, they will effectively end a decade-long business model for these security companies by making them obsolete. That's a good thing for users, but a bad thing for them.

    I find it appalling that they would consider Microsoft taking steps to secure their OS as being "anti-competitive" in nature. The "security" market in this case exists only due to flaws and vulnerabilities in Windows. Flaws, which Microsoft has stated time and time again they are trying to correct.

    I think people underestimate the task put forth before Microsoft in making windows secure.

    Take a look at MacOS. Crashed a lot, lots of security flaws and viruses for being such a small marketshare at the time. Apple realized the problem, and understood that constantly applying bandaids to a broken OS wasn't working. They re-did the entire OS to get OSX. The problem, of course, is no OS9- programs run natively in OSX. They had an emulator for awhile, and a lot of people struggled with the transition. Like a caterpillar to a butterfly, they were reborn in a more evolved state.

    Windows, on the other hand, doesn't have that sort of luxury. If MS were to re-write their code so that no previous versions of software would work, and all developers had to start over from scratch and learn new methods to program, it would cause disastrous consequences both for MS, and potentially for the world over. Best case scenario would be Apple releasing OSX x86 on non-Apple hardware and taking over the entire market. This, of course, would be the virtual end of MS, which they have no desire to do.

    Microsoft is faced with trying to secure a broken OS, without actually starting over (which isn't an option) or breaking the ability of developers to make software for the platform. I'd be curious (as I imagine MS would be too) if anybody can come up with a real solution to the problem? And if you can, can you do it while still allowing the current "security" companies to continue to cash-cow the general public?

  • New MS Crack House (Score:2)

    by mpapet (761907) on Friday August 11 2006, @02:04PM (#15890773)
    I'll say it again, Microsoft has no incentive in providing a reasonably secure OS. (ex. your favorite distro) Like every version that's come before Longwait, it's a coordinated message to make the PHB's buy it because they "fixed security" in longwait.

    Mom & Pop buyers will be okay with this because they'll pay MS every month like they pay a cable tv bill. The software monoculture pretty much dictates that their machine will be zombies anyway.

    This works out great for me because I will have -plenty- of work baby sitting these things.
  • by Animats (122034) on Friday August 11 2006, @02:06PM (#15890778)

    The whole "PatchGuard" concept shows how broken Microsoft's approach to an OS has become. The whole concept is to catch changes made by programs which already have full access to kernel space. By checking every five or ten minutes for a change, no less. That's inherently a futile exercise. It may break some current exploits, but it won't break new ones. Any program that has access to kernel space can take over the machine. It could load a whole new OS if it wanted to.

    The whole concept of add-on programs having access to kernel memory is so insecure that it has to go. UNIX and Linux limit it to loadable drivers, and the serious microkernels like QNX and IBM's VM don't allow it at all. But the Microsoft world, mostly for historical reasons, has all sorts of crap running with access to kernel memory, from various "security programs" to game DRM components. All that crap should have been taken out in Vista. The fact that it wasn't indicates how minor a change at the kernel level Vista is over XP.
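Animats' point above (and mugnyte's note earlier in the thread that a debugger-attached flag leaves the guard unarmed), worked through as an added toy model. This is not Microsoft's code and it does not reproduce PatchGuard's real internals, which are undocumented; it only models the argument: a guard that re-hashes kernel structures every few minutes catches an old-style hook, but code already running in kernel mode has the same write access as the guard, and nothing is checked between two ticks. The dispatch table below is constructed (the syscall names are real NT names, the addresses are made up), and the debugger-flag behaviour is modelled as the thread reports it.

```python
"""Toy model of a PatchGuard-style periodic integrity check (added example).

Assumptions: the table contents, the rootkit address and the one-shot
guard tick are constructed for illustration and stand in for a periodic
check over real kernel structures.
"""

import hashlib
import hmac

# Constructed dispatch table: syscall name -> handler address (made up).
BOOT_TABLE = {
    "NtCreateFile":  0xFFFFF80001A2B000,
    "NtOpenProcess": 0xFFFFF80001A2C100,
    "NtReadFile":    0xFFFFF80001A2D200,
}
ROOTKIT_HANDLER = 0xFFFFF88001234560   # made-up address of a hook routine


class GuardedKernel:
    def __init__(self, table, debugger_attached=False):
        self.table = dict(table)
        self.debugger_attached = debugger_attached
        self.bug_checked = False
        # Reference digest taken at "boot"; the guard compares against it.
        self.reference = self.digest()

    def digest(self):
        h = hashlib.sha256()
        for name, addr in sorted(self.table.items()):
            h.update(name.encode())
            h.update(addr.to_bytes(8, "little"))
        return h.digest()

    def guard_tick(self):
        """One periodic check. Returns True if the table still matches.
        A set debugger flag skips the check, as the thread reports."""
        if self.debugger_attached:
            return True
        if not hmac.compare_digest(self.digest(), self.reference):
            self.bug_checked = True      # a real kernel would bug-check here
            return False
        return True

    def dispatch(self, name):
        return self.table[name]


# Three ways kernel-mode code might hook NtOpenProcess.

def hook_naive(k):
    """Pre-Vista style: patch the table and leave it. Caught at the next tick."""
    k.table["NtOpenProcess"] = ROOTKIT_HANDLER


def hook_same_privilege(k):
    """Same write access as the guard, so refresh its reference as well."""
    k.table["NtOpenProcess"] = ROOTKIT_HANDLER
    k.reference = k.digest()


def hook_between_ticks(k):
    """Patch, act, restore, all inside one guard interval."""
    saved = k.table["NtOpenProcess"]
    k.table["NtOpenProcess"] = ROOTKIT_HANDLER
    seen = k.dispatch("NtOpenProcess")      # the hooked handler runs here
    k.table["NtOpenProcess"] = saved
    return seen


def run(attack, debugger_attached=False):
    """Apply one attack, run the guard once, report (bug_checked, hooked)."""
    k = GuardedKernel(BOOT_TABLE, debugger_attached)
    attack(k)
    k.guard_tick()
    hooked = k.dispatch("NtOpenProcess") == ROOTKIT_HANDLER
    return k.bug_checked, hooked


if __name__ == "__main__":
    for label, attack in [("naive", hook_naive),
                          ("same privilege", hook_same_privilege),
                          ("between ticks", hook_between_ticks)]:
        bug, hooked = run(attack)
        print(f"{label:15s} bug_checked={bug} still_hooked={hooked}")
    print("naive, debugger flag set:", run(hook_naive, debugger_attached=True))
```

Only the naive hook trips the guard, and even then the table is still hooked when the bug check fires; the other two cases never fail a tick, which is the sense in which a check that runs with the same privilege as the thing it checks is a speed bump rather than a boundary.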

  • by SammysIsland (705274) on Friday August 11 2006, @02:10PM (#15890803)
    "...But now they force security vendors to bring a knife to a gun fight..."

    If you KNOW it's a gun fight, then bring an RPG.

    I will never understand the level playing field argument in this situation. Since when is it an OS developer's duty to create an environment that is compatible with the software that is to run on it? I have never heard the argument that Motorola was in violation of antitrust law for creating processors that Windows wouldn't/couldn't run on.

  • I really don't want to own vista. (Score:1, Interesting)

    by Il128 (467312) on Friday August 11 2006, @02:14PM (#15890821)
    I just do not understand why anyone would want to run Vista. What's the advantage? Where's the value?
  • by Savior_on_a_Stick (971781) <robertfranz@gmail.com> on Friday August 11 2006, @02:33PM (#15890944)
    I really doubt that their objection is based at all or in part on any perceived dilemma of being forced into using "black hat" techniques.

    Firstly, they haven't really stated what they consider to be a "black hat" technique, though I strongly suspect they mean that they object to actually having to develop and maintain code instead of relying on existing Redmond-authored APIs that provide a spoonfed data conduit.

    Symantec's AV/Security products rely on MS' file access APIs - as do most other major AV packages.
    This means that they inherit all the weaknesses of the underlying Win APIs. This in turn is why they cannot detect, clean or prevent access to malware which cannot be addressed via the MS APIs. I have had one virus and one trojan that Norton could not detect or clean, but which AVG and Kaspersky had no trouble blocking access to and tossing into quarantine. Neither relies on MS file access APIs in its scan engine. Is this a "black hat" technique? If so, then black hat techniques are pretty much a requirement for effective security, and Symantec should wise up and get to work.

  • by orielbean (936271) on Friday August 11 2006, @02:54PM (#15891100)
    Would this be in line with Microsoft producing their own protection software and trying to drive others out of their market share? Sure would be a convenient way to do it, forcing Symantec, et al, to resort to hacking or paying extortion fees for kernel hookins.
  • by ic4x0r (985346) on Friday August 11 2006, @03:01PM (#15891155)
    if it weren't for all the security flaws in Windows. They make their revenue based on the fact that there are security flaws that can be exploited by viruses and spyware. If people randomly stopped making viruses, then these third-party companies would be out of business, too.
  • by computational super (740265) on Friday August 11 2006, @03:01PM (#15891158)
    using these techniques is not a difficult trick.

    You keep using that word. I do not think it means what you think it means.

  • ...we are forgetting Microsoft has its own anti-virus software [windowsonecare.com]. I'm not saying MS is trying to shut out competition, but that MS wouldn't do this if it would break their own software. They probably have OneCare doing things the "correct" way.
  • ...in Windows software world, your anti-virus hacks you?

    But it's for your benefit?
  • Get over it (Score:2)

    by DarkOx (621550) on Friday August 11 2006, @04:30PM (#15891749)
    Look, many here are going to argue that Microsoft is being anticompetitive, and maybe they are or maybe they are not; it's not really the point. What is M$ supposed to do?

    On the one hand they could make kernel hooks available to vendors and perhaps secure their use with code signing or something. Then the AV companies would be happy; but it would only be moments before some blackhats found a way to exploit the system and make their code look legit. Once it is exploited M$ is again accused (fairly) of producing software that really does not meet reasonable security expectations for what it costs and they risk losing market share.

    The other option is to lock down low-level access as much as possible and keep non-M$ code out of kernel space; lots of the biggest security problems become much easier to solve and M$ can produce a better product. Now they might sell some enhancements that would be M$ code that could run where others can't, and that might look unfair, but we live with all sorts of other products that discourage after-market parts as well. The next obvious question is: if the black hats can bypass security, why can't the security vendors, who can at least count on the person installing the software having root-level permissions on the system? Sure, you might be playing a game of hide-and-go-patch with M$ breaking stuff all the time, but lots of people do that already.

    The real story here, folks, is we don't live in a command economy. If you make something you had better be sure there is a need or want out there for your product. You also need to understand that MARKETS CHANGE; if your organization has a single revenue stream you had better be developing others or finding new markets for your one product.

    If M$ actually succeeds in producing a system with pretty good overall security then two things are true: one is that many users decide that additional security software offers too little utility to invest in at any price, and two, given the number of players in the security market there would likely be so much supply that prices would have to drop until the less efficient firms vacate the market.

    Being upset with M$ securing their product as a security software developer would be a bit like a garage owner being upset that auto makers are putting out cars that only need tune-ups every 5 years instead of every 5k miles. It might suck to be a security vendor or a garage owner, but those are the breaks. Best stop crying and find a way to use your talent for something people will still want; you would be better served.
  • Really? (Score:2)

    by edward.virtually@pob (6854) on Saturday August 12 2006, @04:24AM (#15893678)
    It sounds like the 'black hats' will be able to bypass this security feature (which will be in all copies of Vista) but force security software companies to give up developing software for Windows.

    What? Microsoft exploit its control of the operating system to destroy competitors? Surely you jest. HA HA HA!

    "A laugh can be a very powerful thing. Why, sometimes in life it's the only weapon we have," Roger Rabbit
  • by Myria (562655) on Saturday August 12 2006, @03:12PM (#15895399)
    Despite what everyone seems to think, PatchGuard is not security. It's "security through obscurity", which is not security. If you are a rootkit running in kernel mode, you can patch out PatchGuard. It may be difficult to reverse engineer, but it CAN be defeated. I still think it's a great idea.

    The "security" vendors out there have nobody to blame but themselves. For years now they've been installing badly designed "security" software that damages the integrity of the system. This software adds hooks into syscalls that frequently crash the system or make it easy for unprivileged user-mode programs to crash the system. Worse, some of these unintentionally add back doors to the system that allow privilege escalation.

    PatchGuard prevents legitimate software developers from doing things they shouldn't be doing. If a legitimate software developer breaks PatchGuard, the next second Tuesday their software will stop working. Meanwhile, rootkits are completely unaffected; they've pwned your system for a month already.

    Many people suggest that kernel drivers should need to be signed to solve these problems. This is a terrible "solution" for many reasons. For one, you have to severely restrict user mode in order for it to work. To explain it to UNIX users, "mkfs", "fsck", etc. would have to become kernel programs because otherwise bypassing signature checks becomes easy: overwrite /dev/hda with a hacked MBR and reboot.

    Driver signing throws the ability to write kernel software out the window for anyone not able to pay the VeriSign Tax - and only corporations, not individuals, can get such a signing key.

    PatchGuard does have one problem from my perspective: you cannot implement features that Microsoft hasn't implemented or has removed. For example, I wanted to make my own NTVDM for Win64 since Microsoft removed it. I found out that it is impossible, because Microsoft removed support for LDTs in Win64. You can't add it yourself with a kernel driver, because you'd need to patch the context switch mechanism - the kernel doesn't have code to switch LDTR values between processes anymore.

    Melissa
  • by stormi (837687) on Friday August 11 2006, @01:33PM (#15890561)
    (Last Journal: Friday June 02 2006, @09:34AM)
    That wasn't flamebait, it was insightful.
  • by Dog-Cow (21281) on Friday August 11 2006, @01:40PM (#15890601)
    "-Make programs have an .EXE extension to execute! No more .SCRs, for example. They're getting worse rather than better about this; I downloaded the AOL antivirus to try it out (OT rant about it follows) and the download had a .MSI extension. It confused me for a minute; is this like .ISO when it's really not an ISO but you have to rename it to get through the firewall? No, it just ran, and installed AOL's software."

    Every GUI OS understands the concept of file -> application mappings. Most use file extensions as one method of performing the mapping. MSIs are mapped to the Microsoft Installer application. There's nothing malicious or secret going on there. Or are you really stupid enough to open Notepad and use the menu to open a text file instead of just double-clicking the file directly?
  • Re:Please get it right (Score:2, Informative)

    by cab15625 (710956) on Friday August 11 2006, @01:57PM (#15890733)
    Are you talking about XWindows
    Technically, it's "XWindow", singular. As in "The X Window System". But they've been struggling with trying to make people get it right for decades now.
  • STOP HIDING EXTENSIONS!!! Christ, it's incredibly STUPID that I can write a virus named NakedLady.JPG.exe and it will show up in most peoples' computers as NakedLady.JPG.
    In the first, hiding extensions is an option; in the second, I for one still find it hard to believe that the trick you describe works. Tooltip information, never mind bringing up the Properties dialog box, would give the game away right quick.
  • No good. Microsoft will stop supporting them. [microsoft.com]

    Go listen to "Don't Drink the Water" by the Dave Matthews Band (sorry I can't include a link to the audio file, you know how it is, but the text is on-line [lyricsfreak.com]) and think about how the words apply here. Chilling.
