I Want My Kernel Patch Protection
The makers of the OutPost firewall, Agnitum has been making news with loud objections to a new security feature Microsoft is adding to Windows Vista. The new feature called, “Kernel Patch Protection” already exists in Windows x64
“Kernel patching is the practice of using internal system calls and other unsupported mechanisms to modify or replace code or critical structures in the kernel of the Microsoft Windows operating system with unknown code or data. “
Microsoft kernel patch protection prevents security software developers from installing security software at the kernel level, an approach that developers use to ensure security against malware applications.
"As the vendor of Outpost Firewall Pro, we have to install at the kernel level" said Alexey Belkin, chief software architect at Agnitum. "In addressing the potential problem of not being able to install Outpost on new versions of Windows, we have discovered that it is possible to drill past the new security measures introduced by Microsoft - if we use the same techniques used by hackers. That's a wide-open hole. If we discovered it, then hackers will discover it, and they will use that hole to install malicious software."
Developers sometimes patch the kernel by changing a function pointer in the system service table, which is an array of function pointers to in-memory system services.
Patching fundamentally violates the integrity of the Windows kernel by replacing actual kernel code with unknown third-party code. As a result, patching introduces problems in three primary areas: reliability, performance and, most importantly, security
While I frequently find reasons to criticize Microsoft you may all be surprised I’m on their side this time. I should note that my own product WinPatrol, doesn’t rely on Kernel Patching to do its job. All the “API’s” or system calls made by WinPatrol are standard functions available to all software vendors.
In a perfect world allowing security vendor to patch system tables in the kernel might be reasonable through a proper interface. Unfortunately, there are too many variables at work on any single computer system. I have never seen any system that doesn’t have two or more “quirks” in how Windows works or how applications interact. Allowing kernel patches creates a non-standard system which is difficult to support and invites more failures. What works on a test system at Agnitum may not be 100% reliable on my system. If a failure occurs it may not be obvious to whoever supports you.
Microsoft is however obligated under past anti-trust rulings to disclose all interfaces internal to Windows used by their own software. In theory, that means any function call available to Microsoft Defender or any other Microsoft security product is available to any of us. Microsoft claims they’ll abide by these rules and has even published their Twelve Tenets to Promote Competition this month. We'll be watching to see how this works out and I predict I'll be making future Blog entries about this topic.