An Introduction to Kernel Patch Protection

Hello, I'm Scott Field, an Architect working on Windows Kernel Security. There have been a lot of questions recently about a Windows technology called Kernel Patch Protection (sometimes referred to as PatchGuard) so I wanted to provide some context about the feature to help answer them. OS kernel design is a very specialized area of computer science that rarely receives a lot of public attention, so it's understandable that there are a lot of questions out there. The purpose of this post is to give a basic primer on Kernel Patch Protection and why it is an important technology to increase the security and reliability of Windows-based PCs.

What is the Kernel?
The kernel is the lowest-level, most central part of a computer operating system and one of the first pieces of code to load when the machine starts up. The kernel is what enables the software of the machine to talk to the hardware and is responsible for basic OS housekeeping tasks such as memory management, launching programs and processes, and managing the data on the disk. All applications and even the graphical interface of Windows run on a layer on top of the kernel. The performance, reliability, and security of the entire computer depend on the integrity of the kernel.

You may have heard the term "rootkit" and that they can be very difficult to detect and remove. Rootkits are a type of malicious software that can use a number of different techniques, including monitoring keystrokes, changing system log files or existing system applications, or creating a backdoor into the system to gain remote access to a computer and launch attacks. Rootkits often try to gain access to the kernel of the OS. Since the kernel has the power to control all of the other applications on the PC, the rootkit can actually hide itself from the file system or even anti-malware tools, and ultimately from view of the user.

The kernel is the most carefully coded piece of the entire operating system. Since all other programs depend upon it, a glitch in the kernel can make all other programs crash or perform unexpectedly. You're probably also familiar with the term, "Blue Screen of Death" (BSoD). This is the result of an error in the kernel or in a driver running in the kernel that is so severe that the system can't recover from it. The BSoD is bad, so we want to do everything we can to keep customers from seeing it. One of the ways we can do that is to maintain the integrity of the kernel by restricting what software is allowed to run in and interact with it.

What is Kernel Patching?
"Kernel patching" or "kernel hooking" is the practice of using unsupported mechanisms to modify or replace kernel code. Patching fundamentally violates the integrity of the Windows kernel and is undocumented, unsupported and has always been discouraged by Microsoft. Kernel patching can result in unpredictable behavior, system instability and performance problems—like the Blue Screen of Death–which can lead to lost user productivity and data. More importantly, kernel patching has increasingly become a mechanism used by malware developers to attack Windows systems.

Motivations for patching the kernel vary widely. Anti-malware vendors, for example, may intercept system calls to prevent applications they have deemed malicious from creating processes on the system. The goals of these types of software are obviously laudable but these practices also may cause reliability and performance problems. The greatest risk from kernel patching comes from virus and spyware writers that use this technique with malicious intent and to hide their presence.

Malware authors are motivated to patch the kernel because it is a powerful mechanism for attacking the user's PC and data. Patching can be used to implement rootkits, which also hide the presence of other malware on the system. This form of malware can be extremely potent—for example, allowing the capture of banking passwords and monitoring of all user activities.

What is Kernel Patch Protection?
There are many brand new security features in Windows Vista, but Kernel Patch Protection is actually not one of them. Kernel Patch Protection was first supported on x64 (AMD64 and Intel EMT64T) CPU architecture versions of Microsoft Windows including Microsoft Windows Server 2003 SP1 and Windows XP Microsoft Windows XP Professional x64 Edition. (Patch protection is currently not supported on x86 or ia64 architectures.) Though, as the use of 64-bit computers is increasing, Windows Vista users will end up benefiting most from this technology.

Kernel Patch Protection monitors if key resources used by the kernel or kernel code itself has been modified. If the operating system detects an unauthorized patch of certain data structures or code it will initiate a shut down of the system.

Kernel Patch Protection does not prevent all viruses, rootkits, or other malware from attacking the operating system. It helps prevent one way to attack the system: patching kernel structures and code to manipulate kernel functionality. Protecting the integrity of the kernel is a fundamental steps in protecting the entire system from malicious attacks and from inadvertent reliability problems that result from patching.

Impacts on Application Compatibility
Kernel Patch Protection may impact compatibility of some legitimate software, on x64 systems, which were built using unsupported kernel patching techniques. Microsoft is sensitive to how application compatibility changes impact our customers and our partners. That is the reason that we have implemented this technology on x64 systems only. As customers adopt the x64 platform, and new native 64-bit software, we have the opportunity to build a more secure and reliable next generation platform that does not facilitate unsupported and unreliable practices such as kernel patching.

We have also been asked to provide a supported way for 'known good' vendors to continue hooking the kernel but prevent others from doing so. Unfortunately, there is no reliable mechanism for us to distinguish between 'known good' software and malicious software. Moreover, we cannot prevent a malicious software author from "bundling" purportedly good software in an attempt to thwart the system. Even if we could include such a mechanism, it's unclear if we could use this mechanism to selectively allow kernel hooking in a manner that provides an acceptable trade off between performance and reliability and security. Furthermore, creating such an exception would greatly hamper the ability to utilize hardware assisted security technology, such as a virtual machine hypervisor, to further improve the integrity of the operating system.

Alternatives to Kernel Patching
Clearly, customers demand effective security solutions, and they can be developed without relying on kernel patching techniques. Some of the alternatives to kernel patching are:

  • Windows Vista includes the "Windows Filtering Platform", which enables software to perform network oriented activities such as packet inspection and other activities necessary to support firewall products.

  • The file system mini filter model allows software to participate in file system activities, which can be used by Anti-Virus software.

  • Registry notification hooks, introduced in Windows XP, and recently enhanced in Windows Vista, allow software to participate in registry related activities in the system.

These solutions were designed with reliability and long term supportability in mind, and also provide a means for multiple products to co-exist without the conflicts that kernel patching could cause. We have been working with our security partners and other types partners for almost 2 years to assist them in making their solutions compatible with our current x64 architecture—and we are working with them even more closely as the Windows Vista launch approaches. If your application or driver must perform a task that you believe cannot be accomplished without patching the kernel, contact your Microsoft representative or msra@microsoft.com for help in finding a documented alternative.

It's important to note that Kernel Patch Protection applies uniformly to Microsoft products as well as third party products. No code is allowed to modify the kernel using unsupported patching techniques. Security products developed by Microsoft only have access to the same supported interfaces that any other vendor would use.

In Conclusion
Since Microsoft announced our Trustworthy Computing initiative, helping to ensure the security of our customers has been one of our primary goals as an organization. Part of this is ensuring a rich ecosystem of powerful security products that will reduce the threats from malware and other types of attack. We would not develop a technology designed to lessen the security of our customers or weaken the security of the Windows platform.

We will continue to work with security partners to help them make their current and future products compatible with Kernel Patch Protection and the new security investments that we have made in Windows Vista.

More information on Kernel Patch Protection is available at these locations and we will update the post as more resources become available.

· Patching Policy for x64-Based Systems

· Kernel Patch Protection: Frequently Asked Questions

· Kernel Enhancements for Windows Vista and Windows Server "Longhorn"

· Microsoft Windows Vista Security Advancements [Word Document]

 

-- Scott Field