Wikipedia's article on kernel protection in 64-bit operating systems

Source: Internet. Posted by: Double Color Ball prediction algorithm. Editor: Programmer's Blog Network (程序博客网). Date: 2024/05/22 12:26

Kernel Patch Protection

From Wikipedia, the free encyclopedia

The kernel connects the application software to the hardware of a computer.

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of x64 editions of Microsoft Windows that prevents patching the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1.[1]

"Patching the kernel" refers to unsupported modification of the central component or kernel of the Windows operating system. Such modification has never been supported by Microsoft because it can greatly reduce system security and reliability. However, though Microsoft does not recommend it, it is technically possible to patch the kernel on x86 editions of Windows. But with the x64 editions of Windows, Microsoft chose to implement technical barriers to kernel patching.

Since patching the kernel is technically permitted in x86 editions of Windows, several antivirus software developers use kernel patching to implement antivirus and other security services. This kind of antivirus software will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection has been criticized for forcing antivirus makers to redesign their software without using kernel patching techniques.

Also, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching. This has led to additional criticism that since KPP is an imperfect defense, the problems caused to antivirus makers do not outweigh the benefits because authors of malicious software will simply find ways around its defenses.

Contents

  • 1 Technical overview
  • 2 Advantages
  • 3 Criticisms
    • 3.1 Third-party applications
    • 3.2 Weaknesses
    • 3.3 Antitrust behavior
  • 4 References
  • 5 External links

Technical overview

The Windows kernel is designed so that device drivers have the same privilege level as the kernel itself.[2] In turn, device drivers are expected to not modify or patch core system structures within the kernel.[1] In x86 editions of Windows, Windows does not enforce this expectation that drivers not patch the kernel. But because the expectation is not enforced on x86 systems, some programs, notably certain security and antivirus programs, were designed to perform needed tasks through loading drivers that modified core kernel structures.[2][3]

In x64 editions of Windows, Microsoft chose to begin to enforce the restrictions on what structures drivers can and cannot modify. Kernel Patch Protection is the technology that actually enforces these restrictions. It works by periodically checking to make sure that protected system structures in the kernel have not been modified. If a modification is detected, then Windows will initiate a bug check and shut down the system.[2][4]

Prohibited modifications include:[4]

  • Modifying system service tables
  • Modifying the interrupt descriptor table
  • Modifying the global descriptor table
  • Using kernel stacks not allocated by the kernel
  • Modifying or patching code contained within the kernel itself,[4] or the HAL or NDIS kernel libraries[5]

It should be noted that Kernel Patch Protection only defends against device drivers modifying the kernel. It does not offer any protection against one device driver patching another.[6]
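The periodic check described above (record the protected structures as known good, re-verify them later, bug-check on any mismatch) together with the scope limit in the preceding paragraph, modelled as an added example that is not from the article, from Microsoft, or from any real KPP implementation. The structure names, the FNV-1a checksum and the entry values are this example's own constructed stand-ins; the real KPP's data layout and checksum are not documented.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the structures KPP guards. The names, sizes and
 * values are this example's own, not Windows symbols or layouts. */
#define SSDT_ENTRIES 8
#define IDT_ENTRIES  16

typedef struct {
    uint64_t ssdt[SSDT_ENTRIES];  /* system service table       (protected) */
    uint64_t idt[IDT_ENTRIES];    /* interrupt descriptor table (protected) */
    uint64_t other_driver_tbl[4]; /* a third-party driver's own table (NOT protected) */
} kernel_state_t;

/* Checksums over the protected regions only, recorded once as "known good". */
typedef struct { uint64_t ssdt_sum, idt_sum; } kpp_baseline_t;

/* FNV-1a 64-bit: a simple stand-in for whatever checksum the real KPP uses. */
static uint64_t fnv1a(const void *data, size_t len) {
    const uint8_t *p = (const uint8_t *)data;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

static kpp_baseline_t kpp_record_baseline(const kernel_state_t *k) {
    kpp_baseline_t b;
    b.ssdt_sum = fnv1a(k->ssdt, sizeof k->ssdt);
    b.idt_sum  = fnv1a(k->idt,  sizeof k->idt);
    return b;
}

/* The periodic check. 0 = intact, 1 = SSDT changed, 2 = IDT changed.
 * On a real system a nonzero result becomes a bug check (system halt). */
static int kpp_verify(const kernel_state_t *k, const kpp_baseline_t *b) {
    if (fnv1a(k->ssdt, sizeof k->ssdt) != b->ssdt_sum) return 1;
    if (fnv1a(k->idt,  sizeof k->idt)  != b->idt_sum)  return 2;
    return 0;
}

/* Scenarios: 0 = nothing modified; 1 = a driver overwrites an SSDT entry;
 * 2 = a driver overwrites an IDT entry; 3 = a driver overwrites another
 * driver's table, which is outside KPP's scope and therefore not detected. */
static int kpp_scenario(int which) {
    kernel_state_t k;
    memset(&k, 0, sizeof k);
    for (int i = 0; i < SSDT_ENTRIES; i++) k.ssdt[i] = 0x1000 + 0x10 * i; /* constructed */
    for (int i = 0; i < IDT_ENTRIES;  i++) k.idt[i]  = 0x2000 + 0x10 * i; /* constructed */
    kpp_baseline_t b = kpp_record_baseline(&k);
    if (which == 1) k.ssdt[3] = 0xdead;             /* service dispatch redirected */
    if (which == 2) k.idt[14] = 0xbeef;             /* interrupt vector redirected */
    if (which == 3) k.other_driver_tbl[0] = 0xc0de; /* driver-on-driver patch */
    return kpp_verify(&k, &b);
}
```

Scenario 3 returning 0 is the point of the last paragraph: a check scoped to kernel structures says nothing about what one driver does to another.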

Ultimately, since device drivers have the same privilege level as the kernel itself, it is impossible to completely prevent drivers from bypassing Kernel Patch Protection and then patching the kernel.[7] KPP does however present a significant obstacle to successful kernel patching. With highly obfuscated code and misleading symbol names, KPP employs security through obscurity to hinder attempts to bypass it.[2][8] Periodic updates to KPP also make it a "moving target", as bypass techniques that may work for a while are likely to break with the next update. Since its creation in 2005, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.[2][9][10]

Advantages

Patching the kernel has never been supported by Microsoft because it can cause a number of negative effects.[3] Kernel Patch Protection protects against these negative effects, which include:

  • The Blue Screen of Death, which results from serious errors in the kernel.[11]
  • Reliability issues resulting from multiple programs attempting to patch the same parts of the kernel.[12]
  • Compromised system security.[2]
  • Rootkits can use kernel access to embed themselves in an operating system, becoming nearly impossible to remove.[11]
  • Products that rely on kernel modifications are likely to break with newer versions of Windows or updates to Windows that change the way the kernel works.[3]

Microsoft's Kernel Patch Protection FAQ further explains:

    Because patching replaces kernel code with unknown, untested code, there is no way to assess the quality or impact of the third-party code... An examination of Online Crash Analysis (OCA) data at Microsoft shows that system crashes commonly result from both malicious and non-malicious software that patches the kernel.

    Source: "Kernel Patch Protection: Frequently Asked Questions". 2007-01-22. http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx. Retrieved on 2007-02-22.

Criticisms

Third-party applications

Some computer security software, such as McAfee's McAfee VirusScan and Symantec's Norton AntiVirus, works by patching the kernel. Additionally, anti-virus software authored by Kaspersky Lab has been known to make extensive use of kernel code patching on x86 editions of Windows.[13] This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.[14] Because of this, McAfee called for Microsoft to either remove KPP from Windows entirely or make exceptions for software made by trusted companies such as themselves.[15] Interestingly, Symantec's corporate antivirus software does work on x64 editions of Windows despite KPP's restrictions.[16]

Antivirus software made by competitors ESET,[17] Trend Micro,[18] Grisoft,[19] and Sophos does not patch the kernel. Sophos publicly stated that it does not feel KPP limits the effectiveness of its software.[20][21]

Jim Allchin, then co-president of Microsoft, was an adamant supporter of Kernel Patch Protection.

Contrary to some media reports, Microsoft will not weaken Kernel Patch Protection by making exceptions to it, though Microsoft has been known to relax its restrictions from time to time, such as for the benefit of hypervisor virtualization software.[6][22] Instead, Microsoft worked with third party companies to create new Application Programming Interfaces that help security software perform needed tasks without patching the kernel.[12] These new interfaces were included in Windows Vista Service Pack 1.[23]

On December 21, 2006, McAfee's chief scientist George Heron stated that McAfee was pleased with the progress Microsoft was making on the new APIs.[24]

Weaknesses

Because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.[7] This led the computer security providers McAfee and Symantec to say that since KPP is an imperfect defense, the problems caused to security providers do not outweigh the benefits because malicious software will simply find ways around KPP's defenses.[15][25]

In January 2006, security researchers known by the pseudonyms "skape" and "Skywing" published a report that describes methods, some theoretical, through which Kernel Patch Protection might be bypassed.[26] Skywing went on to publish a second report in January 2007 on bypassing KPP version 2,[27] and a third report in September 2007 on KPP version 3.[28] Also, in October 2006 security company Authentium developed a working method to bypass KPP.[29]

Nevertheless, Microsoft has stated that they are committed to remove any flaws that allow KPP to be bypassed as part of its standard Security Response Center process.[30] In keeping with this statement, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.[2][9][10]

Antitrust behavior

In 2006, the European Commission expressed concern over Kernel Patch Protection, saying it was anticompetitive.[31] However, Microsoft's own antivirus product, Windows Live OneCare, has no special exception to KPP. Instead, Windows Live OneCare uses (and has always used) methods other than patching the kernel to provide virus protection services.[32] Still, for other reasons an x64 edition of Windows Live OneCare was not available until November 15, 2007.[33]

References

  1. "Kernel Patch Protection: Frequently Asked Questions". Microsoft. 2007-01-22. http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx. Retrieved on 2007-07-30.
  2. Skywing (September 2007). "Introduction". PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3. Uninformed. http://uninformed.org/index.cgi?v=8&a=5&p=2. Retrieved on 2007-09-20.
  3. Schofield, Jack (2006-09-28). "Antivirus vendors raise threats over Vista in Europe". The Guardian. http://www.guardian.co.uk/technology/2006/sep/28/viruses.security. Retrieved on 2007-09-20. "This has never been supported and has never been endorsed by us. It introduces insecurity, instability, and performance issues, and every time we change something in the kernel, their product breaks." —Ben Fathi, corporate vice president of Microsoft's security technology unit
  4. "Patching Policy for x64-Based Systems". Microsoft. 2007-01-22. http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx. Retrieved on 2007-09-20.
  5. skape; Skywing (December 2005). "System Images". Bypassing PatchGuard on Windows x64. Uninformed. http://uninformed.org/index.cgi?v=3&a=3&p=7. Retrieved on 2007-09-21.
  6. Skywing (January 2007). "Conclusion". Subverting PatchGuard Version 2. Uninformed. http://uninformed.org/index.cgi?v=6&a=1&p=25. Retrieved on 2007-09-21.
  7. skape; Skywing (December 2005). "Introduction". Bypassing PatchGuard on Windows x64. Uninformed. http://uninformed.org/index.cgi?v=3&a=3&p=3. Retrieved on 2007-09-20.
  8. Skywing (December 2006). "Misleading Symbol Names". Subverting PatchGuard Version 2. Uninformed. http://uninformed.org/index.cgi?v=6&a=1&p=10. Retrieved on 2007-09-20.
  9. Microsoft (June 2006). "Update to Improve Kernel Patch Protection". Microsoft Security Advisory (914784). Microsoft. http://www.microsoft.com/technet/security/advisory/914784.mspx. Retrieved on 2007-09-21.
  10. Microsoft (August 2007). "Update to Improve Kernel Patch Protection". Microsoft Security Advisory (932596). Microsoft. http://www.microsoft.com/technet/security/advisory/932596.mspx. Retrieved on 2007-09-21.
  11. Field, Scott (2006-08-11). "An Introduction to Kernel Patch Protection". Windows Vista Security blog. Microsoft. http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx. Retrieved on 2006-11-30.
  12. Allchin, Jim (2006-10-20). "Microsoft executive clarifies recent market confusion about Windows Vista Security". Microsoft. http://www.microsoft.com/security/windowsvista/allchin.mspx. Retrieved on 2006-11-30.
  13. Skywing (June 2006). "Patching non-exported, non-system-service kernel functions". What Were They Thinking? Anti-Virus Software Gone Wrong. Uninformed. http://uninformed.org/index.cgi?v=4&a=4&p=10. Retrieved on 2007-09-21.
  14. Montalbano, Elizabeth (2006-10-06). "McAfee Cries Foul over Vista Security Features". PC World. http://www.pcworld.in/news/index.jsp/artId=4587538. Retrieved on 2006-11-30.
  15. Samenuk, George (2006-09-28). "Microsoft Increasing Security Risk with Vista". McAfee. http://www.mcafee.com/us/local_content/misc/vista_position.pdf. Retrieved on 2007-09-20.
  16. "Symantec AntiVirus Corporate Edition: System Requirements". Symantec. 2006. http://www.symantec.com/enterprise/products/sysreq.jsp?pcid=1008&pvid=805_1. Retrieved on 2006-11-30.
  17. "64-bit Protection". ESET. http://www.eset.com/products/64bit.php. Retrieved on 2007-10-05.
  18. "Minimum System Requirements". Trend Micro USA. https://imperia.trendmicro-europe.com/us/products/enterprise/officescan-client-server-edition/system-requirements/index.html. Retrieved on 2007-10-05.
  19. "AVG Anti-Virus and Internet Security - Supported Platforms". Grisoft. http://www.grisoft.com/doc/324/us/crp/3. Retrieved on 2007-10-05.
  20. Jaques, Robert (2006-10-23). "Symantec and McAfee 'should have prepared better' for Vista". vnunet.com. http://www.vnunet.com/vnunet/news/2167016/symantec-mcafee-should-prepared. Retrieved on 2006-11-30.
  21. Fulton, Scott M., III (2006-10-20). "Sophos: Microsoft Doesn't Need to Open Up PatchGuard". BetaNews. http://www.betanews.com/article/Sophos_Microsoft_Doesnt_Need_to_Open_Up_PatchGuard/1161379239. Retrieved on 2007-01-22.
  22. McMillan, Robert (2007-01-19). "Researcher: PatchGuard hotfix stitches up benefit to Microsoft". InfoWorld. http://www.infoworld.com/article/07/01/19/HNpatchguardstitch_1.html. Retrieved on 2007-09-21.
  23. "Notable Changes in Windows Vista Service Pack 1". Microsoft. 2008. http://technet2.microsoft.com/WindowsVista/en/library/005f921e-f706-401e-abb5-eec42ea0a03e1033.mspx?mfr=true. Retrieved on 2008-03-20.
  24. Hines, Matt (2006-12-21). "Microsoft Gets Positive Feedback for Vista APIs". eWEEK. http://www.eweek.com/article2/0,1895,2075846,00.asp. Retrieved on 2007-07-05.
  25. Gewirtz, David (2006). "The great Windows Vista antivirus war". OutlookPower. http://www.outlookpower.com/issuesprint/issue200611/00001883.html. Retrieved on 2006-11-30. "The system's already vulnerable. People have already hacked into PatchGuard. System is already vulnerable no matter what. PatchGuard has a chilling effect on innovation. The bad guys are always going to innovate. Microsoft should not tie the hands of the security industry so they can't innovate. We're concerned about out-innovating the bad guys out there." —Cris Paden, Manager on the Corporate Communication Team at Symantec
  26. skape; Skywing (2005-12-01). "Bypassing PatchGuard on Windows x64". Uninformed. http://www.uninformed.org/?v=3&a=3. Retrieved on 2008-06-02.
  27. Skywing (December 2006). "Subverting PatchGuard Version 2". Uninformed. http://uninformed.org/index.cgi?v=6&a=1. Retrieved on 2008-06-02.
  28. Skywing (September 2007). "PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3". Uninformed. http://uninformed.org/index.cgi?v=8&a=5. Retrieved on 2008-06-02.
  29. Hines, Matt (2006-10-25). "Microsoft Decries Vista PatchGuard Hack". eWEEK. http://www.eweek.com/article2/0,1759,2037052,00.asp. Retrieved on 2007-07-30.
  30. Gewirtz, David (2006). "The great Windows Vista antivirus war". OutlookPower. http://www.outlookpower.com/issuesprint/issue200611/00001883.html. Retrieved on 2006-11-30.
  31. Espiner, Tom (2006-10-25). "EC Vista antitrust concerns fleshed out". silicon.com. http://software.silicon.com/os/0,39024651,39163525,00.htm. Retrieved on 2006-11-30.
  32. Jones, Jeff (2006-08-12). "Windows Vista x64 Security – Pt 2 – Patchguard". Jeff Jones Security Blog. Microsoft. https://blogs.technet.com/security/archive/2006/08/12/446104.aspx. Retrieved on 2007-03-11.
  33. White, Nick (2007-11-14). "Upgrade to Next Version of Windows Live OneCare Announced for All Subscribers". Windows Vista Team Blog. Microsoft. http://windowsvistablog.com/blogs/windowsvista/archive/2007/11/14/upgrade-to-next-version-of-windows-live-onecare-announced-for-all-subscribers.aspx. Retrieved on 2007-11-14.

External links

  • The Truth About PatchGuard: Why Symantec Keeps Complaining
  • An Introduction to Kernel Patch Protection
  • Microsoft executive clarifies recent market confusion about Windows Vista Security
  • Kernel Patch Protection: Frequently Asked Questions
  • Windows Vista x64 Security – Pt 2 – Patchguard

Uninformed.org articles:

  • Bypassing PatchGuard on Windows x64
  • Subverting PatchGuard Version 2
  • PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3

Working bypass approaches

  • A working driver to bypass PatchGuard 3 (including source code)

Microsoft security advisories:

  • June 13, 2006 update to Kernel Patch Protection
  • August 14, 2007 update to Kernel Patch Protection
Retrieved from "http://en.wikipedia.org/wiki/Kernel_Patch_Protection"