Sophos on Symantec's Vista Complaints
The scope of security vendor Symantec's recent set of complaints against Microsoft concerns a forthcoming feature of Windows Vista called PatchGuard, which Microsoft describes as a facility that protects the operating system kernel against being patched or rewritten by an outside, unauthorized source - for instance, a rootkit.
"Patching fundamentally violates the integrity of the Windows kernel," reads an August 11 blog post by Microsoft kernel security architect Scott Field, "and is undocumented, unsupported and has always been discouraged by Microsoft." Without explaining exactly how PatchGuard will do this - for obvious reasons - Field makes the promise that, "If the operating system detects an unauthorized patch of certain data structures or code it will initiate a shut down of the system."
Ostensibly, Symantec's argument, as reported yesterday by the Associated Press, is that Microsoft is using this new mechanism as a way to entrench itself in the software security space - to provide a class of security feature that competitors cannot.
"Microsoft is using their dominant position," Symantec vice president for consumer engineering Rowan Trollope told the AP, "to regulate what security can be provided on their system and how that security is provided."
But the technical argument runs deeper. The AP report says Symantec is seeking certain interface information that Microsoft plans to use for its own Vista security suite, called Defender, along with other information. Symantec told the AP it feels Microsoft used to provide this information freely as a matter of course, but now provides it only to partners.
Based on available data, Symantec may also be seeking information on PatchGuard, specifically to see how Microsoft plans to secure the kernel, under the theory that if Microsoft closes off the kernel to everyone, third parties such as Symantec cannot offer their customers alternatives.
No Symantec spokespersons were available for comment to BetaNews today, perhaps because the company may be making good on its threat - described in the AP story yesterday - to raise its new round of complaints to the European Commission, which is already investigating other Symantec complaints on different aspects of Vista.
But we wondered, if Microsoft's choice not to provide, shall we say, "interoperability information" about PatchGuard truly does hurt security vendors, then why wouldn't it hurt them all equally? Why does Symantec appear to be alone in this particular round of complaints?
BetaNews approached Sophos, which is a Microsoft "Gold Partner," and a member of a group that Symantec's Trollope characterized yesterday for the AP as receiving privileged information first, at the expense of rivals. (Symantec was a certified partner with Microsoft earlier this year, and that relationship does not appear to have been officially terminated, despite recent circumstances.)
"I think that the industry as a whole is trying to come to terms with exactly what it is that Microsoft is going to accomplish through its introduction of PatchGuard," Ron O'Brien, senior security consultant with Sophos, told BetaNews. "But from what we have learned in our dialog with Microsoft, which is ongoing, the objection on the part of some vendors is that PatchGuard will prevent access to the kernel, which is that very basic level of the operating system where people feel that they may need to go, in order to provide a total security solution."
Conceivably, if Sophos wanted to provide a "total security solution," given this new set of circumstances, wouldn't it need to understand some of PatchGuard's secrets? Surprisingly, O'Brien told us no. "At this point in time, Sophos does not see the need to be able to access the kernel within the Microsoft operating system," he said.
"If there is a point in time where the kernel becomes the subject of malware being written specifically to it, then I would expect that we would go back to Microsoft and tell them we need to be able to access the kernel. But at this point, it doesn't appear to be necessary."
Nothing about the way PatchGuard works, O'Brien reiterated, would hinder Sophos' architecture for an enterprise security suite. In fact, he argued, if Microsoft wants to use its own methods to close off the kernel, that's a good thing. There's no need for some other company, in the name of security, to pry the kernel open again just to learn how it can be pried open, so that it can then devise a way to seal it closed.
As Scott Field wrote on his Microsoft blog, "We have also been asked to provide a supported way for 'known good' vendors to continue hooking the kernel but prevent others from doing so. Unfortunately, there is no reliable mechanism for us to distinguish between 'known good' software and malicious software. Moreover, we cannot prevent a malicious software author from 'bundling' purportedly good software in an attempt to thwart the system. Even if we could include such a mechanism, it's unclear if we could use this mechanism to selectively allow kernel hooking in a manner that provides an acceptable trade off between performance and reliability and security."
"The impression that I have so far is that Microsoft is going to be offering a very basic level of protection," Sophos' O'Brien remarked. "In fact, PatchGuard is actually designed to prevent malware writers from being able to access the kernel... If there is a point in time in which the kernel and the accessibility to the kernel is compromised, then we would need to work with Microsoft to be able to access the kernel and correct whatever changes had been made by whatever malware was written to it."
Microsoft did not comment today on Symantec's recent round of complaints, and may be withholding comment until it learns what Symantec intends to do with the European Commission. But for now, at least its partners are helping to frame an affirmative defense for the company.
For years, security vendors have insisted that Microsoft do something to secure the kernel. Now that it looks like Microsoft may actually be doing so (putting aside all doubts, for the moment, about how long it holds up), competitors are insisting, the argument goes, that they be taught how Microsoft is doing it so they can follow suit. But giving PatchGuard an "API," if you will, would be contrary to the purpose of the device itself - like attaching an entryway to a sarcophagus.
Sophos' Ron O'Brien was willing to concede the following: "Both Symantec and McAfee, frankly, have a very large consumer customer base, which would potentially be at risk if Microsoft were to enter that market. So I look at that as being a kind of extenuating circumstance."