Symantec Vista White Paper Links to PatchGuard Crack
In a curious decision on the part of a security software company, a white paper released today on the Web site of Symantec - whose opinions of Microsoft's implementation of PatchGuard protection on 64-bit Windows Vista are well known - contains the address of an independent research paper which includes a demonstration of defeating PatchGuard, complete with source code, in an early Vista beta.
The address of the PDF white paper entitled "Bypassing PatchGuard on Windows x64" -- which was released in December 2005 and has since acquired a modicum of fame and respect -- is located in Symantec's 16-page analysis of Microsoft's security technologies, in a footnote to this sentence: "As demonstrated during the development process of Windows Vista and during its release, hackers can and will subvert PatchGuard."
One of the linked paper's authors, however - a professional developer and Microsoft MVP named Ken Johnson, using the handle Skywing - is certainly no "hacker" in the negative sense of the word: he works for a company that produces virtual private network software for Windows and performs legitimate reverse engineering as a hobby. Johnson originally co-authored the thoughtful and well-researched paper as a wake-up call for Microsoft well before Vista's release.
"In the interest of not identifying a problem without also proposing a solution," Johnson and his co-author wrote in the paper's conclusion, "each bypass technique [presented here] has an associated list of ways in which the technique could be mitigated by Microsoft in the future."
Symantec's reference to Johnson's work comes by way of a newly refreshed indictment of Microsoft's PatchGuard technology, whose purpose in 64-bit Vista is to deny unauthenticated programs direct access to the system kernel. While the technology was designed to disable rootkits, it also prevents anti-virus programs, including Symantec's and McAfee's, from detecting when other unauthorized programs attempt to bypass the system - whether or not such attempts would succeed if left unmonitored.
In its white paper, Symantec lumped PatchGuard together with two other Microsoft technologies formally adopted by Vista: code integrity for ensuring the legitimacy of installed executables by means of hash signatures of their binary contents, and driver signing for verifying the authenticity of low-level programs written by third parties.
"The kernel integrity protection mechanisms that are present on 64-bit Windows Vista can only be described as a bump in the road," Symantec's paper suggests. "That is, while these technologies may slow down an attacker, they may not provide a meaningful defense against a determined one."
Researchers for Symantec's paper analyzed all three 64-bit Vista security innovations, and came to a dire conclusion: "Results have shown that all three technologies can be permanently disabled and removed from Windows Vista after approximately one man-week of effort. A potential victim need make only one mistake to become infected by a threat that does the same."
But as if that didn't say enough, the paper then makes a very sweeping and potentially unsubstantiated claim: that all three technologies are left capable of being "stripped from Windows Vista in their entirety." Later in the paper, Symantec did demonstrate how a group policy object editor can be used (by design) to turn off a different Vista security feature, User Account Control - which halts the system and notifies the user whenever a system-changing event is about to occur. Many security firms, among others, have characterized UAC as more likely to be seen by users as an annoyance than as a feature, and therefore likely to be turned off anyway.
Symantec advises against doing so, however, and in its paper's conclusion gently admonishes users at large for even thinking about such things - even when someone else puts the idea in their heads. "Symantec continues to see the user as the weakest link," the paper concludes, "as social engineering attacks become more elaborate in order to undermine the security technologies within Windows Vista."
But in the conclusion to Johnson's 2005 treatise, ironically, he just as gently chastises large security companies - Symantec being named among them later - for paying less attention to the details and engineering of PatchGuard bypasses than even Microsoft.
"While security software vendors may not make use of techniques used to bypass PatchGuard due to marketing and security concerns," Johnson wrote, "it can certainly be said that malicious code will. As such, malicious code actually gains an upper-hand in the competition since security vendors end up with their hands tied behind their back. In order to address this concern, Microsoft appears to be willing to work actively with vendors to ensure that they are still able to accomplish their goals through more acceptable and documented approaches."
Since Johnson's writing, Microsoft has pledged to open up avenues for legitimate kernel access to security companies, in a technology update the company says will be part of Vista Service Pack 1.
But Johnson went on: "Another important question to consider is whether or not Microsoft will really break a vendor that has deployed a solution to millions of systems that happens to disable PatchGuard through a bypass technique. One could feasibly see a McAfee or Symantec doing something like this, although Microsoft would hope to leverage their business ties to ensure that McAfee and Symantec did not have to resort to such a technique. The fact that McAfee and Symantec are such large companies lends them a certain amount of leverage when negotiating with Microsoft, but the smaller companies are most likely going to not be subject to the same level of respect and consideration."
Maybe...maybe not. While it is a noteworthy company in its own right, Sophos is indeed smaller than McAfee or Symantec, and yet it states that Microsoft has been most forthcoming in its partnership on security issues.
In a post last month to his personal blog, Ken Johnson predicted that Microsoft is indeed learning significant lessons from its deployment of PatchGuard - lessons the company may very well put to use in its next operating system revision. There, Johnson believes, Microsoft will pair PatchGuard with virtualization technology to produce a patch-proof system that Symantec and others will truly have to reckon with, by means other than open complaints.
Johnson writes: "When PatchGuard is hypervisor-backed, it won't be feasible to simply patch it out of existence, which means that ISVs will either have to comply with Microsoft's requirements or find a way to evade PatchGuard entirely."