Kernel Patch Protection: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 14:31, 23 July 2021 edit 112.104.64.114 (talk) →Technical overview ← Previous edit		Latest revision as of 02:32, 21 December 2024 edit undo GreenC bot (talk \| contribs) Bots 3,060,429 edits Reformat 1 archive link. Wayback Medic 2.5 per WP:USURPURL and JUDI batch #20
(11 intermediate revisions by 8 users not shown)
Line 1: {{Short description\|Security feature of Microsoft Windows}} [[Image:Kernel Layout.svg\|thumb\|200px\|The [[Kernel (~~computer~~operating ~~science~~system)\|kernel]] connects the application software to the hardware of a computer.]] '''Kernel Patch Protection''' ('''KPP'''), informally known as '''PatchGuard''', is a feature of 64-bit ([[x86-64\|x64]]) editions of [[Microsoft Windows]] that prevents patching the [[Kernel (~~computer~~operating ~~science~~system)\|kernel]]. It was first introduced in 2005 with the x64 editions of [[Windows ~~XP Professional x64 Edition\|Windows XP~~Vista]] and [[Windows Server 2003]] Service Pack 1.<ref name="KPP FAQ">{{cite web \|url=http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx \|title=Kernel Patch Protection: Frequently Asked Questions Line 9 ⟶ 10: }}</ref> "Patching the kernel" refers to unsupported modification of the central component or ~~[[Kernel (computer science)\|~~kernel]] of the Windows operating system. Such modification has never been supported by Microsoft because, according to Microsoft, it can greatly reduce system security, reliability, and performance.<ref name="KPP FAQ"/> Although Microsoft does not recommend it, it is possible to patch the kernel on [[x86]] editions of Windows; however, with the x64 editions of Windows, Microsoft chose to implement additional protection and technical barriers to kernel patching. Since patching the kernel is possible in 32-bit (x86) editions of Windows, several [[antivirus software]] developers use kernel patching to implement antivirus and other security services. These techniques will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection resulted in antivirus makers having to redesign their software without using kernel patching techniques. However, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.<ref name="skape"/><ref>{{Citation \|last=dushane \|title=PatchGuardBypass \|date=2023-04-03 \|url=https://github.com/AdamOron/PatchGuardBypass \|access-date=2023-04-03}}</ref> This has led to criticism that since KPP is an imperfect defense, the problems caused to antivirus vendors outweigh the benefits because authors of [[malware\|malicious software]] will simply find ways around its defenses.<ref name="Samenuk"/><ref name="Gewirtz"/> Nevertheless, Kernel Patch Protection can still prevent problems of system stability, reliability, and performance caused by legitimate software patching the kernel in unsupported ways. ==Technical overview== Line 27 ⟶ 28: \|archive-date=3 March 2016 \|url-status=dead }}</ref> Device drivers are expected to not modify or ''patch'' core system structures within the kernel.<ref name="KPP FAQ"/> However, in [[x86]] editions of Windows, Windows does not enforce this expectation. As a result, some x86 software, notably certain security and [[antivirus software\|antivirus]] programs, were designed to perform needed tasks through loading drivers that modify core kernel structures.<ref name="Introduction"/><ref name="Fathi">{{cite web \|url=https://www.theguardian.com/technology/2006/sep/28/viruses.security \|title=Antivirus vendors raise threats over Vista in Europe \|last=Schofield \|first=Jack \|~~publisher~~work=[[The Guardian]] \|date=28 September 2006 \|access-date=20 September 2007 }} "This has never been supported and has never been endorsed by us. It introduces insecurity, instability, and performance issues, and every time we change something in the kernel, their product breaks." —Ben Fathi, corporate vice president of Microsoft's security technology unit</ref> In [[x86-64\|x64]] editions of Windows, Microsoft began to enforce restrictions on what structures drivers can and cannot modify. Kernel Patch Protection is the technology that enforces these restrictions. It works by periodically checking to make sure that protected system structures in the kernel have not been modified. If a modification is detected, then Windows will initiate a [[Fatal system error\|bug check]] and shut down the system,<ref name="Introduction"/><ref name="Patching Policy">{{cite web \|url=http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx \|title=Patching Policy for x64-Based Systems Line 43 ⟶ 44: \|date=22 January 2007 \|access-date=20 September 2007 }}</ref> with a [[Blue ~~Screen~~screen of ~~Death~~death\|blue screen]] and/or reboot. The corresponding bugcheck number is 0x109, the bugcheck code is CRITICAL_STRUCTURE_CORRUPTION. Prohibited modifications include:<ref name="Patching Policy"/> * Modifying [[System call\|system service]] descriptor tables * Modifying the [[interrupt descriptor table]] * Modifying the [[Global Descriptor Table\|global descriptor table]] * Using kernel [[Stack (abstract data ~~structure~~type)\|~~stack~~stacks]]s not allocated by the kernel * Modifying or patching code contained within the kernel itself,<ref name="Patching Policy"/> or the [[Hardware abstraction layer\|HAL]] or [[Network Driver Interface Specification\|NDIS]] kernel libraries<ref>{{cite web \|url=http://uninformed.org/index.cgi?v=3&a=3&p=7 Line 88 ⟶ 89: \|archive-date=17 August 2016 \|url-status=dead }}</ref> KPP does however present a significant obstacle to successful kernel patching. With highly [[obfuscation (software)\|obfuscated code]] and misleading symbol names, KPP employs [[security through obscurity]] to hinder attempts to bypass it.<ref name="Introduction"/><ref>{{cite web \|url=http://uninformed.org/index.cgi?v=6&a=1&p=10 \|title=Misleading Symbol Names Line 143 ⟶ 144: Microsoft's Kernel Patch Protection FAQ further explains: {{~~quotation~~blockquote\|Because patching replaces kernel code with unknown, untested code, there is no way to assess the quality or impact of the third-party code...An examination of Online Crash Analysis (OCA) data at Microsoft shows that system crashes commonly result from both malicious and non-malicious software that patches the kernel.\|{{cite web \|url=http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx \|title=Kernel Patch Protection: Frequently Asked Questions \|website=[[Microsoft]] \|date=22 January 2007 \|access-date=22 February 2007}}}} ==Criticisms== ===Third-party applications=== Some computer security software, such as [[McAfee]]'s [[McAfee VirusScan]] and [[~~NortonLifeLock~~Gen Digital\|Symantec]]'s [[Norton AntiVirus]], worked by patching the kernel on x86 systems.{{citation needed\|reason=but NIS2010/11 works on my version of WIn7x64 :/\|date=January 2011}} Anti-virus software authored by [[Kaspersky Lab]] has been known to make extensive use of kernel code patching on [[x86]] editions of Windows.<ref>{{cite web \|url=http://uninformed.org/index.cgi?v=4&a=4&p=10 \|author=Skywing Line 198 ⟶ 199: \|publisher=[[Trend Micro]] USA \|access-date=5 October 2007 \|archive-date=8 February 2012 \|archive-url=https://web.archive.org/web/20120208124040/https://imperia.trendmicro-europe.com/us/products/enterprise/officescan-client-server-edition/system-requirements/index.html \|url-status=dead }}</ref> [[Grisoft]] AVG,<ref>{{cite web \|url=http://www.grisoft.com/doc/324/us/crp/3 Line 228 ⟶ 232: \|author=McMillan, Robert \|publisher=[[InfoWorld]] }}</ref> Instead, Microsoft worked with third-party companies to create new [[API\|Application Programming ~~Interface~~Interfaces]]s that help security software perform needed tasks without patching the kernel.<ref name="Allchin"/> These new interfaces were included in [[Windows Vista#Service Pack 1\|Windows Vista Service Pack 1]].<ref>{{cite web \|url = http://technet2.microsoft.com/WindowsVista/en/library/005f921e-f706-401e-abb5-eec42ea0a03e1033.mspx?mfr=true \|title = Notable Changes in Windows Vista Service Pack 1 Line 323 ⟶ 327: \|date=12 August 2006 \|work=Jeff Jones Security Blog \|archive-date=9 December 2008 \|archive-url=https://web.archive.org/web/20081209034856/http://blogs.technet.com/security/archive/2006/08/12/446104.aspx \|url-status=dead }}</ref> Still, for other reasons a x64 edition of Windows Live OneCare was not available until November 15, 2007.<ref>{{cite web \|url = http://windowsvistablog.com/blogs/windowsvista/archive/2007/11/14/upgrade-to-next-version-of-windows-live-onecare-announced-for-all-subscribers.aspx Line 341 ⟶ 348: ==External links== {{usurped\|1=[https://web.archive.org/web/20070217053224/http://www.windows-now.com/blogs/robert/archive/2006/08/12/PatchGuard-and-Symantecs-Complaints-About-Windows-Vista.aspx The Truth About PatchGuard: Why Symantec Keeps Complaining]}} [https://web.archive.org/web/20061124094344/http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx An Introduction to Kernel Patch Protection] [https://web.archive.org/web/20070205155710/http://www.microsoft.com/security/windowsvista/allchin.mspx Microsoft executive clarifies recent market confusion about Windows Vista Security] [http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx Kernel Patch Protection: Frequently Asked Questions] *[https://blogs.technet.com/security/archive/2006/08/12/446104.aspx Windows Vista x64 Security – Pt 2 – Patchguard] {{Webarchive\|url=https://web.archive.org/web/20081209034856/http://blogs.technet.com/security/archive/2006/08/12/446104.aspx \|date=2008-12-09 }} '''Uninformed.org articles:'''