Agnitum's opinion (Score 1)
Agnitum's technical brief about Microsoft's approach to Kernel Patch Protection has sparked intense discussion at Digg/Slashdot.
May we participate in the debate?
Agnitum believes Microsoft's motivation for introducing Kernel Patch Protection is clear. It is attempting to better protect the typical user of Windows XP x64 and Server 2003 x64 from rootkit vulnerabilities.
Unfortunately, the approach taken by Microsoft limits the ability of third-party software developers to protect Vista users from other vulnerabilities inherent to Windows. This affects not just Agnitum. It affects Zone Labs, McAfee, Symantec and other developers of security software.
Third-party security software uses a variety of approaches to protect Windows users. As we noted in the technical brief, http://www.agnitum.com/news/kernel_patch_protection.php:
"One of the most commonly used approaches to implementing proactive protection involves changing and monitoring the Service Dispatch Table (SDT), which is used by the OS to transfer control from user-mode to kernel (low-level system mode)."
Developers who need deep kernel integration often patch the kernel by changing the service number in the SDT, and when a call is made to invoke a system service, the third-party code is invoked instead of the kernel code -- and the third-party code then returns control to the operating system.
Kernel patch protection in the x64 versions of XP removes the ability of developers to legitimately change the service number in the SDT by hiding it - but imposes no such restriction on hackers.
Which is the point we are trying to make. On the one hand, kernel patch protection makes it more difficult for security software to defend Windows from attack. On the other hand, "surprise kernel patches" open Windows to new, broad attack. And please also note that there is no such thing as a secure firewall if that firewall lacks deep OS integration.
This is not progress. Microsoft's approach forces users to rely on Microsoft and only Microsoft for operating-system security. If past experience is anything to go by, we know that third-party security tools are more robust and provide better protection than what Microsoft offers.
Clearly, kernel patch protection in its current form is not perfect. Yes, Microsoft is correct in wanting to protect users from rootkits. However, from my point of view, it is more necessary to introduce security measures that do not make users more vulnerable.
Igor Pankov,
Product Marketing Manager at Agnitum
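The SDT mechanism the post describes, modelled as an added user-mode example (not Agnitum's code and not a real kernel): a service-number table, a monitor entry that takes the call and returns control to the original handler, and a patch-protection style integrity check that reports which entry changed. All names and the three toy services are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed user-mode model of a Service Dispatch Table (SDT):
 * service number -> handler. Nothing here touches a real kernel. */
typedef long (*service_fn)(long);

static long svc_open(long a)  { return a + 1; }
static long svc_read(long a)  { return a * 2; }
static long svc_close(long a) { return a - 1; }

#define NUM_SERVICES 3
static service_fn sdt[NUM_SERVICES] = { svc_open, svc_read, svc_close };

/* Dispatcher: the OS-side transfer from a service number to its handler.
 * Returns -1 for an unknown service number. */
long dispatch(int svc, long arg) {
    return (svc >= 0 && svc < NUM_SERVICES) ? sdt[svc](arg) : -1;
}

/* "Proactive protection" entry as the post describes it: the slot for
 * svc_read is pointed at monitor code, which records the call and then
 * returns control to the original handler. */
static service_fn original_read;
static int monitored_calls;
static long monitor_read(long a) { monitored_calls++; return original_read(a); }

void install_monitor(void) { original_read = sdt[1]; sdt[1] = monitor_read; }
void remove_monitor(void)  { sdt[1] = original_read; }
int  monitored_call_count(void) { return monitored_calls; }

/* Patch-protection style integrity check: snapshot the table once, then
 * report the first entry whose pointer no longer matches (-1 if intact).
 * The check cannot tell a security product's monitor from a rootkit's
 * hook; that is the distinction the post argues KPP erases. */
static service_fn baseline[NUM_SERVICES];
void kpp_take_baseline(void) { memcpy(baseline, sdt, sizeof sdt); }
int kpp_check(void) {
    for (int i = 0; i < NUM_SERVICES; i++)
        if (sdt[i] != baseline[i]) return i;
    return -1;
}
```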