Wayne Frazee.com
Login
A Security Vendor Finally Gets It about Vista In Public
  • Home
  • Scribblings
  • Avanade
  • Antivirus hubbub about releasing Windows Vista

Originally posted at http://blog.avanadeadvisor.com/blogs/waynea

This past monday, Sophos came out and stated on the record that they could not understand why Symantec and McAfee were going on about Microsoft's plan to protect the Windows Kernel.

Its about time someone figured this out.

The Security Vendor v. Microsoft Debacle

First, some context:
http://www.forbes.com/technology/security/2006/10/24/sophos-microsoft-vista-cx_ll_1023sophos.html
http://www.securityfocus.com/brief/335

And a take from SecurityFocus on Kernel Patch Protection:
http://www.securityfocus.com/brief/268

And the actual Sophos take on the subject:
http://www.sophos.com/pressoffice/news/articles/2006/10/vista-admins.html
http://www.sophos.com/pressoffice/news/articles/2006/10/sophos-vista.html

And Microsoft's recent statements on the subject:
http://www.regdeveloper.co.uk/2006/10/24/microsoft_at_rsa/
http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx

And, Microsoft's take on the support it has provided to Security Companies:
http://today.reuters.com/news/articlenews.aspx?type=technologyNews&storyID=2006-10-21T232638Z_01_L19161800_RTRUKOC_0_US-MICROSOFT-SECURITY.xml
http://today.reuters.com/news/articlenews.aspx?type=technologyNews&storyID=2006-10-19T001918Z_01_L18922351_RTRUKOC_0_US-MICROSOFT-EU.xml

As usual, Ars Technica boils it all down for us:
http://arstechnica.com/articles/culture/microsoft-antivirus.ars/1

Security has always been something that has interested me and I would submit that the development and release process for Microsoft Windows Vista has been one of the most publicly disclosed processes that we have had the opportunity to observe in the public domain.   If you have read all that... you realize that what it looks like is a fight over programming methodology. 

API v. Kernel Mode Code

I will preface this with re-iterating previous statments at the onset... I am not a programmer.  I do not claim to be.  I have a little bit of scripting work and some Linux based software development experience. 

From my point of view, the whole debate seems to boil down to this:

[Vendors]: We should be allowed to insert our own kernel mode code.
[Microsoft]: You dont need kernel mode access. We have an API for nearly every function the kernel executes, including access to the HAL which provides hardware access.  If you use the APIs appropriately, you dont have to insert your own code into the kernel.  Plus, if we do it this way, we can make 100% sure that we can tripwire the kernel to avoid rootkits and functional subversion.
[Vendors]: Your APIs are incomplete for what we want to have the freedom to do on your software.
[Microsoft]: We will give you better APIs and are willing to talk with you to find out what you need to do and help you do it.  We promised the EU thats what we would do, so here we are.
[Vendors]: We don't have the APIs yet, and anyway, thats not good enough, we want to be able to use our own kernel-mode code.

32 bit Vista Not Even Affected

There are two points I want to make here: 

First, the 32 bit version of Vista is not even affected by the Kernel Protections!  32bit Windows Vista will be much the same as XP is in terms of the security model.  This entire fight is really over the 64-bit implementation of the future (and frankly this is the platform that will be going mainstream over the Vista release cycle).

Second, a LOT of this entire battle depends on when, exactly, Microsoft releases the APIs that will allow the vendors access functions that are normally kernel mode and, at issue, how much the developers really need these additional APIs in the first place.

Architecture Gone Awry

The 32bit OS approach to modifying the kernel in order to use elevated privleges to audit system operations and file system access was always a less than optimal implementation in the first place.  Adding code, despite the fact that it is supposed to be protective code, as a primary function for kernel operation is never a positive function given that you now have an additional codebase to provide a threat vector against core system operation.  Towards the end of the 90's every virus and its brother would break symantec first, before doing anything else on a system.  Not only that, but the antivirus client itself provided a vector for a number of vulnerabilities as you can see at http://www.securityfocus.com/bid by choosing the Vendor "Symantec" and then looking through the results.  No code is perfect.  You are taking base vulnerabilities in the Windows kernel and then adding on top of it vulnerabilities that are also in your own code, which you have now modified the system pointers table to include your code. 

That leads us to the present.  The present argument between vendors and Microsoft is that Microsoft has essentially broken the architecture by which these antivirus vendors have been making antivirus protection for years now.  They want to keep doing it the same way.  Sophos' response on the issue is "Hey guys, so you cant do it the same way you always have.  You just did not plan for the new release.  We got with Microsoft, looked at what APIs are availible, and we looked at another way of doing heuristic detection.  We work you dont.  Stuff it up and get with the program."  They, of course, were a bit more eloquent with the press release they made on the web but the content was essentially the same.

And to a certain degree sophos has a point.  64-Bit computing offered Microsoft a clean slate opportunity to revise some aspects of the way the system works with respect to protecting the windows core functions.  Kernel protection is essentially a tripwire system that will detect changes made to these core files and throw them out, a virtal part of any intrusion or rootkit detection system.  Its inherently more secure to do it this way and makes no sense for Microsoft to alternatively allow any developer that wants to an easy method to modify the kernel, replacing system calls with thier own version of the same function.

Getting a Grip

What it really feels like in the whole debate is that the antivirus vendors need to come to grips with reality.  Kernel protection is not going away.  You have to modify your approach for what is essentially a new and ultimately neccessary method of protecting the kernel-mode area of windows to grant Windows the resistance to attack that these same vendors have called for in past years.  Why the security vendors are waiting until now to really start to complain about the approach rather than having spent this time working out a new architecture that will work is beyond me.  APIs are coming but there is no telling when the full structure of them will be out and availible and, even if they are availible, just what form the full API will take.  Microsoft is working with its EU obligations and making the offer to these vendors to get them APIs when they can, and in the meantime, to help them find ways to make thier software work. 

At this point, I am thinking Stop whining about the the security features, and work on moving forward with existing API documentation and the technical assistance that Microsoft is offering via conference and making product teams availible.

All content and materials Copyright ©2004 by Wayne S. Frazee. All Rights Reserved.

Please note that the postings on this site, including news, scribblings, past writings, posted files, and other material, are my own and don't necessarily represent neither Avanade's nor Avanade's Customers' positions, strategies or opinions nor that of any organization I have previously worked with or represented.