Detailed Information
Is 64 Bit Windows more secure?
Dec 13, 2005 Deb Shinder
http://www.windowsecurity.com/articles/64-Bit-Windows-More-Secure.html
Both Windows Server 2003 and Windows XP now come in 64 bit versions, to
run on the 64 bit processors made by Intel and AMD. 64 bit hardware and
operating systems offer some big advantages over the currently more
commonplace 32 bit systems, including the ability to handle more physical
memory and big performance boosts for applications that are written for
the 64 bit system.
Note: There are two 64 bit architectures. The Intel Itanium 64 bit
processor family that uses explicitly parallel instruction computing
(EPIC) technology is known as IA64; the AMD Opteron and Xeon with extended
memory 64 technology is known as x64.
If you’ve been considering upgrading your servers and/or client machines
to 64 bit Windows, you may be wondering: what about security? Moving to
the new systems will likely make your computing tasks faster, but will it
make them more or less secure? Network professionals have even more reason
to consider these questions now; in November 2005 at the IT Forum in
Barcelona, Spain, Microsoft announced that several of its upcoming
products will be made only in 64 bit versions. These include:
• Exchange Server 12
• Longhorn Small Business Server
• Longhorn Server R2
• Centro (Microsoft’s recently announced mid-market solution that bundles
Longhorn Server, the next version of Exchange and the next version of ISA
Server, along with System Center management tools)
In this article, we’ll take a look at security issues regarding the
relatively new 64 bit Microsoft operating systems.
Why upgrade anyway?
A 64 bit processor can handle twice as much data at a time. That means
processor-intensive activities will go much faster.
Processor-intensive activities include video editing and numbers
crunching, as well as 3D gaming (it’s no coincidence that the first group
to adopt 64 bit machines have been serious gamers).
Another advantage, and in some cases a bigger one, is that 64 bit systems
can utilize more RAM. A 32 bit processor can only address 4 GB of RAM. A
64 bit processor can theoretically access 18 exabytes. Windows XP Pro 64
bit Edition supports 128 GB of RAM and 16 terabytes of virtual memory.
Note: An exabyte is a billion gigabytes. A terabyte is a thousand
gigabytes.
The old “security through obscurity” issue. One reason Windows and
applications such as Internet Explorer are the target of more attacks is
that, for the attacker, they present a much larger attack surface than
operating systems and applications with a much lower market share.
Although “security through obscurity” is held in disdain by most security
pundits, it does work to the extent that more obscure targets attract
statistically fewer attacks. Because 64 bit Windows is much less commonly
deployed at this time than its 32 bit cousins, few malware authors have
turned their attention to it. Of course, this advantage will fade as the
64 bit operating systems become more widely adopted.
In fact, in 2004, Symantec reported the first virus written to infect 64
bit machines, called Shruggle. In May 2005 they reported a second 64 bit
virus, written to infect Windows portable executables (PE files), called
Rugrat. These won’t run on 32 bit platforms and were apparently created as
proof of concept viruses, with very few infections in the wild ever
reported.
This doesn’t mean your 64 bit system is safe from all malware written for
32 bit computers. Many 32 bit programs will run on the 64 bit OS. However,
programs that run in kernel mode won’t. This means that some of the most
dangerous malicious programs won’t run on 64 bit Windows. Unfortunately,
that’s not all it means.
Note: 64 bit Windows operating systems run 32 bit applications by using an
x86 emulator called Windows on Windows 64 or WOW64. WOW64 won’t run older
16 bit applications. IA64 doesn’t natively support WOW64.
Less protection for 64 bit machines?
One reason many companies and individuals have not yet upgraded to 64 bit
Windows is the relative lack
of security software such as antivirus programs. That’s because most AV
programs do hook into the Windows kernel, so they have to be rewritten to
run on 64 bit Windows. For example, Panda Titanium gives an “Unknown OS”
message when you try to run it.
Symantec’s Antivirus Corporate Edition v.10 does support the x64 version
of Windows, and so does McAfee’s VirusScan Enterprise 8.01, but most of
the major AV vendors haven’t yet released 64 bit versions of their
products for standalone desktop machines and don’t plan to do so until
2006. There are some AV vendors that already have software out that
supports both x64 and IA64.
These include:
• Avast. This includes their free edition. The same package is used for 32
bit and 64 bit installations; the software detects which operating system
it’s installing on and uses the appropriate drivers.
• The latest version of AVG Professional now supports 64 bit platforms.
• Tiny Firewall has released a public beta of a native 64 bit version that
supports IA64 and x64.
The same problem applies to personal firewall software. McAfee Personal
Firewall v.6 doesn’t work on 64 bit systems. Sygate’s personal firewall
fails to start. ZoneAlarm 5.5 doesn’t work, although Zone Labs has said
they would have a 64 bit compatible version by the end of 2005.
The good news is that most anti-spyware programs, including Microsoft’s,
will run on 64 bit systems.
No more rootkits?
There’s more good news: the current rootkits that have been written for 32
bit systems, including the infamous Sony music CD rootkit, don’t work in
the 64 bit OS. That’s because when updating the kernel code for the 64 bit
version, Microsoft programmers took the opportunity to include a “patch
guard” – code that is part of the kernel and makes it impossible to install
a patch in a running kernel (which kernel mode rootkits do on 32 bit
systems).
Likewise, processor vendors had an opportunity, in making the new 64 bit
processors, to include security mechanisms. Both AMD and Intel include
code in their 64 bit products to prevent the exploitation of buffer
overflow and buffer underrun conditions.
Boosting security performance
64 bit processing will also make some security mechanisms work better – or
at least, faster. For example,
encryption is a very processor-intensive task. Encrypting and decrypting
data can result in a performance hit on 32 bit systems, but 64 bit systems
will be able to perform encryption tasks much more quickly. This will make
it more convenient for more people to use encryption technologies such as
EFS, IPsec and SSL, resulting in better security for confidential files
and network transmissions.
Summary: The decision on whether to upgrade to 64 bit machines will be
based on a number of factors: cost, performance needs, and security
considerations are all likely to be part of the mix. Enterprise customers
can safely upgrade now, with antivirus software from major vendors
available in corporate versions and with their machines behind perimeter
firewalls. You’ll reap some security benefits right away, such as the lack
of viruses and rootkits that target the 64 bit platform. Home and small
business users, however, who rely on personal firewalls and personal
editions of AV software, may want to wait until those products are more
widely available before taking the plunge.
Another Good Article with photos: Build A Vista-Ready 64-Bit PC For Under
$500 (3/06 prices)
http://content.techrepublic.com.com/2346-10878_11-3487.html?tag=gald
64-bit microprocessor rundown as of 2006:
http://en.wikipedia.org/wiki/AMD64#Differences_between_AMD64_and_EM64T
x86-64 is a 64-bit microprocessor architecture and corresponding
instruction set; it is a superset of the x86 architecture, which it
natively supports. It was designed by Advanced Micro Devices, which
markets it under the name AMD64. This architecture has also been adopted
under the names EM64T, IA-32e, and Intel64[1] by Intel. The names x86-64
or x64 are sometimes used as vendor-neutral terms to collectively refer to
the two nearly identical implementations.
The AMD64 instruction set is currently implemented in AMD's Athlon 64,
Athlon 64 FX, Athlon 64 X2, Turion 64, Opteron and later Sempron
processors.
The following processors implement the x86-64 architecture:
• AMD K8
o AMD Athlon 64
o AMD Athlon 64 X2
o AMD Athlon 64 FX
o AMD Opteron
o AMD Turion 64
o AMD Sempron ("Palermo" E6 stepping and all "Manila" models)
• Intel NetBurst (EM64T)
o Intel Xeon (some models since "Nocona")
o Intel Celeron D (some models since "Prescott")
o Intel Pentium 4 (some models since "Prescott")
o Intel Pentium D
o Intel Pentium Extreme Edition
• Intel Core microarchitecture (EM64T)
o Intel Xeon ("Woodcrest")
o Intel Core 2
During much of AMD's history, they have produced processors patterned
after Intel's, but, in an ironic twist of computing history, AMD64 has
been adopted (under the name EM64T or IA-32e) by Intel — the original
creators of the x86 processor line—in newer versions of its Pentium 4,
Pentium D, Pentium Extreme Edition, Celeron D, and Xeon processors, and in
its Core 2 processors.
Intel implementations
EM64T was originally implemented on the E revision (Prescott) of the
Pentium 4 line of microprocessors, which were supported by the i915P
(Grantsdale) and i925X (Alderwood) chipsets in June 2004. EM64T's
implementation was largely due to the competitive pressure of AMD's AMD64
technology, implemented on the Opteron and Athlon 64 lines of
microprocessing units (otherwise known as the K8 core) one year earlier in
2003; the technology was largely built to be compatible with AMD64 and with
the then-announced Windows XP Professional x64 Edition supporting AMD64
technology. Intel's
first processor to activate the EM64T technology was the multi-socket
processor Xeon codenamed Nocona. Since the Nocona Xeon itself is directly
based on Intel's desktop processor, the Pentium 4, the Pentium 4 also has
EM64T technology built in, although as with Hyper-Threading, this feature
was not initially enabled on the then-new Prescott design, likely because
enabling EM64T did not coincide with Intel's stance on x86-64 extensions
at that particular time. Intel has since begun selling EM64T enabled
Pentium 4s using the E0 revision of the Prescott core, being sold on the
market as the Pentium 4, model F. However, the revision F core was
targeted at workstations. Intel's official launch of EM64T to desktop was
the N0 Stepping Prescott-2M. The E0 revision also adds eXecute Disable (XD)
support, Intel's name for the NX bit, to EM64T, and has been included in
the current Xeon codenamed Irwindale. All 9xx/8xx/6xx/5x6/5x1/3x6/3x1
series CPUs have EM64T enabled, as do the Core 2 CPUs, and as will all
future Intel CPUs. EM64T is also present in the last members of the
Celeron D line.
The first Intel mobile processor supporting EM64T is the Merom version of
the Core 2 processor, which was released on 27 July 2006. None of Intel's
earlier notebook CPUs (Core Duo, Pentium M, Celeron M, Mobile Pentium 4)
support EM64T.
Common 64-bit processors in 2006:
• Intel's IA-64 architecture (used in Intel's Itanium CPUs)
• AMD's AMD64 architecture, a 64-bit version of the x86 architecture (used
in AMD's Athlon 64, Opteron, Sempron, and Turion 64 CPUs). Intel now uses
the same instruction set, calling it EM64T, IA-32e, and Intel64.
Differences between AMD64 and EM64T
http://en.wikipedia.org/wiki/AMD64#Differences_between_AMD64_and_EM64T
There are a small number of differences between each
instruction set. Compilers generally produce binaries that target both
AMD64 and EM64T, making the differences mainly of interest to compiler
developers and operating system developers.
Currently:
• EM64T's BSF and BSR instructions act differently when the source is 0
and the operand size is 32 bits. The processor sets the zero flag and
leaves the upper 32 bits of the destination undefined.
• AMD64 supports 3DNow! instructions. This includes prefetch with the
opcode 0x0F 0x0D and PREFETCHW, which are useful for hiding memory
latency.
• EM64T lacks the ability to save and restore a reduced (and thus faster)
version of the floating-point state (involving the FXSAVE and FXRSTOR
instructions).
• EM64T lacks some model-specific registers that are considered
architectural to AMD64. These include SYSCFG, TOP_MEM, and TOP_MEM2.
• EM64T supports microcode update as in 32-bit mode, although it has been
rumored that AMD processors have supported programmable microcode (an
undocumented feature) for years.
• EM64T's CPUID instruction is very vendor-specific, as is normal for
x86-style processors.
• EM64T supports the MONITOR and MWAIT instructions, used by operating
systems to better deal with Hyper-threading.
• AMD64 systems allow the use of the AGP aperture as an IO-MMU. Operating
systems can take advantage of this to let normal PCI devices DMA to memory
above 4 GB. EM64T systems require the use of bounce buffers, which are
slower.
• SYSCALL and SYSRET are also only supported in IA-32e mode (not in
compatibility mode) on EM64T. SYSENTER and SYSEXIT are supported in both
modes.
• Near branches with the 0x66 (operand size) prefix behave differently.
One type of CPU clears only the top 32 bits, while the other type clears
the top 48 bits.
Previously:
• Early AMD64 processors lacked the CMPXCHG16B instruction, which is an
extension of the CMPXCHG8B instruction present on most post-486
processors. Similar to CMPXCHG8B, CMPXCHG16B allows for atomic operations
on 128-bit double quadword (or oword) data types. This is useful for high
resolution counters that could be updated by multiple processors (or
cores). Without CMPXCHG16B the only way to perform such an operation is by
using a critical section.
• Early Intel CPUs with EM64T lacked LAHF and SAHF instructions supported
by AMD64 until introduction of Pentium 4 G1 step in December 2005. LAHF
and SAHF are load and store instructions, respectively, for certain status
flags. These instructions are used for virtualization and floating-point
condition handling.
• Early Intel CPUs with EM64T also lack the NX bit (No Execute bit) of the
AMD64 architecture. The NX bit marks memory pages as non-executable,
allowing protection against many types of malicious code.
• Originally EM64T hardware allowed access only to 2^36 bytes of memory,
while AMD64 systems can handle up to 2^40 bytes (with planned expansion to
2^56 bytes). However, as of recent publications, EM64T now provides 2^40
bytes of memory access.
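The differences listed above (NX, LAHF/SAHF in 64-bit mode, CMPXCHG16B, SYSCALL, MONITOR/MWAIT, 3DNow!) and the hardware buffer-overflow protection mentioned in the Shinder article are all exposed through the CPUID instruction, so a defender can verify on a given machine whether long mode and the NX bit are actually present before counting on them. The following C program is an added example, not code from any of the articles above; it uses GCC's `<cpuid.h>` helpers, keeps the bit decoding in a pure function so it can be checked against constructed register values, and the bit positions are taken from the public Intel and AMD CPUID documentation (leaf 1 ECX, extended leaf 0x80000001 ECX/EDX).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Feature bits behind the AMD64/EM64T differences discussed above.
 * Positions follow the public Intel and AMD CPUID documentation. */
#define LEAF1_ECX_MONITOR  (1u << 3)   /* MONITOR/MWAIT            */
#define LEAF1_ECX_CX16     (1u << 13)  /* CMPXCHG16B               */
#define EXT1_ECX_LAHF_LM   (1u << 0)   /* LAHF/SAHF in 64-bit mode */
#define EXT1_EDX_SYSCALL   (1u << 11)  /* SYSCALL/SYSRET           */
#define EXT1_EDX_NX        (1u << 20)  /* NX / XD (no-execute)     */
#define EXT1_EDX_LM        (1u << 29)  /* long mode (x86-64)       */
#define EXT1_EDX_3DNOW     (1u << 31)  /* 3DNow! (AMD only)        */

struct cpu_features {
    char vendor[13];          /* e.g. "AuthenticAMD" or "GenuineIntel" */
    int long_mode, nx, lahf_lm, cx16, syscall, monitor, threednow;
};

/* Pure decoder: turns raw CPUID register values into named flags, so the
 * logic can be exercised offline with constructed register values. */
void decode_features(const char *vendor, uint32_t leaf1_ecx,
                     uint32_t ext1_ecx, uint32_t ext1_edx,
                     struct cpu_features *f)
{
    memset(f, 0, sizeof *f);
    memcpy(f->vendor, vendor, 12);
    f->vendor[12] = '\0';
    f->monitor   = !!(leaf1_ecx & LEAF1_ECX_MONITOR);
    f->cx16      = !!(leaf1_ecx & LEAF1_ECX_CX16);
    f->lahf_lm   = !!(ext1_ecx  & EXT1_ECX_LAHF_LM);
    f->syscall   = !!(ext1_edx  & EXT1_EDX_SYSCALL);
    f->nx        = !!(ext1_edx  & EXT1_EDX_NX);
    f->long_mode = !!(ext1_edx  & EXT1_EDX_LM);
    f->threednow = !!(ext1_edx  & EXT1_EDX_3DNOW);
}

/* 1 if the CPU can run a 64-bit OS and marks pages non-executable, i.e. the
 * hardware side of the overflow protection the articles describe exists. */
int ready_for_64bit_with_nx(const struct cpu_features *f)
{
    return f->long_mode && f->nx;
}

/* Query the running processor. Returns 1 on success, 0 when the build
 * target is not x86 or the extended leaf is not available. */
int probe_cpu(struct cpu_features *f)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx, l1_ecx, e1_ecx, e1_edx;
    char vendor[13];

    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return 0;
    /* The vendor string is spread across EBX, EDX, ECX in that order. */
    memcpy(vendor, &ebx, 4);
    memcpy(vendor + 4, &edx, 4);
    memcpy(vendor + 8, &ecx, 4);
    vendor[12] = '\0';

    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    l1_ecx = ecx;
    if (!__get_cpuid(0x80000001u, &eax, &ebx, &ecx, &edx))
        return 0;
    e1_ecx = ecx;
    e1_edx = edx;
    decode_features(vendor, l1_ecx, e1_ecx, e1_edx, f);
    return 1;
#else
    (void)f;
    return 0;
#endif
}

int main(void)
{
    struct cpu_features f;
    if (!probe_cpu(&f)) {
        puts("CPUID not available on this build target");
        return 1;
    }
    printf("vendor=%s long_mode=%d nx=%d lahf_lm=%d cx16=%d syscall=%d "
           "monitor=%d 3dnow=%d\n", f.vendor, f.long_mode, f.nx, f.lahf_lm,
           f.cx16, f.syscall, f.monitor, f.threednow);
    printf("64-bit OS with NX protection possible: %s\n",
           ready_for_64bit_with_nx(&f) ? "yes" : "no");
    return 0;
}
```

On an early EM64T part of the kind described above you would expect `long_mode=1` with `nx=0` and `lahf_lm=0`, whereas a K8 reports `nx=1` and `3dnow=1`; note that the NX bit being present in hardware is necessary but not sufficient, since the operating system still has to enable it.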
Market analysis:
AMD64 represents a break with AMD's past behavior of following Intel's
standards, but repeats Intel's earlier behavior of extending the x86
architecture, from the 16-bit 8086 to the 32-bit 80386 and beyond, without
ever removing backward compatibility.
It was believed at one point that 64-bit RISC chips such as the DEC Alpha
would eventually replace the outdated and quirky x86 architecture. Part of
the reason this did not happen was the vast investment in application
software for x86 systems. AMD64 effectively migrates the x86 architecture
into a fully 64-bit environment, while maintaining legacy compatibility
with x86 applications.
As of 2006, there has still been a lack of adoption of 64-bit software for
most consumer and business applications. Most current software
applications do not need to address more than 2 GiB of memory.
Nevertheless, the cost-effectiveness of the chips has been that AMD has
been able to capture a much larger share of desktop and laptop sales at
the expense of Intel simply because of the performance for cost and growth
capability should 64-bit applications become common. Intel in the summer
of 2006 had announced a substantial reduction in net revenue and major
restructuring.
Also see good background and history of the 64-bit processor at:
http://en.wikipedia.org/wiki/64-bit
________________________________
Should you upgrade to 64 bit for best scalability? August 21, 2006
http://articles.techrepublic.com.com/5100-10878_11-6107229.html#
Takeaway: If your company needs to buy new computer systems in the near
future, you may be wondering whether it's time to take the plunge and go
64 bit. Is the extra scalability of 64 bit hardware worth the extra cost?
64-bit technology is undoubtedly the wave of the future. 64-bit processors
have been pretty common in high end servers since 2004 and now 64-bit
desktop machines are being offered by most PC vendors. Since 64-bit CPUs
can handle more memory and larger files, and since 64-bit processors are
backwardly compatible with 32 bit operating systems and applications, it
seems obvious that 64-bit hardware provides you with the ultimate in
scalability. If you're in the position of buying new computers in the near
future, you may be wondering whether it’s worth the cost to go 64-bit.
Let’s take a look at some of the pros and cons.
What is 64-bit processing anyway?
When we talk about "bits" as applied to computer processors, we’re talking
about the maximum size number that the processor’s registers can store and
handle at one time. This means a 64-bit processor can handle numbers that
are twice as large as those handled by a 32 bit processor. Practically
speaking, what does this mean to you?
Advantages of 64-bit systems
Just as the transition from 16-bit to 32-bit PCs in the 1980s greatly
increased computing power, the leap from 32-bit to 64-bit will double the
amount of data that a processor can handle on each clock cycle.
A big advantage of the 64-bit system is its ability to support more system
memory. Most computer users know that programs run faster (and you can run
more programs simultaneously) if you add more RAM. Unfortunately, 32 bit
chips can generally only address 4 GB of memory.
There was a time when 4 GB of RAM seemed like more than enough memory for
any computer, but that’s no longer true with today’s memory-hungry
applications. And it’s not just heavy gamers who need lots of memory. The
popularity of running multiple servers as virtual machines on a single
physical computer has vastly increased the memory needs of those machines,
and even on workstations, memory-intensive graphics and video
applications, Computer Aided Design (CAD) programs, computer simulation
and modeling software and the like are pushing the upper limits of that 4
GB ceiling.
64-bit processors, on the other hand, can address enormous amounts of
memory--up to 16 exabytes. To put that number into perspective, it’s equal
to over 16,000,000,000,000,000,000 bytes, or 16 billion gigabytes. You can
be pretty sure that by the time you need more memory than that, the 64-bit
system you buy today will be long gone. Of course, the amount of memory
you can actually install in a system is limited by its motherboard, the
number of memory slots it has and the size of memory modules that are
available. Many current 64-bit motherboards will accommodate 8 to 16 GB or
more of RAM.
By allowing for the addressing of more RAM, 64-bit processing can greatly
improve video encoding and decoding, CAD, VMs and some other applications.
But do more bits mean better performance? Well, maybe and maybe not.
You’ll see a performance increase for applications that use 64-bit
integers, but don’t expect most of your apps to run any faster than they
do on your 32 bit systems. And your web browser will still be limited by
your Internet connection speed, your word processing program will still be
bottlenecked by how fast you can type, and so forth. In fact, there can
actually be a slight performance decrease caused by the switch to a 64-bit
processor, because the larger memory address pointers take up twice as
much room in the cache.
What’s available in 64-bit?
There’s little doubt that 64-bit computing will eventually make 32-bit
systems obsolete. Major hardware and software vendors are all headed in
that direction. Intel shipped the 64-bit Itanium for high end servers way
back in 2001. AMD introduced its 64-bit Opteron and Athlon 64 processors
in 2003 and Intel brought out its EM64T line, updating versions of its
Xeon and Pentium 4 lines to 64-bit the next year. In 2005, IBM came out
with a dual core 64-bit PowerPC processor that was code named Antares, and
AMD released dual core 64-bit Opterons for servers and Athlon 64s for
desktops. Today AMD also offers the Sempron and Turion 64, Intel has the
Itanium 2 and other platforms, such as MIPS, SPARC and HP’s PA-RISC, also
support 64-bit computing.
Linux was the first operating system to run on Intel’s Itanium. For
workstations, Microsoft offers the Windows XP 64-bit edition for the IA-64
(Itanium) architecture and the Windows XP x64 edition for AMD64 and Intel
EM64T architectures. Windows Server 2003 Standard, Enterprise and
Datacenter editions all come in 64-bit versions. Mac OS X "Tiger" can run
64-bit applications on PowerPC G5 64-bit systems, and the next version
("Leopard") is expected to be a full 64-bit OS.
To take full advantage of 64-bit technology, though, you need 64-bit
applications -- and that's where the problem lies. While there are a
number of software vendors in the business space that do provide native
64-bit server applications (some examples include Microsoft’s 64-bit
enabled SQL Server 2005, IBM’s Tivoli Storage Manager, e-commerce software
from Computer Associates, and software from Oracle and SAP), and in fact,
Microsoft made waves by announcing that Exchange 2007 would be 64-bit
only, there are far fewer desktop/consumer level applications available in
64-bit versions.
Should you upgrade now?
If this technology is out there, and the industry is moving toward a
64-bit takeover, does that mean you should buy only 64-bit computers as
you add new systems or replace old ones? The answer is (as it so often
is): it depends.
One of the biggest problems with making the transition to 64-bit is
finding the appropriate drivers for hardware peripherals. If you need to
use older devices, you may want to think twice about making the move to
64-bit. On the other hand, if you need to run memory-intensive
applications that will benefit from the larger memory space offered by
64-bit systems, spending the extra bucks to upgrade will probably pay off
in the long run.
Your best strategy might be to go to 64-bit when you replace servers or
install new ones, then upgrade to 64-bit for graphics and CAD workstations
and the like. As for those workstations that are used for ordinary office
productivity software, email, web and the like, you probably don’t need
the scalability of 64-bit anytime soon, so you can save money by sticking
with 32-bit systems there.
One thing you can be sure of: if you do buy 64-bit hardware, you’ll have
more scalability. After all, even if you don’t plan to upgrade your
operating systems yet, you can always run 32-bit software on the 64-bit
machines until you’re ready to go to the new OS.
User Feedback:
“Last Christmas I got my 80+ year old mother a new computer with the 64
bit AMD. I was able to load all her programs including Office 97 and some
really old genealogy programs. Everything worked. One exception. Her
favorite game, a DOS based program, would not work. I guess asking a 64 bit
system to be backwards compatible with a 16 bit program is too much to
ask.”
QUES: “I am trying to get a 64bit OS (ANY of them) to load up on my Compaq
Presario S6900nx system. It's equipped w/ AMD Athlon 64 3200+ chip.
When I boot from any of the MS 64 bit versions of OS, I get "no 64 bit
System detected" or something along those lines.
Compaq support is every bit as useless as you'd expect regarding this.
They parrot the same thing to any question asked...yes, your system will
run a 64 bit OS, no Compaq does not support this at this time. Microsoft
support points you back to Compaq and vice versa...
Anyone have any ideas on how I can get this to load up?”
ANS: “Is it because the ASUS nForce 3 150 M'Board this doesn't appear on
the MS 64 Bit Supported list? You could try loading a 64 Bit version of
Knoppix and see if that will load but I think you'll find that the M'Board
Chip Set doesn't support the 64 Bit OS. It's one thing to have a 64 Bit
CPU and another thing to have a M'Board capable of running a 64 Bit OS.”
An Introduction to Kernel Patch Protection
8/11/06
http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx
Hello, I'm Scott Field, an Architect working on Windows Kernel Security.
There have been a lot of questions recently about a Windows technology
called Kernel Patch Protection (sometimes referred to as PatchGuard) so I
wanted to provide some context about the feature to help answer them. OS
kernel design is a very specialized area of computer science that rarely
receives a lot of public attention, so it's understandable that there are
a lot of questions out there. The purpose of this post is to give a basic
primer on Kernel Patch Protection and why it is an important technology to
increase the security and reliability of Windows-based PCs.
What is the Kernel?
The kernel is the lowest-level, most central part of a computer operating
system and one of the first pieces of code to load when the machine starts
up. The kernel is what enables the software of the machine to talk to the
hardware and is responsible for basic OS housekeeping tasks such as memory
management, launching programs and processes, and managing the data on the
disk. All applications and even the graphical interface of Windows run on
a layer on top of the kernel. The performance, reliability, and security
of the entire computer depend on the integrity of the kernel.
You may have heard the term "rootkit" and that they can be very difficult
to detect and remove. Rootkits are a type of malicious software that can
use a number of different techniques, including monitoring keystrokes,
changing system log files or existing system applications, or creating a
backdoor into the system to gain remote access to a computer and launch
attacks. Rootkits often try to gain access to the kernel of the OS. Since
the kernel has the power to control all of the other applications on the
PC, the rootkit can actually hide itself from the file system or even
anti-malware tools, and ultimately from view of the user.
The kernel is the most carefully coded piece of the entire operating
system. Since all other programs depend upon it, a glitch in the kernel
can make all other programs crash or perform unexpectedly. You're probably
also familiar with the term, "Blue Screen of Death" (BSoD). This is the
result of an error in the kernel or in a driver running in the kernel that
is so severe that the system can't recover from it. The BSoD is bad, so we
want to do everything we can to keep customers from seeing it. One of the
ways we can do that is to maintain the integrity of the kernel by
restricting what software is allowed to run in and interact with it.
What is Kernel Patching?
"Kernel patching" or "kernel hooking" is the practice of using unsupported
mechanisms to modify or replace kernel code. Patching fundamentally
violates the integrity of the Windows kernel and is undocumented,
unsupported and has always been discouraged by Microsoft. Kernel patching
can result in unpredictable behavior, system instability and performance
problems, like the Blue Screen of Death, which can lead to lost user
productivity and data. More importantly, kernel patching has increasingly
become a mechanism used by malware developers to attack Windows systems.
Motivations for patching the kernel vary widely. Anti-malware vendors, for
example, may intercept system calls to prevent applications they have
deemed malicious from creating processes on the system. The goals of these
types of software are obviously laudable but these practices also may
cause reliability and performance problems. The greatest risk from kernel
patching comes from virus and spyware writers that use this technique with
malicious intent and to hide their presence.
Malware authors are motivated to patch the kernel because it is a powerful
mechanism for attacking the user's PC and data. Patching can be used to
implement rootkits, which also hide the presence of other malware on the
system. This form of malware can be extremely potent—for example, allowing
the capture of banking passwords and monitoring of all user activities.
What is Kernel Patch Protection?
There are many brand new security features in Windows Vista, but Kernel
Patch Protection is actually not one of them. Kernel Patch Protection was
first supported on x64 (AMD64 and Intel EM64T) CPU architecture versions
of Microsoft Windows, including Microsoft Windows Server 2003 SP1 and
Microsoft Windows XP Professional x64 Edition. (Patch protection is
currently not supported on x86 or ia64 architectures.) However, as the use
of 64-bit computers is increasing, Windows Vista users will end up
benefiting most from this technology.
Kernel Patch Protection monitors whether key resources used by the kernel,
or the kernel code itself, have been modified. If the operating system detects an
unauthorized patch of certain data structures or code it will initiate a
shut down of the system.
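To make the mechanism in the paragraph above concrete, here is an added user-mode model of the check (illustrative code written for this compilation, not Microsoft's implementation, which is not public): a dispatch table that no supported code path modifies after boot is sealed with a checksum, and a later verification fails closed when the bytes differ. The table entries, the FNV-1a checksum and the names `seal_region`/`verify_region` are all constructed for the example; the real feature protects far more state and reacts with a bug check rather than a return code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Toy model of a kernel patch check (illustrative, not Microsoft's code):
 * a dispatch table that legitimate code never modifies after boot, a
 * checksum taken when the table is sealed, and a periodic verify that
 * fails closed when the bytes no longer match. */

typedef int (*syscall_fn)(int);

/* Stand-ins for kernel service routines (constructed for this example). */
static int sys_open_stub(int x)  { return x + 1; }
static int sys_read_stub(int x)  { return x * 2; }
static int sys_write_stub(int x) { return x - 1; }

/* Stand-in for a kernel dispatch table whose contents must stay fixed. */
static syscall_fn dispatch_table[3] = {
    sys_open_stub, sys_read_stub, sys_write_stub
};

struct protected_region {
    const void *base;          /* start of the protected bytes            */
    size_t len;                /* number of bytes covered                  */
    uint64_t sealed_checksum;  /* digest recorded when the region was sealed */
};

/* FNV-1a over the raw bytes; any single changed byte changes the digest. */
uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record the known-good state of a region, as a kernel would at init. */
void seal_region(struct protected_region *r, const void *base, size_t len)
{
    r->base = base;
    r->len = len;
    r->sealed_checksum = fnv1a64(base, len);
}

/* Returns 0 when the region is intact, 1 when it has been modified. */
int verify_region(const struct protected_region *r)
{
    return fnv1a64(r->base, r->len) != r->sealed_checksum;
}

/* Demonstration: seal the table, then simulate the kind of unsupported
 * modification the post describes by swapping one entry, and show the
 * check catches it. Returns 1 if the modification was detected. */
int demo_detects_patch(void)
{
    struct protected_region region;
    syscall_fn original = dispatch_table[1];
    int detected;

    seal_region(&region, dispatch_table, sizeof dispatch_table);
    if (verify_region(&region) != 0)
        return 0;                        /* must be intact right after sealing */

    dispatch_table[1] = sys_write_stub;  /* the modification: one entry redirected */
    detected = verify_region(&region);

    dispatch_table[1] = original;        /* restore so the demo is repeatable */
    return detected;
}

int main(void)
{
    printf("modification detected: %s\n",
           demo_detects_patch() ? "yes (system would shut down)" : "no");
    return 0;
}
```

The design point worth noticing is that the check is stateless beyond the sealed digest: it does not try to decide whether a change is benign, which is exactly the position the post takes below about not being able to distinguish "known good" hooks from malicious ones.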
Kernel Patch Protection does not prevent all viruses, rootkits, or other
malware from attacking the operating system. It helps prevent one way to
attack the system: patching kernel structures and code to manipulate
kernel functionality. Protecting the integrity of the kernel is a
fundamental step in protecting the entire system from malicious attacks
and from inadvertent reliability problems that result from patching.
Impacts on Application Compatibility
Kernel Patch Protection may impact the compatibility of some legitimate
software on x64 systems that was built using unsupported kernel
patching techniques. Microsoft is sensitive to how application
compatibility changes impact our customers and our partners. That is the
reason that we have implemented this technology on x64 systems only. As
customers adopt the x64 platform, and new native 64-bit software, we have
the opportunity to build a more secure and reliable next generation
platform that does not facilitate unsupported and unreliable practices
such as kernel patching.
We have also been asked to provide a supported way for 'known good'
vendors to continue hooking the kernel but prevent others from doing so.
Unfortunately, there is no reliable mechanism for us to distinguish
between 'known good' software and malicious software. Moreover, we cannot
prevent a malicious software author from "bundling" purportedly good
software in an attempt to thwart the system. Even if we could include such
a mechanism, it's unclear if we could use this mechanism to selectively
allow kernel hooking in a manner that provides an acceptable trade off
between performance and reliability and security. Furthermore, creating
such an exception would greatly hamper the ability to utilize hardware
assisted security technology, such as a virtual machine hypervisor, to
further improve the integrity of the operating system.
Alternatives to Kernel Patching
Clearly, customers demand effective security solutions, and they can be
developed without relying on kernel patching techniques. Some of the
alternatives to kernel patching are:
• Windows Vista includes the "Windows Filtering Platform", which enables
software to perform network oriented activities such as packet inspection
and other activities necessary to support firewall products.
• The file system mini filter model allows software to participate in file
system activities, which can be used by Anti-Virus software.
• Registry notification hooks, introduced in Windows XP, and recently
enhanced in Windows Vista, allow software to participate in registry
related activities in the system.
These solutions were designed with reliability and long term
supportability in mind, and also provide a means for multiple products to
co-exist without the conflicts that kernel patching could cause. We have
been working with our security partners and other types of partners for
almost 2 years to assist them in making their solutions compatible with
our current x64 architecture—and we are working with them even more
closely as the Windows Vista launch approaches. If your application or
driver must perform a task that you believe cannot be accomplished without
patching the kernel, contact your Microsoft representative or msra@microsoft.com
for help in finding a documented alternative.
It's important to note that Kernel Patch Protection applies uniformly to
Microsoft products as well as third party products. No code is allowed to
modify the kernel using unsupported patching techniques. Security products
developed by Microsoft only have access to the same supported interfaces
that any other vendor would use.
In Conclusion
Since Microsoft announced our Trustworthy Computing initiative, helping to
ensure the security of our customers has been one of our primary goals as
an organization. Part of this is ensuring a rich ecosystem of powerful
security products that will reduce the threats from malware and other
types of attack. We would not develop a technology designed to lessen the
security of our customers or weaken the security of the Windows platform.
We will continue to work with security partners to help them make their
current and future products compatible with Kernel Patch Protection and
the new security investments that we have made in Windows Vista.