
User:Y717/workspace/part 3

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel. It was first introduced in 2005 with the x64 editions of Windows XP and Windows Server 2003 Service Pack 1.[1]

"Patching the kernel" refers to unsupported modification of the central component or kernel of the Windows operating system. Such modification has never been supported by Microsoft because it can greatly reduce system security and reliability. However, though Microsoft does not recommend it, it is technically possible to patch the kernel on x86 editions of Windows. But with the x64 editions of Windows, Microsoft chose to implement technical barriers to kernel patching.

Since patching the kernel is technically permitted in 32-bit (x86) editions of Windows, several antivirus software developers use kernel patching to implement antivirus and other security services. This kind of antivirus software will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection has been criticized for forcing antivirus makers to redesign their software without using kernel patching techniques.

Also, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.[citation needed] This has led to additional criticism that, since KPP is an imperfect defense, the problems it causes for antivirus makers do not outweigh its benefits, because authors of malicious software will simply find ways around it.[citation needed] Nevertheless, Kernel Patch Protection can still prevent the stability and reliability problems caused by legitimate software patching the kernel in unsupported ways.[citation needed]

Technical overview

The Windows kernel is designed so that device drivers have the same privilege level as the kernel itself.[2] In turn, device drivers are expected not to modify or patch core system structures within the kernel.[1] In x86 editions of Windows, this expectation is not enforced. Because it is not enforced on x86 systems, some programs, notably certain security and antivirus products, were designed to perform their work by loading drivers that modify core kernel structures.[2][3]

In x64 editions of Windows, Microsoft chose to enforce restrictions on which structures drivers can and cannot modify. Kernel Patch Protection is the technology that enforces these restrictions. It works by periodically checking that protected system structures in the kernel have not been modified. If a modification is detected, Windows initiates a bug check and shuts down the system,[2][4] with a blue screen and/or a reboot. The corresponding bug check code is 0x109, CRITICAL_STRUCTURE_CORRUPTION. Prohibited modifications include:[4]

Kernel Patch Protection only defends against device drivers modifying the kernel. It offers no protection against one device driver patching another.[6]
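The following is an added example, not code from the original page and not Microsoft's implementation (which is undocumented and differs). It is a user-mode C simulation of the two points made above: a checksum baseline is taken over a "protected" kernel dispatch table at startup, and a later check that finds a mismatch returns the 0x109 CRITICAL_STRUCTURE_CORRUPTION code; a second table owned by a driver lies outside the protected set, so a patch to it goes undetected. The table layout, the FNV-1a checksum and every name (kpp_snapshot, kpp_check, run_scenario, the nt_* stand-ins) are assumptions chosen for illustration.

```c
/* Added example: user-mode simulation of a KPP-style integrity check.
 * Not Microsoft's code; table layout, checksum and names are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION 0x109u  /* real bug check code */
#define SERVICE_COUNT 4

typedef int (*service_fn)(int);

/* Hypothetical stand-ins for kernel service routines. */
static int nt_open(int a)   { return a + 1; }
static int nt_read(int a)   { return a + 2; }
static int nt_write(int a)  { return a + 3; }
static int nt_close(int a)  { return a + 4; }
static int hook_read(int a) { return nt_read(a) * 100; }  /* a driver's hook */

/* The "protected" structure: a dispatch table owned by the kernel. */
static service_fn kernel_service_table[SERVICE_COUNT] = { nt_open, nt_read, nt_write, nt_close };

/* A dispatch table owned by some other driver; KPP does not cover it. */
static service_fn driver_callback_table[SERVICE_COUNT] = { nt_open, nt_read, nt_write, nt_close };

/* 64-bit FNV-1a over an arbitrary byte range (assumed checksum; the real
 * implementation uses its own, undocumented integrity checks). */
static uint64_t fnv1a64(const void *data, size_t len) {
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

struct protected_region { const void *base; size_t len; uint64_t baseline; };

/* Record the baseline checksum of each protected region at "boot". */
static void kpp_snapshot(struct protected_region *regions, size_t n) {
    for (size_t i = 0; i < n; i++)
        regions[i].baseline = fnv1a64(regions[i].base, regions[i].len);
}

/* The periodic check: 0 when every region still matches its baseline,
 * 0x109 (CRITICAL_STRUCTURE_CORRUPTION) as soon as one has changed. */
static unsigned kpp_check(const struct protected_region *regions, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (fnv1a64(regions[i].base, regions[i].len) != regions[i].baseline)
            return BUGCHECK_CRITICAL_STRUCTURE_CORRUPTION;
    return 0;
}

/* Scenario: a clean check, then a driver patching another driver's table
 * (outside the protected set, not detected), then the same driver patching
 * the kernel's table (detected). Returns the clean-check result and writes
 * the other two results through the out parameters. */
static unsigned run_scenario(unsigned *after_driver_patch, unsigned *after_kernel_patch) {
    struct protected_region regions[1] = {
        { kernel_service_table, sizeof kernel_service_table, 0 }
    };
    kpp_snapshot(regions, 1);
    unsigned clean = kpp_check(regions, 1);

    driver_callback_table[1] = hook_read;       /* not a protected structure */
    *after_driver_patch = kpp_check(regions, 1);

    kernel_service_table[1] = hook_read;        /* modifies a protected structure */
    *after_kernel_patch = kpp_check(regions, 1);

    kernel_service_table[1] = nt_read;          /* restore so the scenario is repeatable */
    driver_callback_table[1] = nt_read;
    return clean;
}

int main(void) {
    unsigned d, k;
    unsigned c = run_scenario(&d, &k);
    printf("clean: 0x%x  driver-table patch: 0x%x  kernel-table patch: 0x%x\n", c, d, k);
    return 0;
}
```

Note what the simulation cannot do: the baseline and the checker itself live in memory that any driver can reach, because drivers run at kernel privilege. A driver that rewrites `regions[i].baseline` after patching the table, or that disables the check, is not caught, which is the structural limitation discussed next and the reason the real implementation relies on obfuscation and periodic updates rather than on the check alone.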

Ultimately, since device drivers have the same privilege level as the kernel itself, it is impossible to completely prevent drivers from bypassing Kernel Patch Protection and then patching the kernel.[7] KPP does however present a significant obstacle to successful kernel patching. With highly obfuscated code and misleading symbol names, KPP employs security through obscurity to hinder attempts to bypass it.[2][8] Periodic updates to KPP also make it a "moving target", as bypass techniques that may work for a while are likely to break with the next update. Since its creation in 2005, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.[2][9][10]

Advantages

Patching the kernel has never been supported by Microsoft because it can cause a number of negative effects.[3] Kernel Patch Protection protects against these negative effects, which include:

  • The Blue Screen of Death, which results from serious errors in the kernel.[11]
  • Reliability issues resulting from multiple programs attempting to patch the same parts of the kernel.[12]
  • Compromised system security.[2]
  • Rootkits can use kernel access to embed themselves in an operating system, becoming nearly impossible to remove.[11]
  • Products that rely on kernel modifications are likely to break with newer versions of Windows or updates to Windows that change the way the kernel works.[3]

Microsoft's Kernel Patch Protection FAQ further explains:

Because patching replaces kernel code with unknown, untested code, there is no way to assess the quality or impact of the third-party code...An examination of Online Crash Analysis (OCA) data at Microsoft shows that system crashes commonly result from both malicious and non-malicious software that patches the kernel. — "Kernel Patch Protection: Frequently Asked Questions" (January 22, 2007). Retrieved February 22, 2007.

Criticisms

Third-party applications

Some computer security software, such as McAfee's McAfee VirusScan and Symantec's Norton AntiVirus, works by patching the kernel.[citation needed] Additionally, antivirus software authored by Kaspersky Lab has been known to make extensive use of kernel code patching on x86 editions of Windows.[13] This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.[14] Because of this, McAfee called for Microsoft to either remove KPP from Windows entirely or make exceptions for software made by trusted companies such as itself.[15]

Interestingly, Symantec's corporate antivirus software[16] and the Norton 2010 range and beyond[17] do work on x64 editions of Windows despite KPP's restrictions. Antivirus software made by competitors ESET,[18] Trend Micro,[19] Grisoft AVG,[20] avast!, Avira AntiVir and Sophos does not patch the kernel in its default configuration, but may patch the kernel when features such as "advanced process protection" or "prevent unauthorized termination of processes" are enabled. Sophos publicly stated that it does not feel KPP limits the effectiveness of its software.[21][22]

Jim Allchin, then co-president of Microsoft, was an adamant supporter of Kernel Patch Protection.

Contrary to some media reports,[by whom?] Microsoft will not weaken Kernel Patch Protection by making exceptions to it, though Microsoft has been known to relax its restrictions from time to time, such as for the benefit of hypervisor virtualization software.[6][23] Instead, Microsoft worked with third-party companies to create new application programming interfaces that let security software perform the needed tasks without patching the kernel.[12] These new interfaces were included in Windows Vista Service Pack 1.[24]

On December 21, 2006, McAfee's chief scientist George Heron stated that McAfee was pleased with the progress Microsoft was making on the new APIs.[25]

Weaknesses

Because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.[7] This led the computer security providers McAfee and Symantec to say that, since KPP is an imperfect defense, the problems it causes for security providers do not outweigh its benefits, because malicious software will simply find ways around KPP's defenses.[15][26]

In January 2006, security researchers known by the pseudonyms "skape" and "Skywing" published a report that describes methods, some theoretical, through which Kernel Patch Protection might be bypassed.[27] Skywing went on to publish a second report in January 2007 on bypassing KPP version 2,[28] and a third report in September 2007 on KPP version 3.[29] Also, in October 2006 security company Authentium developed a working method to bypass KPP.[30]

Nevertheless, Microsoft has stated that it is committed to removing any flaws that allow KPP to be bypassed as part of its standard Security Response Center process.[31] In keeping with this statement, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.[2][9][10]

Antitrust behavior

In 2006, the European Commission expressed concern over Kernel Patch Protection, saying it was anticompetitive.[32] However, Microsoft's own antivirus product, Windows Live OneCare, had no special exception to KPP. Instead, Windows Live OneCare used (and had always used) methods other than patching the kernel to provide virus protection services.[33] Still, for other reasons, an x64 edition of Windows Live OneCare was not available until November 15, 2007.[34]

References

  1. "Kernel Patch Protection: Frequently Asked Questions". Microsoft (January 22, 2007). Retrieved July 30, 2007.
  2. Skywing (September 2007). "Introduction". PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3. Uninformed. Retrieved September 20, 2007.
  3. Schofield, Jack (September 28, 2006). "Antivirus vendors raise threats over Vista in Europe". The Guardian. Retrieved September 20, 2007. "This has never been supported and has never been endorsed by us. It introduces insecurity, instability, and performance issues, and every time we change something in the kernel, their product breaks." —Ben Fathi, corporate vice president of Microsoft's security technology unit
  4. "Patching Policy for x64-Based Systems". Microsoft (January 22, 2007). Retrieved September 20, 2007.
  5. skape; Skywing (December 2005). "System Images". Bypassing PatchGuard on Windows x64. Uninformed. Retrieved September 21, 2007.
  6. Skywing (January 2007). "Conclusion". Subverting PatchGuard Version 2. Uninformed. Retrieved September 21, 2007.
  7. skape; Skywing (December 2005). "Introduction". Bypassing PatchGuard on Windows x64. Uninformed. Retrieved September 20, 2007.
  8. Skywing (December 2006). "Misleading Symbol Names". Subverting PatchGuard Version 2. Uninformed. Retrieved September 20, 2007.
  9. Microsoft (June 2006). "Update to Improve Kernel Patch Protection". Microsoft Security Advisory (914784). Microsoft. Retrieved September 21, 2007.
  10. Microsoft (August 2007). "Update to Improve Kernel Patch Protection". Microsoft Security Advisory (932596). Microsoft. Retrieved September 21, 2007.
  11. Field, Scott (August 11, 2006). "An Introduction to Kernel Patch Protection". Windows Vista Security blog. Microsoft. Retrieved November 30, 2006.
  12. Allchin, Jim (October 20, 2006). "Microsoft executive clarifies recent market confusion about Windows Vista Security". Microsoft. Retrieved November 30, 2006.
  13. Skywing (June 2006). "Patching non-exported, non-system-service kernel functions". What Were They Thinking? Anti-Virus Software Gone Wrong. Uninformed. Retrieved September 21, 2007.
  14. Montalbano, Elizabeth (October 6, 2006). "McAfee Cries Foul over Vista Security Features". PC World. http://www.pcworld.in/news/index.jsp/artId=4587538. Retrieved November 30, 2006.
  15. Samenuk, George (September 28, 2006). "Microsoft Increasing Security Risk with Vista". McAfee. Retrieved September 20, 2007.
  16. "Symantec AntiVirus Corporate Edition: System Requirements". Symantec (2006). Retrieved November 30, 2006.
  17. "Symantec Internet Security product page". Symantec (2011). Retrieved January 26, 2011.
  18. "64-bit Protection". ESET. Retrieved October 5, 2007.
  19. "Minimum System Requirements". Trend Micro USA. Retrieved October 5, 2007.
  20. "AVG Anti-Virus and Internet Security - Supported Platforms". Grisoft. Archived from the original on August 27, 2007. Retrieved October 5, 2007.
  21. Jaques, Robert (October 23, 2006). "Symantec and McAfee 'should have prepared better' for Vista". vnunet.com. http://www.vnunet.com/vnunet/news/2167016/symantec-mcafee-should-prepared. Retrieved November 30, 2006.
  22. Fulton, Scott M., III (October 20, 2006). "Sophos: Microsoft Doesn't Need to Open Up PatchGuard". BetaNews. http://www.betanews.com/article/Sophos_Microsoft_Doesnt_Need_to_Open_Up_PatchGuard/1161379239. Retrieved January 22, 2007.
  23. McMillan, Robert (January 19, 2007). "Researcher: PatchGuard hotfix stitches up benefit to Microsoft". InfoWorld. http://www.infoworld.com/article/07/01/19/HNpatchguardstitch_1.html. Retrieved September 21, 2007.
  24. "Notable Changes in Windows Vista Service Pack 1". Microsoft (2008). Retrieved March 20, 2008.
  25. Hines, Matt (December 21, 2006). "Microsoft Gets Positive Feedback for Vista APIs". eWEEK. Retrieved July 5, 2007.
  26. Gewirtz, David (2006). "The great Windows Vista antivirus war". OutlookPower. http://www.outlookpower.com/issuesprint/issue200611/00001883.html. Retrieved November 30, 2006. "The system's already vulnerable. People have already hacked into PatchGuard. System is already vulnerable no matter what. PatchGuard has a chilling effect on innovation. The bad guys are always going to innovate. Microsoft should not tie the hands of the security industry so they can't innovate. We're concerned about out-innovating the bad guys out there." —Cris Paden, Manager on the Corporate Communication Team at Symantec
  27. skape; Skywing (December 1, 2005). "Bypassing PatchGuard on Windows x64". Uninformed. Retrieved June 2, 2008.
  28. Skywing (December 2006). "Subverting PatchGuard Version 2". Uninformed. Retrieved June 2, 2008.
  29. Skywing (September 2007). "PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3". Uninformed. Retrieved June 2, 2008.
  30. Hines, Matt (October 25, 2006). "Microsoft Decries Vista PatchGuard Hack". eWEEK. http://www.eweek.com/article2/0,1759,2037052,00.asp. Retrieved July 30, 2007.
  31. Gewirtz, David (2006). "The great Windows Vista antivirus war". OutlookPower. http://www.outlookpower.com/issuesprint/issue200611/00001883.html. Retrieved November 30, 2006.
  32. Espiner, Tom (October 25, 2006). "EC Vista antitrust concerns fleshed out". silicon.com. http://software.silicon.com/os/0,39024651,39163525,00.htm. Retrieved November 30, 2006.
  33. Jones, Jeff (August 12, 2006). "Windows Vista x64 Security – Pt 2 – Patchguard". Jeff Jones Security Blog. Microsoft. Retrieved March 11, 2007.
  34. White, Nick (November 14, 2007). "Upgrade to Next Version of Windows Live OneCare Announced for All Subscribers". Windows Vista Team Blog. Microsoft. Retrieved November 14, 2007.
