Windows Vista: PatchGuard
 

The Vista kernel (64-bit) is supposedly impenetrable to modification. This is very significant as kernel-mode rootkits are becoming increasingly widespread.

What is a Kernel Mode Rootkit?

This type of rootkit is a malicious program. It camouflages its existence within the system through amending kernel data – a set of utilities that allows the masking of another program’s presence.

What does PatchGuard do?

The PatchGuard utility observes and manages changes to the service table, as well as the kernel descriptor. It seems that this resolves the problem of Trojans cloaking their presence within the system. Upon close observation, however, PatchGuard is not capable of considerable security versus rootkits. It is characteristically susceptible, as shown by the host of documented means for disabling any security.

PatchGuard’s main weakness stems from its architecture – the programming that ensures security exists at the same stratum as the programming developed to defend. The ‘defense’ has the same level of privileges as a prospective invader, and thus prone to evasion or disabling. Currently, there are many recognized ways to circumvent PatchGuard.

PatchGuard’s level of protection against rootkits that change the kernel is problematic. This security does not guard the system against other kinds of rootkits as well. PatchGuard management is applicable to inert kernel components but does not shield dynamic configurations – objects outside the ‘kernel’ level.

One such rootkit is the FU, which operates by changing dynamic structures. Rootkits that employ this technology position themselves below kernel level, and are therefore, inaccessible.

PatchGuard’s fundamental weakness is due to its function and protection being at the same layer. Drivers successfully launched by malicious programs will be able to shut down PatchGuard.

Preventing alterations to the kernel is practical, as valid software cannot change the kernel for any reason. This improves the overall stability and security of the system.

Microsoft’s efforts at fortifying overall system stability have rendered the OS somewhat ineffective. By making kernel access unfeasible, the company has made it impractical for security solution entities to integrate greater product functionality. This has resulted in an inability to take advantage of the entire spectrum of antivirus tools that vendors have developed.

This issue is apparent not only with tools that defend against malicious rootkits, but also dynamic protection technologies that identify hidden threats (both of which were incorporated in tools for earlier OSs. Virus creators now have free rein - they do not need to directly override PatchGuard as rootkits will do the job.

In the realm of Vista kernel security, note that driver signing features and PatchGuard are functions available only on 64-bit platforms. This equipment is, currently, not as widespread as 32-bit. In addition, the Vista x86 OS does not provide specific protection against rootkits.