Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep


PatchGuard is a controversial feature of Windows x64 editions, starting with Windows Server 2003 x64 / Windows XP x64, and continuing on with Windows Vista x64 and Windows Server 2008 x64. The design goals behind PatchGuard are to prevent the kind of rampant hooking and modification of various kernel code and data structures that has been so common on x86 versions of Windows. Microsoft has stated that the vast majority of kernel crashes are caused by third party drivers, and the author's experiences with Windows firmly support this supposition. Because accessing internal kernel data structures and hooking kernel functions typically requires intricate synchronization with the rest of the system in order to be performed in a completely safe fashion, especially on multiprocessor machines, many third party drivers that perform these sorts of dangerous tasks have historically made egregious mistakes that have often lead to system stability or a compromise of system security. The latter is especially common in cases where third party programs hook functions, such as system calls, and subsequently fail to perform sufficient parameter validation.

Microsoft's solution to this problem is to attempt to forcibly prevent third party code from making unauthorized modifications to internal kernel data structures and code through technical means in addition to discouraging developers from performing such tasks. However, due to the nature of how the Windows kernel (and its supporting drivers) are designed, it is not feasible for kernel mode drivers to run at a lower effective privilege level than the kernel itself. This poses a problem with respect to Microsoft's goal of blocking unauthorized kernel patches due to the fact that there is no hardware-enforced separation between the kernel itself and third-party drivers. As such, said third party drivers have free reign to manipulate kernel code and data as desired.

Although emerging technologies such as TPM and hardware-assisted virtualization (hypervisors) may eventually provide a mechanism to deploy a hardware-enforced boundary between certain key parts of the kernel and the third party drivers that interact with it, such an approach is not generally applicable to most computers sold today, given the current state of the technology involved (with respect to both hardware and software capabilities). Lacking a complete, hardware-enforced solution, Microsoft has turned to other approaches to dissuade third party software from making unauthorized kernel modifications. Specifically, the resulting kernel patch protection mechanism ("PatchGuard") is instead based on highly obfuscated code that, while running at the same effective privilege level as both the kernel itself and third party drivers, is designed to be resilient against detection and/or modification by third party drivers. This code is responsible for periodically checking the integrity of key kernel code and data structures and will bring down the system if such modifications are detected. By virtue of the fact that attempting to blithely patch the kernel as was once possible on Windows x86 editions, attempting to perform the same operations will result in a system crash on x64 versions of Windows. As such, third party drivers are effectively preventing from making such modifications on a large-scale basis with respect to code deployed on customer systems.

However, like all systems that are founded upon the principal of security through obscurity, PatchGuard has inherent weaknesses. These weaknesses can be exploited by third party drivers to either disable PatchGuard entirely or circumvent its checks altogether while peacefully co-existing with PatchGuard. Microsoft is fully aware of these deficiencies with respect to the fundamental approach taken by PatchGuard and has resorted to periodically updating PatchGuard in such a way as to block known public bypass techniques. The net result is that Microsoft gives the impression of a ``moving target'' to any ISV that would defy Microsoft's wishes with respect to circumventing PatchGuard. This helps to show that any code designed to stop or disable PatchGuard may become invalidated at some point in the future such as when Microsoft releases a new update for PatchGuard. This has resulted in a small arms race with code to circumvent PatchGuard being written by third parties, and Microsoft responding by developing and deploying countermeasures in the form of an updated version of PatchGuard that is not susceptible to these bypass techniques. This cycle has continued through several iterations already; in fact, PatchGuard is now being deployed to the general public in its third iteration.