Thinking 64-bit Vista? Think security
Enterprises planning to deploy the 64-bit version of Windows Vista will face a new security architecture, one that is still being hashed out between Microsoft Corp. and third-party security vendors, such as Symantec Corp. At the heart of the new system will be a kernel protection module called PatchGuard, which, some security vendors have charged, complicates the job of protecting the operating system.
The gist of the Cupertino, Calif.,-based company's concerns is the fact that the 64-bit version of Vista will feature an internal mechanism, called PatchGuard, that prohibits any parties other than Microsoft Corp. itself from making changes to the kernel, the heart of the operating system. The 32-bit version of Vista (the version most agencies will deploy) will not include PatchGuard.
In response, Microsoft has announced plans to add an application programming interface on top of PatchGuard, which should allow third-parties to build applications that will better protect the kernel. Vendors must now scurry to build software around this new set of APIs.
'We devised a new engineering approach that will create and extend new kernel-level APIs so that PatchGuard will be retained, the security of the kernel will be protected and, yet, security vendors will have an opportunity to meet their needs through these kernel-level API extensions,' said Brad Smith, a senior vice president and general counsel for Microsoft.
In the past, security software vendors, such as makers of intrusion prevention applications, have added extensions and patches to the Windows kernel to monitor and curtail malicious behavior (Windows XP comes in a 64-bit version). But going forward they may not be able to do so.
And while the security software vendors could be locked out of 64-bit Vista, Turner explained, researchers and malicious hackers could find ways to disable and work around PatchGuard.Flaws uncovered
Indeed, some flaws have already been uncovered.
'It is impossible to securely protect regions of code and data through the use of a system that involves monitoring said regions at a privilege level that is equal to the level at which third-party code is capable of running,' concluded a paper at the online journal Uninformed [GCN.com
Windows Vista is not the first Microsoft OS to use PatchGuard. The 64-bit versions of Microsoft Windows Server 2003 and Windows XP Professional also employed the technology. In the case of those OSes, Microsoft encouraged third parties to see if there were alternate ways of implementing the functionality. [Read Microsoft's 'Patching Policy for x64-Based Systems,' GCN.com GCN.com/702.]
According to a technical report Symantec issued [GCN.com/700], PatchGuard protects the kernel by periodically checking to ensure that major OS components have not been changed. In the beta version at least, once a change is detected the user sees the infamous Blue Screen of Death and loses all work. The feature cannot be disabled.
In the short term, the problem should not be one that most agencies need to worry about. The 64-bit version of Windows XP was never widely adopted because it required a 64-bit processor. Industry experts don't expect widespread adoption of 64-bit Microsoft Vista in the near future, either.