 | By Ryan Russell
Microsoft is making statements claiming it’s going to let security vendors such as Symantec and McAfee have access to the Vista kernel. I don’t believe it.
Some people say that Microsoft is merely trying to protect the kernel and that Symantec and McAfee are afraid of fair competition. After Microsoft announced its new Vista security APIs, similar voices argued that allowing third-party security vendors to make effective products would also let in the bad guys.
Read on, and I’ll explain why I don’t think these arguments hold water.
|
What has Microsoft promised security vendors?
If you saw some of the initial news accounts, Microsoft appeared to be caving in to demands to allow greater access to other security vendors, as reported by Ars Technica on
Oct. 16. However, a follow-up article on
Oct. 18 reveals that both McAfee and Symantec haven’t been given much. A McAfee spokesmen says Microsoft has released only a single document vaguely describing some kind of API (application programming interface).
Microsoft has already hinted that the "full" security API may be a year or more away. The company is not providing any firm dates for any such development. At the same time, the current version of Vista may be the final release candidate, and Microsoft is on the verge of shipping the new OS to business users.
We’ve seen behavior like this in the recent past. Something tells me that Microsoft is trying to unfairly take advantage of its monopoly while dragging out any legal remedies as long as it can.
The factors driving Microsoft’s Vista promises
Let’s first look at Microsoft’s motivation. The Redmond company is now in the security utility business. Unlike many other cases, such as its bundling of Internet Explorer with Windows, Microsoft this time is not introducing a new product by giving it away free as part of the operating system. Instead, Microsoft is now charging extra for security software, on top of the price of Windows itself.
At the same time that Microsoft is deciding to compete with security vendors for sales, the company faces a very real threat from the European Union, as recently described in a News.com
analysis. If Microsoft tries to use its monopoly position to create a "security monoculture," in the words of one EU official, regulators might go as far as not allowing the sale of Vista in Europe.
Unlike fines of hundreds of millions of dollars, which Microsoft can afford to pay, the threat of an injunction has the company’s full attention.
I’m pretty sure that Microsoft doesn’t care about McAfee’s and Symantec’s complaints on their merits. But the fact that those companies have the ear of the EU has forced Microsoft to appear concerned.
Are there any valid reasons for Microsoft to lock security vendors out of the deepest parts of Vista? Microsoft has mentioned the importance of protecting the kernel from attackers. Let’s look into whether locking out security software improves users’ protection.
Keep in mind that we don’t yet know whether Microsoft will lock out its
own add-on software.
Can Vista actually protect its kernel?
All of the following applies only to the 64-bit version of Vista, not the 32-bit version. The shift to 64 bits required some significant architectural changes. In the process, Microsoft was able to enable a number of new protection mechanisms. To be sure, the 64-bit Vista is a cleaner Windows than any past Windows — no argument from me there.
Even so, can Vista successfully protect its own kernel? I believe that it cannot. The reason is simple: every new, 64-bit driver, which Microsoft requires to be digitally signed, runs at the same privilege level as the kernel itself. They all run in Ring 0 — the most privileged access level on Intel architecture, aside from hardware virtualization.
For the sake of this discussion, I’m making a blanket statement here that should be qualified. Some drivers may in fact run with fewer privileges. The new Vista architecture may allow for even more privilege restriction in the future. But my basic point stands: there will be a ton of code running next to the kernel that is not the kernel.
In my
June 6 article in the paid version of the newsletter, I talked about how Windows can be hacked via buggy drivers. All of that still applies to Vista. Sure, Vista will be better. I’m hoping for fewer bugs. The problem is, it has to be perfect and have
zero bugs in order for this model to really work.
That means zero bugs in all the Vista kernel code, zero bugs in all the drivers that Microsoft supplies, and zero bugs in any third-party drivers that you happen to install. If a single one of those pieces has a bug, then the bad guys can get into the kernel.
Microsoft has, of course, implemented several checks and balances in hopes of preventing the rootkits from moving in. But the rootkits will simply disable the checks. It will be the same game of patch-and-exploit that we’ve been playing for years now.
Why security vendors need equal access
A technical rendition of how the whole process works is provided in an excellent
article on the subject, aptly entitled
Bypassing PatchGuard on Windows x64, at security site Uninformed.org.
For another description, read Joanna Rutkowska’s
Oct. 19 analysis of the subject. This is the same Joanna Rutkowska who demonstrated one of the first “hypervisor” rootkits at Black Hat Briefings this year. She points out that a high level of sophistication won’t be necessary to subvert Vista. She may or may not disagree with me on whether vendors should be locked out of the kernel, but she certainly agrees with me that malware will get in.
I take it for granted that the black hats
will find ways into the kernel. Do you want security software to be able to go in and root the bad stuff out? If not, I believe your only alternative will be to wipe the disk and reinstall. Of course, a wipe-and-reinstall is not a bad idea if you want to be sure you’ve completely eliminated a pest. But we have to recognize that this is simply not practical advice for the vast majority of users.
There will continue to be kernel malware. I believe we need products to be able to remove that malware. That leaves one question: who should be allowed to make software that can do that?
I suspect Microsoft will permit its own software to do so. As a matter of fact, I’d complain loudly if Microsoft’s security software couldn’t operate on the kernel. When kernel threats appear, you bet I expect Microsoft to try to clean them out.
The question is whether you’ll be able to pay third parties to try also. Their approaches could well be more effective than Microsoft’s. I personally don’t want to rely solely on the Redmond software giant for such products. I want to have options and I want to have fair competition. Those are things you don’t have when a company that dominates a market is allowed to use its monopoly to shut out competitors.
Do I trust Symantec or McAfee to always remove malware better, to be bug-free, to not destabilize the system? No, not at all. But, by the same token, I don’t trust Microsoft to always have those qualities, either.
Despite my desire for competition, I use Windows, just as you probably do. But I’ve made a choice to use Windows. As long as I get to pick my poison, I’ll live with its side-effects.
Vista changes lock out antivirus makers
By Brian Livingston 