Microsoft releases first draft of PatchGuard APIs

**Anilrgowda** · 19-Dec-2006, 08:23 PM

Microsoft Corp. has released draft application programming interfaces (API) designed to allow third-party security products to get around a contentious kernel protection technology in the Vista operating system called PatchGuard.
The draft APIs will be available to security vendors for testing and comment through the end of January. A final version of the APIs will then become available when Microsoft releases Service Pack 1 for Vista sometime in mid-2007, according to Ben Fathi, vice president of development for the Windows Core Operating System.
Microsoft has also released a separate Criteria Evaluation document that details the processes Microsoft used in evaluating vendor requests for APIs to the Vista kernel. As with the draft APIs, Microsoft is seeking third-party security vendor feedback on its criteria evaluation processes.
"We are publishing this to be very clear and above board on what our processes are for establishing the new APIs that we are going to add to the kernel," Fathi said. "We want to hear feedback from partners and the rest of the industry on whether this is a good set of criteria or not."
The APIs and the criteria evaluation document are part of Microsoft's response to widespread concerns within the security industry and the European Union (EU) over PatchGuard, Fathi said.
Microsoft itself has said the kernel patch protection technology is vital to ensuring the security and stability of the 64-bit Vista operating system because it prevents unauthorized modifications to the kernel – both by security vendors and malicious attackers. The technology is especially key in protecting against problems such as rootkits, the company has said.
But several security vendors, including industry leaders such as Symantec Corp. and McAfee Inc., have claimed that PatchGuard prevents them from delivering certain functions such as host-based intrusion prevention and tamper protection for security software. Such functions require kernel level access to the operating system. Both vendors have argued that Microsoft is using its market dominance to unfairly hinder their capabilities at a time when Microsoft is seeking to expand its own presence in the security space.
In a bid to assuage those concerns and to address broader anti-trust concerns in the EU, Microsoft in October said it would deliver a set of APIs that would allow vendors to continue delivering advanced security features.
The draft APIs are based on feedback from 26 security vendors and address four major areas, Fathi said. They include APIs for tamper protection, memory-based controls and image loading operations. Together, the APIs address a majority of the issues raised by third-party security vendors in discussions over the past few months, Fathi said.
"Over the next few weeks, we will work with them to see if there are any changes that are needed," he said. "Hopefully, everybody will agree this is the right set of APIs and this is what we will deliver in SP1," he said. Microsoft also plans to continue to work with vendors in gathering requirements from them and delivering new APIs as needed.
At the same time, however, Microsoft has not changed its position regarding third-party access to the Vista kernel, Fathi said. Some vendors have asked the company to consider allowing qualified security vendors to modify the kernel. They point to the fact that they have been allowed to do so with 32-bit versions of Windows and argue that it should be allowed on 64-bit Vista, as well.
"What we have always said is we don't want third parties modifying the kernel itself to achieving some functionality because it is not supportable," Fathi said. "So our definition of access to the kernel is access through documented supported APIs."
Microsoft's kernel patch protection technology is an attempt by the company to take control of the "central core of the security problem," said Rob Enderle, president of the Enderle Group in San Jose. "They are approaching security on two fronts, (both with) products that lie on top of their own as well as with enhancements like PatchGuard to the operating system so that it is much more resilient to certain types of attacks," he said.
The APIs give Microsoft a way to appease "legal beagles," especially in the EU, while still allowing it to keep PatchGuard in place, said Roger Kay, an analyst with Endpoint Technologies in Wayland Mass. "It has used first-class negotiation techniques by asking the other side what their real needs are and by getting an answer from them," Kay said.
"Microsoft can say, 'We have taken care of those needs with these APIs,' without actually acceding to (vendors') requests to fiddle with the kernel," Kay said. "What Microsoft is saying is we need to keep the kernel sacrosanct. I'm pretty much in their camp with this one."
Kay noted that other vendors such as Apple also don't let third parties tamper with the operating system kernel.

19-Dec-2006, 08:23 PM	#1 (permalink)
Anilrgowda Administrator Posts: 18,703 Join Date: Jan 2006 Rep Power: 10 IM:	Microsoft releases first draft of PatchGuard APIs Microsoft Corp. has released draft application programming interfaces (API) designed to allow third-party security products to get around a contentious kernel protection technology in the Vista operating system called PatchGuard. The draft APIs will be available to security vendors for testing and comment through the end of January. A final version of the APIs will then become available when Microsoft releases Service Pack 1 for Vista sometime in mid-2007, according to Ben Fathi, vice president of development for the Windows Core Operating System. Microsoft has also released a separate Criteria Evaluation document that details the processes Microsoft used in evaluating vendor requests for APIs to the Vista kernel. As with the draft APIs, Microsoft is seeking third-party security vendor feedback on its criteria evaluation processes. "We are publishing this to be very clear and above board on what our processes are for establishing the new APIs that we are going to add to the kernel," Fathi said. "We want to hear feedback from partners and the rest of the industry on whether this is a good set of criteria or not." The APIs and the criteria evaluation document are part of Microsoft's response to widespread concerns within the security industry and the European Union (EU) over PatchGuard, Fathi said. Microsoft itself has said the kernel patch protection technology is vital to ensuring the security and stability of the 64-bit Vista operating system because it prevents unauthorized modifications to the kernel – both by security vendors and malicious attackers. The technology is especially key in protecting against problems such as rootkits, the company has said. But several security vendors, including industry leaders such as Symantec Corp. and McAfee Inc., have claimed that PatchGuard prevents them from delivering certain functions such as host-based intrusion prevention and tamper protection for security software. Such functions require kernel level access to the operating system. Both vendors have argued that Microsoft is using its market dominance to unfairly hinder their capabilities at a time when Microsoft is seeking to expand its own presence in the security space. In a bid to assuage those concerns and to address broader anti-trust concerns in the EU, Microsoft in October said it would deliver a set of APIs that would allow vendors to continue delivering advanced security features. The draft APIs are based on feedback from 26 security vendors and address four major areas, Fathi said. They include APIs for tamper protection, memory-based controls and image loading operations. Together, the APIs address a majority of the issues raised by third-party security vendors in discussions over the past few months, Fathi said. "Over the next few weeks, we will work with them to see if there are any changes that are needed," he said. "Hopefully, everybody will agree this is the right set of APIs and this is what we will deliver in SP1," he said. Microsoft also plans to continue to work with vendors in gathering requirements from them and delivering new APIs as needed. At the same time, however, Microsoft has not changed its position regarding third-party access to the Vista kernel, Fathi said. Some vendors have asked the company to consider allowing qualified security vendors to modify the kernel. They point to the fact that they have been allowed to do so with 32-bit versions of Windows and argue that it should be allowed on 64-bit Vista, as well. "What we have always said is we don't want third parties modifying the kernel itself to achieving some functionality because it is not supportable," Fathi said. "So our definition of access to the kernel is access through documented supported APIs." Microsoft's kernel patch protection technology is an attempt by the company to take control of the "central core of the security problem," said Rob Enderle, president of the Enderle Group in San Jose. "They are approaching security on two fronts, (both with) products that lie on top of their own as well as with enhancements like PatchGuard to the operating system so that it is much more resilient to certain types of attacks," he said. The APIs give Microsoft a way to appease "legal beagles," especially in the EU, while still allowing it to keep PatchGuard in place, said Roger Kay, an analyst with Endpoint Technologies in Wayland Mass. "It has used first-class negotiation techniques by asking the other side what their real needs are and by getting an answer from them," Kay said. "Microsoft can say, 'We have taken care of those needs with these APIs,' without actually acceding to (vendors') requests to fiddle with the kernel," Kay said. "What Microsoft is saying is we need to keep the kernel sacrosanct. I'm pretty much in their camp with this one." Kay noted that other vendors such as Apple also don't let third parties tamper with the operating system kernel.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)