Internet Security Tips and Advice

The Pluses and Minuses of 64-bit Vista Security

November 14th, 2007 by Igor Pankov

Microsoft’s Windows Vista was released almost a year ago. In the run-up to the launch, Bill Gates pledged to make Vista security the number one priority for the company. By writing code that was secure by design and implementation, the intention was to render the OS impermeable to the sophisticated malware and remote intrusion attacks that dogged its predecessor, Windows XP. Microsoft spent five full years creating the new OS from scratch and, by the time it hit the market in late January 2007, it was already two years later than originally planned.

During that two-year period, hardware manufacturers began rolling out devices that enabled computers to run 64-bit code on compatible operating systems. Recognizing the growing demand for 64-bit computing power, Microsoft split its Vista development process and subsequent releases into two subtypes: 32-bit (x-86) and 64-bit (x-64) versions.

The 64-bit systems provide a number of performance and expandability benefits over the x-86 models, and several of these also change the way security is handled; that is the focus of this article. The next issue of Security Insight will take a broader look at all the security improvements incorporated in Vista.

Benefit # 1: Full Data Execution Prevention (DEP)

DEP uses a feature of modern processors to mark certain regions of memory as non-executable data, thereby preventing code from being run from those locations. DEP helps prevent malicious code from exploiting buffer overflow situations, which arise when a process has reached its allocated memory boundaries and attempts to write to adjacent regions that are in use by other processes.

On x-64, DEP provides native hardware protection for all running programs and services. In comparison, DEP on 32-bit systems is enabled only for essential Windows programs and services and for programs that explicitly opt in.
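The machine-wide DEP policy the two previous paragraphs contrast can be read from WMI. The following is an added example, not code from the article or from Agnitum; it assumes Windows PowerShell 3.0 or later on a Vista-or-later host, and the policy names and findings text are this example's own labels for the integer codes that Win32_OperatingSystem exposes.

```powershell
# Added example: turn the Win32_OperatingSystem DEP properties into findings
# a defender can act on. No elevation is needed to read these properties.

function Get-DepPolicyReport {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy is an integer code (0..3).
    $policyNames = @{
        0 = 'AlwaysOff'   # DEP disabled for everything
        1 = 'AlwaysOn'    # every process, no opt-out possible
        2 = 'OptIn'       # Windows binaries plus programs that ask for it
        3 = 'OptOut'      # everything except an explicit exception list
    }
    $policy = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    $findings = @()
    if (-not $os.DataExecutionPrevention_Available) {
        $findings += 'Hardware (NX/XD) DEP is not available: only software-enforced checks remain'
    }
    if ($policy -eq 'AlwaysOff') {
        $findings += 'DEP is globally disabled'
    }
    if ($os.OSArchitecture -like '64*' -and $policy -in 'OptIn', 'AlwaysOff') {
        # Native 64-bit processes get DEP unconditionally; it is the 32-bit (WOW64)
        # programs that inherit this policy and can run unprotected under OptIn.
        $findings += "32-bit programs that do not opt in run without DEP (policy: $policy)"
    }

    [pscustomobject]@{
        Architecture         = $os.OSArchitecture
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $policy
        Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
        CoversDrivers        = $os.DataExecutionPrevention_Drivers
        Findings             = $findings
    }
}

Get-DepPolicyReport | Format-List
```

An empty Findings list on a 64-bit host with Policy set to AlwaysOn or OptOut is the posture the article's Benefit #1 describes; OptIn is the common default and leaves 32-bit programs that never opt in unprotected.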

Benefit # 2: Kernel Patch Protection (KPP)

Also referred to as PatchGuard, KPP is a measure that restricts any program from directly modifying the memory of the Windows kernel – the core part of the OS. Microsoft has long insisted that no kernel modifications should be permitted by third-party software, and in fact completely removed kernel access support for later versions of 64-bit Windows (XP and Vista). This move was designed to minimize the potential impact of sophisticated malware such as kernel-mode rootkits, which work by patching the kernel (modifying kernel data structures so that the code they embed is no longer registered or recognized by the system) in order to become and remain hidden.

While the move was genuinely intended to help security by sealing the kernel against outside tampering, it proved costly for third-party security developers who relied on modifying the kernel in order to enforce protection that the OS itself did not provide. As it turned out, the way KPP works actually provides little deterrent to tenacious malware: KPP is designed to check kernel integrity only occasionally, which allows illegal modifications to take place in the intervals between checks. Once such a modification is detected, the system initiates an emergency shutdown, causing users to lose unsaved data.

Hackers and security researchers have, naturally, found ways to get around KPP. As Microsoft continues to patch KPP, examples keep emerging of people succeeding in bypassing the latest KPP patch, confirming KPP’s limitations in resisting serious kernel-level intrusions.

In response to security vendors’ calls to provide a viable way to access the kernel to protect their users, Microsoft has now agreed to provide an API (Application Programming Interface) to qualifying security developers (including Agnitum). This API will be available in SP1 for Vista, currently in beta and slated for release in the first quarter of 2008.

Benefit # 3: Driver signing

Driver signing, another controversial but significant change from Microsoft, requires all kernel-mode drivers to be digitally signed; unfortunately, this also provides little help in combating sophisticated malware. The problem is that a trusted and certified software developer who turns rogue (or a disgruntled employee or former employee in possession of a digital certificate issued in the name of the employer’s company) can sign a malicious driver with that certificate and release it into the wild. As soon as this happens, the driver loads without restriction on users’ systems and goes to work on 64-bit Vista exactly as designed. The issuing authority or Microsoft (as was the case in a recent example) can of course revoke the certificate and thus disable the driver, but this takes time and users remain at risk while the driver is active.

Another weakness of this approach is that a simple command-line parameter can disable signing in Vista 64 altogether, something that would be pretty easy for malware to do.

Benefit # 4: Boot-time code integrity verification

When a computer loads the OS, every binary (executables, drivers and other program code) used in the process is verified to be authentic and original. This procedure ensures that the binary has not been modified and that the system is clean. The binaries are verified by looking up their signatures in the system catalogs. At startup, the Vista boot loader checks the integrity of the kernel, the Hardware Abstraction Layer (HAL) and the boot-start drivers, shielding the system from the embedding of malicious, unauthorized or defective code.
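The same signature lookup that Benefit #3 requires and Benefit #4 performs at boot can be repeated from user mode once the system is up, which is how a defender checks whether a running driver ever should have loaded. The following is an added example, not code from the article or from Agnitum; it assumes Windows PowerShell 3.0 or later, a 64-bit PowerShell host (so that system32 paths are not redirected) and an elevated prompt so every driver file is readable. The helper and function names are this example's own.

```powershell
# Added example: list the kernel-mode drivers currently running and verify each
# file's Authenticode signature. Get-AuthenticodeSignature also consults the
# system catalogs, so catalog-signed Windows drivers report as Valid.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several forms; normalise them.
    $p = $PathName -replace '^\\\?\?\\', ''            # \??\C:\...     -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\... -> C:\Windows\...
    if (-not [System.IO.Path]::IsPathRooted($p)) {     # system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-LoadedDriverSignatureReport {
    # Only drivers that are actually loaded matter for a tampered-kernel check;
    # StartMode tells you which of them the boot loader itself verified (Boot).
    Get-WmiObject -Class Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $file = Resolve-DriverPath $_.PathName
        $sig  = if (Test-Path -LiteralPath $file) { Get-AuthenticodeSignature -FilePath $file } else { $null }
        [pscustomobject]@{
            Driver    = $_.Name
            StartMode = $_.StartMode
            File      = $file
            Status    = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# On 64-bit Vista any running driver whose status is not 'Valid' (NotSigned,
# HashMismatch, UnknownError, FileNotFound) should not have been loadable unless
# signature enforcement was switched off or a signing certificate was abused,
# which are exactly the two weaknesses the article describes.
$report = Get-LoadedDriverSignatureReport
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table Driver, StartMode, Status, File -AutoSize
```

A non-empty result is a starting point for investigation, not a verdict: a driver signed with a certificate that has since been revoked still shows a revocation-related status rather than Valid, while a legitimately signed but malicious driver (the rogue-developer case) shows Valid and has to be judged by its Signer instead.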

Summary

Despite Microsoft’s progress in hardening the 64-bit version of Vista, vulnerabilities that affect x-86 systems still apply to x-64 systems, and experts believe this situation is here to stay. A glance at the history of documented vulnerabilities for Vista reveals that both systems are almost equally susceptible (for example, see this report from Microsoft) to malicious code written to take advantage of any given Vista vulnerability.

Conclusion

So what do these 64-bit improvements mean for users of Vista-based computers? For the most part, the changes are for the good and are well-designed, albeit sometimes poorly implemented. SP1 and the API will go a long way towards leveling the playing field between Microsoft and third-party security companies. But in the meantime, keep following good security practices and use third-party antivirus/antispyware, firewall and other protection, because these are generally more robust and flexible than the built-in Vista equivalents.


Posted in Security Insight
