SUMware2
Premium Member
join:2002-05-21

MS 'Locks-Out' Indie Security Tools

From The Register:

Developers cry foul over Windows kernel security Lock-Out, by John Leyden
Recently introduced security measures by Microsoft will make it more difficult to integrate third-party security tools with Windows, according to a rival personal firewall firm.

Kernel Patch Protection protects low-level system activities such as the file and registry operations of the Windows kernel. The technology is slated for delivery with Windows Vista and 64-bit versions of Windows. Agnitum describes Microsoft's approach as misguided, if not deliberately anti-competitive.

"Microsoft made a logical move with this attempt to protect Windows against rootkits," said Mikhail Penkovsky, vice president of sales and marketing at Agnitum. "Unfortunately, it doesn't really resolve the problem, and also makes it a great deal more difficult for independent security software developers to be fully compatible with Windows."

"Nobody knows if Microsoft has done this intentionally, but we can't avoid the suspicion that this move may have been designed to force users to rely on Microsoft and only Microsoft for Windows security," he added.

altermatt
Premium Member
join:2004-01-22
White Plains, NY

1 recommendation

said by SUMware2:

force users to rely on Microsoft and only Microsoft for Windows security
You know what? I really wouldn't mind relying on Microsoft for Windows security---after all, it's their responsibility IMHO not to sell a product without making sure it is as secure as possible. Only two things keep me from doing so:
1. MS has never designed the tools necessary, and that stack up favorably to the competition, and so I choose to use the competition, and
2. I don't really trust MS fully, what with the WGA notification fiasco (I don't mean the one time validation, I mean the phoning home spyware), their old Palladium attempts and their draconian DRM initiatives, ad nauseam. Can't help but feel it's a bit of the fox guarding the henhouse. Some of the utilities on here actually are to protect me from, to paraphrase the old saying about the government, "we're from Microsoft and we're here to help."

Offer me a Windows that is as secure out of the box as my install of Windows is now (with the help of third party tools and a savvy girlfriend's guidance ), backed by a company that is open, honest, and collaborative with its customers instead of adversarial, and I'd be more than happy to become an "MS shop"; until then, thank heavens for the third party tools (yeah, and the savvy girlfriend.)

PhoneyWar
Anon
@littlecorner.org

to SUMware2
quote:
"Nobody knows if Microsoft has done this intentionally, but we can't avoid the suspicion that this move may have been designed to force users to rely on Microsoft and only Microsoft for Windows security," he added.
That would be like relying on Hezbollah to protect you against Al-Qaeda or Social Services to protect children against pedophiles.

redxii
Mod
join:2001-02-26
Michigan

3 edits

redxii to SUMware2
Don't blame them, they are just catering to the type of people most of their users are. Even though they use lowered privileges by default in Vista, they are seeking to protect those who still allow random executables to run with full privileges.

Besides, I honestly can't say that I've had no problems with software like Alcohol 120% that do this (driver BSOD...).

EDIT: Clarified my last statement since I didn't mean to say that I didn't have any problems with software using this technique.

Khaine
join:2003-03-03
Australia

Member

Khaine to SUMware2
Truthfully, nobody should be able to hook into the kernel. AFAIK all the ways to hook in are really hacks anyway.
HMS1
join:2006-01-14
Austin, TX

1 edit

1 recommendation

Member

HMS1 to SUMware2
I agree with altermatt and PhoneyWar, it is a "fox guarding the henhouse" situation. To the extent it does force vendors to get kernel-mode code signed - i.e. to the extent they don't, or legally can't, rely on hacks to get around this requirement - it makes Vista users dependent on Microsoft for security.

In other words, even if a vendor gets a signature, the user is still relying on Microsoft, because then the vendor is no longer independent. Microsoft can require NDA or backdoors or anything else as a condition of a signature. So anything that's supposed to report on the lower levels of the OS, or prevent or enforce certain things there, is no more or less trustworthy than Microsoft alone. In the XP situation, you can at least compare output of one vendor's product against Microsoft's or another's, knowing they are not controlled by the same party.

----------- On edit:
In threads here and elsewhere one regularly sees "If you don't trust Microsoft then why do you use Windows". The answer for me has been, partial trust plus partial verification and policing of Windows behavior has been a tolerable tradeoff for the nice GUI and hardware and application support. Now comparing XP and Vista, and considering WGA, DRM, driver signing etc., the balance of factors has tipped such that it no longer comes out positive.
HMS1
Member

HMS1 to Khaine
said by Khaine:

Truthfully, nobody should be able to hook into the kernel. AFAIK all the ways to hook in are really hacks anyway.
Yes, but it's not just hooks, it's all drivers. »www.microsoft.com/whdc/w ··· ign.mspx
Correct me if I'm misunderstanding some distinctions here.
BarneyBadAss
Badasses Fight For Freedom
Premium Member
join:2004-05-07
00001

BarneyBadAss to Khaine
said by Khaine:

Truthfully, nobody should be able to hook into the kernel. AFAIK all the ways to hook in are really hacks anyway.
You're correct..

but installation exits should be in place for the 3rd party products...

and the MS products should be forced to use them as well... not some "Secret" developer special interfaces offering better performance.

The other thing that would be required is a management tool that allows control access to those installation exit points... but I'll presume this would be too much effort for MS to implement.

mattei
Moderated, now muzzled
join:2001-03-19
Canada

Member

mattei to SUMware2
»Your Digital identity + TPM !
said by mattei :

I'm more concerned with the (Microsoft Windows Vista) trusted kernel concept and associated costs.
Yep. A "fox guarding the hen house" and already charging residency fees. Then again, the fox did build the house. To come: egg lockers by the hour, promptly followed by skillet rentals, by the egg.
dave
Premium Member
join:2000-05-04
not in ohio

dave to SUMware2
I'm strongly in favour of this.

I'm generally against installing 3rd party code that, for example, goes around patching system service vectors because they never tell you what they're doing. I'm thus not even told that, in essence, I'm no longer running a stock kernel.

Maybe if such products gave complete technical disclosure I wouldn't be so suspicious.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

said by dave:

I'm strongly in favour of this.

I'm generally against installing 3rd party code that, for example, goes around patching system service vectors because they never tell you what they're doing. I'm thus not even told that, in essence, I'm no longer running a stock kernel.

Maybe if such products gave complete technical disclosure I wouldn't be so suspicious.
Ok. Valid concern but you then trust Microsoft fully. Very few knowledgeable users are willing to do that. This issue is just another nail in the coffin of Vista. It tells me that I have maybe 4-5 years to move to Linux and if that proves too difficult, unpalatable, etc. then this will be my last computer. The internet has been a fun, interesting ride for over seven years now but I am rapidly tiring of the effort it now takes to retain some privacy and to keep Microsoft in its place.
dave
Premium Member
join:2000-05-04
not in ohio

dave to SUMware2
For driver signing - guys I respect over at OSR (www.osronline.com, registration required) think that the current program is now reasonable enough. These guys write drivers for a living.

For kernel patching - well, too bad. I'd rather have no-one patching SS vectors than have malware patching SS vectors. I don't see any reason why this prevents 3rd party AV products (filter drivers are a documented interface), malware scanners (the file APIs are documented), etc.

As far as trusting Microsoft - well, sure, of course I do. I have no choice, I run their OS. They have complete access to my data. If you "don't trust Microsoft" you shouldn't trust them to, for example, always call your 3rd party firewall at the right places...

This doesn't seem like a 'nail in the coffin' of Vista to me. This seems like some overdue kernel hardening.

funchords
Hello
MVM
join:2001-03-11
Yarmouth Port, MA

funchords to SUMware2
I approve.

If we had this, the Sony DRM Rootkit debacle never would have happened.
SUMware2
Premium Member
join:2002-05-21

1 edit

said by funchords:

I approve.

If we had this, the Sony DRM Rootkit debacle never would have happened.
You're correct.

Because if MS had a business deal with Sony, and allowed Sony (or any other company) to install its DRM rootkit (or any other software) without asking anyone's permission (other than MS), and agreed not to detect it as hostile (wink wink - business partner), users would never have known.

Hence, no debacle.
dave
Premium Member
join:2000-05-04
not in ohio

But Microsoft did not prevent Sony from installing its DRM rootkit without asking anyone's permission.

How will the world be any different if Microsoft actively gave Sony the go-ahead to install its DRM rootkit without asking anyone's permission?

You are, I assume, claiming that Russinovich would have been unable to write Rootkit Revealer if Windows did not allow patching of kernel entry points. I haven't examined the R-R source code, but that doesn't sound right to me. As I understood it, R-R worked by comparing the results of different paths through the kernel code: e.g. native APIs versus Win32 APIs, not by patching anything.

Or perhaps you're claiming that now Microsoft has stopped people from patching system services, they're free to follow their plan for world domination by compromising their own operating system, by hiding things from their own APIs? If that's the case, why did they wait?
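The cross-view approach dave attributes to Rootkit Revealer (comparing what two different paths through the kernel report, rather than patching anything) can be modelled without any Windows internals. The script below is an added example written for this thread, not Rootkit Revealer's code: it takes two listings of the same directory tree, one standing in for a Win32-API walk and one for a lower-level walk, normalizes them as Windows paths and reports entries that appear in only one view. It generalizes slightly beyond the post by also accepting an ignore list for directories that legitimately churn between scans, since temp-file turnover is the usual source of false positives in this kind of check. All listings and file names are constructed sample data.

```python
"""Cross-view discrepancy check (added example; not RootkitRevealer's code).

Two listings of the same tree, standing in for a Win32 API view and a
lower-level view of the file system, are normalized and compared.  Entries
present in exactly one view are reported.  The listings are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

HIGH_LEVEL = "win32-api view"
LOW_LEVEL = "low-level view"


@dataclass(frozen=True)
class Discrepancy:
    path: str          # normalized path of the entry
    visible_in: str    # the view that shows it
    missing_from: str  # the view that does not


def normalize(path: str) -> str:
    """Fold case and separators so both views compare like Windows paths."""
    return path.replace("/", "\\").rstrip("\\").lower()


def cross_view_diff(high_level: Iterable[str], low_level: Iterable[str],
                    ignore_prefixes: Sequence[str] = ()) -> List[Discrepancy]:
    """Return every entry present in exactly one of the two views.

    ignore_prefixes names directories (temp folders, caches) whose contents
    legitimately change between the two scans; entries under them are
    dropped before comparing so that churn is not reported as hiding.
    """
    skip = tuple(normalize(p) + "\\" for p in ignore_prefixes)

    def wanted(p: str) -> bool:
        return not p.startswith(skip)   # startswith(()) is False: nothing skipped

    high = {p for p in map(normalize, high_level) if wanted(p)}
    low = {p for p in map(normalize, low_level) if wanted(p)}

    found = [Discrepancy(p, LOW_LEVEL, HIGH_LEVEL) for p in sorted(low - high)]
    found += [Discrepancy(p, HIGH_LEVEL, LOW_LEVEL) for p in sorted(high - low)]
    return found


def hidden_from_api(diffs: Iterable[Discrepancy]) -> List[str]:
    """Entries the low-level view sees but the API view does not: the pattern
    a filtering hook produces, and the one to investigate first."""
    return [d.path for d in diffs if d.missing_from == HIGH_LEVEL]


# Constructed sample listings (hypothetical names, not from any real system).
# The API view lacks one driver the low-level view reports, and contains a
# temp file the low-level pass missed because it vanished between scans.
SAMPLE_HIGH = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Users\alice\Temp\scan.tmp",
]
SAMPLE_LOW = [
    r"C:\windows\system32\drivers\NTFS.SYS",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\drivers\hidden_example.sys",   # constructed name
]
SAMPLE_IGNORE = [r"C:\Users\alice\Temp"]


def demo() -> List[Discrepancy]:
    """Run the comparison on the constructed sample with the temp dir ignored."""
    return cross_view_diff(SAMPLE_HIGH, SAMPLE_LOW, SAMPLE_IGNORE)


if __name__ == "__main__":
    for d in demo():
        print(f"{d.path}: visible in {d.visible_in}, missing from {d.missing_from}")
```

Run it as a script and the only report is the constructed `hidden_example.sys`, visible to the low-level view but absent from the API view; drop the ignore list and the transient temp file is reported as well, in the opposite direction, which is exactly the benign noise a real cross-view tool has to filter before anything is flagged as hidden.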
SUMware2
Premium Member
join:2002-05-21

1 edit

said by dave:

You are, I assume, claiming that Russinovich would have been unable to write Rootkit Revealer if Windows did not allow patching of kernel entry points.
Do you think that MS could make this possible, in any way, at any time in the future, Dave?
said by dave:

I haven't examined the R-R source code, but that doesn't sound right to me. As I understood it, R-R worked by comparing the results of different paths through the kernel code: e.g. native APIs versus Win32 APIs, not by patching anything.
It would be interesting to hear your opinion if you actually do examine the code.
said by dave:

Or perhaps you're claiming that now Microsoft has stopped people from patching system services, they're free to follow their plan for world domination by compromising their own operating system, by hiding things from their own APIs? If that's the case, why did they wait?
I make no claims, Dave. As Mikhail Penkovsky of Agnitum says, this is speculation.
dave
Premium Member
join:2000-05-04
not in ohio

said by SUMware2:

Do you think that MS could make this possible, in any way, at any time in the future, Dave?
Of course, and they always could. It has nothing to do with whether 3rd party code can patch system service vectors.

funchords
Hello
MVM
join:2001-03-11
Yarmouth Port, MA

funchords to SUMware2
said by SUMware2:
said by funchords:

I approve.

If we had this, the Sony DRM Rootkit debacle never would have happened.
You're correct.

Because if MS had a business deal with Sony, and allowed Sony (or any other company) to install its DRM rootkit (or any other software) without asking anyone's permission (other than MS), and agreed not to detect it as hostile (wink wink - business partner), users would never have known.

Hence, no debacle.
Touché.
HMS1
join:2006-01-14
Austin, TX

2 recommendations

Member

said by funchords:

I approve.

If we had this, the Sony DRM Rootkit debacle never would have happened.
said by SUMware2:

You're correct.

Because if MS had a business deal with Sony, and allowed Sony (or any other company) to install its DRM rootkit (or any other software) without asking anyone's permission (other than MS), and agreed not to detect it as hostile (wink wink - business partner), users would never have known.

Hence, no debacle.

I was actually planning to say something like this, but it's not quite right. Users would soon have noticed that their copying abilities were restricted. And some would have sooner or later traced it to auto-run having been allowed on the BMG disc.

Then the real hackers would have set about finding the cause, and traced it to a DRM mechanism protected by Windows, and eventually found a fix for it. In the worst case, a reinstall would fix it.

It would still have been a debacle because it would show vividly for the public how subversive DRM can be, and for IT folks, it would show how insidiously the signed-code regime can support it. That's why Microsoft is trying to "soften up" the public now to accept the DRM in Vista, hoping they won't be offended when they start experiencing rights-removal as compared with other OS's.
dave
Premium Member
join:2000-05-04
not in ohio

dave to SUMware2
By the way, there are two ways around the signing requirement.

1) Hook up a debugger.

2) Set something called 'test mode'.

Under these conditions, kernel modules must still be signed, but the CA is not checked.

This obviously is not adequate for 'production use' but does allow developers to load anything they like into their own kernels.

Black Box
join:2002-12-21

Member

said by dave:

By the way, there are two ways around the signing requirement.

1) Hook up a debugger.

2) Set something called 'test mode'.

Under these conditions, kernel modules must still be signed, but the CA is not checked.

This obviously is not adequate for 'production use' but does allow developers to load anything they like into their own kernels.
For how long?
dave
Premium Member
join:2000-05-04
not in ohio

said by Black Box:

For how long?
Forever, is my guess.

Microsoft understands that in order for it to have a successful OS, it absolutely needs people other than Microsoft to develop device drivers. Without the ability to run drivers that have not been 'approved' by WHQL, 3rd party driver development is dead.

Microsoft may be ruthless but they're not stupid.

There's more about it at OSR Online, but you'll have to register for that site.

antiserious
The Future ain't what it used to be
Premium Member
join:2001-12-12
Scranton, PA

1 recommendation

said by dave:

Microsoft may be ruthless but they're not stupid.


... I'm not entirely sure about that, but only time will tell ... this is a logical step for MS to take in their quest to control absolutely everything about your computer (if it still IS your computer when they get done 'securing' it for you), and I'm sure many many people won't notice or mind - but I do, and I do ...

... I can't get past this : if MS could (or would) build a truly safe, secure O/S you wouldn't need any add-on security - but the consensus is, you do ... so now you HAVE to trust the people that didn't secure things adequately to supply you with the tools to secure things adequately ... what's wrong with this picture ? .... I believe it's imperative that there are third-party security vendors watching over MS and what they consider 'acceptable practices', and without them I wouldn't feel 'secure' for a minute, but that's just me ...

... there are a lot of people that made a lot of money by not overestimating the intelligence of the average human, and I'm sure MS will go on raking it in, just not from me ... fortunately, there are alternatives - and excellent ones at that ... I'll keep my XP drive running as long as it serves me, but it appears it will be my last MS O/S ... I'm sure they won't mind, I know I don't ...

... IMHO, fwiw ...

Khaine
join:2003-03-03
Australia

Member

Khaine to SUMware2
I agree with dave, this should mean higher quality device drivers, which means fewer BSODs

Also with Vista aren't Microsoft creating a way to have userspace device drivers kinda like FUSE ?

Black Box
join:2002-12-21

Member

Black Box to dave
said by dave:
said by Black Box:

For how long?
Forever, is my guess.
Don't be so sure. I can see them rolling out "developer" versions of Windows for $1500, keeping the "consumer" version without that horrendous security hole for our own "protection".
dave
Premium Member
join:2000-05-04
not in ohio

dave to Khaine
said by Khaine:

Also with Vista aren't Microsoft creating a way to have userspace device drivers kinda like FUSE ?
There is a user-mode driver framework in XP, but I don't know what drivers it's useful for - could be only things like printer drivers, etc.
dave
Premium Member

dave to Black Box
said by Black Box:

I can see them rolling out "developer" versions of Windows for $1500, keeping the "consumer" version without that horrendous security hole for our own "protection".
Seems unlikely to me, but then we're both just speculating.

One reason I say "unlikely" is that the inability to debug software on the exact same platform as your customer is a serious blow to reliability.

Khaine
join:2003-03-03
Australia

Member

Khaine to dave
said by dave:

said by Khaine:

Also with Vista aren't Microsoft creating a way to have userspace device drivers kinda like FUSE ?
There is a user-mode driver framework in XP, but I don't know what drivers it's useful for - could be only things like printer drivers, etc.
That's right, I have the Windows User Mode Driver Framework service on my machine. According to »www.microsoft.com/whdc/d ··· FAQ.mspx
quote:
A user-mode driver cannot directly access hardware or use kernel-mode resources. For example, it cannot perform direct memory access (DMA), handle interrupts, or allocate memory from nonpaged pool. However, you might be able to split your driver so that part of it runs in kernel mode and part of it runs in user mode.

A user-mode driver cannot have kernel-mode clients because Windows does not allow calls from kernel mode to user mode. The majority of drivers for input, display, and most network and storage devices cannot be migrated to user mode because they have kernel-mode clients. For the same reason, user-mode drivers must be at the top of the device stack; they cannot attach to the middle of the stack. However, a stack can contain more than one user-mode driver; that is, a user-mode driver can have user-mode children.
it also goes on to say
quote:
UMDF will support devices such as the following for the Windows Vista timeframe:
•Digital cameras
•Portable media players
•Cell phones
•Personal digital assistants (PDAs)
•Other devices, such as USB, that connect to a protocol bus
Not quite as powerful as FUSE (which is only for filesystems AFAIK)

Also according to »www.techworld.com/news/i ··· sID=5002 "The goal is obviously to improve reliability, alongside the plan to make most drivers run in user mode."

which would mean shifting more drivers into userspace, more like a microkernel.

Although I'm no expert in this area, this is a good thing, when things go wrong in kernel space it usually brings down the whole machine, in userspace it only takes down the process the fault is in.
Bane75
join:2002-09-20
Parker, CO

Member

Bane75 to SUMware2
You guys are hilarious. First you bitch MS out for having an insecure OS, then when they implement things that they should to protect the kernel, you bitch they are doing it to be anti-competitive.

The MS bashing for the sake of bashing MS is old. No, MS is not perfect and the features they are implementing may have problems, but at least they are listening to customers and trying.
haertig
join:2000-12-31
Broomfield, CO

Member

haertig to SUMware2
I think this change is perfectly congruent with the target Microsoft audience. And a very good change for that audience. Windows is targeted at the masses, most of whom have no real technical skills regarding computers and programming. The typical Windows user does not want control of their operating system, and wouldn't know what to do with such power if they had it. These users need a safety net and restraining harness, and they don't worry about the limitations it might force upon them. I am not knocking "these users" at all. They make up the majority of computer users. They are Microsoft's target. Microsoft hit the bullseye when shooting at this target.

There are other OS'es out there that allow you total control, if that's what you want (but not everybody wants this or is capable of handling it - nothing wrong with that). The learning curve is steeper, and the technical knowledge and skill requirements are higher. But these other OS'es are not targeted at the masses, and may not work out well for those who erroneously think they are.