Slashdot Mirror
Security Firm Bypasses Patch Guard
filenavigator writes, "This week the security firm Authentium found a workaround for Patch Guard, the security feature Microsoft has embedded into the 64-bit version of Windows. It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors. With Authentium's workaround it can be turned off, software installed, and turned right back on. Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."
I wonder what the implications will be for security: Oh, yes; Windows is already swiss cheese. . . . Dutch Cheese! Now with 100% more holes!
Ninjas and pirates. How piquant.
What's more reckless... writing software with security holes and making its' selling point the high level of security it contains... or discovering an exploit that defies the marketing team?
Yes, Microsoft's reckless ways *are* destroying the security of Windows users.
Necessity is the mother of invention.
If Microsoft hadn't been so assholeish about it, no one would have needed to circumvent their "protections".
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
You left the 'n' out of "defines".
Women are like electronics: you don't know how damaged they are until you try to turn them on.
Rather nice way to say "Thanks, we will fix this right away" eh?
So, the way to achieve this is by changing contents in the pagefile by writing disk sectors directly.
If such an obvious bypass has not been considered, how many other such issues exist that are yet undiscovered?
Then, the supposed 'fix' is to disallow writing raw disk sectors for any non kernel code. This will only work when not allowing for things like disk editors and recovery tools, because those would need ways to bypass this and this just opens up new attack vectors.
To users, security is about protecting the machine from external threats.
To Microsoft, security is about protecting the machine from everyone, including the owner and admin.
To users, security is about protecting the user's personal data and ability to use the machine.
To Microsoft, security is about protecting someone's data (not necessarily the user's) from everyone (perhaps including the user).
To the computer's owner, the machine is entirely their own domain, and exists for their own benefit to maximize their own interests.
To Microsoft, the machine is partitioned and not all of it belongs to the owner, ultimately to maximize Microsoft's interests.
To the computer's owner, their relationship to Microsoft is that the computer owner is the customer.
To Microsoft, their relationship to the computer's owner, is that the owner is both a customer and a product.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Malicious software and black hats will continue to use the pagefile exploit to overwrite what they need and do what they want, while legitimate software writers get locked out completely. Kind of defeats the purpose...or do you think that MS had a different purpose altogether?
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
The only realistic hope for security through obscurity is if your product never actually comes in contact with a customer. Doesn't matter what kind of black box you put things in - if it comes in contact with a customer, it should not be considered secret or secure.
If you can package it to put it into a black box, someone's either going to open it, poke at it for a response, or figure out how to replace it. And especially with computers, they'll figure out how to use it in a more general way than you intended.
If you cannot accept that your ideas, no matter how big or well-crafted, are just a part of the greater ocean of ideas, then as long as your ideas can be used, your ideas are going to be swept away against your wishes. Until the nature of humanity is changed, that is the nature of the way we deal with ideas (and thus software/hardware). I personally find much more comfort in that dynamic than pain - there are many more ways to use that dynamic rather than fight against the ocean, so to speak.
Ryan Fenton
Well, I hate to be contrarian (actually I don't) but in this case Microsoft is attempting to address you point 1. in a reasonable way, by disallowing unsigned drivers. The fact that the protection can be broken is problematic. The fact that Microsoft is now looking to close the loophole is fine.
Isn't the whole reason for these security companies' existance because of Microsoft's "reckless ways"? Although the notion of a black box kernel can (and I'm sure - will be abused by MS by eliminating DRM circumvention - say goodby to virtual CD drivers), isn't this the only true way of making sure that nothing gets past the kernel? Kudos to MS for plugging this hole.
"If your parents never had children, chances are you wonât either." -Dick Cavett
It would seem to me that backwards compatibility is, once again, a security hole.
[Fuck Beta]
o0t!
"Patch Guard ... is supposed to keep out ... security company competitors"
..."
Uhm. Yes. According to -some- security company competitors whose entirely livelihood depends on Windows being as insecure as it is? Certainly not according to Microsoft itself.
"Microsoft immediately responded"
really?
Microsoft doesn't respond anywhere in that article. In fact, page 2 (yes, it's one of THOSE articles) specifically reads:
"Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move."
So where -did- they respond?
"by saying their reckless
and that whole article doesn't contain the word 'reckless' at all. So where did they say this, again?
Mind you, the article itself is in error when on page 2 it states:
"Next Page: Microsoft defends itself."
And when you get to page 3, you get:
- a symantec spokesperson
- an industry watcher, possibly:
- Andrew Jaquith of Yankee Group
But absolutely no Microsoft. So where is Microsoft defending itself?
Don't get me wrong, I think PatchGuard probably has more holes than a slice of Swiss cheese... but the submitter's text needs redacting, and the original article could do with an -actual- statement from Microsoft.
Yeah, sure it is a far fetched conspirational theory. Mods, before you mod it troll or offtopic or wierd or paranoid, take a look at the comments in the code outed by MainSoft. Obsolete version of Windows NT code. But it had numerous comments like, "Private entry point for Jim to get Excel access memory faster". Private entry points, calls that take shortcuts through several application layers and protocols... that is how security holes are made. Such close nexus between application coders and OS coders is the reason why such api-layers are violated.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Sure, 64-bit means a memory cap so high it is very unlikely you will ever reach it, but what is the highest one machine is going to have? 8GB? 16GB? Even with that much memory, a paging file can sometimes increase performance. It may be because of architectural design faults. At one point Linux would run faster with a Swap-FS on a ramdisk than with no swap at all. (I'm completely unaware of when or if that has changed.)
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
sure it's not perfect, nothing is, but I find the effort of making patchguard a step in the right direction. Here's the thing, If it were possible to prevent anything but pre-approved code from running in kernel space, there would be basically no need for vendors to hook the kernel in the first place.
/dev/kmem which is a step in the right direction, but it's still not good enough.
Also, a lot of people are really talking it up about how Microsoft sucks and patchguard is just another flawed attempt at security by a company that doesn't know its ass from its elbow (or something to that nature)...but I haven't seen much if any effort by any of the other mainstream OSes to prevent kernel patching at all. It is downright trivial to write a Linux kernel module which hooks all sorts of critical data structures, same with FreeBSD and Solaris.
Is it the argument of the anti-patchguard people that if it can't be done perfectly, lets not even bother?
I guess the major driving point of my being a Microsoft apologist in this case is that, at least from an academic point of view, the kernel is supposed to be the only software which accesses these low level things and abstracts out interfaces for the rest of the software to utilize...the kernel shouldn't be exposing anything like direct disk access, or kernel space memory to user space....ever, under any circumstances. do that and things like rootkits are an awful lot harder to make in the first place.
Some Linux distros are starting to get the point by limiting and sometimes eliminating entirely access to
The way I see it, Microsoft may not be perfect, but at least they are trying.
proxy
There are good reasons to have virtual memory even when there is sufficient physical memory.
Some applications need a lot of RAM, but not all at once. So if they don't do a lot of page-outs, they are actually put a much less significant load on the overall system than the same applications would if they had to store their entire state in physical RAM.
-fb Everything not expressly forbidden is now mandatory.
The slashdot summary says "Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."
..."
But the article reads differently. "Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move. O'Donnell said that Authentium has informed Microsoft of its work, and that the software company asked it to abandon the tactic and wait for its new APIs
1. Uncle Ben historicly produces meals that make me constipated. 2. Uncle Ben wants to charge extra for meals that wont make me constipated. 3. Uncle Ben makes it hard for others to take a shit.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
It is a common misconception that machines only page when they are out of memory. Kernels will page various resources (file handles, etc) even when not out of ram. Also, paging allows the computer to decide what is useful and maximizes available ram by taking advantage of temporal localities in data and code.
Religion is a gateway psychosis. -- Dave Foley
I'm not sure what effect PatchGuard and its related technologies will actually have on security, but they certainly do cause certain hardware configurations to become unusable and confiscate a great deal of power in Microsoft's hands. I wanted to experiment with an M-Audio Delta 1010LT pro audio card on Vista 64-bit, but M-audio hasn't released any signed drivers for that particular card and has stated that they will not do so until Vista is officially shipped. Theoretically, it shouldn't have been possible for me to install the 64-bit XP drivers in their place, and it actually wasn't without some hacks. However, the necessary hacks are laid out in great detail in a public MSDN document and actually automated by some scripts in the latest Windows DDK: http://www.microsoft.com/whdc/system/platform/64bi t/kmsigning.mspx I just followed MS' tutorial on disabling driver signature enforcement and had the XP 64-bit drivers installed in about an hour, after self-signing them using automated tools. So, I'm skeptical of the strength of these new security measures. By the way, the XP drivers didn't work after all. :-)
Perhaps this link was added to the slashdot summary after you posted your comment for all I know, but the slashdot summary that I read had two links, and I found that statement quite clearly after following the first link. About the 13th paragraph down in that article states, complete with the additional link that I've included here:
So no points for grammar in that sentance (which I copied verbatim), but it seems to explain quite clearly what the Microsoft criticism is. That second linked article begins with the paragraph:
...and goes on for quite a while. Is this the statement you meant?