Ken Johnson, a Windows kernel mode and debugging guru, analyzes the Windows x64 Kernel Patch prevention system on his blog. From his perspective, PatchGuard is neither a security scheme nor a DRM measure due to the limited scope of the structures it protects. Instead, it is a tool to prevent vendors from destroying system security and stability. Johnson also forecasts a hypervisor-based PatchGuard mechanism for future revisions to this technology. Check out other posts on Nynaeve for a wealth of technical details on Windows mechanisms of interest to reverse-engineers.
I thought this whole argument from MS was bunk until I installed McAfee V8.0i Enterprise edition on a new Dell M65 laptop running XP Pro. I can't even begin to detail the multiple levels of hell that this program caused in conflicts. Apparently, according to a small obscure thread found after dredging the pits of Google, McAfee's buffer overflow protection created some sort of panic attack with the TPM software that Dell uses. This basically created an unbootable situation... at least one that closely resembled the Blaster worm of a couple years ago.
Any-who, after disabling that bugger overflow (and upgrading to McAfee 8.5) everything was hunky-dory.
I believe MS has a right to be concerned when it comes to these security software devs poking sticks in their kernel... no matter how swiss-cheese it may be.
Agreed – some AV software is almost worse than a Virus – an OS should be able to protect itself from such crap.
This link was cut out when I submitted the story, but take a look at this:
http://www.uninformed.org/?v=4&a=4
The Xbox 360 also has a hypervisor and it’s extremely secure, especially compared to the easily hackable Xbox 1. The only “problem” is that you only run what Microsoft signs.
I don't see how it can help Windows unless they start signing third-party applications as well?
I didn't really see anything in that article that dissuades me from my belief that it's all about DRM. If you can patch the kernel, couldn't you trick the system into thinking you have signed drivers or HDCP or any of the other stupid requirements needed for HD playback? I still believe that's what MS is trying to stop.
Except Patchguard has been around since Windows Server 2003, which a) is long before HDCP was around, and b) I don’t see anyone buying Server 2003 so they can watch movies. It might have a secondary use for that now, but it certainly wasn’t what it was designed to do from the outset.
"a) is long before HDCP was around"
Hasn’t HDCP been around since 2001?
Also that was a server OS, the fact that it’s moving into their home OS shows a different strategy, probably motivated by DRM. A lot of arguments *for* trusted computing also talk about fewer rootkits and stuff too, which, while they’re not wrong, in its current form takes control away from a user into the hands of a company with the signing keys.
Edited 2007-01-31 21:52