Archive for the ‘System Calls’ Category

Symantec Vs. Microsoft - The PatchGuard Debate

Friday, September 28th, 2007

The 64-bit version of Microsoft’s latest operating system, Windows Vista, comes with a feature known as “PatchGuard.” PatchGuard monitors “key resources used by the kernel or kernel code itself” (see Windows Vista Security – An Introduction to Kernel Patch Protection) to detect tampering. If it notices any writes to protected areas, it immediately shuts down the system. The goal of PatchGuard is to harden the kernel against malicious code. However, it also hardens the kernel against security software that does system call monitoring. This side-effect has stirred up unrest among vendors such as Symantec (see Assessment of Vista Kernel Mode Security). They argue that the inability to filter system calls makes systems with PatchGuard less secure than systems that are only running their protection software. So who is correct in the kernel patching debate? This article argues that both parties are in the wrong, and suggests a better way for Microsoft to work with vendors to maximize overall security.

Windows System Call Policies – Just a Pipe Dream?

Friday, July 27th, 2007

Yesterday I was talking with a friend who is working on security software for enforcing process system call policies in all versions of Microsoft Windows. This got me thinking: why has nobody made this software already? It is not a matter of monitoring and filtering system calls – people have been doing this for years. Restricting an application’s access to certain parts of the file system, mediating its network communication, and blocking unnecessary behavior makes so much sense. What is preventing system call filtering software from gaining mainstream popularity? In this article, we take a look at a few challenges that must be overcome in order for system call filtering software to see widespread success.