Windows Kernel Patch Protection

Kernel Patch Protection (also known as 'PatchGuard') is a Windows mechanism designed to protect the integrity of vital code and data structures used by the operating system. It was introduced in Windows Server 2003 x64 and has been continually improved in subsequent Windows versions.

Most new PCs have been shipping with the 64-bit version of Windows — both Windows 7 and 8 — for years now. 64-bit versions of Windows aren’t just about taking advantage of additional memory. They’re also more secure than 32-bit versions.

64-bit operating systems aren’t immune to malware, but they do have more security features. Some of this also applies to 64-bit versions of other operating systems, such as Linux. Linux users will gain security advantages by switching to a 64-bit version of their Linux distribution.

Address Space Layout Randomization

ASLR is a security feature that causes a program’s data locations to be randomly arranged in memory. Before ASLR, a program’s data locations in memory could be predictable, which made attacks on a program much easier. With ASLR, an attacker has to guess the correct location in memory when trying to exploit a vulnerability in a program. An incorrect guess may result in the program crashing, so the attacker won’t be able to try again.

This security feature is also used on 32-bit versions of Windows and other operating systems, but it’s much more powerful on 64-bit versions of Windows. A 64-bit system has a much larger address space than a 32-bit system, making ASLR that much more effective.

Mandatory Driver Signing

The 64-bit version of Windows enforces mandatory driver signing. All driver code on the system must have a digital signature. This includes kernel-mode device drivers and user-mode drivers, such as printer drivers.

Mandatory driver signing prevents unsigned drivers provided by malware from running on the system. Malware authors will have to somehow bypass the signing process through a boot-time rootkit or manage to sign the infected drivers with a valid certificate stolen from a legitimate driver developer. This makes it more difficult for infected drivers to run on the system.

Driver signing could also be enforced on 32-bit versions of Windows, but it isn’t — likely for continued compatibility with old 32-bit drivers that may not have been signed.

To disable driver signing during development on 64-bit editions of Windows, you would have to attach a kernel debugger or use a special startup option that doesn’t persist across system reboots.
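The signing requirement described in the three paragraphs above is something a defender can verify from the running system. The following PowerShell script is an added example, not code from the original article: it enumerates the kernel drivers currently loaded and checks each driver file's Authenticode signature, so that an unsigned or tampered driver shows up in the report. It assumes an elevated prompt on 64-bit Windows, and the path-normalisation rules in `Convert-DriverPath` are based on the NT-style paths (`\SystemRoot\...`, `\??\C:\...`) that `Win32_SystemDriver.PathName` commonly returns.

```powershell
# Added example (not from the original article): list running kernel drivers and
# verify each file's Authenticode signature. Run from an elevated PowerShell prompt.

function Convert-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName can be an NT path rather than a Win32 path, e.g.
    # (constructed examples)  \SystemRoot\System32\drivers\acpi.sys
    #                         \??\C:\Windows\system32\drivers\example.sys
    #                         System32\drivers\example.sys
    $p = $PathName
    $ci = [System.StringComparison]::OrdinalIgnoreCase
    if ($p.StartsWith('\??\'))                { $p = $p.Substring(4) }
    if ($p.StartsWith('\SystemRoot\', $ci))   { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif ($p.StartsWith('System32\', $ci))  { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    if (-not [Environment]::Is64BitOperatingSystem) {
        Write-Warning 'This is a 32-bit Windows installation: driver signing is not enforced here.'
    }
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        $file = Convert-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Driver = $d.Name; File = $file; Status = 'FileNotFound'; Signer = $null }
            continue
        }
        # Status is one of: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $sig = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            Driver = $d.Name
            File   = $file
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Usage: show only drivers whose signature did not validate.
Get-DriverSignatureReport | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

A `HashMismatch` result means the file on disk no longer matches what was signed and deserves immediate attention. A `NotSigned` result for an inbox Microsoft driver can be a false alarm when the driver is signed through a catalog (.cat) file rather than an embedded signature, so the rows worth investigating first are third-party drivers outside `System32\drivers` that report anything other than `Valid`.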

Kernel Patch Protection

KPP, also known as PatchGuard, is a security feature only found on 64-bit versions of Windows. PatchGuard prevents software, even drivers running in kernel-mode, from patching the Windows kernel. This has always been unsupported, but it’s technically possible on 32-bit versions of Windows. Some 32-bit antivirus programs have implemented their antivirus protection measures using kernel patching.

PatchGuard prevents device drivers from patching the kernel. For example, PatchGuard prevents rootkits from modifying the Windows kernel to embed themselves in the operating system. If an attempt at kernel patching is detected, Windows will immediately shut down with a blue screen or reboot.

This protection could be put into place on the 32-bit version of Windows, but it hasn’t been — likely for continued compatibility with legacy 32-bit software that depends on this access.

Data Execution Protection

DEP allows an operating system to mark certain areas of memory as “non-executable” by setting an “NX bit.” Areas of memory that are supposed to hold data only will not be executable.

For example, on a system without DEP, an attacker could use some sort of buffer overflow to write code into a region of an application’s memory. This code could then be executed. With DEP, the attacker could write code into a region of the application’s memory — but this region would be marked as not-executable and could not be executed, which would stop the attack.

64-bit operating systems have hardware-based DEP. While this is also supported on 32-bit versions of Windows if you have a modern CPU, the default settings are more stringent and DEP is always enabled for 64-bit programs, while it’s disabled by default for 32-bit programs for compatibility reasons.

The DEP configuration dialog in Windows is a bit misleading. As Microsoft’s documentation states, DEP is always used for all 64-bit processes:

“System DEP configuration settings apply only for 32-bit applications and processes when running on 32-bit or 64-bit versions of Windows. On 64-bit versions of Windows, if hardware-enforced DEP is available it is always applied to 64-bit processes and kernel memory spaces and there are no system configuration settings to disable it.”
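The quoted documentation says the DEP policy you can configure only governs 32-bit processes, and the ASLR section earlier notes that the larger 64-bit address space makes ASLR more effective (Windows exposes that as the "high entropy" ASLR option). The following PowerShell script is an added example, not from the original article, that reads both settings from a Windows host so the quoted rule can be checked rather than assumed. It assumes Windows 10 or later for `Get-ProcessMitigation`; the `Dep.Enable`, `Aslr.BottomUp`, `Aslr.HighEntropy` and `Aslr.ForceRelocateImages` property names are taken from that cmdlet's output as it is documented and are assumptions of this example.

```powershell
# Added example (not from the original article): report the system-wide DEP policy
# and the system-wide DEP/ASLR mitigation settings.

function Get-DepPolicyReport {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Values of DataExecutionPrevention_SupportPolicy as documented for Win32_OperatingSystem.
    $policyNames = @{
        0 = 'AlwaysOff'
        1 = 'AlwaysOn'
        2 = 'OptIn  (only Windows programs and services are protected)'
        3 = 'OptOut (all programs protected except those explicitly excluded)'
    }
    $is64 = [Environment]::Is64BitOperatingSystem
    [pscustomobject]@{
        Is64BitOS            = $is64
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        ConfiguredPolicy     = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        DepFor32BitApps      = $os.DataExecutionPrevention_32BitApplications
        DepForDrivers        = $os.DataExecutionPrevention_Drivers
        # Per the documentation quoted in the article: on 64-bit Windows with hardware DEP,
        # every 64-bit process is protected regardless of the configured policy.
        DepFor64BitProcesses = if ($is64 -and $os.DataExecutionPrevention_Available) { 'Always' } else { 'N/A' }
    }
}

function Get-SystemMitigationReport {
    if (-not (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-ProcessMitigation is not available (requires Windows 10 1709 or later).'
        return
    }
    # -System reads the machine-wide defaults; values are ON, OFF or NOTSET.
    $m = Get-ProcessMitigation -System
    [pscustomobject]@{
        DepEnable            = $m.Dep.Enable
        AslrBottomUp         = $m.Aslr.BottomUp
        AslrHighEntropy      = $m.Aslr.HighEntropy      # only meaningful for 64-bit processes
        AslrForceRelocate    = $m.Aslr.ForceRelocateImages
    }
}

# Usage:
Get-DepPolicyReport | Format-List
Get-SystemMitigationReport | Format-List
```

On a typical 64-bit client install the first report shows policy `OptIn` with `DepFor64BitProcesses` reported as `Always`, which is exactly the asymmetry the quoted documentation describes: the dialog's setting only decides what happens to 32-bit processes. An `AslrHighEntropy` of `OFF` on a 64-bit host means the wider address space is not being used to its full advantage and is worth correcting with `Set-ProcessMitigation -System -Enable HighEntropy`.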

WOW64

64-bit versions of Windows run 32-bit Windows software, but they do it through a compatibility layer known as WOW64 (Windows 32-bit on Windows 64-bit). This compatibility layer enforces some restrictions on these 32-bit programs, which may prevent 32-bit malware from functioning properly. 32-bit malware will also be unable to run in kernel mode — only 64-bit programs can do that on a 64-bit OS — so this may prevent some older 32-bit malware from functioning properly. For example, if you have an old audio CD with the Sony rootkit on it, it won’t be capable of installing itself on a 64-bit version of Windows.

64-bit versions of Windows also drop support for old 16-bit programs. In addition to preventing ancient 16-bit viruses from executing, this will also force companies to upgrade their ancient 16-bit programs that could be vulnerable and unpatched.

Given how widespread 64-bit versions of Windows now are, new malware will likely be capable of running on 64-bit Windows. However, the lack of compatibility can help protect against old malware in the wild.

Unless you use creaky old 16-bit programs, ancient hardware that only offers 32-bit drivers, or a computer with a fairly old 32-bit CPU, you should be using the 64-bit version of Windows. If you’re not sure which version you’re using but you have a modern computer running Windows 7 or 8, you’re likely using the 64-bit edition.

Of course, none of these security features is foolproof, and a 64-bit version of Windows is still vulnerable to malware. However, 64-bit versions of Windows are definitely more secure.

Image Credit: William Hook on Flickr
