Evaluation criteria for Kernel Patch Protection APIs in Windows Vista 64-bit
Microsoft's Ben Fathi discusses how the company determined which APIs to develop
and deliver first
Published: December 19, 2006
As many of you know, almost two years ago Microsoft released 64-bit versions of Microsoft Windows XP
Professional and Windows Server 2003 Service Pack 1 with a set of security enhancements called Kernel Patch
Protection, which aimed to increase security and reliability by limiting unauthorized software modifications to the
kernel. This same functionality is being carried over into 64-bit versions of Microsoft's next-generation operating
system, Windows Vista.
Because Kernel Patch Protection can create compatibility issues for some features in third-party software,
Microsoft has been working for the past several months with independent software vendors (ISVs) to develop
documented and supported methods by which third-party software can work alongside Kernel Patch Protection on 64-bit
versions of Windows Vista.
Today, we are delivering the first draft set of these new application programming interfaces (APIs) for
Windows Vista. These APIs have been designed to help security and non-security ISVs develop software that extends
the functionality of the Windows kernel on 64-bit systems, in a documented and supported manner, and without
disabling or weakening the protection offered by Kernel Patch Protection. Additionally, Microsoft is making public
the criteria we are using to help evaluate and prioritize the types of APIs that will be developed and when they
will be delivered. See a copy of the whitepaper that explains our criteria.
The first set of APIs addresses some of the more urgent requirements identified by ISVs and falls into four
general categories:
1. Create and Open Process & Thread Control, which can be used to govern whether applications are allowed to be launched or manipulated.
2. Self-protection of security software, which involves providing API support to prevent tampering with processes hosting security software.
3. Memory-based controls, which would enable security software to prevent memory address space manipulation operations of a running application.
4. Image loading operations, which can be used to prevent malicious software such as application or DLL (dynamic-link library) code images from loading and executing.
While we’ve made substantial progress in determining what this initial set of APIs will do, I want to
emphasize that they are not final. In the next several weeks, we’ll continue gathering input about the draft
specifications from ISVs and other security experts. Our plan is to release the first set of these APIs in both 32-bit
and 64-bit versions of Windows Vista Service Pack 1. Early test versions will be made available to ISVs so they can
update and test their software in time for release along with Service Pack 1. Even then, our collaborative work will
continue. Security is an ongoing process in which we will continue to evolve our technologies as the attackers
continue to imagine and create new threats. Microsoft is fully committed to working with security ISVs to combat
these threats and to provide our mutual customers with a more secure and trusted computing experience.