PatchGuard Should Mimic SecureBoot

PatchGuard is Microsoft's implementation of Kernel Patch Protection, available on 64-bit Vista/7/8 systems. The idea is to prevent any code from patching the kernel, i.e. third-party code cannot modify or change kernel code.

This has had an immense effect on the security of Windows 64bit systems. Rootkits are far more limited in what they can do and how they can hide.

The problem here is that no one is allowed to patch it. That means we're locked into the Microsoft security model, which until Windows 8 has been pretty awful (integrity levels). So while a security company on 32-bit can implement its own security model and have it act at kernel level (you need the same rights or higher to properly intercept SYS_CALL etc.), on 64-bit they're now just as limited as rootkits, having to resort to other means to limit malware.

SecureBoot is another feature, aimed at preventing bootkits. Where SecureBoot differs is that it maintains a whitelist, so signed software can actually 'bypass' it (not truly a bypass, as this is the design and strength of it).

It would have been cool if PatchGuard had done something similar. Had Microsoft implemented a vetting system for PatchGuard certs, we'd still see security products on Windows capable of performing on par with their 32-bit counterparts.