Authentium Asks Microsoft To Approve Vista Kernel Trick

A security company that made headlines last week when it announced an end-around the kernel security in the 64-bit version of Windows Vista says it has opened direct talks with

October 31, 2006


A security company that made headlines last week when it announced an end-run around the kernel security in the 64-bit version of Windows Vista said Monday it was in talks with Microsoft, and hoped the software giant would license its technology.

"We're focusing on a positive outcome," said John Sharp, the chief executive of Authentium. "One would be for Microsoft to certify our technology. Another would be for Microsoft to produce an API [Application Programming Interface] that would allow access to the kernel."

Sharp's comments Monday were a departure from published accounts last week that spelled out Authentium's method of injecting code into the kernel of Windows Vista, and follow-on reports claiming that Microsoft was furious at the approach.

"We momentarily turn off PatchGuard, install our code, then we turn [PatchGuard] back on, all in under a millisecond," acknowledged Sharp. "Yes, there were reports of Microsoft [being angry], but they're actually intrigued by what we're doing." Sharp denied that Microsoft had aimed any negative comments its way.

"We've not had a single direct conversation about anything other than engineering-based [topics], and how we work with PatchGuard. From our standpoint, it's all been a very intelligent dialog," Sharp said.

PatchGuard is Microsoft's name for the technology it uses in 64-bit versions of Windows XP and Server 2003, and will add to Vista. PatchGuard, which is designed to stop rootkits from making changes at the kernel level, has been repeatedly knocked by security vendors, notably Symantec and McAfee, who have charged that by blocking "kernel hooking" -- intercepting Windows' system calls and modifying the kernel dispatch table -- Microsoft was making it impossible for them to implement advanced security techniques, including anti-tampering and behavior-based malware detection systems.
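As an added illustration, not code from the article, Authentium or Microsoft, the user-mode C model below shows the kind of check the kernel-hooking dispute is about: a baseline checksum is taken over a dispatch table of function pointers, and a later comparison flags an entry that has been swapped for a hook. The table, the FNV-1a checksum and every function name are constructed for this example; it models the idea, not the real PatchGuard implementation.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for a kernel system-call dispatch table:
 * an array of function pointers indexed by call number. */
typedef int (*syscall_fn)(int);

static int sys_open(int x)  { return x + 1; }
static int sys_read(int x)  { return x * 2; }
static int sys_write(int x) { return x - 1; }

#define TABLE_SIZE 3
static syscall_fn dispatch_table[TABLE_SIZE] = { sys_open, sys_read, sys_write };

/* FNV-1a over the raw bytes of the table: any changed pointer changes the hash. */
static uint64_t table_checksum(const syscall_fn *table, size_t n) {
    const unsigned char *p = (const unsigned char *)table;
    size_t len = n * sizeof(syscall_fn);
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Baseline recorded once, at "boot" in this model. */
static uint64_t baseline;

void guard_init(void) { baseline = table_checksum(dispatch_table, TABLE_SIZE); }

/* 1 if the table still matches the baseline, 0 if an entry was replaced.
 * Caveat a defender cares about: this is a point-in-time check. A change
 * made and reverted between two checks is not seen, which is why an
 * integrity monitor needs to run continuously or on events, not once. */
int guard_check(void) { return table_checksum(dispatch_table, TABLE_SIZE) == baseline; }

/* Test helpers: replace the read entry with a wrapper (what "kernel hooking"
 * means in the article) and put the original back. Constructed for the demo. */
static int hooked_read(int x) { return sys_read(x) + 1000; }
void simulate_tamper(void) { dispatch_table[1] = hooked_read; }
void restore_entry(void)   { dispatch_table[1] = sys_read; }

/* Dispatch through the table, as the kernel would for a system call. */
int dispatch(int call_no, int arg) { return dispatch_table[call_no](arg); }
```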

To placate the European Union's antitrust agency, which had not only heard from Symantec and McAfee, but had noted its own concerns over Vista's security features, Microsoft earlier this month agreed to sit down with third-party security companies and draft a set of Vista APIs that would let future products duplicate the advanced techniques now used on 32-bit Windows. The rub, countered the unconvinced, was that the APIs would take years to build.

Authentium said it has figured out a way to circumvent, but not disable, PatchGuard, so it could not only sniff out malicious code, but disarm it before it could do harm.

But even as Sharp rejected the idea that Authentium had backpedaled from its supposed stare-down with Microsoft last week, he took issue with the Redmond, Wash. developer's stance on Vista security. "Microsoft thinks security vendors should be happy to stand aside and [only] monitor the kernel," he said. "But we should be the policeman. We've been excellent responders."

Claiming that "better security" in Vista 64-bit required more than simple anti-virus monitoring -- "several companies, including us, go a step farther and patch exploits discovered in the kernel," he said -- Sharp dismissed as short-sighted some analysts' comments that kernel access shouldn't be a major issue for security vendors because 64-bit Vista won't be used in appreciable numbers for years.

"It's all about time-to-market," said Sharp. "If Microsoft doesn't release APIs [for accessing kernel data] for 12-18 months, that's just the starting point for development. We could be three or four years developing software after that."

Instead, said Sharp, Authentium has asked Microsoft to certify its approach to kernel security with the idea toward licensing the technology -- dubbed "TSX" and "VirtualATM" by the West Palm Beach, Fla.-based security company -- to online banks, financial institutions, Microsoft, or other security vendors.

"Microsoft could certify our API as the basis for other people to interface with PatchGuard," said Sharp. "With the investment we've made it would have to be a commercial license, but Microsoft does business like that all the time."

If Microsoft gave a green light to Authentium's turn-off/install/turn-on approach to PatchGuard, Sharp said Authentium could have finished code "pretty quickly."

"We see the certification of our interface as a test case," concluded Sharp. "If they certify it, it's great news for everybody. We respect Microsoft's attempt to make the operating system more stable [using PatchGuard], but there's a middle ground here."
