64-bit versions of Windows Vista and Windows 7, like the 64-bit versions of Windows XP and Windows Server 2003, support Kernel Patch Protection technology. Kernel Patch Protection prevents unauthorized programs from patching the Windows kernel, giving you greater control over core aspects of the system that can affect overall performance, security, and reliability. Kernel Patch Protection detects changes to critical portions of kernel memory. If a change is made in an unsupported way (for example, a user-mode application does not call the proper operating system functions), Kernel Patch Protection creates a Stop error to halt the operating system. This prevents kernel-mode drivers from extending or replacing other kernel services and prevents third-party software from updating any part of the kernel.
Specifically, to prevent Kernel Patch Protection from generating a Stop error, 64-bit drivers must avoid the following practices:
• Modifying system service tables
• Modifying the interrupt descriptor table (IDT)
• Modifying the global descriptor table (GDT)
• Using kernel stacks that are not allocated by the kernel
• Updating any part of the kernel on AMD64-based systems
In practice, these factors are primarily significant to driver developers. No 64-bit driver should ever be released that can cause problems with Kernel Patch Protection, so administrators should never need to manage or troubleshoot Kernel Patch Protection. For detailed information, read “An Introduction to Kernel Patch Protection” at http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx.
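If a driver does trip Kernel Patch Protection, the Stop error can be triaged from the System event log. The following is an added example, not taken from the Resource Kit: it assumes the Stop code is bug check 0x109 (CRITICAL_STRUCTURE_CORRUPTION) with the corrupted region type in the fourth parameter, and the message layout of System-log event 1001; neither appears on this page, and the sample messages are constructed.

```python
import re

# Assumption (not from the page): Kernel Patch Protection raises bug check
# 0x109, CRITICAL_STRUCTURE_CORRUPTION, and parameter 4 names the region type.
KPP_BUGCHECK = 0x109
REGION_TYPES = {
    0x1: "function modification or .pdata",
    0x2: "processor interrupt descriptor table (IDT)",
    0x3: "processor global descriptor table (GDT)",
}

# Assumed layout of the System-log event 1001 message text.
BUGCHECK_RE = re.compile(
    r"bugcheck was:\s*(0x[0-9a-fA-F]+)\s*\(\s*(0x[0-9a-fA-F]+),\s*"
    r"(0x[0-9a-fA-F]+),\s*(0x[0-9a-fA-F]+),\s*(0x[0-9a-fA-F]+)\s*\)"
)

def parse_bugcheck(message):
    """Return (code, [p1, p2, p3, p4]) or None if the text is not a bug check."""
    m = BUGCHECK_RE.search(message)
    if not m:
        return None
    code, *params = (int(g, 16) for g in m.groups())
    return code, params

def kpp_findings(messages):
    """Return (index, region_code, description) for each KPP Stop error."""
    findings = []
    for index, message in enumerate(messages):
        parsed = parse_bugcheck(message)
        if parsed is None or parsed[0] != KPP_BUGCHECK:
            continue  # unrelated event or a different Stop code
        region = parsed[1][3]
        label = REGION_TYPES.get(region, "other region type 0x%x" % region)
        findings.append((index, region, label))
    return findings

# Constructed sample messages (not real crash data).
SAMPLE = [
    r"The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000109 (0xa3a039d89b456543, 0xb3b7465eedc23487, 0xfffff80002a4d5f0, 0x0000000000000002). A dump was saved in: C:\Windows\MEMORY.DMP.",
    r"The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007e (0xffffffffc0000005, 0xfffff88001234567, 0xfffff88002fd1a38, 0xfffff88002fd1290). A dump was saved in: C:\Windows\MEMORY.DMP.",
    r"The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000109 (0xa3a039d89b456543, 0xb3b7465eedc23487, 0xfffff80002a4d5f0, 0x0000000000000003). A dump was saved in: C:\Windows\MEMORY.DMP.",
    "The previous system shutdown was unexpected.",
]

if __name__ == "__main__":
    for index, region, label in kpp_findings(SAMPLE):
        print("message %d: KPP Stop error, region 0x%x (%s)" % (index, region, label))
```

A hit identifies which protected structure changed; finding the responsible driver still requires analyzing the saved memory dump.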
Kernel Patch Protection, hardware-based Data Execution Prevention (DEP), and required driver signing are the primary reasons that 64-bit systems can be more secure than 32-bit systems.
Source of Information: Windows 7 Resource Kit, 2009, Microsoft Press