McAfee wants to modify your kernel – Tales from the Crypto

McAfee wants to modify your kernel


Much press has been made lately about the complaints by McAfee and Symantec that they have been locked out of modifying the Windows Vista x64 kernel through the closure of undocumented back-doors that they used to use. (Sadly, none of what either company has said seems to carry any technical explanation with it, just rhetoric wailing that “customers’ security will suffer”.)

Jesper wrote about this on his blog, as did Sandi and Walter, as well as Stephen Toulouse – and there are many others out there with various perspectives. Rocky Heckman, for instance, or Microsoft’s security head honcho, Ben Kingsley.

I think that this is more a reliability issue than a security issue (I see reliability as an important aspect of security).

Although it’s got a security “face”, in that you have to work hard to prevent attackers from modifying the kernel, it has a reliability “body” – the goal is, of course, to reduce the number of people with their fingers in the kernel, on the basis that many of them have no business there, or skill in that realm.

Given the buffer overflows and reliability issues caused by some of the security products from third-party vendors, it seems like a good idea to avoid having them tie in to the highest-privileged component on the system.  Symantec and McAfee are not OS kernel developers, they shouldn’t be writing into the OS kernel.

Sure, we could say that about Microsoft, if we were to assume that Microsoft is the hive-minded Borg that the company is often portrayed to be. But let’s step back a moment, and consider that the company is made up of application developers and kernel developers, among other distinctions that could be made.

Microsoft has made it clear that their own application developers will not be given undocumented hooks into the kernel – kernel development will be restricted to kernel developers.

Back when I was on the inside of Microsoft, I heard repeatedly that development was to be done using only published APIs. If I wanted to use another team’s API that wasn’t published, even if I could discover it by looking through source code, the only appropriate method was to request that the owners of that code publish it as an API, so that I could legitimately use it.

A recent example of this “only use the published APIs” approach is the WiFi Live Beta program that started up recently. You could spot that this was likely to be coming, because before it was announced, there was a release of WiFi Native APIs.

Symantec and McAfee have heard that they will be locked out from unauthorised modifications to the kernel for some months now (I know, because I’ve heard this for some months now, and I’m not in the inner circle of virus companies that gets more information than I do).

Why did they choose this time to start the PR blitz?

What else is going on right now that would cause this to be a worthwhile time to complain like this?

2 Responses to McAfee wants to modify your kernel

Leave a Reply

Your email address will not be published. Required fields are marked *