Microsoft Tuesday released draft application programming interfaces designed to give independent security vendors a way to get around a kernel patch protection technology in Windows Vista. Known as PatchGuard, the Vista technology has been at the center of a simmering dispute between Microsoft and several security vendors who claim that PatchGuard hampers the ability of their products to deliver key security capabilities such as host-based intrusion detection. The technology has also been part of broader antitrust concerns in the European Union that Microsoft has been forced to respond to.
Ben Fathi Microsoft's vice president for the Windows core operating system, talked about the draft APIs and the company's rationale for releasing them. Excerpts from that interview follow:
What exactly did Microsoft announce today?
We published two documents. The first one is a document called the Criteria Evaluation document and it really is a document that describes the criteria for evaluating the requirements as they come in from our partners and how we are going to address them in terms of adding APIs to the kernel. It is a list of processes that we have gone through to decide whether something should be added as an API or whether there is an existing way of doing that or whether there is a simpler design that [we] can work out with our partner that avoids introducing new APIs and potentially new attack surfaces on the kernel.
We are publishing this to be very clear and aboveboard on what our processes are for establishing the new APIs that we are going to add to the kernel. And we want to hear feedback from partners and the industry on whether this is a good set of criteria or not.
And the second document?
The second document is the first draft of the actual APIs that we have been working on. We are publishing it for evaluation by our partners. The APIs will be available in Service Pack 1 [SP1] of Windows Vista later in 2007. We are working actively with our partners to get their feedback on things that aren't covered here in this first iteration of APIs. We plan to and are committed to working with them to continue to add APIs over time as needed to extend kernel functionality without compromising PatchGuard.
How many APIs did you release?
There are four different classes of APIs. We took of all the requirements from our partners and prioritized them based on the most important needs they had. These are the top four areas that came up. The first set of APIs is around creating and opening processes and threads. So [that means] giving them the ability to set a policy in place that says when a thread is created or when a process is created what kind of security precautions they want to take. The second area is around protection of security software to make sure the security software that gets installed on the system is not itself being modified by viruses. The third one is around memory-based controls. The fourth area is image loading operations. This is a set of APIs that allows security software to block the loading of certain executables or DLLs [dynamic link libraries] into memory.