Skirting Microsoft's Maginot Line

Authentium CEO: We won't wait for PatchGuard fix

As Microsoft’s Vista operating system slouches toward completion, there’s been a rising chorus of criticism from independent software vendors about Vista’s supposed strong suit: security. PatchGuard, a kernel-protection technology, is a favorite target. Aside from blocking access to the kernel for third-party products, some security firms are raising questions about whether the kernel-protection feature will even work. Latest among them is Authentium, a provider of security SaaS (software as a service) products, which said recently that a new product, VirtualATM, can shut off PatchGuard so the company could secure online banking transactions, even on infected PCs. InfoWorld Senior Editor Paul F. Roberts caught up with Authentium CEO John Sharp last week to talk about the controversy.

InfoWorld: Do you worry that Windows Vista, with its built-in anti-spyware, firewall, and auto updates, as well as Microsoft’s other enterprise security offerings, will undermine the value that your company offers?

John Sharp: My biggest concern is that [Microsoft] will undermine innovation. We’ve developed a terrific technology that works in a very different way from the way security works in Vista. If we’re not allowed to innovate and McAfee and Symantec aren’t allowed to innovate, we’re going to end up with very mediocre security tools. Or, we’ll get terrific tools, but on a time line that allows hackers to do damage in the meantime. Our message to Microsoft is that, “We’ve got great technology. We’d like you to certify it. If you do that today, we can be operational with it in a couple months.”

IW: You initially claimed that the technology you’ve developed, VirtualATM, disabled PatchGuard to secure online banking transactions. Later, you revised that to say that VirtualATM is a complementary security layer that leaves PatchGuard in place. Which is it?

JS: Basically PatchGuard controls process creation and termination, access to memory, anti-tamper and code loading at the kernel. VirtualATM works in all those areas to manage secure banking transactions. [VirtualATM] enables a single trusted process environment to connect to a bank through a VPN connection and enable a transaction, even if you’re infected with spyware or a rootkit and they’ve hacked your kernel.

IW: So when you say that you’re leaving PatchGuard in place, but just suspending it to run VirtualATM, that sounds like you’re not really leaving it in place.

JS: PatchGuard is there to put up a wall to unauthorized changes to the OS. We’re asking Microsoft to certify our capability in this area or provide us with an API or build one based on our technology. Whatever gets the solution to market faster. What we want is a certified capability to do what we do, because after what we do with VirtualATM, the end point is more secure with respect to online banking transactions with Windows.

IW: In doing that, you know that you’re doing something that Microsoft doesn’t want you to do, but you did it anyway. Why?

JS: We did it because we had an innovative approach and we wanted to support that. It’s not accurate to say that Microsoft doesn’t support it. We’ve had ongoing conversations with them for weeks. They’ve known what we’re up to in that respect, and certainly in the last few weeks they’ve known we’re taking this approach.

IW: But given Vista’s ship date and the time it takes to get the API, you’re not planning to shelve VirtualATM in the meantime?

JS: No, we’re not. But we’re talking about 64-bit here. There will be a while before that’s available in large numbers. By then we’ll have figured out an approach for 64-bit that’s in line with what Microsoft wants to do.

IW: Given the issues that have come up with VirtualATM and the earlier “Blue Pill” attack, does PatchGuard start to seem more like a “Maginot Line,” as you’ve suggested — an imposing defense that’s easily circumvented?

JS: Yes. It’s worth looking at both [VirtualATM and Blue Pill]. Both came from people who care about Microsoft. Authentium is a well-regarded security developer. I haven’t noticed much coming from the Black Hat community with respect to what they’re doing [with PatchGuard]. I suspect that they’ll hold off on revealing anything before Vista’s RTM [release to manufacturing] date has been announced.