Thursday 4 July 2013

Is Windows 64-bit Version more secure than 32-bit?

Nowadays new systems running Windows 7 and 8 ship with 64-bit versions, because these not only provide the advantage of additional memory but are also more secure than 32-bit versions.

64-bit operating systems are not immune to malware, but they definitely have more security features.



ASLR (Address Space Layout Randomization) is a computer security technique that randomly arranges the data areas of a program in memory. It prevents some types of attack by making it more difficult for an attacker to predict target addresses when exploiting a vulnerability in a program.

When the system obscures memory addresses from the attacker, they have to be guessed, and an incorrect guess may crash the program, so the attacker wouldn't be able to repeat the attempt.

ASLR is also integrated into 32-bit versions of Windows and other operating systems, but it is much more powerful on 64-bit Windows. A 64-bit system has a larger address space than a 32-bit one, which makes ASLR much more effective.

Driver Signing (or Code Signing) is the process of digitally signing executables and scripts. The digital signature confirms the identity of the author and, by use of a cryptographic hash, guarantees that the code has not been altered or corrupted since it was signed.

Malware authors have to bypass the signing process through a rootkit, or try to sign their infected drivers with a stolen but valid certificate of a driver developer. This makes it more difficult to run infected drivers on the system.

So 64-bit Windows enforces mandatory driver signing to block unsigned drivers supplied by malware. Driver signing is even enforced on 32-bit versions of Windows, but they may lack signing compatibility for older 32-bit drivers.

By default, 64-bit versions of Windows Vista and later verify the driver signature when loading a kernel-mode driver. During development and test, this behavior can be disabled to facilitate driver development and non-automated testing. Developers can either attach a kernel debugger or use the F8 Advanced Boot Options menu to temporarily disable load-time enforcement of a valid driver signature.

Patching the kernel is an unsupported modification of the kernel. It has never been supported by Microsoft because it may cause a number of negative effects, such as reducing system security and reliability.

Kernel Patch Protection (K.P.P), or PatchGuard, is a security feature found only on 64-bit versions of Windows. It protects against these negative effects, which include the Blue Screen of Death (resulting from serious errors in the kernel), rootkits (which modify the Windows kernel to embed themselves in the operating system), and products that rely on kernel modifications and then break on newer versions of Windows or on updates that change the way the kernel works.

These protections could also be placed on 32-bit versions of Windows, but they may not be compatible with legacy software.

Data Execution Prevention (D.E.P) is a security feature in modern operating systems such as Linux, Mac OS X, iOS, Microsoft Windows and Android that prevents an application or service from executing code from a non-executable memory region. It helps to prevent certain exploits that rely on buffer overflows, and it runs in two modes: hardware-enforced DEP and software-enforced DEP.

If a system doesn't have DEP, an attacker can use a buffer overflow to write code into a region of an application's memory; that code could then be executed.

If the system supports DEP, the attacker can do the same thing in the region of the application's memory, but the region is marked as non-executable, so the code cannot be executed and the attack is blocked.

64-bit systems have hardware-based DEP. This feature is also supported on 32-bit versions with a modern CPU, but its default settings are more restrictive for compatibility reasons. To learn more about DEP, see Microsoft’s documentation page.
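As an added example (not part of the original post), the Python sketch below reads the header fields through which a Windows executable opts into the ASLR and DEP protections described above. The flag values come from the PE/COFF format; `pe_mitigations` and `build_sample` are names chosen for this illustration, and the sample headers are constructed, not real binaries.

```python
import struct

MACHINES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
PE32, PE32_PLUS = 0x10B, 0x20B   # optional-header magic: 32-bit / 64-bit image
HIGH_ENTROPY_VA = 0x0020         # 64-bit image accepts high-entropy ASLR
DYNAMIC_BASE = 0x0040            # image may be relocated at load (ASLR opt-in)
NX_COMPAT = 0x0100               # image declares itself compatible with DEP


def pe_mitigations(data: bytes) -> dict:
    """Report the ASLR/DEP opt-ins stored in a PE image's DllCharacteristics."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    opt = pe_off + 24                                     # signature + COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt + 72:
        raise ValueError("missing or truncated PE header")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional-header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    aslr = bool(flags & DYNAMIC_BASE)
    return {
        "arch": MACHINES.get(machine, hex(machine)),
        "aslr": aslr,
        # Only meaningful for a 64-bit image that is also relocatable.
        "high_entropy_aslr": aslr and magic == PE32_PLUS and bool(flags & HIGH_ENTROPY_VA),
        "dep": bool(flags & NX_COMPAT),
    }


def build_sample(machine: int, magic: int, flags: int) -> bytes:
    """Constructed minimal header for the demo; not a loadable executable."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 72, 0x0002)
    opt = bytearray(72)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_sample(0x8664, PE32_PLUS, HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT)
    legacy = build_sample(0x014C, PE32, 0)
    for name, image in (("hardened x64", hardened), ("legacy x86", legacy)):
        print(name, pe_mitigations(image))
```

To inspect a real file, pass its bytes to `pe_mitigations`, for example the result of `open(path, "rb").read()`.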

WoW64 (Windows 32-bit on Windows 64-bit) is a Windows subsystem capable of running 32-bit applications. It is included in all 64-bit versions of Windows, such as Windows XP Professional x64 Edition, the IA-64 and x64 versions of Windows Server 2003, and the 64-bit versions of Windows Vista, Windows Server 2008, Windows 7 and Windows 8.

According to Microsoft, 32-bit software running under WoW64 has similar performance to executing under 32-bit Windows. WoW64 is also designed to take care of the differences between 32-bit Windows and 64-bit Windows.

The WoW64 subsystem comprises a lightweight compatibility layer that has similar interfaces on all 64-bit versions of Windows and creates a 32-bit environment in which unmodified 32-bit Windows applications can run on a 64-bit system.

The security features described above are not foolproof, and 64-bit versions of Windows are still vulnerable to malware; however, 64-bit versions are definitely more secure than 32-bit ones.
