Device and method for managing cache flooding process in computing device
US-2018217937-A1 · Aug 2, 2018 · US
US2019080102A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2019080102-A1 |
| Application number | US-201715795836-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 27, 2017 |
| Priority date | Sep 12, 2017 |
| Publication date | Mar 14, 2019 |
| Grant date | — |
Abstract:
Endpoint security is improved by monitoring and controlling interprocess communications through a kernel-based endpoint protection driver. A list of protected computing objects such as registry keys, files, processes and directories is stored in the kernel and secured with reference to a trust authority external to the kernel and the endpoint. Protected processes are further controlled from unauthorized access and use by monitoring all interprocess communications through the endpoint protection driver and preventing unprotected processes from passing (potentially unsafe) data to protected processes.
Claims:
What is claimed is:

1. A computer program product for securing interprocess communications in an operating system of an endpoint that includes a kernel space for operating system functions and a user space for user programs, the computer program product comprising computer executable code embodied in a non-transitory computer-readable medium that, when executing on the endpoint, performs the steps of: storing a tamper protection cache in the kernel space on the endpoint, the tamper protection cache identifying one or more protected processes for protection when executing in the user space; storing a digital signature in the tamper protection cache, the digital signature signed with a private key that provides a root of trust from a trust authority external to the operating system; monitoring execution of processes in the user space of the endpoint with an endpoint protection driver executing in the kernel space; directing an interprocess communication from a first process in the user space to a second process in the user space through the endpoint protection driver; and when the second process is a first one of the protected processes identified in the tamper protection cache, conditionally permitting the first process to provide data to the second process only when the first process is a second one of the protected processes identified in the tamper protection cache.
2. A method for securing interprocess communications on an endpoint, the method comprising: storing a tamper protection cache in a kernel space of an operating system on the endpoint, wherein a memory of the endpoint includes the kernel space and a user space, and wherein the tamper protection cache identifies one or more protected processes for protection when executing in the user space; monitoring execution of processes in the user space of the endpoint with an endpoint protection driver executing in the kernel space; directing an interprocess communication from a first process in the user space to a second process in the user space through the endpoint protection driver; and conditionally managing the interprocess communication according to a protected status of each of the first process and the second process in the tamper protection cache.
3. The method of claim 2, wherein conditionally managing the interprocess communication includes, when the second process is a first one of the protected processes identified in the tamper protection cache, conditionally permitting the first process to provide data to the second process only when the first process is a second one of the protected processes identified in the tamper protection cache.
4. The method of claim 2, further comprising storing a process cache in the kernel space, the process cache including process properties for one or more processes executing on the endpoint.
5. The method of claim 4, wherein the one or more processes executing on the endpoint include one of the protected processes.
6. The method of claim 4, further comprising detecting a change to one of the process properties with the endpoint protection driver and evaluating the change for possible malicious activity.
7. The method of claim 4, wherein the process cache stores at least one of an application, an application family, an application path, and an application class for each of the one or more processes executing on the endpoint.
8. The method of claim 2, further comprising loading the endpoint protection driver before launching processes in the user space.
9. The method of claim 2, further comprising retaining process data for the first process in a process cache in the kernel space after the first process is terminated in the user space.
10. The method of claim 9, further comprising providing the process data for the first process from the process cache to an external security resource in response to a query from the external security resource.
11. The method of claim 2, wherein the tamper protection cache is digitally signed by a trust authority external to the operating system.
12. The method of claim 11, wherein the tamper protection cache is digitally signed using a private key, wherein a public key for a key pair that includes the private key and the public key is encoded into a binary representation of the endpoint protection driver stored in the kernel space.
13. The method of claim 11, wherein the trust authority includes a remote threat management facility.
14. The method of claim 2, wherein the tamper protection cache is digitally signed with a signature containing a signed hash of the tamper protection cache.
15. The method of claim 2, wherein the tamper protection cache includes two or more independent data stores identifying different protected objects, each of the two or more independent data stores separately controllable by a trust authority external to the operating system.
16. The method of claim 2, wherein the tamper protection cache identifies one or more protected computing objects selected from a group consisting of a directory, a registry key, and a file.
17. A method for securing interprocess communications on an endpoint, the method comprising: storing a tamper protection cache in a kernel space of an operating system on the endpoint, wherein a memory of the endpoint includes the kernel space and a user space, and wherein the tamper protection cache identifies one or more protected processes for protection; monitoring execution of processes executing in the memory of the endpoint with an endpoint protection driver executing in the kernel space; directing an interprocess communication from a first process in the memory to a second process in the memory through the endpoint protection driver; and conditionally managing the interprocess communication according to a protected status of each of the first process and the second process in the tamper protection cache.
18. The method of claim 17, wherein at least one of the first process and the second process is executing in the user space of the memory.
19. The method of claim 17, wherein at least one of the first process and the second process is executing in the kernel space of the memory.
20. A system comprising: an endpoint containing a memory; an operating system executing on the endpoint, the operating system dividing the memory into a kernel space for operating system functions and a user space for execution of user programs; a tamper protection cache stored in the kernel space of the memory and digitally signed by a trust authority external to the operating system, the tamper protection cache identifying one or more protected processes for protection when executing in the user space; and an endpoint protection driver executing in the kernel space of the memory, the endpoint protection driver configured to monitor execution of processes in the user space and to detect an interprocess communication from a first process in the user space to a second process in the user space, the endpoint protection driver further configured to control the interprocess communication by, when the second process is a first one of the protected processes identified in the tamper protection cache, conditionally permitting the first process to provide data to the second process only when the first process is a second one of the protected processes identified in the tamper protection cache.
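The following Python is an added reference model of the mechanism the abstract and claims describe, not the patent holder's code and not tied to any real operating system's IPC primitives: a kernel-resident tamper protection cache listing protected executable paths, a signed hash of that cache produced by a trust authority outside the OS and verified with a public key baked into the driver (claims 12 and 14), a process cache whose entries survive process exit (claims 4 and 9), and an IPC gate that lets data reach a protected process only from another protected process (claims 1 and 3). The class and function names, the sample process list and the key material are all constructed here; the signature uses textbook RSA over two fixed known primes purely so the example runs without third-party libraries, and a real driver would embed a full-size key with a padded scheme.

```python
"""Reference model of a signed tamper protection cache and an IPC-gating
endpoint protection driver. Constructed for illustration; not the patent
holder's code and not a model of any particular OS's IPC mechanism."""
import hashlib
import json

# Trust authority key pair. ASSUMPTION: textbook (unpadded) RSA over two fixed,
# known primes so the example is self-contained; a production driver would
# embed a full-size public key and verify a padded signature (RSA-PSS, Ed25519).
_P, _Q = 104729, 1299709
RSA_N = _P * _Q
RSA_E = 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))  # held only by the trust authority

# Public key "encoded into the binary representation of the driver" (claim 12).
DRIVER_PUBLIC_KEY = (RSA_N, RSA_E)


def cache_digest(protected_paths):
    """SHA-256 of a canonical encoding of the protected-object list (claim 14)."""
    canonical = json.dumps(sorted(protected_paths), separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def trust_authority_sign(protected_paths):
    """Trust authority side: sign the cache hash with the private key."""
    return pow(cache_digest(protected_paths) % RSA_N, _RSA_D, RSA_N)


class EndpointProtectionDriver:
    """Kernel-space component: owns both caches and gates every IPC."""

    def __init__(self, protected_paths, signature):
        # Tamper protection cache: protected paths plus the authority's signature.
        self.tamper_cache = {"protected": list(protected_paths), "signature": signature}
        # Process cache: per-pid properties, retained after exit (claims 4, 9).
        self.process_cache = {}

    def cache_is_authentic(self):
        """Verify the cache signature with the public key baked into the driver."""
        n, e = DRIVER_PUBLIC_KEY
        expected = cache_digest(self.tamper_cache["protected"]) % n
        return pow(self.tamper_cache["signature"], e, n) == expected

    def launch_process(self, pid, path, application):
        self.process_cache[pid] = {"path": path, "application": application, "running": True}

    def terminate_process(self, pid):
        self.process_cache[pid]["running"] = False  # entry kept for later queries

    def is_protected(self, pid):
        return self.process_cache[pid]["path"] in self.tamper_cache["protected"]

    def mediate_ipc(self, src_pid, dst_pid):
        """Decide whether src may pass data to dst. Fails closed on any doubt."""
        if not self.cache_is_authentic():
            return "deny", "tamper protection cache failed signature check"
        if src_pid not in self.process_cache or dst_pid not in self.process_cache:
            return "deny", "sender or receiver unknown to the driver"
        if not self.process_cache[src_pid]["running"]:
            return "deny", "sender already terminated"
        if not self.is_protected(dst_pid):
            return "allow", "receiver is not a protected process"
        if self.is_protected(src_pid):
            return "allow", "protected sender to protected receiver"
        return "deny", "unprotected sender may not pass data to a protected process"


def demo():
    """Constructed scenario (sample paths and pids); returns the decisions."""
    protected = ["/opt/epp/agent", "/opt/epp/updater"]
    driver = EndpointProtectionDriver(protected, trust_authority_sign(protected))
    driver.launch_process(100, "/opt/epp/agent", "EPP Agent")
    driver.launch_process(101, "/opt/epp/updater", "EPP Updater")
    driver.launch_process(200, "/usr/bin/editor", "Text editor")
    results = {
        "authentic": driver.cache_is_authentic(),
        "agent_to_updater": driver.mediate_ipc(100, 101)[0],
        "editor_to_agent": driver.mediate_ipc(200, 100)[0],
        "agent_to_editor": driver.mediate_ipc(100, 200)[0],
    }
    # Simulate an unauthorised in-memory modification of the cache: the stored
    # signature no longer matches, so the driver fails closed.
    driver.tamper_cache["protected"].append("/tmp/not-approved")
    results["tampered_authentic"] = driver.cache_is_authentic()
    results["after_tamper"] = driver.mediate_ipc(100, 101)[0]
    # Process data is retained after termination (claim 9) for later queries.
    driver.terminate_process(200)
    results["retained_after_exit"] = driver.process_cache[200]["application"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes two design choices worth noting: the signature check runs on every IPC decision rather than once at load, so an in-memory edit of the list is caught at the next mediation rather than trusted until reboot, and every failure path denies, so a corrupted or unreadable cache can never widen access to a protected process.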
CPC classification titles:

- Distributed architectures, e.g. distributed firewalls
- Rule management
- Using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
- Providing cryptographic facilities or services
- Involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24)