Microsoft To Revamp Windows Kernel Access for Security Vendors

Microsoft announced plans to modify Windows, enabling security vendors like CrowdStrike to operate outside the operating system's kernel. The move follows the July incident where a faulty CrowdStrike update caused widespread system failures. From a report: Microsoft says it has now "discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors" with partners like CrowdStrike, Broadcom, Sophos, and Trend Micro.

[...] While Microsoft isn't directly saying it's going to close off access to the Windows kernel, it's clearly at the early stages of designing a security platform that can eventually move CrowdStrike and others out of the kernel. Microsoft last tried to close off access to the Windows kernel in Windows Vista in 2006, but it was met with pushback from cybersecurity vendors and regulators.

Shift the liability

[GotNoRice]

Just state that if your security software demands direct access to the kernel, then your security company becomes liable for the consequences. I'd imagine the problem will fix itself at that point...

That'll only work until the law gets fixed.

[mmell]

Until then, both Microsoft and Crowdstrike have people fully aware of the use of pointers.

if (sue Microsoft) ; then POINT AT Crowdstrike

if (sue Crowdstrike) ; then POINT AT Microsoft

Re:

[NoWayNoShapeNoForm]

I hear that legal teams are trying very hard to dereference those pointers. /s

Re: Shift the liability

[drinkypoo]

Not providing a reasonable API to perform these functions is what's shitty and broken.

Re:

[Tony Isaac]

Microsoft is covering their rears here. In the end, when things go south, the Delta Airlines of the world don't care who was at fault, they'll sue everybody they can, regardless of whose actual fault it was.

Re:

[vbdasc]

Security vendors demand no such thing, as far as I'm aware.

Re:

[zlives]

ummm microsoft is a security vendor, they are answering their demand as a request. woes them

Re:

[gweihir]

You are advocating for MS to finally have real product liability? I applaud your suggestion and I am all for it!

Obviously, as soon as MS becomes liable for their crap, they will not survive for long.

Re:

[Ed Tice]

Why? Shouldn't security companies and their customers be able to contract as they see fit. Every single software deal between large companies is reviewed by lawyers on both sides and the amount of indemnification is mutually agreed. Now any company who wants to buy an endpoint security solution is required to pay for unlimited indemnification even if they don't want or need it? I don't understand your logic here.

Hmmm

[Pig Hogger]

What could possibly go wrong?

Re:

[FictionPimp]

I assume they could create a system that allows enough access to take down an entire world of windows computers. It would be a first, but it could happen.

Re:Hmmm

[caseih]

Well seeing that Linux and macOS both have a mechanism like MS is proposing, and Crowstrike uses it on those platforms, I'd say a lot can go right.

Hopefully they'll also add more smarts to the boot loader to fall back to a last good configuration automatically upon failed boot. Linux distros really need to do this too.

Re: Hmmm

[ArmoredDragon]

That opens up a means for attackers to downgrade software.

Re: Hmmm

[ArmoredDragon]

Oh and crowdstrike does indeed run in the linux kernel, and has caused kernel panics before:

https://www.theregister.com/20... [theregister.com]

I don't know about macos, but I suspect they didn't meet the same regulatory scrutiny Microsoft did, which is why kernel access was permitted to begin with. From what I know of macos and what kind of access crowdstrike would need for hooking detection, there's no such APIs available in macos. Besides, apple's security practices leave much to be desired; they rely heavily on code white

Re:

[caseih]

AFAIK macOS does provide an API that Crowdstrike uses. In Linux, besides the kernel module, there's eBPF. MS provides does not provide that kind of thing.

Crowdstrike can kernel panic Linux and I'm sure can cause macOS problems. But only Windows allows Crowdstrike to load as a pre-boot driver.

Re: Hmmm

[ArmoredDragon]

AFAIK macOS does provide an API that Crowdstrike uses

Whether it's adequate is a whole other matter. That's just the way apple is, you can only take what you're given. Microsoft was the same way untill regulators stepped in.

Also I'm not sure what you mean by "pre-boot driver", unless you're talking about boot-start drivers, which Microsoft isn't really in a position to decide who and who can't create these without, again, running into regulatory issues.

This isn't fundamentally different from linux either, any modules in the kernel ramdisk image are going to lo

Re:

[fafalone]

Microsoft essentially already decides. You have to start with the advanced boot menu every boot and disable driver security for *all* drivers if you want to load a driver that hasn't been personally approved through their WHQL program, signed with a certificate starting around $400/yr, which individuals can't obtain, only businesses. Disabling that security triggers most game anticheat engines and some DRM stuff to block you from using it.
What kind of dystopian hell are they planning now to make it worse f

Re:

[Slayer]

Yeah, there were crashes of Redhat and Debian linux. In most cases it was incompatibility of the respective distro's linux kernel with the Crowdstrike software. I am not aware, that millions of systems were force fed this software without admin interaction. On the other side we do know, that it is quite easy to fix a non-booting linux system by booting from another boot medium, mounting the root file system and then fixing that.

Maybe these are among the main reasons, why the linux kernel panics did not make

Re:

[unrtst]

Well seeing that Linux and macOS both have a mechanism like MS is proposing, and Crowstrike[sic] uses it on those platforms, I'd say a lot can go right.

AFAIK, Crowdstrike on Linux still uses a kernel module. Have things changed?

Last I checked, it also didn't support recent (6.4+) kernels on non-LTS distros like Fedora, Arch, etc.. For example, their FAQ page (https://www.crowdstrike.com/products/faq/) lists Ubuntu releases from 14.04 through 22.04, but notably nothing after 22.04 (Ubuntu 22.04 was kernel 5.15; Ubuntu 23.10 introduced kernel 6.5).

While looking that FAQ page up, I did run into something noting that CrowdStrike on Linux "supports both Kernel

Re:

[caseih]

I believe they also use eBPF on Linux.

Re:

[bill_mcgonigle]

Crowdstrike on Linux uses eBPF and eBPF for Window already exists.

Re:

[thegarbz]

Well seeing that Linux and macOS both have a mechanism like MS is proposing, and Crowstrike uses it on those platforms, I'd say a lot can go right.

Don't jump to conclusions. Windows has several mechanisms already that allow tools to safely do security related things. E.g. eBPF. eBPF is significant because it Crowdstrike uses it on Linux, but does *not* use it on windows, despite it being available on windows for several years now.

Re:

[caseih]

From what I read, eBPF on Windows is not nearly so capable and advanced as it is on Linux.

Re:

[vbdasc]

For example, antimalware trying to fight malware that has more privileged access to the kernel. It would be fun to watch.

Opening the (back)Doors

[BrendaEM]

Stupid idea, as anti-virus software and companies became the problem, about 10 years ago. Didn't Microsoft Windows become disabled because of a 3rd party security solution called Crowdstrike?

Re:

[unrtst]

Are you OK? The crowdstrike incident you reference is right there in TFS. They did this because of it and the reaction to it.

Re:

[zlives]

same ceo different name for 2010 ref

First steps

[will4]

1. Don't allow non-microsoft software to run as a service, or a root level background process
2. Don't allow non-microsoft software to write anything, install files, DLLs, etc into C:\widnows
3. Don't allow non-microsoft software to write anything to the registry
4. Don't allow non-microsoft software add any Com objects to the registry

Isolate all non-OS software into each being in an isolated run time environment, with a local read only binary directory, local read/write data directory, a local registry and on

Re:

[RitchCraft]

You forgot step 5 which is Microsoft's goal: Don't allow any non-Microsoft software to run in Windows period. The Microsoft store is your friend.

Re:

[Joe_Dragon]

and now they allow win32 apps in the store.

But doing that will push adobe to make Linux installs? as they will not give M$ 30% of adobe CC costs.

Re:

[NoWayNoShapeNoForm]

and now they allow win32 apps in the store.

But doing that will push adobe to make Linux installs? as they will not give M$ 30% of adobe CC costs.

And any use of such Adobe software on Linux might result in a "tainted kernel" flag which means ... No Support For YOU ! when that Adobe junk crashes your Linux OS.

Re:

[Kernel Kurtz]

By their very nature I don't think anti-malware solutions will work well in a jail.

Re: First steps

[drinkypoo]

"Isolate all non-OS software into each being in an isolated run time environment"

You appear to be arguing that Microsoft should behave anticompetitively, which is part of how we got here.

Re:

[vbdasc]

1. Don't allow non-microsoft software to run as a service, or a root level background process
2. Don't allow non-microsoft software to write anything, install files, DLLs, etc into C:\widnows
3. Don't allow non-microsoft software to write anything to the registry
4. Don't allow non-microsoft software add any Com objects to the registry

5. Allow non-Windows Microsoft software to do any of the above things
6. The EU comes and kicks MS in the butt, and rightly so.

Re:

[Ed Tice]

We have this. It's called "S" (for secure, I guess?) mode.

Proactiveness.

[JThundley]

Microsoft: "We're going to be proactive about security"
*reacts only after bad press from a security failure*

Re:

[neilo_1701D]

Microsoft: "We're going to be proactive about security"
*reacts only after bad press from a security failure*

... around 20 YEARS since they last got proactive about security with Windows XP. Anyone remember the Microsoft trustworthy computing initiative from 2004?

Re:

[vbdasc]

"Trustworthy" computing, just like playsforsure, was little more than a plan to make Windows trustworthy in the eyes of MPAA/RIAA, and to make them trust Windows to not allow its users to pirate stuff. It had little to do with making Windows trustworthy in the eyes of the user.

Re:

[bill_mcgonigle]

NT 3.5.1 was actually somewhat proactive about security. Basically being a next-gen GUI VMS.

So of course Microsoft threw that all out with NT 4.

Re:

[vbdasc]

NT 4 was still reasonably secure. But it set Windows NT on the enshittyfying path that threw security under the bus in the name of "Ooh, shiny!".

Re:

[gweihir]

Indeed. MS has _never_ been proactive about security or reliability or usability. That will eventually kill them, but unfortunately that may still take quite a while.

Re:

[thegarbz]

Microsoft: "We're going to be proactive about security"
*reacts only after bad press from a security failure*

No, this is more about playing lip service. Microsoft didn't have a security failure here. Nothing was insecure. The only way to access the kernel area is for the computer's administrator to approve the installation of software to do so.

Now if you claim this is a security risk then we really should ban the ability to load kernel modules in *NIX.

The dumb part is MS already offers things like eBPF, but Crowdstrike chose not to use it on Windows (despite using it on Linux). This isn't a Microsoft failure, it's

There is no good solution

[MpVpRb]

If they allow access, bugs and bad guys will cause trouble
If they deny access, windows will become useless for many applications and they will have more freedom to do all sorts of nefarious stuff that users don't want

i abandoned windows 25 years ago

[FudRucker]

and i keep an eye on the disaster it continues to be and the most amazing thing about it is Microsoft's continued ability to sell that crap OS, Linux works great for me on my laptop, but unfortunately not everyone picked up on it or Microsoft would be out of business by now, my only question "why has no big company tried to muscle in on the desktop operating system market?"

Re:

[gtall]

MS is more than Windows. And if push comes to shove, they'll reskin Linux and continue to hold the butt cheeks of CIOs in companies.

I can't see it

[Virtucon]

I can't see Microsoft being able to handle this kind of undertaking and not introducing more major performance degradation, "feature bloat" and more vulnerabilities.
The problem was crowdstrike, which was compounded by IT shops not testing, having contingency plans, or realizing that updates can have consequences.

There are many solutions to this but it's up to the IT organizations that run enterprise-wide deployments of Windows that they can't always trust what their ISVs and msft give them regarding feature

Re:

[gweihir]

You still do not know that there was no way for the users to block the update that caused the problem? Please stop commenting and find out the actual facts.

Re:

[Virtucon]

You don't know what you're talking about. It's called software release hygiene [techcrunch.com] and it's not a new concept. If you don't have ISVs that allow
you to follow it then you have the wrong ISV. I've supported networks with over 30,000 wintel systems with most in production support roles. Every fix and every new release of anything gets white-gloved in a -1 environment before being released inside your firewall and passing governance.

If you're building software for release to customers, you practice software releas

Re:

[gweihir]

In the observed Crowdstrike failure scenario, the software installation was under user control. The config file update was not and could not be blocked in any regular way. The kernel-module crash was caused by a problem with the config file. Well, you could probably have done something with a firewall to block that config file update, but then you would have blocked the update but not have gotten the new config to test it. And, obviously, you would have gotten much delayed protection from emerging threats.

S

Re:

[vbdasc]

Instead of fancy names like "software release hygiene" why don't you just say "responsible testing policy" which is basically the same as what you describe? My point is, it isn't something fancy. I work in a software development company that focuses on small and medium customers, and both we and our competitors practice it, because it's the smart and the right thing to do.

I don't underestimate the guilt of Microsoft for this calamity... But it seems that a big name like Crowdstrike has gone complacent and l

Re:

[gweihir]

I don't underestimate the guilt of Microsoft for this calamity... But it seems that a big name like Crowdstrike has gone complacent and lazy. It has gone irresponsible. Its quality assurance has gone down the drain.

No doubt about that. The mistakes they made were on the level of an incompetent amateur, at best. It looks like they have first-week coders write code that can crash the kernel. I mean how can you not have complete input validation in a situation like that? How utterly clueless do you have to be to mess that up? Especially when it takes maybe an hour to code? And risk-management? I doubt they even have that.

On the side of Microsoft, they set the culture (and it is not a good one) and they made it massively

Re:

[Virtucon]

I didn't develop the term, but it's still accurate. Don't assume common sense especially when multi billion-dollar software companies don't have it.

EU regulators really are partly to blame

[DeplorableCodeMonkey]

This explains [theregister.com] how the EU regulators did not prevent Microsoft from creating these user space APIs, but the flip side is they created a legally dicey situation where Microsoft could get in serious trouble if it ever granted itself privileged permission to create kernel level security tools.

It's not obvious that certain features can be implemented on Windows. For example, if Microsoft created its own deep permission system a la macOS for accessing folders, the microphone, web cam, etc. vendors could cry foul

Re:

[gweihir]

No, the EU is not. This is fully on Microsoft. The EU just enforces equal access because the EU has working anti-trust legislation. That MS did not give reasonable assurances they would restrict themselves to the API for its competing products made it impossible for the EU to accept that API. And that is squarely on MS. Note that if MS found that API insufficient in the future, they would have been entirely free to extend it, as long as all competitors got access to that extension.

Your "argument" just shows

Re:

[thegarbz]

Why would you blame MS for a 3rd party software installed by the computer administrator taking down the kernel - the same 3rd party who refuses to use APIs already in place despite using them on other systems?

Look gweihir I will adopt your point of view. As soon as I see you lobbying Linus Torvalds to ban / block the ability as root to load kernel modules I'll be right there with you. But until you do that I will call you either ignorant, hypocritical, or a combination of both.

Re:

[gweihir]

MS controls kernel access on Windows. Kernel drives on Windows have to be _signed_ by MS or they do not load. I guess you do not know that. There was no sane engineering reason to give AV makers kernel access. They only got it because MS decided for _business_ reasons to not restrict itself to the API.

Really, get some facts before you make baseless claims and invalid AdHominems. As it is, you just look like a clueless fanboi.

Re:

[thegarbz]

No they aren't. Unless you want to blame the EU for Linux having the ability to allow the user to run "sudo modprobe". The ability to access the kernel level is managed by the system administrator. Nothing more. You having ownership of your PC is a *good thing*.

Incidentally MS did create user space APIs, e.g. Windows has had eBPF for years now, but it is Crowdstrike who chose not to use it (despite doing so on Linux, ... and despite managing to get the Linux kernel to panic while using it as well https://ac [redhat.com]

Re:

[vbdasc]

The EU did the right thing, and it was to guarantee level playing field for software vendors and that Microsoft enjoys no unfair advantage to prevail over the competition.

The unintended consequences are entirely Microsoft's fault. They could exit antivirus market, but nah. They could make their AV products use the same access as everyone else, but nah. And no, MS granting only themselves kernel access would not make the situation better at all. What happened with Crowdstrike could happen with Microsoft's pr

Microsoft, Kernel revamp, Security.

[nightflameauto]

It has been discovered, after several technical meetings, that the best way to secure the Windows kernel is to block all access to it from here on forward. Therefore, the next version of Windows will boot to a pretty blue screen. Rest assured, the kernel is running just fine, perfectly secure in its new playground, your computer. You can't do anything with it, but it's secure! Finally!

Just End It

[Baloo Uriza]

Microsoft told Intel back in the runup for Vista to expect it to be their last version of Windows so they could focus on things that make them money and aren't a liability lawsuit away from ending the company. Whatever happened to that promise?

As usual for MS, far too late

[gweihir]

MS is constantly using bad tech and poisoning its eco-system by giving bad examples. Only when things have really go south do they start to come up with halfway decent solutions than anybody in sane environment was using all along.

Its not just security software

[jonwil]

Anything that runs in the kernel (hardware drivers, kernel-level anti-piracy, kernel-level anti-cheat etc etc) could cause the same BSOD and failures if it contains a bug that makes it crash.

Re:

[Ed Tice]

Indeed. The vast majority of the comments here are just hating on Windows and on endpoint security solutions in general. The conversation will be complete when somebody suggest not using your credit card online.

So it wasnâ(TM)t the EU, liars?

[jay age]

You said you had to give access directly to the kernel because of the deal between you and EC.
Now that you got off your incompetent asses, you finally get to create what Linux and MacOS already have.

So the EU deal doesnâ(TM)t prevent you in any way from doing it, and if you admitted it right away, youâ(TM)d look less like a bunch of losers.