Microsoft has dropped heavy hints that change is coming to the way security products interact with the critical core of the Windows platform, its software kernel, spurred to action by the IT outage that disrupted millions of CrowdStrike customers in July.
For security vendors, being able to load kernel-mode (ring 0) drivers matters. If Microsoft removes that access (Apple began doing so for macOS in 2019, when it deprecated third-party kernel extensions in favour of user-space system extensions), their products will need to be heavily redesigned to implement the same security functions from a lower privilege level.
What’s not yet clear, however, is what form any change will take and on what timescale. Hanging over this is whether Microsoft’s own Defender will be affected, or spared. Although not as fully featured as independent endpoint detection and response (EDR) clients, it would presumably continue to operate at kernel level.
The issue of kernel access was top of the agenda at a special event in Redmond on September 10, the Windows Endpoint Security Ecosystem Summit, with representatives attending from Trend Micro, Sophos, ESET, Trellix, SentinelOne, Broadcom, as well as government.
Kernel privilege
However, most apposite of all perhaps was the presence of CrowdStrike Counsel for Privacy and Cyber Policy Drew Bagley.
The company earned its place at the event on July 19, when it gained unwanted fame globally after a faulty content update for the CrowdStrike Falcon Sensor EDR caused millions of Windows computers to crash to a blue screen.
This wasn’t like an application falling over. The software was operating with kernel access, which is why Windows itself crashed.
CrowdStrike has since published an account of what went wrong but the gist is that, as with other EDR platforms, a core element of the security on offer depends on such kernel mode access.
The advantage of kernel-level drivers is security and performance. A kernel driver loads early in the boot process (in Windows, only after Driver Signature Enforcement has verified the driver's digital signature against a trusted certificate; the developer's private key is used to sign the driver and never leaves the vendor), which is essential for detecting low-level malware such as rootkits that attempt to subvert the OS from within before any user-mode defences are running. Kernel loading also improves performance, since the driver sees file, process and network events directly rather than through a user-mode intermediary.
However, as the CrowdStrike incident reminded everyone, the downside is resilience. Should something go wrong, there is no room to fail gracefully. As Microsoft put it:
“All code operating at kernel level requires extensive validation because it cannot fail and restart like a normal user application.”
Interestingly, one of the security vendors present, Sophos, blogged at some length on its approach to kernel mode in the light of Microsoft’s briefing. This pointed out the importance of low-level access.
“The system access provided by kernel drivers is necessary to provide the security functions expected by users of a modern cybersecurity product,” wrote VP of Engineering for Windows products, Neil Watkiss.
This included the ability to block, and not merely observe, possibly malicious activity while ensuring that EDR clients didn't hamper Windows performance, he said.
The company currently uses five separate kernel-level drivers as part of its EDR system, a count that is probably similar for other vendors. The CrowdStrike crash was triggered inside just one of its drivers, CSagent.sys, when it processed the faulty content file.
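To see how many ring-0 drivers the security products on a given host actually ship, how early each one loads, and whether Driver Signature Enforcement accepted it, the inventory below is an added example for this article (it is not CrowdStrike's, Sophos's or Microsoft's code). It relies only on the built-in Win32_SystemDriver CIM class and the Get-AuthenticodeSignature cmdlet; the path normalisation is an assumption about the forms PathName takes on a typical install.

```powershell
# Added example, not from the article or any vendor: inventory the running
# kernel-mode drivers on a Windows host, showing how early each loads, which
# company built it, and whether its Authenticode signature is valid.
# Run from an elevated PowerShell prompt.

function Get-KernelDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes back in several shapes (assumed here):
            #   \??\C:\Windows\system32\drivers\x.sys
            #   \SystemRoot\system32\drivers\x.sys
            #   system32\DRIVERS\x.sys
            #   C:\Windows\system32\drivers\x.sys
            # Normalise to a plain path Get-Item can open.
            $path = $_.PathName `
                -replace '^\\\?\?\\', '' `
                -replace '^\\SystemRoot', $env:SystemRoot `
                -replace '^system32', "$env:SystemRoot\system32"

            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $info = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo

            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode      # Boot and System load before any user-mode process
                File      = Split-Path $path -Leaf
                Vendor    = if ($info) { $info.CompanyName } else { '' }
                SigStatus = if ($sig)  { $sig.Status }      else { 'Unknown' }   # 'Valid' = DSE accepted it
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$drivers = Get-KernelDriverInventory

# 1. Boot/System-start drivers not built by Microsoft: the ring-0 footprint of
#    third-party security (and other) software, ordered by how early it loads.
$drivers |
    Where-Object { $_.Vendor -notmatch 'Microsoft' -and $_.StartMode -in 'Boot','System' } |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, File, Vendor, SigStatus -AutoSize

# 2. Drivers per vendor. A single EDR product can account for several
#    (the article quotes Sophos at five).
$drivers |
    Group-Object Vendor |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3. Anything running whose signature is not 'Valid' deserves a closer look:
#    it is either a test-signed/legacy driver or a sign that DSE is not doing its job.
$drivers |
    Where-Object { $_.SigStatus -ne 'Valid' } |
    Format-Table Name, File, Vendor, SigStatus -AutoSize
```

Two caveats when reading the output. On Windows 10 and later, third-party drivers are typically attestation- or WHQL-signed by Microsoft's Hardware Compatibility Publisher, so the Signer column will often name Microsoft even for a vendor's driver; that is why the grouping keys on the file's CompanyName rather than the certificate subject. And a driver with StartMode Boot or System is exactly the kind of code the article is about: it is running before any user-mode application, and if it faults there is nothing left to catch it.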
Additional security capabilities outside of kernel mode
After reminding attendees of the need for testing (it’s not clear how this is done by some EDR vendors, a problem in itself), Microsoft’s Summit got down to addressing the bigger issue.
“Windows 11’s improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode,” Microsoft’s VP enterprise and OS security, David Weston, wrote in a blog post about the Summit.
In the light of the CrowdStrike incident, he continued, “our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode.”
The Summit had discussed how this could be done while bearing in mind the need to run EDR clients without sacrificing performance, security or anti-tampering, said Weston.
“As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to achieve the goal of enhanced reliability without sacrificing security,” he added.
In short, Microsoft's position is that Windows 11 already offers enough ways for security and performance to be maintained without the risks that come with kernel mode.
Vendor omerta
CSO Online reached out to several vendors for their views, but none seemed keen to comment, unusually so, in fact. If any are privately critical of the downsides of losing kernel access, they aren’t willing to be public about it.
In fact, the only public negative feedback Microsoft’s plans have attracted is from Cloudflare CEO, Matthew Prince, who tweeted in August in response to news of the planned Summit:
“Regulators need to be paying attention. A world where only Microsoft can provide effective endpoint security is not a more secure world.”
Then again, Cloudflare doesn’t offer EDR software so has nothing to lose in speaking out.
Microsoft has been here before. In 2006, the company tested limiting kernel access to security clients, only to backtrack after some security vendors complained. But 2006 was a very different era for security. Meanwhile, CrowdStrike itself seems happy to work with Microsoft in this direction.
Such is the delicate balancing act all parties now face: give the economically significant EDR sector enough hooks into Windows to keep doing its job, while somehow reforming the Windows security architecture so that a single update can no longer, even in theory, cause another global IT debacle.
As Watkiss of Sophos wrote: “Change isn’t easy. As both recent cybersecurity events and ongoing software trends have made clear, it is also not optional.”