Microsoft is going back to the security drawing boards in the wake of the CrowdStrike debacle, proposing changes that would restrict kernel access.
The kernel is the core component of any operating system: it is the lowest-level part, controlling the hardware, communicating with the software, and managing processes, file systems, drivers, and more. Because the kernel is often one of the first elements loaded in the boot process, protecting it is a critical component of good security practice.
CrowdStrike’s cybersecurity software is designed to operate at the kernel level, which is why the results were disastrous when the company pushed a faulty update earlier this month. The update bricked millions of Windows PCs and brought multiple industries to a grinding halt.
In the aftermath of the incident, Microsoft is reevaluating best practices for Windows security, including the option of restricting kernel access, as Microsoft VP John Cable outlines in a blog post:
This incident shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience. These improvements must go hand in hand with ongoing improvements in security and be in close cooperation with our many partners, who also care deeply about the security of the Windows ecosystem.
Examples of innovation include the recently announced VBS enclaves, which provide an isolated compute environment that does not require kernel mode drivers to be tamper resistant, and the Microsoft Azure Attestation service, which can help determine boot path security posture. These examples use modern Zero Trust approaches and show what can be done to encourage development practices that do not rely on kernel access. We will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community.
Cable’s comments about encouraging “development practices that do not rely on kernel access” are telling, since CrowdStrike’s kernel access directly led to the issue. In contrast, Apple does not allow developers access to the macOS kernel, implementing that change in 2020. As a result, macOS is largely immune to a CrowdStrike-type issue.
Unfortunately for Microsoft, the reason the company still allows access to the kernel is a 2009 agreement with the EU that was designed to level the playing field and give third-party companies the same access to the Windows kernel that Microsoft has.
Competition vs Security
The issue underscores potential problems with the EU’s current regulatory path. The bloc is hell-bent on cracking open every platform and making the playing field as level as possible. Apple has become a popular target, with the EU seemingly intent on making iOS function like—and be as open as—Android.
Unfortunately, while such goals are laudable, the reality is that breaking open legacy platforms often has unforeseen consequences, with the CrowdStrike incident being a case in point. Because the EU wanted third-party developers to have full access to the kernel that Microsoft develops and owns, the stage was set for one of the worst outages in computer history.
The reality is that some systems are simply not designed to be cracked open in such a way that anyone and everyone can have access, and doing so opens the door to serious issues.
What About Open-Source?
Critics will point to the open nature of open-source software as proof that prying open existing platforms is viable. Unfortunately, this is comparing apples to oranges.
In the case of true open-source software, all the various components are open and accessible, meaning the software’s entire stack can be inspected and audited. This helps ensure that a flaw like CrowdStrike’s doesn’t make it into production systems.
In contrast, prying open a closed-source platform to give third parties access doesn’t mean that the entire stack is now open and auditable. Nor does it mean that any third-party software that hooks into the pried-open platform is open for inspection and audit.
As a result, the type of “openness” the EU forced on Microsoft is the worst of both worlds, not the best. It essentially reduces the security of closed-source Windows by prying it open so that other closed-source applications can hook into it in ways that cannot easily be inspected, tested, or verified before something bad happens.
The Future
Hopefully, companies, organizations, and lawmakers learn from the CrowdStrike debacle and recognize that changes need to be made:
- Companies need to get behind the kind of Zero Trust methods Cable outlined and stop relying on kernel access.
- Microsoft should renegotiate its agreement with the EU to eliminate outside access to the Windows kernel.
- Lawmakers need to recognize that “openness” for the sake of openness sometimes creates more problems than it solves. Any such regulatory efforts need to be made with a greater understanding of the industry and of the potential consequences of the decisions being made.
Until the above steps are universally taken, CrowdStrike-type incidents will keep happening.