As Microsoft watchers know, the software giant’s exact words don’t always say what the company means. Last Thursday delivered another example of that, as Microsoft tried to dance around the politically explosive Windows kernel access issue.

Cybersecurity executives working with Microsoft say that Redmond appears to have figured out a way around the kernel dilemma, with one source saying, “If they can actually do it, it’s the best of both worlds.”

At issue is the fact that some vendors’ software needs visibility and functionality possible only at the kernel level, but access to the kernel carries the critical risk that any application error could crash the entire system — and make bringing the system back up exceedingly difficult. 

Last summer’s CrowdStrike outage — in which a content update to its Falcon EDR resulted in an estimated 8.5 million Windows systems crashing — made the risk of third-party kernel-level access a global issue. The cybersecurity industry has been dealing with the fallout implications ever since.

Of course, there are several things security software needs to be able to do — and see — that can only happen within the kernel. Examples include inspecting memory or examining software libraries as they load. Moreover, if bad actors can potentially work their way into the kernel, cybersecurity defenses need to be there as well. 

Flavio Villanustre, global CISO for the LexisNexis Risk Solutions Group, said that with last week’s announcement Microsoft has signaled that it has figured out a way to deliver kernel-level visibility and functionality to applications while they safely reside outside the kernel.

Microsoft cannot block access to the kernel “unless they provide the appropriate functionality and visibility outside the kernel,” Villanustre explained. “If they can actually do it, it’s the best of both worlds.”

The trick is to figure out how to grant such access “but to not compromise the integrity of the kernel, which threatens the entire system,” Villanustre said. “For now, they are not going to ban kernel access. They will eventually ban it, but not now.”

Microsoft’s exact words don’t quite say that, but it gets close. 

What exactly are Microsoft’s intentions?

Microsoft’s Thursday statement said: “Next month, we will deliver a private preview of the Windows endpoint security platform to a set of MVI [Microsoft Virus Initiative] partners. The new Windows capabilities will allow them to start building their solutions to run outside the Windows kernel. This means security products like anti-virus and endpoint protection solutions can run in user mode just as apps do. This change will help security developers provide a high level of reliability and easier recovery resulting in less impact on Windows devices in the event of unexpected issues.”

Mitch Ashley, a VP at analyst firm Futurum, said Microsoft’s plans are not to give full kernel access to cybersecurity applications operating outside the kernel, but just some of that access. “It will be a limited subset.” The question of how much access is given is what is now being debated. 

When Microsoft considered restricting or outright banning kernel access, “Microsoft knew that the cybersecurity community would not be happy,” Ashley said, because the “change will require security vendors to rearchitect their products” and it “also restricts what they can do.”

“Providing vendors a walled-garden access to the kernel means that there is no direct access to drivers and they cannot make modifications to the kernel and they must access it through Microsoft APIs,” Ashley said. “There will be no direct access to memory or hardware drivers or privileged operations in the operating system.”

Microsoft is “presenting this as a new way of creating security software that cohabitates with the Windows operating system as a user program,” he said.

The slow rollout is intended to placate cybersecurity vendors so that Microsoft “is not seen as just dumping this on them without first working with them on it,” Ashley said. 

Future kernel access in the balance

Microsoft did not agree to an interview on its kernel strategy, but a representative did share with CSO a brief statement about the initial announcement’s intentions.

“This is an opportunity for partners to test building their solutions outside the kernel and is not an announcement of future plans for kernel access,” a Microsoft public relations spokesperson said. 

The kernel issue has been explored by Microsoft for a long time, with various promises made.

At one point, CrowdStrike said it supported Microsoft’s effort to block kernel access. Microsoft has also argued that the kernel access issue was initially forced on Microsoft by European Union requirements. 

Art Cooper, a principal security consultant for consulting firm TrustedSec, said that the “kernel access outside the kernel” approach is potentially the right idea, but that Microsoft is doing it in the most Microsoftian way.

“Once again, they are providing their customers with the Microsoft experience: ‘Somewhere down the line, we will explain what we meant,’” Cooper said. “The statement does not say that they will deny access to the kernel. They are just hinting. They are looking to up their game and they want to do it slowly.”

Cooper summed up the kernel challenge by pointing to the inherent cybersecurity contradiction.

“I have seen where having the access has made things disastrous and where not having the access has been disastrous,” Cooper said. “If I can’t have kernel access and the bad guys can, how do I battle that?”

Sean McElroy, chief risk and security officer at fintech Lumin Digital, said the kernel issue can be complicated.

“The security of the Windows operating system kernel and supporting ecosystem continues to face many challenges, largely because many applications, from enterprise security tools to consumer gaming anti-cheat systems, depend on the ability to use and abuse the Windows kernel directly,” McElroy said. “As a result, stability and security suffer both from malware authors who can readily hook and exploit the operating system, and even as we saw with CrowdStrike’s incident last year, it’s easy for defensive solutions to stumble when trying to address the fragile ecosystem.”

He agreed with others who said that Microsoft seems to want to eventually block kernel access, but it will take its time getting there.

“They are building the path so they eventually will close the door,” McElroy said. “But there are a lot of things you can’t do now unless you are in kernel mode. We are all working toward a vision where the kernel is less accessible.”
