Why is CrowdStrike allowed to run in the Windows kernel?


A 2009 EU anti-competition ruling has been used as a line of defence by Microsoft as questions are being asked over why a third-party product was able to take down Windows.

On Friday 19 July, 8.5 million PCs experienced the so-called Blue Screen of Death, which occurs when the Windows operating system (OS) experiences a major fault and halts to prevent further damage.

Such events do occur, but the root cause has been identified as a faulty update to third-party anti-virus software called Falcon, provided by CrowdStrike. The faulty file should have been detected by Falcon, but Falcon itself had a bug: the code that read the file crashed.

Crashes are a regular occurrence for PC users, but very rarely do they cause the whole system to halt. In this case, however, as Computer Weekly has previously reported, Falcon runs as a kernel mode device driver at what is known as Ring Zero. This gives it full access to the Windows operating system, the same level of access that the core Windows components developed by Microsoft have.
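The point that the faulty file "should have been detected" comes down to validating input at a trust boundary before anything dereferences it, and that matters most when the reader runs in kernel mode, where a single out-of-bounds read halts the machine rather than one process. The C example below is added here as an illustration and is not CrowdStrike's or Microsoft's code: the "content update" layout, the limits and the function names (cu_validate, cu_build_sample) are constructed assumptions, not the real channel-file format. It checks every count, length and offset against the buffer size before reading, so a truncated, over-long or mislabelled file yields an error code instead of a crash.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy "content update" layout used ONLY for this example (an assumption,
 * not CrowdStrike's real channel-file format):
 *   bytes 0..3  magic "CU01"
 *   bytes 4..7  record_count, little-endian uint32
 *   then record_count records, each:
 *     uint16 kind (LE) | uint16 len (LE) | len bytes of payload
 */
#define CU_HEADER_LEN   8u
#define CU_REC_HDR_LEN  4u
#define CU_MAX_RECORDS  64u    /* policy limit, constructed for the example */
#define CU_MAX_PAYLOAD  256u   /* policy limit, constructed for the example */

typedef enum {
    CU_OK = 0,
    CU_ERR_TOO_SHORT,     /* buffer shorter than the fixed header */
    CU_ERR_MAGIC,         /* wrong magic */
    CU_ERR_COUNT,         /* record_count exceeds the policy limit */
    CU_ERR_TRUNCATED,     /* a record runs past the end of the buffer */
    CU_ERR_PAYLOAD_LEN,   /* a record's len exceeds the policy limit */
    CU_ERR_TRAILING       /* bytes left over after the last record */
} cu_status;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the whole file before anything uses it. Every offset is checked
 * against `len` BEFORE it is read, so a malformed file produces an error
 * code rather than an out-of-bounds read. */
cu_status cu_validate(const uint8_t *buf, size_t len, uint32_t *records_out)
{
    if (buf == NULL || len < CU_HEADER_LEN) return CU_ERR_TOO_SHORT;
    if (memcmp(buf, "CU01", 4) != 0) return CU_ERR_MAGIC;

    uint32_t count = rd32(buf + 4);
    if (count > CU_MAX_RECORDS) return CU_ERR_COUNT;   /* never trust the header's count */

    size_t off = CU_HEADER_LEN;
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < CU_REC_HDR_LEN) return CU_ERR_TRUNCATED;  /* record header fits? */
        uint16_t plen = rd16(buf + off + 2);
        if (plen > CU_MAX_PAYLOAD) return CU_ERR_PAYLOAD_LEN;
        off += CU_REC_HDR_LEN;
        if (len - off < plen) return CU_ERR_TRUNCATED;            /* payload fits? */
        off += plen;
    }
    if (off != len) return CU_ERR_TRAILING;  /* reject junk after the last record */
    if (records_out) *records_out = count;
    return CU_OK;
}

/* Build a constructed sample file into `out` (capacity `cap`) and return its
 * size. `declared_count` is written to the header independently of the number
 * of records actually emitted, so a caller can fabricate a header that lies. */
size_t cu_build_sample(uint8_t *out, size_t cap, uint32_t actual_records, uint32_t declared_count)
{
    static const uint8_t payload[4] = { 'R', 'U', 'L', 'E' };
    size_t need = CU_HEADER_LEN + (size_t)actual_records * (CU_REC_HDR_LEN + sizeof payload);
    if (out == NULL || need > cap) return 0;
    memcpy(out, "CU01", 4);
    out[4] = (uint8_t)declared_count;         out[5] = (uint8_t)(declared_count >> 8);
    out[6] = (uint8_t)(declared_count >> 16); out[7] = (uint8_t)(declared_count >> 24);
    size_t off = CU_HEADER_LEN;
    for (uint32_t i = 0; i < actual_records; i++) {
        out[off++] = 1; out[off++] = 0;                           /* kind = 1 */
        out[off++] = (uint8_t)sizeof payload; out[off++] = 0;     /* len = 4 */
        memcpy(out + off, payload, sizeof payload);
        off += sizeof payload;
    }
    return off;
}

int main(void)
{
    uint8_t buf[256];
    uint32_t n = 0;
    size_t len = cu_build_sample(buf, sizeof buf, 3, 3);
    printf("well-formed file: status %d, %u records\n", (int)cu_validate(buf, len, &n), n);
    len = cu_build_sample(buf, sizeof buf, 3, 5);   /* header claims 5, only 3 present */
    printf("lying header:     status %d (CU_ERR_TRUNCATED = %d)\n",
           (int)cu_validate(buf, len, &n), (int)CU_ERR_TRUNCATED);
    return 0;
}
```

The design choice worth noting is that validation is a separate pass that touches nothing beyond the buffer's stated length, and the header's record count is treated as a claim to be checked against the file size rather than as a loop bound to be trusted. A reader that instead walked records by the declared count would, on a file like the second sample above, read past the end of the buffer.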

According to Microsoft, CrowdStrike has this access because of a 2009 European Commission ruling, which stipulates that Microsoft must ensure third-party products can interoperate with Microsoft’s relevant software products using the same interoperability information, on an equal footing with Microsoft’s own products.

Microsoft software licensing expert Rich Gibbons said: “Microsoft has received some criticism for the fact that a third party was able to affect Windows at such a deep technical level. It’s interesting that Microsoft has pointed out the fact this stems from a 2009 EU anti-competition ruling that means Microsoft must give other security companies the same access to the Windows kernel as they have themselves.”

Gibbons believes that, because the 2009 interoperability ruling means other organisations could disrupt Windows in the same way the CrowdStrike kernel device driver did, Microsoft may use the catastrophe to push back on EU intervention.

“Will Microsoft use the CrowdStrike situation to push back on this ruling and/or future such rulings around interoperability of Microsoft products, and will it use this as an additional lever to move customers towards their own security products?” he questioned.

What is clear is that prior to CrowdStrike, Microsoft had not publicly raised concerns over the security risks of giving third parties access to the same application programming interfaces (APIs) that Microsoft uses internally.

It is understood that Linux servers experienced a similar issue in April with CrowdStrike, which, according to some industry commentators, highlighted a failure in quality control that neither CrowdStrike nor Microsoft adequately addressed.

Apple MacOS was not affected by Friday’s crash, as it provides the Apple Endpoint Security Framework, an API that anti-virus providers use to obtain telemetry information from the core MacOS operating system. This means their code does not need to run within the core of MacOS at Ring Zero, which is where the Windows version of CrowdStrike’s Falcon needed to run.

There are questions over why Microsoft has not provided something similar. Part of the problem is that Windows, unlike MacOS, offers backwards compatibility, spanning many years. But anti-competition regulations may also have had a role to play.

According to former Windows developer David Plummer, Microsoft does, in fact, offer a number of APIs for third-party antivirus security. “CrowdStrike defaults to kernel mode, presumably because it needs to do things that can’t be done from user mode,” Plummer said in a YouTube video.

“And to me, that’s where Microsoft could be responsible, because on the Windows platform, to the best of my knowledge, some of the CrowdStrike security functionality requires deep integration with the operating system that can only be currently achieved on the kernel side.”

Microsoft has a number of APIs including Windows Defender Application Control API and the Windows Defender Device Guard, which Plummer said provide mechanisms for controlling application execution and ensuring that only trusted code runs on the operating system.

He said that the Windows Filtering Platform (WFP) allows applications to interact with the network stack without requiring kernel-level code. However, quoting sources within Microsoft, Plummer claimed that the company had actually “tried to do the right thing” by developing an advanced API designed specifically for security applications such as CrowdStrike’s.

“This API promised deeper integration with the Windows operating system, offering enhanced stability, performance and security,” he added.

But the EU 2009 ruling effectively prevented such integration as it could potentially have given Microsoft an unfair advantage.

However, Ian Brown, an independent consultant on internet regulation, argued that Microsoft should have better security controls, rather than attempting to blame the EU competition ruling for the CrowdStrike crash.

In a blog, he wrote: “For technology-dependent societies’ resilience, OS kernel-level software and equivalents on socially critical infrastructure systems (like travel, healthcare and banking) need to be very carefully tested (and ideally run on top of a formally verified microkernel) and controlled. But OS monopolists shouldn’t be making the final decisions about precisely what those controls look like, where they have implications for competition.”