In a significant shift in the security landscape, CrowdStrike appears to be aligning with Microsoft’s demand to reconsider kernel-level access for security vendors after CrowdStrike’s Falcon update sent Windows servers and PCs across the globe into an endless reboot cycle.
While acknowledging the critical role kernel drivers play in providing comprehensive endpoint protection, CrowdStrike expressed its willingness to evolve with the industry and explore alternative approaches.
“Significant work remains for the Windows ecosystem to support a robust security product that doesn’t rely on a kernel driver for at least some of its functionality,” CrowdStrike stated in the root cause analysis (RCA) report. “We are committed to working directly with Microsoft on an ongoing basis as Windows continues to add more support for security product needs in user space.”
Last month, Microsoft blamed the recent CrowdStrike-led outage on a 2009 interoperability agreement enforced by the European Commission, which forced the Windows maker to grant security software makers the same access to Windows as Microsoft itself.
CrowdStrike’s latest RCA report, dated August 6, revealed a nuanced stance, emphasizing the critical role kernel-level access plays in their security operations, albeit with a tone of reluctant acceptance.
Industry analysts believe there is sound logic behind this approach.
“Certain events must be tapped into at the kernel level and responded to accordingly, but the whole signature matching process doesn’t need to happen there,” Florian Roth, head of research at Nextron Systems, wrote in an X post. “It could reside in another component, limiting the kernel module to essential tasks only.”
“Ideally, such privileged access should be governed stringently, ensuring adequately tested, digitally signed software with limited privileges is used,” said Sunil Varkey, advisor at Beagle Security. “Collectively, a new approach to balance between risk and effectiveness is needed.”
Kernel access represents a significant point of vulnerability because it enables deep system-level interactions, which, if exploited, can result in extensive disruptions and breaches. By restricting kernel access, Microsoft aims to minimize the potential for such vulnerabilities.
“The kernel is the most important and deepest part of a system. Abstracting it from third-party software partners and implementing more controlled solutions from Microsoft could reduce potential security vulnerabilities in the most sacred and vulnerable part of the operating system,” said Neil Shah, VP for research and partner at Counterpoint Research.
CrowdStrike, besides showing interest in working with Microsoft on the development of “kernel-level restrictions,” is also taking a new approach of certifying each new sensor release through the Windows Hardware Quality Labs (WHQL) program.
“The WHQL certification process marks the end of a comprehensive internal testing gauntlet involving functional tests, longevity tests, stress tests with fault injection, fuzzing, and performance tests,” the company said in the report.
“CrowdStrike’s new approach to certifying each new sensor release through the Windows Hardware Quality Lab program is a welcome move to avoid system outages in the future, but delay in the process could hamper the current edge on proactive timing,” added Varkey.
A move to enhance Windows security
This move comes as Microsoft aims to enhance the robustness of its Windows security architecture by limiting such deep system integrations.
After the infamous CrowdStrike incident that left over 8.5 million Microsoft Windows systems unusable on July 19, the Redmond-based software major had hinted at restricting kernel-level access for other software applications to strengthen its security architecture.
Microsoft has since proposed a reevaluation of its policy on granting such privileges to third-party security vendors, citing concerns over system stability and security.
“This incident shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience,” John Cable, vice president of program management for Windows servicing and delivery, then wrote in a blog post.
“Examples of innovation,” he added, “include the recently announced VBS enclaves, which provide an isolated compute environment that does not require kernel mode drivers to be tamper-resistant, and the Microsoft Azure Attestation service, which can help determine boot path security posture.” While the full implications of Microsoft’s potential policy change remain unclear, CrowdStrike’s statement indicates that the company is prepared to adapt to a new security landscape. This could involve a gradual shift towards greater reliance on user-space technologies while continuing to leverage kernel drivers where absolutely necessary.