The company has hinted at a possible reduction of kernel-level access for software applications.

The CrowdStrike incident that affected more than 8.5 million Windows PCs worldwide and forced users to face the “Blue Screen of Death” made Microsoft sit down and revisit the resilience of its operating system. The company is now prioritizing the reduction of kernel-level access for software applications, a move designed to enhance the overall security and resilience of Windows, as part of its post-CrowdStrike effort to make its security architecture more resilient and robust.

“This incident shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience,” John Cable, vice president of program management for Windows servicing and delivery, wrote in a blog post. “Examples of innovation,” he added, “include the recently announced VBS enclaves, which provide an isolated compute environment that does not require kernel mode drivers to be tamper-resistant, and the Microsoft Azure Attestation service, which can help determine boot path security posture.”

Microsoft emphasized VBS enclaves and the Microsoft Azure Attestation service as key innovations. These technologies provide isolated compute environments and help determine the security posture of boot paths, without requiring kernel mode drivers. This zero-trust approach minimizes security risk by reducing the attack surface accessible to potential threats.

CrowdStrike, in its preliminary post-incident review, named as the culprit a bug in its testing software, which resides in the kernel of the operating system. Experts have pointed out the drawbacks of granting kernel-level access to software companies.

“While kernel-level access is critical to detect advanced threats by monitoring and intercepting system calls and low-level operations, it comes with the risk of OS stability if not managed effectively,” said Sunil Varkey, advisor at Beagle Security.

Will Microsoft succeed with this approach?

Kernel access is a critical point of vulnerability because it allows deep system-level interactions which, if compromised, can lead to widespread disruptions and breaches. By limiting kernel access, Microsoft wants to reduce the potential for such vulnerabilities. Isolated environments and attestation services are designed to ensure that even if an application or service is compromised, the core system remains secure, significantly enhancing overall resilience.

However, this is not the first time Microsoft has tried this approach. The company tested restricting kernel access for third-party security vendors with Vista in 2006, but had to back down. Symantec and McAfee claimed at the time that Microsoft’s decision to shut off access to the kernel amounted to “anti-competitive behavior.”

Without kernel access, such software may struggle to perform the in-depth behavioral analysis of processes and applications it needs to meet its objectives, said Varkey. “Blocking this access can limit the software’s ability to detect and prevent sophisticated attacks. Ideally, such privileged access should be governed stringently, ensuring adequately tested, digitally signed software with limited privileges is used,” Varkey added. “It is also important for the OS vendor to be transparent to its partners on their potential vulnerabilities and risks, which could impact the stability of the kernel.”

However, the CrowdStrike incident, with its catastrophic impact, seems to have given Microsoft enough push to bring that conversation back to the table. “Now, Microsoft’s decision to block kernel-level access to third parties could reduce the potential risk of such incidents,” said Varkey. “However, all third-party vendors currently having kernel access privileges may have to find a new approach in collaboration with OS vendors to achieve their objective.” Otherwise, security solutions offered by OS vendors may become the default and the only option, Varkey added.

The software giant, however, seems to have already taken a stand. “We will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community,” Cable wrote in the blog.