
Microsoft makes "new platform" promises after closed kernel summit

Redmond promises "more security capabilities to solution providers outside of kernel mode"

Microsoft’s head of OS security, Dave Weston, at the summit. Credit: Microsoft.

Microsoft has promised a "new platform capability" after a secretive meeting with a small number of cybersecurity partners about how they interact with and access its own software, including the Windows kernel. 

The discussion followed CrowdStrike's failure to spot a bug that caused its agent running in Windows kernel mode to crash millions of machines. 

Speculation had been rife that Microsoft may try to evict Endpoint Detection and Response (EDR) vendors from its kernel in response. 

“More capabilities outside of kernel mode”

News to that effect did not immediately emerge after the summit. 

But Microsoft’s head of OS security, Dave Weston, said on September 12 that Redmond plans to “provide more security capabilities to solution providers outside of kernel mode”, even as at least one attendee, ESET, warned that it “remains imperative that kernel access remains an option.”

Weston did not share more details on what the capabilities outside of kernel mode might entail or how they would be architected, but attending cybersecurity company Sophos was swift to weigh in with a detailed wishlist of the powers it would like outside of the kernel. (More below.)

Kernel summit's Secret 7...

Microsoft quoted just seven “vendors participating” at the Windows Endpoint Security Ecosystem Summit in Weston’s blog, naming Broadcom, CrowdStrike, ESET, SentinelOne, Sophos, Trellix, and Trend Micro. 

That limited delegate list left some in the security community quietly frustrated, and others more vocally so. Among the latter was Elastic’s Gabriel Landau, who posted: “Pre-COVID, MS held annual in-person Microsoft Virus Initiative (MVI) meetups in Redmond. There is enough space in Redmond for representatives from all of MVI, yet most of us weren't invited. We specifically asked to come, but were denied.”

So what was discussed?

The summit was not a "decision-making meeting", Weston pointed out.

"We discussed how Microsoft and partners can increase testing of critical components, improve joint compatibility testing across diverse configurations, drive better information sharing on in-development and in-market product health, and increase incident response effectiveness with tighter coordination and recovery procedures," he wrote in his blog. 

But finding a way to get third-party endpoint security products out of the Windows kernel without crippling their ability to act effectively (something that would very likely attract regulatory attention) is clearly a priority.

And Sophos was swift to post a wishlist of capabilities that it would like to see made available via this new Windows security “platform” approach. 

"It may be helpful to..."

Sophos’s VP of Engineering for Windows products, Neil Watkiss, said: “It may be helpful to provide a supported mechanism for security vendors to… examine files and directories accessed by processes and allow/block such access; examine registry keys and values accessed by processes and allow/block such access; monitor the activity of processes on the system and to take appropriate actions. These would mimic the support that the Windows kernel provides to kernel-mode drivers (with some additions)...”

In a detailed blog, Sophos’s Watkiss also called for a “supported mechanism” outside of the kernel “for security vendors to prevent unauthorized drivers. Kernel drivers can terminate any process, including AM-PPL security processes, and this is therefore a common technique used by malware campaigns. It also may be helpful for the Windows platform to provide a supported user space mechanism for security vendors to prevent local and domain administrators from overriding or subverting the security product’s decisions” he wrote on September 12.
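The driver problem Watkiss describes is one an administrator can at least measure today. The script below is an added example written for this article, not code from Sophos or Microsoft: it lists every currently loaded kernel driver on a Windows 10/11 host that is not carrying Microsoft's own inbox signing certificate, and reports whether HVCI (which enforces Microsoft's vulnerable-driver blocklist) is running. It assumes an elevated PowerShell prompt; the Win32_SystemDriver and Win32_DeviceGuard classes and Get-AuthenticodeSignature are standard Windows components.

```powershell
# Added example (not from the article, Sophos or Microsoft): audit loaded kernel drivers.
# Run from an elevated PowerShell prompt on Windows 10/11.

# 1. HVCI state. Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is on;
#    HVCI is what enforces the Microsoft vulnerable-driver blocklist at load time.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciOn = [bool]($dg.SecurityServicesRunning -contains 2)
"HVCI running: $hvciOn"

# 2. Every running kernel driver (State 'Running' = currently loaded), with its Authenticode signer.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
$report = foreach ($d in $drivers) {
    # PathName comes back as either 'C:\Windows\system32\drivers\foo.sys' or
    # '\??\C:\Windows\system32\drivers\foo.sys'; strip the NT prefix before opening the file.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $path   # checks embedded and catalog signatures
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject      # $null when unsigned
    }
}

# 3. Inbox drivers are signed 'CN=Microsoft Windows, O=Microsoft Corporation'. Everything else
#    (third-party certificates, WHQL/attestation-signed vendor drivers, unsigned or tampered files)
#    is the population a kernel-less EDR model would still have to police.
$thirdParty = $report | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch '^CN=Microsoft Windows, O=Microsoft Corporation'
}
$thirdParty | Sort-Object Name | Format-Table -AutoSize Name, Status, Signer
```

Two caveats for anyone turning this into a check: WHQL and attestation-signed vendor drivers carry Microsoft's "Windows Hardware Compatibility Publisher" certificate, so the Signer column alone does not tell you who wrote the driver, and a driver that is loaded and validly signed can still be on the blocklist if HVCI is off. Treat the output as triage, not policy.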

Whether Microsoft plans to deliver the new security capabilities via extended Berkeley Packet Filter (eBPF) was not immediately clear. (eBPF is a way to run programs inside the kernel, but in a sandboxed form that the kernel verifies before loading.) Microsoft has been building out its eBPF-based sensor for Microsoft Defender for Endpoint on Linux, but eBPF for the Windows kernel remains immature and a self-declared "work in progress."

Attendee ESET said it “supports modifications to the Windows ecosystem that demonstrate measurable improvements to stability, on condition that any change must not weaken security, affect performance, or limit the choice of cybersecurity solutions. It remains imperative that kernel access remains an option for use by cybersecurity products to allow continued innovation and the ability to detect and block future cyberthreats. We look forward to the continued collaboration on this important initiative.”
