
by Gyana Swain

CrowdStrike agrees Microsoft Windows can be secured without kernel-level access

News
07 Aug 2024, 4 mins
Windows Security

Microsoft is offering ways to secure its systems without the need for kernel-level access, and security software vendors like CrowdStrike are adopting them.

CrowdStrike is aligning with Microsoft’s push to reconsider kernel-level access for security vendors, a push that followed the faulty Falcon update that sent Windows servers and PCs across the globe into an endless reboot cycle.

While acknowledging the critical role kernel drivers play in providing comprehensive endpoint protection, CrowdStrike expressed its willingness to evolve with the industry and explore alternative approaches. 

“Significant work remains for the Windows ecosystem to support a robust security product that doesn’t rely on a kernel driver for at least some of its functionality,” CrowdStrike stated in its root cause analysis (RCA) report, published August 6. “We are committed to working directly with Microsoft on an ongoing basis as Windows continues to add more support for security product needs in user space.” 

The issue of whether kernel access is required has become a political as well as a technical one. Last month, Microsoft blamed the CrowdStrike outage on an interoperability deal enforced by the European Commission in 2009 that forced the Windows maker to grant security software makers the same access to Windows as Microsoft. 

Industry analysts believe that limiting kernel access where possible makes sense. 

“Certain events must be tapped into at the kernel level and responded to accordingly, but the whole signature matching process doesn’t need to happen there,” Florian Roth, head of research at Nextron Systems, wrote in an X post. “It could reside in another component, limiting the kernel module to essential tasks only.” 
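To make the split Roth describes concrete, the following is an added example written for this article; it is not CrowdStrike’s or Microsoft’s code. A minimal sensor (standing in for the kernel driver) only observes events and forwards them, while a separate user-space matcher owns all signature content: parsing, validation and matching. The content-file format, rule names, file paths and sample bytes are constructed for the illustration. The point it shows is that a malformed content update is rejected in user space and the sensor keeps running on the last good set, instead of the fault landing in kernel mode.

```python
"""Simulated split between a minimal kernel-resident sensor and a user-space
signature matcher.  Added illustration, not CrowdStrike or Microsoft code.
The content-file format, rule names, paths and bytes are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # e.g. "file_write"
    path: str
    data: bytes  # bytes the sensor captured for the matcher to inspect


class Sensor:
    """Stand-in for the kernel-mode driver: it only observes and forwards.
    It holds no signature content and does no parsing, so a bad content
    update has no code path through which to fault it."""

    def __init__(self):
        self.queue = []

    def emit(self, event: Event) -> None:
        self.queue.append(event)


class SignatureSet:
    """Parsed signature content.  Constructed format, one rule per line:
    <rule name>TAB<hex byte pattern>.  Parsing is strict: any malformed
    line rejects the whole set rather than loading it partially."""

    HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")

    def __init__(self, rules):
        self.rules = rules

    @classmethod
    def parse(cls, text: str) -> "SignatureSet":
        rules = []
        for lineno, line in enumerate(text.splitlines(), 1):
            if not line.strip() or line.startswith("#"):
                continue
            fields = line.split("\t")
            if len(fields) != 2:
                raise ValueError(f"line {lineno}: expected 2 fields, got {len(fields)}")
            name, hexpat = fields
            if not name or not cls.HEX.fullmatch(hexpat):
                raise ValueError(f"line {lineno}: bad rule {name!r}")
            rules.append((name, bytes.fromhex(hexpat)))
        if not rules:
            raise ValueError("signature set contains no rules")
        return cls(rules)

    def match(self, data: bytes) -> list:
        return [name for name, pattern in self.rules if pattern in data]


class Matcher:
    """User-space component.  Keeps the last good signature set; an update
    is swapped in only after it has parsed completely."""

    def __init__(self, initial: str):
        self.sigs = SignatureSet.parse(initial)
        self.rejected_updates = 0

    def load_update(self, text: str) -> bool:
        try:
            new = SignatureSet.parse(text)
        except ValueError:
            self.rejected_updates += 1   # keep serving the old set
            return False
        self.sigs = new
        return True

    def scan(self, event: Event) -> list:
        return self.sigs.match(event.data)


def run_pipeline(sensor: Sensor, matcher: Matcher) -> dict:
    """Drains sensor events through the matcher; returns path -> rule hits."""
    verdicts = {}
    while sensor.queue:
        ev = sensor.queue.pop(0)
        verdicts[ev.path] = matcher.scan(ev)
    return verdicts


# Constructed sample content and events
GOOD_SIGS = "# constructed rules\nexample.dropper\tba5eba11\nexample.beacon\tc0ffee42\n"
BAD_SIGS = "example.dropper\tba5eba11\nexample.broken\tba5eba1\n"   # odd number of hex digits

SAMPLE_EVENTS = [
    Event("file_write", r"C:\Users\demo\drop.exe",
          b"MZ\x90\x00" + bytes.fromhex("ba5eba11") + b"payload"),
    Event("file_write", r"C:\Users\demo\notes.txt", b"meeting at 10"),
]


def demo() -> dict:
    sensor = Sensor()
    matcher = Matcher(GOOD_SIGS)
    accepted = matcher.load_update(BAD_SIGS)   # rejected in user space, sensor unaffected
    for ev in SAMPLE_EVENTS:
        sensor.emit(ev)
    return {"update_accepted": accepted,
            "rejected_updates": matcher.rejected_updates,
            "verdicts": run_pipeline(sensor, matcher)}


if __name__ == "__main__":
    print(demo())
```

In a real Windows deployment the sensor would be a driver and the matcher a separate service process; here both are plain classes in one file so the division of responsibilities is visible at a glance. What remains a design decision in practice is what the sensor does while the matcher is unavailable (fail open or fail closed), which the example leaves to the reader.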

“Ideally, such privileged access should be governed stringently, ensuring adequately tested, digitally signed software with limited privileges is used,” said Sunil Varkey, advisor at Beagle Security. “Collectively, a new approach to balance between risk and effectiveness is needed.” 

Kernel access represents a significant point of vulnerability because code running there executes with the highest privilege on the system: a bug or an exploited flaw in a kernel driver can crash the whole machine, as the Falcon update did, or compromise every process on it. By restricting kernel access, Microsoft aims to minimize the potential for such failures and breaches. 

“The kernel is the most important and deepest part of a system. Abstracting it from third-party software partners and implementing more controlled solutions from Microsoft could reduce potential security vulnerabilities in the most sacred and vulnerable part of the operating system,” said Neil Shah, VP for research and partner at Counterpoint Research. 

A move to enhance Windows security

Microsoft aims to enhance the robustness of its Windows security architecture by limiting such deep system integrations — and there is some evidence from other platforms that they are not necessary, say analysts. 

After the infamous CrowdStrike incident that left over 8.5 million Microsoft Windows systems unusable on July 19, the Redmond-based software giant had hinted at restricting kernel-level access to other software applications to strengthen its security architecture. 

“I foresee the security landscape evolving with Microsoft’s push to limit kernel-level access and in the near term, we do not anticipate a significant shift in the security landscape due to Microsoft’s push to limit kernel-level access,” said Arjun Chauhan, senior analyst at Everest Group. “Many current endpoint solutions that operate effectively on Windows devices with kernel-level access also perform well on Mac devices, which do not permit such access. Therefore, we expect minimal immediate changes in the security ecosystem.” 

Microsoft has since proposed a re-evaluation of its policy on granting such privileges to third-party security vendors, citing concerns over system stability and security. 

“This incident shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience,” John Cable, vice president of program management for Windows servicing and delivery, then wrote in a blog post.

“Examples of innovation,” he added, “include the recently announced VBS enclaves, which provide an isolated compute environment that does not require kernel mode drivers to be tamper-resistant, and the Microsoft Azure Attestation service, which can help determine boot path security posture.”  

While the full implications of Microsoft’s potential policy change remain unclear, CrowdStrike’s statement indicates that the company is prepared to adapt to a new security landscape. This could involve a gradual shift towards greater reliance on user-space technologies while continuing to leverage kernel drivers where absolutely necessary.