CrowdStrike’s Falcon software uses a special driver that allows it to run at a lower level than most apps so it can detect threats across a Windows system. Microsoft tried to restrict third parties from accessing the kernel in Windows Vista in 2006 but was met with pushback from cybersecurity vendors and EU regulators. However, Apple was able to lock down its macOS operating system in 2020 so that developers could no longer get access to the kernel.
Now, it looks like Microsoft wants to reopen the conversations around restricting kernel-level access inside Windows.
Can someone more knowledgeable explain to me this? Why do certain security software require access to the kernel? To keep malware from getting to the kernel or something? Doesn’t restricting access to the kernel offer more security? Wouldn’t malware also be unable to access the kernel? Or is that not the case? (Kernel is what connects software and hardware, correct? Just to be sure)
Security software doesn’t necessarily NEED access to the kernel, but kernel-level access provides the maximum amount of access and visibility to the rest of the system. The only thing higher then kernel-level is hardware-level.
In the case of CrowdStrike, kernel-level access provides their software to have the highest privileges which yields in the most effective defense against malware (in theory). However third-party, kernel-level access is never a good idea. Software that has kernel-level access can be, and has been, exploited before. In the case of CrowdStrike, it was a faulty update that screwed over Windows systems. The more access you have in a system, the more you screw it over when something fails.
Yes! You are correct. If implemented correctly of course, restricted access to the kernel provides a higher amount of security.
In theory, the more restricted the kernel is, the more difficult it is for malware to access the kernel.
Yes. A function of the kernel is providing a way for software and hardware to communicate with each other.