
The recent CrowdStrike incident has generated a lot of discussion, though much of it lacks substance.
Initially, I did not plan to write about it. However, after listening to a recent Risky Business episode, I felt compelled to share my thoughts. This piece will, surprisingly or perhaps unsurprisingly, focus more on Microsoft than CrowdStrike.
For those of you under a rock, or reading this in the far future, on Friday, July 19, 2024, at 04:09 UTC, CrowdStrike released a content configuration update for the Windows sensor. According to CrowdStrike, a bug in their testing process allowed the update to pass validation despite containing problematic content data. When this content was received and loaded by the sensor’s Content Interpreter, it led to an out-of-bounds memory read in Channel File 291, causing an exception. This exception resulted in a Windows operating system crash (BSOD).
The issue affected Windows hosts running sensor version 7.11 and above that were online between 04:09 UTC and 05:27 UTC on July 19, 2024. Mac and Linux hosts were not impacted. CrowdStrike reverted the defective content update at 05:27 UTC the same day. Systems that came online after this time or did not connect during the specified window were unaffected.
In simple terms, CrowdStrike released an update that, due to a bug, was insufficiently tested. This update caused virtually all Windows systems running CrowdStrike to crash.
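What an unchecked read driven by content data looks like beside its bounds-checked form, together with the kind of release gate that would have stopped a malformed file before it shipped, as an added example in C. This is not CrowdStrike's code: the content layout, the `MAX_FIELDS` limit, the sample bytes and every function name are constructed for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical content layout, constructed for this example (it is not
 * CrowdStrike's channel-file format): a little-endian uint32 field count,
 * then `count` little-endian uint32 fields. Rules refer to fields by index. */
#define MAX_FIELDS 8

typedef struct {
    uint32_t field_count;
    uint32_t fields[MAX_FIELDS];
} content_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a raw content blob. Rejects a truncated header, a declared count
 * larger than the interpreter can hold, and a body shorter than the header
 * claims, so nothing malformed is ever loaded. */
bool parse_content(const uint8_t *buf, size_t len, content_t *out) {
    if (buf == NULL || out == NULL || len < 4) return false;
    uint32_t count = read_le32(buf);
    if (count > MAX_FIELDS) return false;
    if (len - 4 < (size_t)count * 4) return false;
    out->field_count = count;
    for (uint32_t i = 0; i < count; i++)
        out->fields[i] = read_le32(buf + 4 + i * 4);
    return true;
}

/* The failure mode described above: an index that arrives in content data
 * is trusted and used directly. When index >= field_count this reads entries
 * that were never loaded, and when index >= MAX_FIELDS it reads past the
 * array. In a kernel component that fault takes down the whole machine.
 * Shown for contrast only; nothing below calls it. */
uint32_t lookup_unchecked(const content_t *c, uint32_t index) {
    return c->fields[index];
}

/* Hardened lookup: every index taken from content data is checked against
 * the number of fields actually loaded; out of range is an error, not a fault. */
bool lookup_checked(const content_t *c, uint32_t index, uint32_t *value) {
    if (index >= c->field_count) return false;
    *value = c->fields[index];
    return true;
}

/* Pre-deployment validation: exercise every rule index against the parsed
 * content in a test harness before the file ships. Returns the number of
 * rules that would read out of bounds; any non-zero result fails the release. */
size_t validate_rules(const content_t *c, const uint32_t *rule_indexes, size_t n) {
    size_t bad = 0;
    uint32_t value;
    for (size_t i = 0; i < n; i++)
        if (!lookup_checked(c, rule_indexes[i], &value)) bad++;
    return bad;
}

/* Constructed sample: header declares 3 fields and 3 fields follow. */
static const uint8_t SAMPLE_OK[] = {
    3, 0, 0, 0,
    0x11, 0, 0, 0,
    0x22, 0, 0, 0,
    0x33, 0, 0, 0,
};

/* Constructed sample: header declares 5 fields but only 2 follow. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    5, 0, 0, 0,
    0x11, 0, 0, 0,
    0x22, 0, 0, 0,
};

/* Constructed rule set with one rule (index 7) that refers to a field the
 * content never carries; this is the mismatch a release gate must catch. */
static const uint32_t SAMPLE_RULES[] = { 0, 2, 7 };

/* Number of sample rules the release gate rejects for SAMPLE_OK. */
size_t demo_rejected_rules(void) {
    content_t c;
    memset(&c, 0, sizeof c);
    if (!parse_content(SAMPLE_OK, sizeof SAMPLE_OK, &c)) return (size_t)-1;
    return validate_rules(&c, SAMPLE_RULES, 3);
}

/* Whether the parser refuses the truncated sample outright. */
bool demo_truncated_rejected(void) {
    content_t c;
    memset(&c, 0, sizeof c);
    return !parse_content(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &c);
}

int main(void) {
    printf("rules rejected before release: %zu\n", demo_rejected_rules());
    printf("truncated content refused: %s\n", demo_truncated_rejected() ? "yes" : "no");
    return 0;
}
```

The point of the gate is that it runs the same checks the interpreter enforces at load time, but in a harness on the build side: a content file whose rules reference fields it does not carry is rejected as a release failure rather than discovered as a kernel fault on every endpoint that downloads it.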
What CrowdStrike has not disclosed is the number of devices globally affected and the collective recovery cost. Microsoft confirmed that about 8.5 million of its devices were impacted by the outage. While 8.5 million is a relatively small number in the grand scheme, these systems were among the most critical globally, grounding airlines, taking banks offline, and causing various other disruptions. U.S. Fortune 500 companies, excluding Microsoft, are expected to incur $5.4 billion in losses. The global cost will undoubtedly be higher.
A security product has now caused more disruption and financial damage than any malware incident to date, by an order of magnitude. For example, WannaCry impacted roughly 230,000 devices globally, well shy of CrowdStrike’s 8.5 million.
However, there is a more intriguing aspect to this situation.
The Cyber Safety Review Board (CSRB) gained prominence in cybersecurity circles with its report on Storm-0558, a group attributed to the People’s Republic of China. This group compromised the Microsoft Exchange Online mailboxes of 22 organisations and over 500 individuals worldwide, including senior U.S. government representatives involved in national security matters. Notable victims included Commerce Secretary Gina Raimondo, U.S. Ambassador to China R. Nicholas Burns, and Congressman Don Bacon.
Risky Business is now reporting that the CSRB might write a report on the recent CrowdStrike incident. CrowdStrike has already disclosed information about the testing process that allowed the faulty update to be released. While a CSRB report will likely provide further insights, the extent of additional information remains unclear. However, CSRB recommendations carry significant weight. Risky Business suggests that the CSRB report might examine the broader ecosystem, going beyond the testing processes of major security vendors to scrutinise specific practices, such as accessing the kernel.
CrowdStrike and many other security vendors require access to the Windows kernel, the core of the operating system, for their products to function. The Windows kernel manages system resources, facilitates hardware-software communication, and ensures system stability and security. It underpins all modern Windows versions, handling critical functions such as process and thread management, memory allocation, and virtual memory. This ensures efficient CPU use and protected memory spaces for each process.
The kernel supports device drivers, managing communication with hardware devices and overseeing their loading and execution. It also handles file system management, organising and managing data on disk drives. Security and access control are enforced to ensure only authorised access to resources, implementing user authentication and protection against malicious software. Additionally, the kernel facilitates inter-process communication (IPC), allowing processes to coordinate and share data efficiently.
Components of the Windows kernel include the Executive, which provides high-level services such as process and memory management, security, and I/O operations, and the kernel proper, which runs in privileged (kernel) mode with direct access to hardware and memory.
In simple terms, the Windows kernel is the brain of a Windows computer’s operating system. It manages all the critical tasks needed to keep your system running smoothly, ensuring that your applications have the resources they need, maintaining system security, and making sure everything works together efficiently. When you start accessing the computer’s brain, it is not surprising that things can go wrong in a big way.
EDR (Endpoint Detection and Response) vendors like CrowdStrike use kernel drivers to access the kernel for several reasons.
Kernel drivers provide deep system visibility, enabling EDR tools to monitor system activities at a very low level. This allows for detailed insights into the actions of processes, memory usage, and other critical system events.
By using kernel drivers, EDR tools can bypass many limitations and restrictions inherent to user-mode applications. This access to all parts of the system memory and hardware resources is essential for comprehensive security monitoring. Kernel drivers intercept system calls made by applications to the OS, detecting and preventing malicious activities such as unauthorised file access, process creation, and network communications.
In the realm of EDR, having more information is crucial. If something malicious is operating below the EDR’s detection level, it will not be seen. Therefore, the lower the EDR can operate within the system, the better its detection capabilities.
In 2020, Apple began removing third-party access to the kernel from macOS, granting access via an API instead. This means EDR can access all the information it needs without direct kernel access, reducing the risk of faulty updates crashing the device.
Microsoft, however, has not implemented API access to the kernel. According to Microsoft, this stems from a 2009 European Commission ruling that requires Microsoft to ensure third-party products can interoperate with Microsoft’s software products as effectively as Microsoft’s own products. This ruling mandates that everyone must be on equal footing.
If Microsoft were to restrict EDR vendors from accessing the kernel directly, it would also have to restrict its own EDR software, Microsoft Defender. Although Microsoft could build Microsoft Defender to use an API and then require other vendors to use the same API, they have not done so to date.
Even if Microsoft were to create API access for itself and other vendors, there are concerns. Patrick Gray, host of Risky Business, put it this way:
“The thing that I’m concerned about is that they’ll write or improve their APIs so that Defender will work OK without kernel-level access, but they won’t document all of this stuff properly and it’s going to be a nightmare for the other security companies that are trying to fulfill this function.”
Microsoft has suggested that they are considering some options in a recent blog post, but nothing concrete has been announced yet. A CSRB report, coupled with pressure from U.S. government elements, might force them to act.
An API could be a viable solution, but its implementation raises questions. One approach to facilitate a possible Windows kernel API could be to open-source it.
Or better yet, open-source Windows.
In some countries, the suggestion to open-source the operating system that runs the majority of public and private services might seem radical. However, this idea is not universally outlandish.
Switzerland, for example, passed legislation in April this year requiring all public bodies to open source the source code of software developed by or for them, unless precluded by third-party rights or security concerns. This mandate aims to ensure greater transparency, security, and efficiency in government operations by promoting the use of open-source software, which allows for public scrutiny and contributions to the software code.
Similarly, in April, the German state of Schleswig-Holstein decided to transition away from Microsoft products to open-source alternatives. Their reasons include data sovereignty, improved IT security, cost-effectiveness, and seamless collaboration between different systems.
There have been other notable moves in favour of open-source software, such as the EU-FOSSA project (Free and Open Source Software Auditing), launched by the European Commission after the discovery of the Heartbleed bug in 2014. The EU-FOSSA project supported open-source software auditing to improve the security of widely-used open-source software, benefiting the global commons.
The argument against open-sourcing some of Microsoft’s products often revolves around potential profit impacts. However, it is not uncommon for legislation to require the private sector to act counter to financial incentives. One of the main functions of legislation is to mitigate the worst elements of the free market.
Reflecting on the CSRB report on Storm-0558’s compromise of Exchange inboxes, it emphasised the critical nature of cloud service providers (CSPs). While this blog focuses on the Microsoft kernel, the principles apply broadly to computing infrastructure.
“It is not an exaggeration to say that cloud computing has become an indispensable resource to this nation, and indeed, much of the world. Numerous companies, government agencies, and even some entire countries rely on this infrastructure to run their critical operations, such as providing essential services to customers and citizens. Driven by productivity, efficiency, and cost benefits, adoption of these services has skyrocketed over the past decade, and, in some cases, they have become as indispensable as electricity. As a result, cloud service providers (CSPs) have become custodians of nearly unimaginable amounts of data. Everything from Americans’ personal information to communications of U.S. diplomats and other senior government officials, as well as commercial trade secrets and intellectual property, now resides in the geographically-distributed data centers that comprise what the world now calls the “cloud.”
The cloud creates enormous efficiencies and benefits but, precisely because of its ubiquity, it is now a high-value target for a broad range of adversaries, including nation-state threat actors. An attacker that can compromise a CSP can quickly position itself to compromise the data or networks of that CSP’s customers. In effect, the CSPs have become one of our most important critical infrastructure industries. As a result, these companies must invest in and prioritize security consistent with this “new normal,” for the protection of their customers and our most critical economic and security interests.”
The Windows kernel, while not historically likened to the cloud, now shares its criticality. When a vendor ships an update that crashes 8.5 million Windows machines controlling vital societal functions, the supply chain risk of the cloud, where one provider holds access to so many things, is mirrored in endpoint computing generally. Thus, legislation to open-source the Windows kernel to facilitate better EDR paradigms, and ultimately better computing paradigms, warrants exploration.
A more extreme argument posits that open-sourcing Windows would bankrupt Microsoft, as everyone would download free Microsoft software. This perspective misunderstands Microsoft’s business model.
Microsoft is more than Windows; it is an extensive ecosystem of products. No other vendor matches the breadth of Microsoft’s offerings. A critical part of this ecosystem is Active Directory and its variants. Anyone wishing to move away from Microsoft must address identity management across their environment at scale. Open-sourcing some or all of Microsoft’s ecosystem does not diminish its utility.
The complexity of maintaining and managing such a large ecosystem ensures a continued strong business model in ongoing licensing fees, covering implementation, professional services, and support. Additionally, Microsoft’s substantial cloud business and other offerings ensure its financial stability. Open-sourcing Windows would not lead to Microsoft’s demise.
The best way to create lasting change is gradually. Microsoft is not going to open source the entire Windows operating system and associated products in response to a CSRB report. However, regardless of the CSRB report’s conclusions or Microsoft’s response, some facts remain:
These are significant issues, but a path forward might begin with open-sourcing the APIs that interact with the Windows kernel. This step would enhance Windows’ resilience, comply with legal requirements, and foster competition.
Once the likelihood of another CrowdStrike-like incident is sufficiently lowered through open-sourcing APIs, we can address the remaining problems.
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
https://www.theguardian.com/technology/article/2024/jul/24/crowdstrike-outage-companies-cost
https://abcnews.go.com/US/american-airlines-issues-global-ground-stop-flights/story?id=112092372
https://www.theverge.com/2024/7/26/24206719/microsoft-windows-changes-crowdstrike-kernel-driver
https://www.zdnet.com/article/german-state-ditches-microsoft-for-linux-and-libreoffice/
https://www.kaspersky.com/resource-center/threats/ransomware-wannacry
