this post was submitted on 26 Jul 2024
304 points (99.0% liked)

Linux Gaming

15912 readers
6 users here now

Gaming on the GNU/Linux operating system.

Recommended news sources:

Related chat:

Related Communities:

Please be nice to other members. Anyone not being nice will be banned. Keep it fun, respectful and just be awesome to each other.

founded 4 years ago
MODERATORS
 

CrowdStrike’s Falcon software uses a special driver that allows it to run at a lower level than most apps so it can detect threats across a Windows system. Microsoft tried to restrict third parties from accessing the kernel in Windows Vista in 2006 but was met with pushback from cybersecurity vendors and EU regulators. However, Apple was able to lock down its macOS operating system in 2020 so that developers could no longer get access to the kernel.

Now, it looks like Microsoft wants to reopen the conversations around restricting kernel-level access inside Windows.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 4 months ago (1 children)

Can someone more knowledgeable explain to me this? Why do certain security software require access to the kernel? To keep malware from getting to the kernel or something? Doesn't restricting access to the kernel offer more security? Wouldn't malware also be unable to access the kernel? Or is that not the case? (Kernel is what connects software and hardware, correct? Just to be sure)

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago)

Why do certain security software require access to the kernel? To keep malware from getting to the kernel or something?

Security software doesn't necessarily NEED access to the kernel, but kernel-level access provides the maximum amount of access and visibility to the rest of the system. The only thing higher then kernel-level is hardware-level.

In the case of CrowdStrike, kernel-level access provides their software to have the highest privileges which yields in the most effective defense against malware (in theory). However third-party, kernel-level access is never a good idea. Software that has kernel-level access can be, and has been, exploited before. In the case of CrowdStrike, it was a faulty update that screwed over Windows systems. The more access you have in a system, the more you screw it over when something fails.

Doesn’t restricting access to the kernel offer more security?

Yes! You are correct. If implemented correctly of course, restricted access to the kernel provides a higher amount of security.

Wouldn’t malware also be unable to access the kernel?

In theory, the more restricted the kernel is, the more difficult it is for malware to access the kernel.

Kernel is what connects software and hardware, correct?

Yes. A function of the kernel is providing a way for software and hardware to communicate with each other.