• biscuitswalrus@aussie.zone
    link
    fedilink
    English
    arrow-up
    60
    arrow-down
    2
    ·
    4 months ago

    At this point we want antivirus and anticheat out of windows kernel. Microsoft killing access to it will genuinely fix Linux compatibility issues.

    It couldn’t be more win-win.

    Microsoft is trying to test that approach. The company tested restricting kernel access to third party security vendors in the past, with Vista OS in 2006, but had to backtrack the move.

    Symantec and McAfee then claimed Microsoft’s decision to shut off access to the kernel amounts to “anti-competitive behavior.”

    Without kernel access, this software may struggle to perform in-depth behavioral analyses of processes and applications, to meet its objectives, said Varkey. “Blocking this access can limit the software’s ability to detect and prevent sophisticated attacks.”

    They can’t be trusted, kick out everyone’s access to the kernel. Everyone must use API and that can be interpreted.

    • Badabinski@kbin.earth
      link
      fedilink
      arrow-up
      15
      ·
      4 months ago

      They need to do what MacOS and Linux have done. There are safer ways to interact with and inspect the running state of the kernel in those operating systems (eBPF for Linux, a bunch of APIs I don’t know much about for MacOS). Software needs a way to do the shit it’s doing, you can’t just turn it off and provide no alternative.

      If Microsoft provides a safe API, then Wine can translate calls to that API and approximate the same degree of protection for Linux boxen.

      I also agree with the other person, you should still be allowed to fuck around with the kernel on your own box. Major software vendors should be discouraged from writing shit that directly runs in ring 0, but end users should be allowed to do whatever.

    • Pika
      link
      fedilink
      English
      arrow-up
      7
      ·
      4 months ago

      If i understand the protection rings correctly, MS could just force all drivers into ring 1 or 2 instead of ring 0, and moreorless fix the issue as well, as the core system would be on ring 0, and everything else on ring 1-3, its just MS as a whole hasen’t supported ring 1 or 2 since early windows days. This feature being implemented from what I understand is what moreorless allowed the Linux edition of crowdstrike to have less of an impact, as it offered a way of installation that allowed the program to “fail” without doing a hard crash of the system.

    • Corngood@lemmy.ml
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      4 months ago

      You’re suggesting people not be able to run software in kernel mode on their own systems.

      I would never run kernel mode anti-cheat, but going down this road will lead to hardware attestation and the end of open computing for anything with online services.

      • conciselyverbose
        link
        fedilink
        English
        arrow-up
        3
        ·
        4 months ago

        I’m advocating for installing malware (literally anything with kernel access in literally all cases) as part of a game install being the obvious criminal offense it should be, personally.

        Users aren’t able to get kernel access with windows. They’re only able to install software from a small handful of sources, almost all of which are malicious.

      • sorghum
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        4 months ago

        Doesn’t really matter, it was the EU regulators that ultimately nixed the API approach saying it would be anticompetitive. I mostly blame the EU for why crowd strike could happen in the first place and why there’s kernel level anti cheat.

        • aard@kyu.de
          link
          fedilink
          English
          arrow-up
          4
          ·
          4 months ago

          That’s bullshit. Microsoft wanted to force others to use an API, while keep using kernel level access for Defender (which for enterprise use is a paid product). That’s text book anti competitive. Nobody ever had a problem of Microsoft rolling out and enforcing an API for that if they restrict their own security products to that API as well.

          • sorghum
            link
            fedilink
            English
            arrow-up
            1
            ·
            4 months ago

            At this point I don’t want anything to have kernel level access other than the OS and some necessary hardware drivers. I’m not super familiar with MacOS, but do you know if Gatekeeper or XProtect run at ring 0? If they do run at ring 0, would you consider that anticompetitive? I’m almost certain Apple will move or did move to depreciate kernel extensions. Which means it would be the same situation Microsoft wanted to force as you described.

            The other argument with Defender is you could at least have a choice to use it or not.

            • aard@kyu.de
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              4 months ago

              I’m not super familiar with MacOS, but do you know if Gatekeeper or XProtect run at ring 0?

              Gatekeeper does mainly signature checking. XProtect does signature checking on an applications first launch. Both of those things would be pretty stupid to implement in ring 0, so I’m pretty sure they are not.

              If they do run at ring 0, would you consider that anticompetitive?

              No, as they’re not doing any active monitoring. They’re pretty much the “you downloaded this file from the internet, do you really want to run it?” of MacOS.

              I’m almost certain Apple will move or did move to depreciate kernel extensions. Which means it would be the same situation Microsoft wanted to force as you described.

              That is indeed the case, but I’m not aware of any Apple products relying on being a kernel extension. Apple is facing action from the EU for locking down devices from device owners, though - mainly applying to phones/tablets. On Macs you can turn pretty much everything off and do whatever you want.

              The other argument with Defender is you could at least have a choice to use it or not.

              Without providing a proper API Defender (both the free one, and the paid one offering more features) would be able to provide more features than 3rd parties. Microsoft also wouldn’t have an incentive to fix the APIs, as bugs don’t impact them.

              The correct way forward here is introducing an API, and moving Defender to it as well - and recent comments from Microsoft point in that direction. If they don’t they’ll probably be forced by the EU in the long run - back then it was just a decision on fair competition, without looking at the technical details: Typically those rulings are just “look, you need to give everybody the same access you have, but we’ll leave it up to you how to do it”. Now we have a lot of damage, so now another department will get active and say “you’ve proven that you can’t make the correct technical decision, so we’ll make it for you”.

              A recent precedent for that would be the USB-C charger cable mandate - originally this was “guys, agree on something, we don’t care what”, which mostly worked - we first had pretty much everything micro USB, and then everything USB-C. But as Apple refused the EU went “look, you had a decade to sort it out, so now we’re just telling you that you have to use USB-C”