[Translation] Microsoft's technical analysis of the CrowdStrike incident
Posted: 2024-9-6 15:33
Original: https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/

Windows Security best practices for integrating and managing security tools

 
Windows is an open and flexible platform used by many of the world’s top businesses for high availability use cases where security and availability are non-negotiable.

 
To meet those needs:


  1. Windows provides a range of operating modes that customers can choose from. This includes the ability to limit what can run to only approved software and drivers. This can increase security and reliability by making Windows operate in a mode closer to mobile phones or appliances.

  2. Customers can choose integrated security monitoring and detection capabilities that are included with Windows. Or they can choose to replace or supplement this security with a wide variety of choices from a vibrant open ecosystem of vendors.

In this blog post, we examine the recent CrowdStrike outage and provide a technical overview of the root cause. We also explain why security products use kernel-mode drivers today and the safety measures Windows provides for third-party solutions. In addition, we share how customers and security vendors can better leverage the integrated security capabilities of Windows for increased security and reliability. Lastly, we provide a look into how Windows will enhance extensibility for future security products.
 

CrowdStrike recently published a Preliminary Post Incident Review analyzing their outage. In their blog post, CrowdStrike describes the root cause as a memory safety issue—specifically a read out-of-bounds access violation in the CSagent driver. We leverage the Microsoft WinDBG Kernel Debugger and several extensions that are available free to anyone to perform this analysis. Customers with crash dumps can reproduce our steps with these tools.
 

Based on Microsoft’s analysis of the Windows Error Reporting (WER) kernel crash dumps related to the incident, we observe global crash patterns that reflect this:

FAULTING_THREAD:  ffffe402fe868040
  
READ_ADDRESS:  ffff840500000074 Paged pool
  
MM_INTERNAL_CODE:  2
  
IMAGE_NAME:  csagent.sys
  
MODULE_NAME: csagent
  
FAULTING_MODULE: fffff80671430000 csagent
  
PROCESS_NAME:  System
  
TRAP_FRAME:  ffff94058305ec20 -- (.trap 0xffff94058305ec20)
.trap 0xffff94058305ec20
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff94058305f200 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff94058305f1d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806715114ed rsp=ffff94058305edb0 rbp=ffff94058305eeb0
 r8=ffff840500000074  r9=0000000000000000 r10=0000000000000000
r11=0000000000000014 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
csagent+0xe14ed:
fffff806`715114ed 458b08          mov     r9d,dword ptr [r8] ds:ffff8405`00000074=????????
.trap
Resetting default scope
  
STACK_TEXT: 
ffff9405`8305e9f8 fffff806`5388c1e4     : 00000000`00000050 ffff8405`00000074 00000000`00000000 ffff9405`8305ec20 : nt!KeBugCheckEx
ffff9405`8305ea00 fffff806`53662d8c     : 00000000`00000000 00000000`00000000 00000000`00000000 ffff8405`00000074 : nt!MiSystemFault+0x1fcf94 
ffff9405`8305eb00 fffff806`53827529     : ffffffff`00000030 ffff8405`af8351a2 ffff9405`8305f020 ffff9405`8305f020 : nt!MmAccessFault+0x29c
ffff9405`8305ec20 fffff806`715114ed     : 00000000`00000000 ffff9405`8305eeb0 ffff8405`b0bcd00c ffff8405`b0bc505c : nt!KiPageFault+0x369
ffff9405`8305edb0 fffff806`714e709e     : 00000000`00000000 00000000`e01f008d ffff9405`8305f102 fffff806`716baaf8 : csagent+0xe14ed
ffff9405`8305ef50 fffff806`714e8335     : 00000000`00000000 00000000`00000010 00000000`00000002 ffff8405`b0bc501c : csagent+0xb709e
ffff9405`8305f080 fffff806`717220c7     : 00000000`00000000 00000000`00000000 ffff9405`8305f382 00000000`00000000 : csagent+0xb8335
ffff9405`8305f1b0 fffff806`7171ec44     : ffff9405`8305f668 fffff806`53eac2b0 ffff8405`afad4ac0 00000000`00000003 : csagent+0x2f20c7
ffff9405`8305f430 fffff806`71497a31     : 00000000`0000303b ffff9405`8305f6f0 ffff8405`afb1d140 ffffe402`ff251098 : csagent+0x2eec44
ffff9405`8305f5f0 fffff806`71496aee     : ffff8405`afb1d140 fffff806`71541e7e 00000000`000067a0 fffff806`7168f8f0 : csagent+0x67a31
ffff9405`8305f760 fffff806`7149685b     : ffff9405`8305f9d8 ffff8405`afb1d230 ffff8405`afb1d140 ffffe402`fe8644f8 : csagent+0x66aee
ffff9405`8305f7d0 fffff806`715399ea     : 00000000`4a8415aa ffff8eee`1c68ca4f 00000000`00000000 ffff8405`9e95fc30 : csagent+0x6685b
ffff9405`8305f850 fffff806`7148efbb     : 00000000`00000000 ffff9405`8305fa59 ffffe402`fe864050 ffffe402`fede62c0 : csagent+0x1099ea
ffff9405`8305f980 fffff806`7148edd7     : ffffffff`ffffffa1 fffff806`7152e5c1 ffffe402`fe864050 00000000`00000001 : csagent+0x5efbb
ffff9405`8305fac0 fffff806`7152e681     : 00000000`00000000 fffff806`53789272 00000000`00000002 ffffe402`fede62c0 : csagent+0x5edd7
ffff9405`8305faf0 fffff806`53707287     : ffffe402`fe868040 00000000`00000080 fffff806`7152e510 006fe47f`b19bbdff : csagent+0xfe681
ffff9405`8305fb30 fffff806`5381b8e4     : ffff9680`37651180 ffffe402`fe868040 fffff806`53707230 00000000`00000000 : nt!PspSystemThreadStartup+0x57
ffff9405`8305fb80 00000000`00000000     : ffff9405`83060000 ffff9405`83059000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x34

 
Digging in more to this crash dump, we can restore the stack frame at the time of the access violation to learn more about its origin. Unfortunately, with WER data we only receive a compressed version of state and thus we cannot disassemble backwards to see a larger set of instructions prior to the crash, but we can see in the disassembly that there is a check for NULL before performing a read at the address specified in the R8 register:

6: kd> .trap 0xffff94058305ec20
.trap 0xffff94058305ec20
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffff94058305f200 rbx=0000000000000000 rcx=0000000000000003
rdx=ffff94058305f1d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff806715114ed rsp=ffff94058305edb0 rbp=ffff94058305eeb0
 r8=ffff840500000074  r9=0000000000000000 r10=0000000000000000
r11=0000000000000014 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
csagent+0xe14ed:
fffff806`715114ed 458b08          mov     r9d,dword ptr [r8] ds:ffff8405`00000074=????????
6: kd> !pte ffff840500000074
!pte ffff840500000074
                                           VA ffff840500000074
PXE at FFFFABD5EAF57840    PPE at FFFFABD5EAF080A0    PDE at FFFFABD5E1014000    PTE at FFFFABC202800000
contains 0A00000277200863  contains 0000000000000000
pfn 277200    ---DA--KWEV  contains 0000000000000000
not valid
  
6: kd> ub fffff806`715114ed
ub fffff806`715114ed
csagent+0xe14d9:
fffff806`715114d9 04d8            add     al,0D8h
fffff806`715114db 750b            jne     csagent+0xe14e8 (fffff806`715114e8)
fffff806`715114dd 4d85c0          test    r8,r8
fffff806`715114e0 7412            je      csagent+0xe14f4 (fffff806`715114f4)
fffff806`715114e2 450fb708        movzx   r9d,word ptr [r8]
fffff806`715114e6 eb08            jmp     csagent+0xe14f0 (fffff806`715114f0)
fffff806`715114e8 4d85c0          test    r8,r8
fffff806`715114eb 7407            je      csagent+0xe14f4 (fffff806`715114f4)
6: kd> ub fffff806`715114d9
ub fffff806`715114d9
                          ^ Unable to find valid previous instruction for 'ub fffff806`715114d9'
6: kd> u fffff806`715114eb
u fffff806`715114eb
csagent+0xe14eb:
fffff806`715114eb 7407            je      csagent+0xe14f4 (fffff806`715114f4)
fffff806`715114ed 458b08          mov     r9d,dword ptr [r8]
fffff806`715114f0 4d8b5008        mov     r10,qword ptr [r8+8]
fffff806`715114f4 4d8bc2          mov     r8,r10
fffff806`715114f7 488d4d90        lea     rcx,[rbp-70h]
fffff806`715114fb 488bd6          mov     rdx,rsi
fffff806`715114fe e8212c0000      call    csagent+0xe4124 (fffff806`71514124)
fffff806`71511503 4533d2          xor     r10d,r10d
  
6: kd> db ffff840500000074
db ffff840500000074
ffff8405`00000074  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`00000084  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`00000094  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000a4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000b4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000c4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000d4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
ffff8405`000000e4  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

 
Our observations confirm CrowdStrike’s analysis that this was a read-out-of-bounds memory safety error in the CrowdStrike-developed CSagent.sys driver.
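The disassembly above guards the read with `test r8,r8 / je` and then dereferences R8 no matter where it points, which is exactly the class of bug a NULL check cannot catch. The following C program is an added illustration, not code from CrowdStrike, Microsoft or the original post: it models a hypothetical content record (an entry table plus an index) and places an unchecked reader that only tests for NULL next to a reader that bounds-checks the index against what was actually delivered. The record layout, the 0x41 fill pattern and every function name are this example's own assumptions. In the kernel the stray pointer landed in an unmapped page of paged pool and the machine bug-checked; here the surrounding arena is mapped, so the unchecked read simply returns bytes that belong to something else.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical content record layout (this example's assumption):
 *   u32 entry_count | u32 index | entry[entry_count] { u32 kind; u32 flags; } */
#define HDR_SIZE   8
#define ENTRY_SIZE 8

static uint32_t rd32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Vulnerable reader: forms a pointer from the untrusted index and only checks
 * it for NULL, the same shape as `test r8,r8 / je ... / mov r9d,[r8]` above.
 * A non-NULL pointer past the table passes the check and is dereferenced. */
static uint32_t kind_unchecked(const uint8_t *blob)
{
    uint32_t index = rd32(blob + 4);
    const uint8_t *entry = blob + HDR_SIZE + (size_t)index * ENTRY_SIZE;
    if (entry == NULL)          /* never true here: the pointer is simply wrong */
        return 0;
    return rd32(entry);         /* reads whatever happens to be at that address */
}

/* Hardened reader: checks the header against the bytes actually present and the
 * index against the table before forming any pointer. 0 on success, -1 otherwise. */
static int kind_checked(const uint8_t *blob, size_t blob_len, uint32_t *out)
{
    if (blob == NULL || blob_len < HDR_SIZE)
        return -1;
    uint32_t count = rd32(blob);
    uint32_t index = rd32(blob + 4);
    size_t table_entries = (blob_len - HDR_SIZE) / ENTRY_SIZE;
    if (count > table_entries)  /* header claims more entries than were delivered */
        return -1;
    if (index >= count)         /* index outside the table */
        return -1;
    *out = rd32(blob + HDR_SIZE + (size_t)index * ENTRY_SIZE);
    return 0;
}

/* Constructed sample: a 256-byte arena standing in for pool memory. The record
 * (2 entries, 24 bytes) sits at the start; everything after it is filled with
 * 0x41 to represent unrelated data that an out-of-bounds read would return. */
#define ARENA_SIZE 256
#define RECORD_LEN (HDR_SIZE + 2 * ENTRY_SIZE)

static void build_arena(uint8_t *arena, uint32_t index)
{
    uint32_t count = 2;
    uint32_t e0[2] = { 0x1001, 0 };
    uint32_t e1[2] = { 0x1002, 0 };
    memset(arena, 0x41, ARENA_SIZE);
    memcpy(arena, &count, sizeof count);
    memcpy(arena + 4, &index, sizeof index);
    memcpy(arena + HDR_SIZE, e0, sizeof e0);
    memcpy(arena + HDR_SIZE + ENTRY_SIZE, e1, sizeof e1);
}

/* What the unchecked reader returns for `index` (kept small enough to stay
 * inside the arena; in the kernel the same arithmetic walked into an
 * unmapped page and bug-checked). */
uint32_t demo_unchecked(uint32_t index)
{
    uint8_t arena[ARENA_SIZE];
    build_arena(arena, index);
    return kind_unchecked(arena);
}

/* 0 and *out set when the checked reader accepts `index`, -1 when it rejects it. */
int demo_checked(uint32_t index, uint32_t *out)
{
    uint8_t arena[ARENA_SIZE];
    build_arena(arena, index);
    return kind_checked(arena, RECORD_LEN, out);
}

int main(void)
{
    uint32_t v = 0;
    printf("unchecked, index 1: 0x%x\n", demo_unchecked(1));
    printf("unchecked, index 5: 0x%x (bytes past the table)\n", demo_unchecked(5));
    printf("checked,   index 5: %s\n", demo_checked(5, &v) == 0 ? "accepted" : "rejected");
    printf("checked,   index 1: %s, kind 0x%x\n",
           demo_checked(1, &v) == 0 ? "accepted" : "rejected", v);
    return 0;
}
```

Build with any C compiler (`cc oob.c && ./a.out`). The hardened reader rejects both an index past the table and a header that claims more entries than the blob holds; the second check matters because a content file can lie about its own length just as easily as about an index.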
 

We can also see that the csagent.sys module is registered as a file system filter driver commonly used by anti-malware agents to receive notifications about file operations such as the creation or modification of a file. This is often used by security products to scan any new file saved to disk, such as downloading a file via the browser.
 

File System filters can also be used as a signal for security solutions attempting to monitor the behavior of the system. CrowdStrike noted in their blog that part of their content update was changing the sensor’s logic relating to data around named pipe creation. The File System filter driver API allows the driver to receive a call when named pipe activity (e.g., named pipe creation) occurs on the system that could enable the detection of malicious behavior. The general function of the driver correlates to the information shared by CrowdStrike.

6: kd>!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csagent
  
Hive         ffff84059ca7b000
KeyNode      ffff8405a6f67f9c
  
[SubKeyAddr]         [SubKeyName]
ffff8405a6f683ac     Instances
ffff8405a6f6854c     Sim
  
 Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details
  
[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          2
REG_DWORD           Start                         1
REG_DWORD           ErrorControl                  1
REG_EXPAND_SZ       ImagePath                     \??\C:\Windows\system32\drivers\CrowdStrike\csagent.sys
REG_SZ              DisplayName                   CrowdStrike Falcon
REG_SZ              Group                         FSFilter Activity Monitor
REG_MULTI_SZ        DependOnService               FltMgr\0
REG_SZ              CNFG                          Config.sys
REG_DWORD           SupportedFeatures             f

 
We can see the control channel file version 291 specified in the CrowdStrike analysis is also present in the crash indicating the file was read.

Determining how the file itself correlates to the access violation observed in the crash dump would require additional debugging of the driver using these tools but is outside of the scope of this blog post.

!ca ffffde8a870a8290
  
ControlArea  @ ffffde8a870a8290
  Segment      ffff880ce0689c10  Flink      ffffde8a87267718  Blink        ffffde8a870a7d98
  Section Ref                 0  Pfn Ref                   b  Mapped Views                0
  User Ref                    0  WaitForDel                0  Flush Count                 0
  File Object  ffffde8a879b29a0  ModWriteCount             0  System Views                0
  WritableRefs                0  PartitionId                0 
  Flags (8008080) File WasPurged OnUnusedList
  
      \Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000032.sys
  
1: kd> !ntfskd.ccb ffff880ce06f6970
!ntfskd.ccb ffff880ce06f6970
  
   Ccb: ffff880c`e06f6970
 Flags: 00008003 Cleanup OpenAsFile IgnoreCase
Flags2: 00000841 OpenComplete AccessAffectsOplocks SegmentObjectReferenced
  Type: UserFileOpen
FileObj: ffffde8a879b29a0
  
(018)  ffff880c`db937370  FullFileName [\Windows\System32\drivers\CrowdStrike\C-00000291-00000000-00000032.sys]
(020) 000000000000004C  LastFileNameOffset
(022) 0000000000000000  EaModificationCount
(024) 0000000000000000  NextEaOffset
(048) FFFF880CE06F69F8  Lcb
(058) 0000000000000002  TypeOfOpen

 
We can leverage the crash dump to determine if any other drivers supplied by CrowdStrike may exist on the running system during the crash.

6: kd> lmDvmCSFirmwareAnalysis
lmDvmCSFirmwareAnalysis
Browse full module list
start             end                 module name
fffff806`58920000 fffff806`5893c000   CSFirmwareAnalysis   (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\CSFirmwareAnalysis.sys
    Image name: CSFirmwareAnalysis.sys
    Browse all global symbols  functions  data  Symbol Reload
    Timestamp:        Mon Mar 18 11:32:14 2024 (65F888AE)
    CheckSum:         0002020E
    ImageSize:        0001C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:
6: kd> lmDvmcspcm4
lmDvmcspcm4
Browse full module list
start             end                 module name
fffff806`71870000 fffff806`7187d000   cspcm4     (deferred)            
    Image path: \??\C:\Windows\system32\drivers\CrowdStrike\cspcm4.sys
    Image name: cspcm4.sys
    Browse all global symbols  functions  data  Symbol Reload
    Timestamp:        Mon Jul  8 18:33:22 2024 (668C9362)
    CheckSum:         00012F69
    ImageSize:        0000D000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:
6: kd> lmDvmcsboot.sys
lmDvmcsboot.sys
Browse full module list
start             end                 module name
  
Unloaded modules:
fffff806`587d0000 fffff806`587dc000   CSBoot.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  0000C000
  
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csboot
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csboot
  
Hive         ffff84059ca7b000
KeyNode      ffff8405a6f68924
  
[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          1
REG_DWORD           Start                         0
REG_DWORD           ErrorControl                  1
REG_EXPAND_SZ       ImagePath                     system32\drivers\CrowdStrike\CSBoot.sys
REG_SZ              DisplayName                   CrowdStrike Falcon Sensor Boot Driver
REG_SZ              Group                         Early-Launch
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csdevicecontrol
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csdevicecontrol
  
Hive         ffff84059ca7b000
KeyNode      ffff8405a6f694ac
  
[SubKeyAddr]         [VolatileSubKeyName]
ffff84059ce196c4     Enum
  
 Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details
  
[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          1
REG_DWORD           Start                         3
REG_DWORD           ErrorControl                  1
REG_DWORD           Tag                           1f
REG_EXPAND_SZ       ImagePath                     \SystemRoot\System32\drivers\CSDeviceControl.sys
REG_SZ              DisplayName                   @oem40.inf,%DeviceControl.SVCDESC%;CrowdStrike Device Control Service
REG_SZ              Group                         Base
REG_MULTI_SZ        Owners                        oem40.inf\0!csdevicecontrol.inf_amd64_b6725a84d4688d5a\0!csdevicecontrol.inf_amd64_016e965488e83578\0
REG_DWORD           BootFlags                     14
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csagent
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csagent
  
Hive         ffff84059ca7b000
KeyNode      ffff8405a6f67f9c
  
[SubKeyAddr]         [SubKeyName]
ffff8405a6f683ac     Instances
ffff8405a6f6854c     Sim
  
 Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details
  
[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          2
REG_DWORD           Start                         1
REG_DWORD           ErrorControl                  1
REG_EXPAND_SZ       ImagePath                     \??\C:\Windows\system32\drivers\CrowdStrike\csagent.sys
REG_SZ              DisplayName                   CrowdStrike Falcon
REG_SZ              Group                         FSFilter Activity Monitor
REG_MULTI_SZ        DependOnService               FltMgr\0
REG_SZ              CNFG                          Config.sys
REG_DWORD           SupportedFeatures             f
  
6: kd> lmDvmCSFirmwareAnalysis
lmDvmCSFirmwareAnalysis
Browse full module list
start             end                 module name
fffff806`58920000 fffff806`5893c000   CSFirmwareAnalysis   (deferred)            
    Image path: \SystemRoot\system32\DRIVERS\CSFirmwareAnalysis.sys
    Image name: CSFirmwareAnalysis.sys
    Browse all global symbols  functions  data  Symbol Reload
    Timestamp:        Mon Mar 18 11:32:14 2024 (65F888AE)
    CheckSum:         0002020E
    ImageSize:        0001C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
    Information from resource tables:
6: kd> !reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csfirmwareanalysis
!reg querykey \REGISTRY\MACHINE\system\ControlSet001\services\csfirmwareanalysis
  
Hive         ffff84059ca7b000
KeyNode      ffff8405a6f69d9c
  
[SubKeyAddr]         [VolatileSubKeyName]
ffff84059ce197cc     Enum
  
 Use '!reg keyinfo ffff84059ca7b000 <SubKeyAddr>' to dump the subkey details
  
[ValueType]         [ValueName]                   [ValueData]
REG_DWORD           Type                          1
REG_DWORD           Start                         0
REG_DWORD           ErrorControl                  1
REG_DWORD           Tag                           6
REG_EXPAND_SZ       ImagePath                     system32\DRIVERS\CSFirmwareAnalysis.sys
REG_SZ              DisplayName                   @oem43.inf,%FirmwareAnalysis.SVCDESC%;CrowdStrike Firmware Analysis Service
REG_SZ              Group                         Boot Bus Extender
REG_MULTI_SZ        Owners                        oem43.inf\0!csfirmwareanalysis.inf_amd64_12861fc608fb1440\0
6: kd> !reg querykey \REGISTRY\MACHINE\system\Controlset001\control\earlylaunch
!reg querykey \REGISTRY\MACHINE\system\Controlset001\control\earlylaunch

 
As we can see from the above analysis, CrowdStrike loads four driver modules. One of those modules receives dynamic control and content updates frequently based on the CrowdStrike Preliminary Post-incident-review timeline.
 

We can leverage the unique stack and attributes of this crash to identify the Windows crash reports generated by this specific CrowdStrike programming error. It’s worth noting the number of devices which generated crash reports is a subset of the number of impacted devices previously shared by Microsoft in our blog post, because crash reports are sampled and collected only from customers who choose to upload their crashes to Microsoft. Customers who choose to enable crash dump sharing help both driver vendors and Microsoft to identify and remediate quality issues and crashes.


Figure 1 CrowdStrike driver associated crash dump reports over time
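As an added example that is not part of the Microsoft post, the following C code sketches how crash reports can be bucketed by a stack fingerprint, the approach the paragraph above describes: it parses STACK_TEXT lines in WinDbg's `ChildSP RetAddr : Args : CallSite` layout, takes the bugcheck code from the first argument of nt!KeBugCheckEx (0x50, PAGE_FAULT_IN_NONPAGED_AREA) and the first frame outside nt!, and compares the pair against the incident's signature. The sample lines are copied from the dump above; the struct and function names are this example's own. Matching on module plus raw offset only identifies one build of the driver, since offsets move between versions and the dump has no symbols for csagent, so a production bucketing scheme would symbolize the frame and hash several frames rather than one.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields this example uses for a crash bucket (names are this example's own). */
struct crash_sig {
    uint64_t bugcheck;   /* first argument to nt!KeBugCheckEx; 0x50 = PAGE_FAULT_IN_NONPAGED_AREA */
    char     module[32]; /* first frame that is not in the kernel image (nt!) */
    uint64_t offset;     /* unsymbolized offset inside that module */
};

/* Parse one WinDbg 64-bit value, dropping the hi`lo backtick; stops at a space. */
static uint64_t parse_hex(const char *tok)
{
    char buf[20];
    size_t n = 0;
    for (; *tok && *tok != ' ' && n < sizeof buf - 1; tok++)
        if (*tok != '`')
            buf[n++] = *tok;
    buf[n] = '\0';
    return strtoull(buf, NULL, 16);
}

/* Walk STACK_TEXT lines ("ChildSP RetAddr : Arg1 Arg2 Arg3 Arg4 : CallSite"),
 * record the bugcheck code from the KeBugCheckEx frame and the first frame
 * outside nt!. Returns 0 when both were found, -1 otherwise. */
int fingerprint(const char *const *lines, size_t nlines, struct crash_sig *sig)
{
    int have_bugcheck = 0, have_frame = 0;
    memset(sig, 0, sizeof *sig);
    for (size_t i = 0; i < nlines && !have_frame; i++) {
        const char *args = strstr(lines[i], " : ");
        const char *site = strrchr(lines[i], ':');
        if (args == NULL || site == NULL)
            continue;
        for (site++; *site == ' '; site++)
            ;
        if (strncmp(site, "nt!KeBugCheckEx", 15) == 0) {
            sig->bugcheck = parse_hex(args + 3);
            have_bugcheck = 1;
        } else if (strncmp(site, "nt!", 3) != 0) {
            const char *plus = strchr(site, '+');
            size_t len = plus ? (size_t)(plus - site) : strlen(site);
            if (len >= sizeof sig->module)
                len = sizeof sig->module - 1;
            memcpy(sig->module, site, len);
            sig->module[len] = '\0';
            sig->offset = plus ? strtoull(plus + 1, NULL, 16) : 0;
            have_frame = 1;
        }
    }
    return (have_bugcheck && have_frame) ? 0 : -1;
}

/* 1 when a report falls into the bucket of the crash analyzed above. */
int matches_incident(const struct crash_sig *s)
{
    return s->bugcheck == 0x50 && strcmp(s->module, "csagent") == 0 && s->offset == 0xe14ed;
}

/* Sample input: the first five STACK_TEXT frames copied from the dump above. */
static const char *const sample_stack[] = {
    "ffff9405`8305e9f8 fffff806`5388c1e4     : 00000000`00000050 ffff8405`00000074 00000000`00000000 ffff9405`8305ec20 : nt!KeBugCheckEx",
    "ffff9405`8305ea00 fffff806`53662d8c     : 00000000`00000000 00000000`00000000 00000000`00000000 ffff8405`00000074 : nt!MiSystemFault+0x1fcf94",
    "ffff9405`8305eb00 fffff806`53827529     : ffffffff`00000030 ffff8405`af8351a2 ffff9405`8305f020 ffff9405`8305f020 : nt!MmAccessFault+0x29c",
    "ffff9405`8305ec20 fffff806`715114ed     : 00000000`00000000 ffff9405`8305eeb0 ffff8405`b0bcd00c ffff8405`b0bc505c : nt!KiPageFault+0x369",
    "ffff9405`8305edb0 fffff806`714e709e     : 00000000`00000000 00000000`e01f008d ffff9405`8305f102 fffff806`716baaf8 : csagent+0xe14ed",
};

int sample_fingerprint(struct crash_sig *sig)
{
    return fingerprint(sample_stack, sizeof sample_stack / sizeof sample_stack[0], sig);
}

int main(void)
{
    struct crash_sig s;
    if (sample_fingerprint(&s) != 0) {
        puts("no usable signature");
        return 1;
    }
    printf("bugcheck 0x%llx at %s+0x%llx -> %s\n",
           (unsigned long long)s.bugcheck, s.module, (unsigned long long)s.offset,
           matches_incident(&s) ? "incident bucket" : "other bucket");
    return 0;
}
```

Feed it the STACK_TEXT section of any `!analyze -v` output, one frame per line; reports whose first non-kernel frame is a different module or offset land in a different bucket, which is how a single programming error can be separated from the general background of crashes in the same driver.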
 

We make this information available to driver owners so they can assess their own reliability via the Hardware Dev Center analytics dashboard. As we can see from the above, any reliability problem like this invalid memory access issue can lead to widespread availability issues when not combined with safe deployment practices. Let’s dig into why security solutions leverage kernel drivers on Windows.
 

Why do security solutions leverage kernel drivers?


Many security vendors such as CrowdStrike and Microsoft leverage a kernel driver architecture and there are several reasons for this.
 

Visibility and enforcement of security related events


Kernel drivers allow for system wide visibility, and the capability to load in early boot to detect threats like boot kits and root kits which can load before user-mode applications. In addition, Microsoft provides a rich set of capabilities such as system event callbacks for process and thread creation and filter drivers which can watch for events like file creation, deletion, or modification. Kernel activity can also trigger call backs for drivers to decide when to block activities like file or process creations. Many vendors also use drivers to collect a variety of network information in the kernel using the NDIS driver class.
 

Performance


Kernel drivers are often utilized by security vendors for potential performance benefits. For example, analysis or data collection for high throughput network activity may benefit from a kernel driver. There are many scenarios where data collection and analysis can be optimized for operation outside of kernel mode and Microsoft continues to partner with the ecosystem to improve performance and provide best practices to achieve parity outside of kernel mode.
 

Tamper resistance


A second benefit of loading into kernel mode is tamper resistance. Security products want to ensure that their software cannot be disabled by malware, targeted attacks, or malicious insiders, even when those attackers have admin-level privileges. They also want to ensure that their drivers load as early as possible so that they can observe system events at the earliest possible time. Windows provides a mechanism to launch drivers marked as Early Launch Antimalware (ELAM) early in the boot process for this reason. CrowdStrike signs the above CSboot driver as ELAM, enabling it to load early in the boot sequence.
 

In the general case, there is a tradeoff that security vendors must rationalize when it comes to kernel drivers. Kernel drivers provide the above properties at the cost of resilience. Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are by nature constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode.
 

All code operating at kernel level requires extensive validation because it cannot fail and restart like a normal user application. This is universal across all operating systems. Internally at Microsoft, we have invested in moving complex Windows core services from kernel to user mode, such as font file parsing from kernel to user mode.
 

It is possible today for security tools to balance security and reliability. For example, security vendors can use minimal sensors that run in kernel mode for data collection and enforcement, limiting exposure to availability issues. The remaining key product functionality, including update management, content parsing, and other operations, can run isolated in user mode, where recovery is possible. This demonstrates the best practice of minimizing kernel usage while still maintaining a robust security posture and strong visibility.


Figure 2 Example security product architecture which balances security and reliability
 

Windows provides several user mode protection approaches for anti-tampering, like Virtualization-based security (VBS) Enclaves and Protected Processes that vendors can use to protect their key security processes. Windows also provides ETW events and user-mode interfaces like Antimalware Scan Interface for event visibility. These robust mechanisms can be used to reduce the amount of kernel code needed to create a security solution, which balances security and robustness.
 

How does Windows help ensure the quality of security related third-party products?


Microsoft engages with third-party security vendors through an industry forum called the Microsoft Virus Initiative (MVI). This group consists of Microsoft and Security Industry and was created to establish a dialogue and collaboration across the Windows security ecosystem to improve robustness in the way security products use the platform. With MVI, Microsoft and vendors collaborate on the Windows platform to define reliable extension points and platform improvements, as well as share information about how to best protect our customers.
 

Microsoft works with members of MVI to ensure compatibility with Windows updates, improve performance, and address reliability issues. MVI partners actively participating in the program contribute to making the ecosystem more resilient and gain benefits including technical briefings, feedback loops with Microsoft product teams, and access to antimalware platform features such as ELAM and Protected Processes. Microsoft also provides runtime protection such as Patch Guard to prevent disruptive behavior from kernel driver types like anti-malware.
 

In addition, all drivers signed by the Microsoft Windows Hardware Quality Labs (WHQL) must run a series of tests and attest to a number of quality checks, including using fuzzers, running static code analysis and testing under runtime driver verification, among other techniques. These tests have been developed to ensure that best practices around security and reliability are followed. Microsoft includes all these tools in the Windows Driver Kit used by all driver developers. A list of the resources and tools is available here.
 

All WHQL signed drivers are run through Microsoft’s ingestion checks and malware scans and must pass before being approved for signing. Additionally, if a third-party vendor chooses to distribute their driver via Windows Update (WU), the driver also goes through Microsoft’s flighting and gradual rollout processes to observe quality and ensure the driver meets the necessary quality criteria for a broad release.
 

Can customers deploy Windows in a higher security mode to increase reliability?


Windows at its core is an open and versatile OS, and it can easily be locked down for increased security using integrated tools. In addition, Windows is constantly increasing security defaults, including dozens of new security features enabled by default in Windows 11.
 
Security features enabled by default in Windows 11

Hardware Security Baseline
  - TPM 2.0
  - Secure Boot
  - Virtualization-based security (VBS)
  - Memory integrity (Hypervisor-protected Code Integrity, HVCI)
  - Hardware-enforced stack protection
  - Kernel Direct Memory Access (DMA) protection
  - HW-based kernel protection (HLAT)
  - Enhanced sign-in security (ESS) for built-in biometric sensors

Encryption
  - BitLocker (commercial)
  - Device Encryption (consumer)

Identity Management
  - Credential Guard
  - Entra primary refresh token (PRT) hardware protected
  - MDM-deployed SCEP certs hardware protected
  - MDM enrollment certs hardware protected
  - Local Security Authority (LSA) PPL prevents token/credential dumping
  - Account lockout policy (for 10 failed sign-ins)
  - Enhanced phishing protection with Microsoft Defender
  - Microsoft Defender SmartScreen
  - NPLogonNotification doesn't include password
  - WDigest SSO removed to reduce password disclosure
  - AD Device Account protected by CredGuard*

Multi-Factor Authentication (Passwordless)
  - MSA & Entra users led through Hello enablement by default
  - MSA password automatically removed from Windows if never used
  - Hello container VSM protected
  - Peripheral biometric sensors blocked for ESS-enabled devices
  - Lock on leave integrated into Hello

Security Incident Reduction
  - Common Log File System run from trusted source
  - Move tool-tip APIs from kernel to user mode
  - Modernize print stack by removing untrusted drivers
  - DPAPI moved from 3DES to AES
  - TLS 1.3 default with TLS 1.0/1.1 disabled by default
  - NTLM-less*

OS lockdown
  - Microsoft Vulnerable Driver Blocklist
  - 3P driver security baseline enforced via WHCP
  - Smart App Control*

* Feature available in the Windows Insider Program or currently off by default and on a path for default enablement
     
Windows has integrated security features to self-defend. This includes key anti-malware features enabled by default, such as:
  1. Secure Boot, which helps prevent early boot malware and rootkits by enforcing signing consistently across Windows boots.
  2. Measured Boot, which provides TPM-based hardware cryptographic measurements on boot-time properties available through integrated attestation services such as Device Health Attestation.
  3. Memory integrity (also known as hypervisor-protected code integrity or HVCI), which prevents runtime generation of dynamic code in the kernel and helps ensure control flow integrity.
  4. Vulnerable driver blocklist, which is on by default, integrated into the OS, and managed by Microsoft. This complements the malicious driver block list.
  5. Protected Local Security Authority is on by default in Windows 11 to protect a range of credentials. Hardware-based credential protection is on by default for enterprise versions of Windows.
  6. Microsoft Defender Antivirus is enabled by default in Windows and offers anti-malware capabilities across the OS.

These security capabilities provide layers of protection against malware and exploitation attempts in modern Windows. Many Windows customers have leveraged our security baseline and Windows security technologies to harden their systems and these capabilities collectively have reduced the attack surface significantly.
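As an added example (not from the Microsoft post or Microsoft's own tooling), a PowerShell check that reports whether the default-on protections just listed are actually active on a given device. The Win32_DeviceGuard class, the Lsa and CI\Config registry values and the Defender and TPM cmdlets are Microsoft's documented locations; the Get-RegDword helper is this example's own.

```powershell
# Added example (not from the Microsoft post): report whether the default-on
# Windows 11 protections described above are active on this machine.
# Run from an elevated PowerShell session on Windows 11.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
$running = @($dg.SecurityServicesRunning)   # 1 = Credential Guard, 2 = HVCI (memory integrity)

function Get-RegDword([string]$Path, [string]$Name) {
    # Helper for this example: returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = [ordered]@{
    'Secure Boot'                   = { Confirm-SecureBootUEFI }                  # throws on legacy BIOS
    'TPM present and ready'         = { $t = Get-Tpm; $t.TpmPresent -and $t.TpmReady }
    'VBS running'                   = { $dg.VirtualizationBasedSecurityStatus -eq 2 }   # 2 = running
    'Memory integrity (HVCI)'       = { $running -contains 2 }
    'Credential Guard'              = { $running -contains 1 }
    'Protected LSA (RunAsPPL)'      = { (Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL') -ge 1 }
    # Absent value means the OS default applies (on in Windows 11 22H2 and later);
    # an explicit 0 is a deliberate opt-out, which is what we want to surface.
    'Vulnerable driver blocklist'   = { (Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' 'VulnerableDriverBlocklistEnable') -ne 0 }
    'Defender real-time protection' = { (Get-MpComputerStatus).RealTimeProtectionEnabled }
}

$results = foreach ($name in $checks.Keys) {
    try   { $ok = [bool](& $checks[$name]) }
    catch { $ok = $false }   # missing cmdlet or unsupported hardware is reported as not verified
    [pscustomobject]@{ Check = $name; Enabled = $ok }
}
$results | Format-Table -AutoSize
# Anything reported as False is a gap between the defaults the post describes and
# this device's actual posture, and is worth confirming through DHA or your MDM.
```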
 
Using the integrated security features of Windows to prevent adversary attacks such as those displayed in the MITRE ATT&CK® framework increases security while reducing cost and complexity. It leverages best practices to achieve maximum security and reliability. These best practices include:

  1. Using App Control for Business (formerly Windows Defender Application Control), you can author a security policy to allow only trusted and/or business-critical apps. Your policy can be crafted to deterministically and durably prevent nearly all malware and "living off the land" style attacks. It can also specify which kernel drivers are allowed by your organization to durably guarantee that only those drivers will load on your managed endpoints.
  2. Use Memory integrity with a specific allow list policy to further protect the Windows kernel using Virtualization-based security (VBS). Combined with App Control for Business, memory integrity can reduce the attack surface for kernel malware or boot kits. This can also be used to limit any drivers that might impact reliability on systems.
  3. Running as Standard User and elevating only as necessary. Companies that follow the best practices to run as standard user and reduce privileges mitigate many of the MITRE ATT&CK® techniques.
  4. Use Device Health Attestation (DHA) to monitor devices for the right security policy, including hardware-based measurements for the security posture of the machine. This is a modern and exceptionally durable approach to ensure security for high availability scenarios and uses Microsoft's Zero Trust architecture.
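As an added example of practices 1 and 2 above (not from the Microsoft post): an App Control for Business policy generated from a known-good reference machine, with kernel drivers required to carry a WHQL signature, staged in audit mode so that what it would block can be reviewed before enforcement. It uses the ConfigCI cmdlets that ship with Windows and the single-policy (legacy) deployment format for brevity; the file paths are placeholders.

```powershell
# Added example (not from the Microsoft post): author, stage and audit an
# App Control for Business (WDAC) policy. Run elevated on the reference machine.
Import-Module ConfigCI

$policyXml = 'C:\Policies\BaselinePolicy.xml'   # placeholder paths
$policyBin = 'C:\Policies\BaselinePolicy.cip'

# 1. Scan the reference machine. Publisher-level rules survive routine vendor
#    updates; unsigned binaries fall back to per-file hashes. -UserPEs also
#    covers user-mode code, not only drivers. (A full-disk scan takes a while.)
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $policyXml

# 2. Rule options (the numbers are Microsoft's fixed option IDs):
Set-RuleOption -FilePath $policyXml -Option 3    # Enabled:Audit Mode  -> log, do not block (yet)
Set-RuleOption -FilePath $policyXml -Option 2    # Required:WHQL       -> kernel drivers must be WHQL-signed
Set-RuleOption -FilePath $policyXml -Option 9    # Enabled:Advanced Boot Options Menu (keeps a recovery path)
Set-RuleOption -FilePath $policyXml -Option 10   # Enabled:Boot Audit On Failure

# 3. Compile the XML to the binary form Code Integrity reads and stage it;
#    the policy takes effect after the next reboot.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
Copy-Item $policyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force

# 4. After running normal workloads under audit mode, list what would have been
#    blocked. Event 3076 = audit-mode violation; 3077 = block under enforcement.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# 5. Only once the audit log contains nothing you still need, drop audit mode and
#    redo steps 3 and 4 (now watching for 3077) to enforce the policy:
# Set-RuleOption -FilePath $policyXml -Option 3 -Delete
```

Required:WHQL refuses any kernel driver without a WHQL signature, so check the audit events for older but legitimate drivers before enforcing; those need an explicit signer or hash rule added to the policy.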

 
What is next?


Windows is a self-protecting operating system that has produced dozens of new security features and architectural changes in recent versions. We plan to work with the anti-malware ecosystem to take advantage of these integrated features to modernize their approach, helping to support and even increase security along with reliability.
 
This includes helping the ecosystem by:

  1. Providing safe rollout guidance, best practices, and technologies to make it safer to perform updates to security products.
  2. Reducing the need for kernel drivers to access important security data.
  3. Providing enhanced isolation and anti-tampering capabilities with technologies like our recently announced VBS enclaves.
  4. Enabling zero trust approaches like high integrity attestation which provides a method to determine the security state of the machine based on the health of Windows native security features.

 
As we move forward, Windows is continuing to innovate and offer new ways for security tools to detect and respond to emerging threats safely and securely. Windows has announced a commitment around the Rust programming language as part of Microsoft’s Secure Future Initiative (SFI) and has recently expanded the Windows kernel to support Rust.
 
The information in this blog post is provided as part of our commitment to communicate learnings and next steps after the CrowdStrike incident. We will continue to share ongoing guidance on security best practices for Windows and work across our broad ecosystem of customers and partners to develop new security capabilities based on your feedback.


Excerpts from Hacker News user comments

Link: https://news.ycombinator.com/item?id=41095530

rdtsc:

We plan to work with the anti-malware ecosystem to take advantage of these integrated features to modernize their approach, helping to support and even increase security along with reliability.
Providing safe rollout guidance, best practices, and technologies to make it safer to perform updates to security products.
 
Reducing the need for kernel drivers to access important security data.

They are being as diplomatic as they can, but it's definitely a slap to CS. Read as "they don't know how to roll things out, they need guidance on basic QA practices, we'll happily teach them...". Then, they list a set of facilities running in user-mode to avoid needing to run as many things in kernel mode.
 
I would be interested what the water cooler discussion about CS was like inside Microsoft. Especially in teams needed to respond to customers about "Your windows OS is broken, our hospital patients are suffering...".

dmattia:
I suppose I was expecting something more authoritative here. They confirm that there was an attempted read-out-of-bounds, as CrowdStrike said, but that's not really new information at this point. I suppose we'll need to wait for more detailed analysis from CrowdStrike at some point.
 
This post explains why security software has historically run in kernel-mode, and really seems to be pushing new technology that Microsoft has that would push security vendors into user-mode (with APIs that attempt to assist with many of the reasons why they have historically used kernel-mode).
 
Crowdstrike already runs in user-mode on both Mac and Linux (from what I can tell), and it seems like running in user-mode on Windows would significantly lessen the risk of catastrophic failures like a blue-screen-of-death. I know the bulk of the failures here belong to CrowdStrike, but I can't help but think about the fact that Apple kicked security vendors out of kernel-mode a ways back, and that if Windows had done similarly, an issue like this probably wouldn't have been possible. By even offering kernel-mode options to external vendors, I believe Microsoft is creating risk for themselves.

 
 
Rinzler89:

I can't help but think about the fact that Apple kicked security vendors out of kernel-mode a ways back, and that if Windows had done similarly, an issue like this probably wouldn't have been possible

Like others already said, Microsoft already tried to do that with PatchGuard in 2006 with the launch of Windows Vista and the likes of Symantec and McAfee complained to the EU about this would harm the sales of their products, so the EU told Microsoft to not do it in 2009[1].
 
Apple has the luxury of a small market share on the desktop PC space to not attract the attention of the regulators, plus a user base that's used to Apple constantly rewriting the OS, deprecating APIs, switching CPU architectures, etc. without giving a fuck about breaking backwards compatibility or cutting off developers access to OS features their products use and getting away with it, luxuries that Microsoft doesn't have.
 
IMHO, sticking with Windows' default security and not using third party anti-malware has made Windows vastly more secure and reliable than it was in the days when you'd be looking at installing the likes of Symantec or McAfee for your "protection" which ended up acting like malware after a while throwing dark patterns at you to milk more subscription fees, so as much as it hurts their sales, it's important for the regulators to understand that security is far more important than the regulations they put on Windows for Internet Explorer and Media Player and just like Apple's App Store, it's sometimes better to let the original product maker handle security and not leave the product open at all points just so some of these bandits can make a living selling security for it. It's like foxes complaining to regulators how chicken wire is a threat to their existence.

[1] https://stratechery.com/2024/crashes-and-competition/

mort96:

The EU requires MS to provide kernel-level access to security vendors due to their crazy anti-compete provisions


 
 
binkHN:

This seems to be only partially true when I read into it. The EU said that Microsoft would need to move their security tools into user-space (or at least to use the same APIs as are available in user-space). If they did that (like Apple has done), they could kick everyone out of kernel-space if they wanted.


whiplash451:
Or maybe crowdstrike is dealing with the hardest threats and hence ends up having to rollout stuff rapidly against zero-days?
 
Not a CS fanboy, but just wanted to suggest an alternative to sheer incompetence
 
 
7bit:
I like the positivity that led to your suggestion. But I find it hard to follow the argumentation.
 
They know that mistakes can take out thousands and thousands of devices, therefore it is imperative they prioritize stability over rollout speed. They have more direct access to devices, than any 0-day would ever have, therefore there is a significant risk that they do more damage with an update than any 0-day ever could.
 
You have to remember, a 0-day could come to existence that threatens every system, but that usually happens once every couple of years (last one of that category was probably Blaster/I LOVE YOU). But CS risks of damaging the system every couple of hours with an update. Therefore, it should be tested to make absolutely sure it doesn't cause crashes.
 
IMHO, it was sheer negligence and incompetence.

