[mrpippy]

> Once Microsoft's eBPF support for Windows becomes production-ready, Windows security software can be ported to eBPF as well.

This doesn’t seem grounded in reality. If you follow the link to the “hooks” that Windows eBPF makes available [1], it’s just for incoming packets and socket operations. IOW, MS is expecting you to use the Berkeley Packet Filter for packet filtering. Not for filtering I/O, or object creation/use, or any of the other million places a driver like Crowdstrike’s hooks into the NT kernel.

In addition, they need to be in the kernel in order to monitor all the other 3rd party garbage running in kernel-space. ELAM (early-launch anti-malware) loads anti-malware drivers first so they can monitor everything that other drivers do. I highly doubt this is available to eBPF.

If Microsoft intends eBPF to be used to replace kernel-space anti-malware drivers, they have a long, long way to go.

[1]: https://microsoft.github.io/ebpf-for-windows/ebpf__structs_8...

[brendangregg]

Yes, we know eBPF must attach to equivalent events to Linux, but given there are already many event sources and consumers in Windows, the work is to make eBPF another consumer -- not to invent instrumentation frameworks from scratch.

Just to use an analogy: Imagine people do their banking on JavaScript websites with Google Chrome, but if they use Microsoft Edge it says "JavaScript isn't supported, please download and run this .EXE". I'm not sure we'd be asking "if" Microsoft would support JavaScript (or eBPF), but "when."

[surajrmal]

This assumes eBPF becomes the standard. It's not clear Microsoft wants that. They could create something else which integrates with dot net and push for that instead.

Also this problem of too much software running in the kernel in an unbounded manner has long existed. Why should Microsoft suddenly invest in solving it on Windows?

[wongarsu]

Microsoft has invested in solving this for at least two decades, probably longer. They are just using a different (arguably worse) approach to this than the Unix world.

In Windows 9x anti-malware would just run arbitrary code in the kernel that hooked whatever it wanted. In Windows XP a lot of these things got proper interfaces (like the file system filter drivers to facilitate scanning files before they are accessed, later replaced by minifilters), and the 64 bit edition of XP introduced PatchGuard [1] to prevent drivers from modifying Microsoft's kernel code. Additionally Microsoft is requiring ever more static and dynamic analysis to allow drivers to be signed (and thus easily deployed).

This is a very leaky security barrier. Instead of a hardware-enforced barrier like the kernel-userspace barrier it's an effort to get software running at the same protection level to behave. PatchGuard is a cat-and-mouse game Microsoft is always loosing, and the analysis mostly helps against memory bugs but can't catch everything. But MS has invested a lot of work over the years in attempts to make this path work. So expecting future actions isn't unreasonable.

[1] https://en.wikipedia.org/wiki/Kernel_Patch_Protection

[Analemma_]

This is a weird reading of history. Microsoft has spent tons of effort getting as much code out of the kernel as possible: Windows drivers used to be almost all kernel-mode, now they're nearly all in userspace and you almost never need to write a kernel-mode Windows driver unless you're doing something with deep OS hooks (like CS was, although apparently even that wasn't actually necessary). The safeguards on kernel code are for the tiny sliver of use cases left that need it, it is not Microsoft patching individual holes on the leaky ship.

They haven't yet gone as far as Apple in banning third-party kernel-mode code entirely, but I wouldn't be surprised if it's coming.

[tptacek]

A thing I think a lot of people don't include in their premises about Crowdstrike is that they're probably the most significant aftermarket endpoint security product in the world (they are what Norton and McAfee were in 2000), which means they're more than large enough for malware to target their code directly, which creates interesting constraints for where their code can run.

I'm not saying I'd run it (I would not), just that I can see why they have a lot of kernel-resident code.

[jolux]

> I'm not saying I'd run it (I would not), just that I can see why they have a lot of kernel-resident code.

What would you run instead, or is there a different way of thinking about the problem it addresses that obviates the need?

[roenxi]

Microsoft made the reasonable point that locking 3rd parties out of the kernel might have resulted in legal challenges in the EU [0]. It is an interesting case where everyone is certain in hindsight that they would have been ok with MS blocking access, but it is less obvious that they would have taken that view if MS had pressured a bunch of security products out of the kernel with no obvious prompting.

[0] https://www.theregister.com/2024/07/22/windows_crowdstrike_k...

[Archelaos]

The 2009 agreement with the EU mentioned in the article seems to be the one about the integration of the Internet Explorer (IE) into MS Windows.[1] But it only applied to IE and the commitment was limited to 5 years.[2]

Or is the article referring to something else?

I see no reason why the EU should object to Microsoft's adoption of eBPF as long as MS Defender simply uses the same API that is available to all competitors.

[1] Here is the original text: https://ec.europa.eu/competition/antitrust/cases/dec_docs/39...

[2] See section 4, paragraph 20.

[philistine]

Apple took the lead on this front. It has closed easy access to the kernel by apps, and made a list of APIs to try and replace the lost functionality. Anyone maintaining a kernel module on macOS is stuck in the past.

Of course, the target area of macOS is much smaller than Windows, but it is absolutely possible to kick all code, malware and parasitic security services alike, from accessing the kernel.

The safest kernel is the one that cannot be touched at runtime.

[nullindividual]

I don't think Microsoft has a choice with regards to kernel access. Hell, individuals currently use undocumented NT APIs. I can't imagine what happens to backwards compat if kernel access is closed.

Apple's closed ecosystem is entirely different. They'll change architectures on a whim and users will go with the flow (myself included).

[becurious]

But Apple doesn’t have the industrial and commercial uses that Linux and Windows have. Where you can’t suddenly switch out to a new architecture without massive amounts of validation costs.

At my previous job they used to use Macs to control scientific instrumentation that needed a data acquisition card. Eventually most of the newer product lines moved over to Windows but one that was used in a validated FDA regulated environment stayed on the Mac. Over time supporting that got harder and harder: they managed through the PowerPC to Intel transition but eventually the Macs with PCIe slots went away. I think they looked at putting the PCIe card in a Thunderbolt enclosure. But the bigger problem is guaranteeing supply of a specific computer for a reasonable amount of time. Very difficult to do these days with Macs.

[nullindividual]

> validated FDA regulated environment stayed on the Mac

Given how long it takes to validate in a GxP environment, and the cost, this makes sense.

[adolph]

Sounds like they need a nice Hackintosh for that validated FDA regulation app-OS-HW combo.

[philistine]

See Satya Nadella has recently said that Microsoft will now put security above any other value at Microsoft. He specifically even singled out backwards compatibility.

https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...

Microsoft is a big boat. It takes a long time to turn if the captain orders it. But the captain has ordered it. I expect the sacrosanct nature of back compat to eventually die. Windows will never turn into the moving target that macOS is, but I expect a lot of old stuff to just stop working, when security concerns dictate they should be removed.

[Xunjin]

> The safest kernel is the one that cannot be touched at runtime.

Can you expand what you mean here? Because depending on the application you are running, you will need at least talk with some APIs to get privileged access?

[Agingcoder]

Being allowed to talk to the kernel to get info and running with the same privileges ( basically being able to read / write any memory ) is different.

[odo1242]

Yeah, Apple doesn’t allow any user code to run in kernel mode without significant hoops (the kernel is code signed) and tries to provide a user space API (e.g. DriverKit) as an alternative for the missing functionality.

Some things (FUSE) are still annoying though.

[duskwuff]

> Some things (FUSE) are still annoying though.

That should get much easier in macOS Sequoia with FSKit.

https://developer.apple.com/documentation/fskit/

[brendangregg]

Microsoft have been driving the work to make eBPF an IETF industry standard.

[riskable]

...just like they did with Kerberos! And just like with Kerberos they'll define a standard then refuse to follow it. Instead, they will implement subtle changes to the Windows implementation that make solutions that use Windows eBPF incompatible with anything else, making it much more difficult to write software that works with all platforms eBPF (or even just its output).

Everything's gotta be different in Windows land. Otherwise, migrating off of Windows land would be too easy!

In case you were wondering what Microsoft refused to implement with its Kerberos implementation it's the DNS records. Instead of following the standard (they wrote!) they decided that all Windows clients will use AD's Global Catalog to figure out which KDC to talk to (e.g. which one is "local" or closest to the client). Since nothing but Windows uses the Global Catalog they effectively locked out other platforms from being able to integrate with Windows Kerberos implementation as effectively (it'll still work, just extremely inefficiently as the clients won't know which KDC is local so you either have to hard-code them into the krb5.conf on every single device/server/endpoint and hope for the best or DNS-and-pray you don't get a Domain Controller/KDC that's on an ISDN line in some other country).

[xp84]

This to me ascribes way too much to mustache-twirling villainy at Microsoft, but to me fails to account for the fact that engineers surely make many of these implementation-detail decisions. These engineers aren’t incentivized to create lock-in. I think it’s more likely that sometimes for a feature to play well with other existing parts of the Windows ecosystem, compromises are made to the standards-compliance. Microsoft may have shipped those related interfaces before this standard had been hashed out, so they have a choice to break everything or to not perfectly follow the standard.

Note: I’m not a Windows dev so I can’t speak to specifics of anything like your Kerberos example. I just don’t believe MS is full of evil engineers, nor that Satya Nadella visits cubicles to promote lock-in practices.

[CRConrad]

> These engineers aren’t incentivized to create lock-in.

Ever heard of something called “money”?

> I think it’s more likely that sometimes for a feature to play well with other existing parts of the Windows ecosystem, compromises are made to the standards-compliance.

So you're basically saying that you're too young to remember the “good” old days of Embrace, Extend, Extinguish, right...?

[MawKKe]

Embrace, extend, ...

[jrockway]

This doesn't really seem like their strategy anymore. It's not like Edge directly interprets Typescript, for example. While they embraced and extended Javascript, any extinguishing seems to be on the technical merits rather than corporate will.

In the case of security scanners that run in the kernel, we learned this weekend that a market need exists. The mainstream media blamed Crowdstrike's bugs on "Windows". Microsoft would likely like to wash its hands of future events of this class. Linux-like eBPF is a path forward for them that allows people to run the software they want (work-slowers like Crowdstrike) while isolating their reputation from this software.

[numbsafari]

> Why should Microsoft suddenly invest in solving it on Windows?

If they can continue to avoid commercial repercussions for failing to provide a stable and secure system, then society should begin to hold them to account and force them to.

I’m not necessarily advocating for eBPF here, either. If they want to get there through some “proprietary” means, so be it. Apple is doing much the same on their end by locking down kexts and providing APIs for user mode system extensions instead. If MS wants to do this with some kind of .net-based solution (or some other fever dream out of MSR) then cool. The only caveat would seem to be that they are under a number of “consent decree” type agreements that would require that their own extensions be implemented on a level playing field.

So what. Windows Defender shouldn’t be in the kernel any more than CrowdStrike. Add an API. If that means being able to send eBPF type “programs” into kernel space, cool. If that means some user mode APIs, cool.

But lock it down already.

[safety1st]

Not necessarily disagreeing with you, but as far as 'avoiding commercial repercussions' goes... Windows' share of the desktop OS has market has been declining for almost 20 years at the rate of about 1% per year. And about 70% of the global installed base is still on Windows 10.

They have a long way to fall, but I'm not sure that if I'm a regulator I look at that and say there needs to be some kind of intervention by society apart from what market forces are gradually doing anyway.

[doctorpangloss]

Windows development on eBPF is slower than Linux development on eBPF, so it will never be supported. A source code user licensee could develop it faster, but who licenses Windows source and already has great eBPF experience?

[nullindividual]

Microsoft already has an extensible file system filter capability in place, which is what current AV uses. Does it make sense to add eBPF on top of that and if so, are there any performance downsides, like we see with file system filters?

[mauvehaus]

They've done a technology transition once already from legacy file system filter drivers to the minifilter model. If they see enough benefit to another change, it wouldn't be unprecedented.

Mind you, it looks like after 20-ish years Windows still supports loading legacy filter drivers. Given the considerable work that goes into getting even a simple filesystem minifilter driver working reliably, it's safe to assume that we'd be looking at a similarly protracted transition period.

As to the performance, I don't think the raw infrastructure to support minifilters is the major performance hit. The work the drivers themselves end up doing tends to be the bigger hit in my experience.

Some background for the curious:

https://www.osr.com/nt-insider/2019-issue1/the-state-of-wind...

[shahahqq]

I hope though that Microsoft will double down on their eBPF support for Windows after this incident.

[benfortuna]

Keep in mind they don't just allow any old code to execute in the kernel.

They do have rigorous tests (WHQL), it's just Crowdstrike decided that was too burdensome for their frequent updates, and decided to inject code from config files (thus bypassing the control).

The fault here is entirely with Crowdstrike.

[capitainenemo]

Is there any evidence that the config files had arbitrary code in them? The only analysis I'd seen so far indicated a parsing error loading a viral signature database that was routinely updated, but in this case was full of garbage data.

[benfortuna]

Perhaps not verified, but some smart people do have convincing arguments:

https://youtu.be/wAzEJxOo1ts?si=UNNxAN27VV1E6mcP&t=505

[capitainenemo]

Any article/blog/text-that-can-be-read?

[alecco]

Don't bother. He just repeats a tweet saying a null+offset dereference and also the speculation of that null picked from the sys file.

[remram]

How rigorous are the tests if faulty data can brick the machine?

[dwattttt]

Not rigorous enough to have detected this flaw in the kernel sensor, although effectively any bug in this situation (an AV driver) can brick a machine. I imagine WHQL isn't able to find every possible bug in a driver you submit to them, they're not your QA team.

[stackskipton]

Doubt it. Microsoft is clearly over Windows. They continue to produce it but every release feels like "Ugh, fine, since you are paying me a ton of money."

Internally, Microsoft is running more and more workloads on Linux and externally, I've had .Net team tell me more than once that Linux is preferred environment for .Net. SQL Server team continues to push hard for Linux compatibility with every release.

EDIT: Windows Desktop gets more love because they clearly see that as important market. I'm talking more Windows Server.

[mosburger]

> SQL Server team continues to push hard for Linux compatibility with every release.

It's kinda funny that the DB that was once a fork of Sybase that was ported to Windows is trying to make its way back to Unix.

[throwaway2037]

This claim about SQL Server: Is it due to disk access being slower from NT kernel compared to Linux kernel?

[riskable]

I had read previously from an unverified SQL Server engineer that the thing they wanted most (with Linux support) was proper containerization (from a developer perspective). Apparently containers on Windows just don't cut it (which is why nobody uses them in production). Take it with a grain of salt though.

I don't think they'd ever admit that filesystem performance was an issue (though we all know it is; NTFS is over 30 years old!).

[shawnz]

> though we all know it is; NTFS is over 30 years old!

ext2, which is forwards compatible with ext3 and ext4, is slightly older than NTFS

[nrr]

It's my understanding, having done benchmarks on file access on Windows, that NTFS itself is not the problem. It's old, but the revision of the on-disk structure that we use today hails from Windows XP, and it's about on par in terms of feature parity (and backwards compatibility, given that I can still read native NT 3.51 volumes on Windows 11) with ext4.

A lot of the weirdly bad performance comes from all of the machinery that Windows wraps around file access for things like filter drivers. As long as you don't, say, indiscriminately follow every CreateFile() with a CloseHandle() and instead treat handle closure like garbage collection, you can actually eke out pretty good performance.

That all said, yeah, Windows containers are less than great for what I'd argue is one strikingly glaring flaw: Docker container images are built from smss.exe upward. That makes them not immediately portable between ntoskrnl.exe releases.

[stackskipton]

It's just easier for everyone involved (outside Windows GUI clicker admins) if it runs on Linux. Containerization is easier, configuration is easier and operating system is much more robust.

[psd1]

Operating system can be more robust, depending on admin skill. Let idiots configure and operate your rhel and you may not get those five nines.

There are costs to it, in the form of architectural baggage and slower iteration, but what windows brings to the table is a deck swept mostly clear of footguns. That can give you a different form of robustness.

[marcosdumay]

There's something very wrong with Windows disk access, you can see it easily by trying to run a Windows desktop with rotating disks.

But SQL Server is in the unique position of being able to optimize Windows for their own needs. So they shouldn't have this kind of problem.

[devbent]

The file system is almost 30 years old.

When NTFS came out it was way better than anything on Linux. Heck even in 2006 NTFS was better.

But Linux keeps getting new file systems while Windows keeps NTFS.

[marcosdumay]

AFAIK, NTFS is a perfectly ok design. But the Windows file system never performed well. This is probably not for architectural reasons.

And no, it didn't perform better at NT4, XP, or Win7 times.

[kevincox]

They aren't over windows. They continue to be incredibly interested in and actively developing how much money they can suck from their users. Especially via various forms of ads.

But yeah, kernel features are few and far between.

[queuebert]

I believe the term you are looking for is "rent seeking". Other than visual changes, what new functionality does Windows 11 actually have that Windows XP didn't have? (I'm being generous with XP, because actually 95 was already mostly internet ready.) Yet how many times have many of us paid for a Windows license on a new computer or because the old version stopped getting updates?

[pcwalton]

> Other than visual changes, what new functionality does Windows 11 actually have that Windows XP didn't have?

Off the top of my head, limiting myself to just NT kernel stuff: WSL and Hyper-V, pseudo-terminals, condvars, WDDM, DWM, elevated privilege programs on the same desktop, font driver isolation, and limiting access to win32k for sandboxing.

[recursive]

> what new functionality does Windows 11 actually have that Windows XP didn't have? (

Off the top of my head, built-in bluetooth support, an OS-level volume mixer, and more support for a wider variety of class-compliant devices. I'm sure there are a lot more, and if you actually care about the answer, I don't think it would be hard to find.

[queuebert]

All of this could've been added to XP, right?

[vitus]

> Other than visual changes, what new functionality does Windows 11 actually have that Windows XP didn't have?

Modern crypto ciphersuites that aren't utterly broken? Your best options for symmetric crypto with XP are 3DES (officially retired by NIST as of this year) and RC4 (prohibited in TLS as of RFC 7465).

(And if you think 3DES isn't totally broken by itself, you're right... except for the part where the ciphersuite in question is in CBC mode and is vulnerable to BEAST. Thanks, mandated ciphersuites.)

[wolrah]

> Other than visual changes, what new functionality does Windows 11 actually have that Windows XP didn't have?

XP->Vista alone brought a bunch of huge changes that massively improved security (UAC), capability (64 bit desktops), and future-proofing (UEFI) among many many other things.

Some helpful Wikipedia editors have answered this question in excessive detail, so I'm just going to link those for more info. Also I'm going to start with what XP changed from 2003 both because it makes a good comparison and I'd argue 2000/NT 5.0 is the root of the modern Windows era. Your next sentence after the quote implies you probably won't have a problem with that.

* XP/2003: https://en.wikipedia.org/wiki/Features_new_to_Windows_XP

* 2003R2: https://en.wikipedia.org/wiki/Windows_Server_2003#Windows_Se...

* Vista: https://en.wikipedia.org/wiki/Features_new_to_Windows_Vista

* 2008: https://en.wikipedia.org/wiki/Windows_Server_2008#Features

* 7: https://en.wikipedia.org/wiki/Features_new_to_Windows_7

* 2008R2: https://en.wikipedia.org/wiki/Windows_Server_2008_R2#New_fea...

* 8: https://en.wikipedia.org/wiki/Features_new_to_Windows_8

* 2012: https://en.wikipedia.org/wiki/Windows_Server_2012#Features

* 8.1: https://en.wikipedia.org/wiki/Windows_8.1#New_and_changed_fe...

* 2012R2: https://en.wikipedia.org/wiki/Windows_Server_2012_R2#Feature...

* 10: https://en.wikipedia.org/wiki/Features_new_to_Windows_10

* 2016: https://en.wikipedia.org/wiki/Windows_Server_2016#Features

* 2019: https://en.wikipedia.org/wiki/Windows_Server_2019#Features

* 2022: https://en.wikipedia.org/wiki/Windows_Server_2022#Features

* 11: https://en.wikipedia.org/wiki/Features_new_to_Windows_11

* 2025: https://learn.microsoft.com/en-us/windows-server/get-started...

Obviously some of this will be "fluff" and that's up to your own personal definitions, but to act like there haven't been significant changes in every major revision is just nonsense.

[queuebert]

Well that Windows 11 article is laughably short, considering it's a major version. But I appreciate you taking the time to compile all those links.

My point is the vast majority of this stuff is either "fluff" or cosmetic changes or random things that 99% of users don't use OR they are security and bug patches. HN users are not typical, so I'm sure some of the Windows updates are very important for people like us.

Maybe to Microsoft this is a significant rewrite: "The Calculator has been completely rewritten in C# and includes several new features." (Just picked at random.) Ok, but like why? Who cares? What was wrong with the last calculator? Absolutely nothing. Also who even uses Windows calculator instead of Excel or their phone? Was calculator rewritten to justify an FTE somewhere at Microsoft?

I'm not trying to troll, but I am trying to be contrarian. I honestly feel like a majority of desktop users don't really think too hard about their OS. None of the existing OSes should be significantly rewritten unless they are just completely flawed. Like say Apple decides to ditch the microkernel or Linux goes to Rust. Most people need stability and security, not new calculator features or different button shading. I'm singling out Microsoft for being the only one that rent seeks for superfluous changes. Apple is notoriously bad about wasting users time with constant updates for dumb stuff, but at least it's free, except for the cost of time while your computer slowly reboots and updates.

[rob74]

See also: https://en.wikipedia.org/wiki/Cash_cow

[WatchDog]

SQL Server has supported Linux since 2017