[Info-vax] Computing is Complex (was: Re: A meditation on the Antithesis of the VMS Ethos)
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Mon Jul 29 12:58:51 EDT 2024
On 2024-07-21 09:41:06 +0000, Subcommandante XDelta said:
> A meditation on the Antithesis of the VMS Ethos, and the DEC way.
A heady mix of entertainment and omissions and economically-problematic
hopes and dreams, that.
Brandolini's Law is always in scope, of course. The bulk of the
citations first:
CrowdStrike-related:
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
https://forums.rockylinux.org/t/crowdstrike-freezing-rockylinux-after-9-4-upgrade/14041
https://www.thestack.technology/crowdstrike-bug-maxes-out-100-of-cpu-requires-windows-reboots/
Microsoft has had legal entanglements here:
https://www.techtarget.com/searchsecurity/news/450420491/Microsoft-accused-of-blocking-independent-antivirus-competition
https://www.theregister.com/2024/07/22/windows_crowdstrike_kernel_eu/
Microsoft has been working on security here:
https://www.microsoft.com/en-us/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/
https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-
https://opensource.microsoft.com/blog/2021/05/10/making-ebpf-work-on-windows/
Other vendors have been moving kernel code to user mode, and reducing
the apps that can load extensions, which is somewhat helpful for
security and definitely helpful for avoiding kernel crashes, but then
attacks against user-mode code with access to kernel APIs can be bad,
too.
https://developer.apple.com/support/kernel-extensions/
https://www.sweetwater.com/sweetcare/articles/kernel-extensions-on-mac-with-apple-silicon/
https://ebpf.io on Linux
https://developer.apple.com/documentation/coreservices/file_system_events
(and
https://www.crowdstrike.com/blog/using-os-x-fsevents-discover-deleted-malicious-artifact/
and
https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/
)
https://support.apple.com/guide/security/welcome/web
https://developer.apple.com/documentation/endpointsecurity
As for kernel mode APIs and design more generally, OpenVMS has gaps
here too, with VCI being the not-really-equivalent and
not-generally-documented API for network interface. And it's a kernel
API, with all that entails. The closest analog to the file change
notification API (FSEvents-like) is parsing security alarms arriving
via an app-declared mailbox, something which I've encountered in only a
handful of apps. An approach which gets scruffy. The only
kernel-code-accessing-user-mode mechanism in OpenVMS is the
ill-documented ACP mechanism, which really isn't an isolation mechanism
given it's passing around kernel data structure pointers such as I/O
request packets. Having written various ACPs, that all works pretty
well, but the APIs are very much set up for mounting and dismounting
file systems, and areas such as mount and dismount are completely
lacking customizations, which usually means writing up your own $mount
and $dismou analog. ACPs aren't a great way to avoid kernel code, and
are more intended for allowing kernel code to call outer-mode APIs.
Which is definitely scruffy. IIRC, the TCP/IP Services package — why
that's still separately installed, a packaging decision straight out of
the last millennium — has a kernel callout for packet filtering too,
but that's still not documented AFAIK.
In short, there's no good place to tie in endpoint security, or tools
akin to CrowdStrike. There are no endpoint security APIs.
Outside of legal entanglements, the biggest issue with APIs and API-level
changes for Microsoft is app and API compatibility, and there's a
lineage there from Microsoft back through MICA to OpenVMS and the goal
of OpenVMS compatibility, too. A laudable goal, with
occasionally-intractable results. Such as trying to stuff a modern and
robust password hash into an eight-byte field.
As for the referenced mess, CrowdStrike was basically testing in
production, and seemingly lacked any sort of continuous integration
(what they had reportedly returned a "yep" when it wasn't actually
tested), and given that vendor's other recent issues with other
platforms, hasn't particularly been learning how to deal with and
reduce the damages and damage control arising from their own errors.
Maybe hiring a billionaire former CTO of McAfee as your CEO didn't work
out?
https://en.wikipedia.org/wiki/Continuous_integration
https://www.businessinsider.com/crowdstrike-ceo-george-kurtz-tech-outage-microsoft-mcafee-2024-7?op=1
Alternatives to CrowdStrike exist with some vendors: Microsoft has
Defender (whatever its proper product name is now), Apple has XProtect
and XProtect Remediator and the Signed System Volume and App
Notarization. OpenVMS has no analog. (Yeah, I think you can actually
sign stuff with the long-deprecated CDSA, but I've never seen anybody
use that mechanism outside of OpenVMS Secure Delivery, which itself
moved away from CDSA.) There have been third-party apps that tried to
manage malware and change control on OpenVMS too, and DEC had
DECinspect.
As for the OpenVMS Ethos, the problems and the systems and the
interconnections are vastly more complex than is OpenVMS, and the pace
of required changes in many environments is necessarily far faster
than OpenVMS has ever managed. Any snarking at billionaires and at
ever-loquacious newsletter texts aside, this ever-increasing complexity
is built upon myriad very difficult problems and dependencies. We
aren't ever going back to the pre-millennial era of simpler and less
interconnected computing, either.
Ever-increasing complexity? Yeah. There are issues with Secure Boot and
with self-bricking Intel Raptor Lake 65W+ processors, among many other
recent problems:
https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/
https://www.tomshardware.com/pc-components/cpus/intel-cpu-instability-crashing-bug-includes-65w-and-higher-skus-intel-says-damage-is-irreversible-no-planned-recall
Yeah, and CrowdStrike absolutely blew it. I expect Microsoft will use
some of the fallout to push vendors into APIs, though that push won't
be free of vendor complaints, and not without the possibility of and
the risks of poorly-secured or poorly-written user-mode code now
causing mayhem.
--
Pure Personal Opinion | HoffmanLabs LLC