Subject: Re: Computing is Complex (was: Re: A meditation on the Antithesis of the VMS Ethos)
From: seaohveh (at) *nospam* hoffmanlabs.invalid (Stephen Hoffman)
Groups: comp.os.vms
Date: 29. Jul 2024, 17:58:51
Organization: HoffmanLabs LLC
Message-ID: <v88hob$innj$1@dont-email.me>
References: 1
User-Agent: Unison/2.2
On 2024-07-21 09:41:06 +0000, Subcommandante XDelta said:
A meditation on the Antithesis of the VMS Ethos, and the DEC way.
A heady mix of entertainment and omissions and economically-problematic hopes and dreams, that.
Brandolini's Law is always in scope, of course. The bulk of the citations first:
CrowdStrike-related:
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/
https://forums.rockylinux.org/t/crowdstrike-freezing-rockylinux-after-9-4-upgrade/14041
https://www.thestack.technology/crowdstrike-bug-maxes-out-100-of-cpu-requires-windows-reboots/
Microsoft has had legal entanglements here:
https://www.techtarget.com/searchsecurity/news/450420491/Microsoft-accused-of-blocking-independent-antivirus-competition
https://www.theregister.com/2024/07/22/windows_crowdstrike_kernel_eu/
Microsoft has been working on security here:
https://www.microsoft.com/en-us/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/
https://learn.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-
https://opensource.microsoft.com/blog/2021/05/10/making-ebpf-work-on-windows/
Other vendors have been moving kernel code to user mode, and reducing the apps that can load extensions, which is somewhat helpful for security and definitely helpful for avoiding kernel crashes, but then attacks against user-mode code with access to kernel APIs can be bad, too.
https://developer.apple.com/support/kernel-extensions/
https://www.sweetwater.com/sweetcare/articles/kernel-extensions-on-mac-with-apple-silicon/
https://ebpf.io on Linux
https://developer.apple.com/documentation/coreservices/file_system_events (and
https://www.crowdstrike.com/blog/using-os-x-fsevents-discover-deleted-malicious-artifact/ and
https://www.crowdstrike.com/blog/i-know-what-you-did-last-month-a-new-artifact-of-execution-on-macos-10-13/ )
https://support.apple.com/guide/security/welcome/web
https://developer.apple.com/documentation/endpointsecurity
As for kernel mode APIs and design more generally, OpenVMS has gaps here too, with VCI being the not-really-equivalent and not-generally-documented API for network interface. And it's a kernel API, with all that entails. The closest analog to the file change notification API (FSEvents-like) is parsing security alarms arriving via an app-declared mailbox, something which I've encountered in only a handful of apps. An approach which gets scruffy. The only kernel-code-accessing-user-mode mechanism in OpenVMS is the ill-documented ACP mechanism, which really isn't an isolation mechanism given it's passing around kernel data structure pointers such as I/O request packets. Having written various ACPs, that all works pretty well, but the APIs are very much set up for mounting and dismounting file systems, and areas such as mount and dismount are completely lacking customizations, which usually means writing up your own $mount and $dismou analog. ACPs aren't a great way to avoid kernel code, and are more intended for allowing kernel code to call outer-mode APIs. Which is definitely scruffy. IIRC, the TCP/IP Services package — why that's still separately installed, a packaging decision straight out of the last millennium — has a kernel callout for packet filtering too, but that's still not documented AFAIK.
In short, there's no good place to tie in endpoint security, or tools akin to CrowdStrike. There are no endpoint security APIs.
Outside of legal entanglements, the biggest issue with APIs and API-level changes for Microsoft is app and API compatibility, and there's a lineage there from Microsoft back through MICA to OpenVMS and the goal of OpenVMS compatibility, too. A laudable goal, with occasionally-intractable results. Such as trying to stuff a modern and robust password hash into an eight-byte field.
As for the referenced mess, CrowdStrike was basically testing in production, and seemingly lacked any sort of continuous integration (what they had reportedly returned a "yep" when it wasn't actually tested), and given that vendor's other recent issues with other platforms, hasn't particularly been learning how to deal with and reduce the damages and damage control arising from their own errors. Maybe hiring a billionaire former CTO of McAfee as your CEO didn't work out?
https://en.wikipedia.org/wiki/Continuous_integration
https://www.businessinsider.com/crowdstrike-ceo-george-kurtz-tech-outage-microsoft-mcafee-2024-7?op=1
Alternatives to CrowdStrike exist with some vendors, Microsoft has Defender (whatever its proper product name is now), Apple has XProtect and XProtect Remediator and the Signed System Volume and App Notarization. OpenVMS has no analog. (Yeah, I think you can actually sign stuff with the long-deprecated CDSA, but I've never seen anybody use that mechanism outside of OpenVMS Secure Delivery, which itself moved away from CDSA.) There have been third-party apps that tried to manage malware and change control on OpenVMS too, and DEC had DECinspect.
As for the OpenVMS Ethos, the problems and the systems and the interconnections are vastly more complex than is OpenVMS, and the pace of required changes in many environments is necessarily far faster than OpenVMS has ever managed. Any snarking at billionaires and at ever-loquacious newsletter texts aside, this ever-increasing complexity is built upon myriad very difficult problems and dependencies. We aren't ever going back to the pre-millennial era of simpler and less interconnected computing, either.
Ever-increasing complexity? Yeah. There are issues with Secure Boot and with self-bricking Intel Raptor Lake 65W+ processors, among many other recent problems:
https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/
https://www.tomshardware.com/pc-components/cpus/intel-cpu-instability-crashing-bug-includes-65w-and-higher-skus-intel-says-damage-is-irreversible-no-planned-recall
Yeah, and CrowdStrike absolutely blew it. I expect Microsoft will use some of the fallout to push vendors into APIs, though that push won't be free of vendor complaints, and not without the possibility of and the risks of poorly-secured or poorly-written user-mode code now causing mayhem.
-- Pure Personal Opinion | HoffmanLabs LLC