8.5 million computers crashed. I was stuck in an airport. So I started thinking about kernels.
At 04:09 UTC on July 19, 2024, CrowdStrike released an update for its Falcon sensor software. A defect in the update caused 8.5 million Windows computers to crash simultaneously.[^1] Half the S&P 500 runs CrowdStrike. Flights were grounded worldwide. The economic damage exceeded $10 billion.[^2]
I was in an airport terminal when my flight got canceled. So I started thinking about kernels.

The root cause was a modification to Channel File 291, which governs how the sensor screens named pipes. The update triggered an out-of-bounds memory read, causing an invalid page fault. Translation: the program tried to read memory it shouldn't have, and because that program runs in kernel mode, the fault was fatal to the entire operating system rather than to a single process.
CrowdStrike's Falcon sensor operates at the kernel level—the deepest layer of the OS—to provide system-wide protection. This access is necessary for comprehensive security monitoring. It's also why a single bug could take down millions of machines.
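The failure mode above, as an added example written for this post (not CrowdStrike's code, and not the real channel-file layout): detection logic written against a template that expects a fixed number of input fields, fed a content update whose record carries fewer. The record format, field counts and function names here are constructed for illustration. The unchecked lookup reads past the end of the buffer; in a kernel driver that is the invalid page fault the post describes. The hardened path validates the field count at parse time and bounds-checks every access, returning an error code instead of dereferencing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed rule-record format for this demo (not CrowdStrike's real
 * channel-file layout): a 32-bit little-endian field count followed by
 * that many 32-bit fields. A "template" states how many fields the
 * detection logic expects to find in each record. */
#define MAX_FIELDS 32

typedef struct {
    size_t   nfields;            /* fields actually present in the record */
    uint32_t field[MAX_FIELDS];
} rule_t;

enum { RULE_OK = 0, RULE_ERR_COUNT = -1, RULE_ERR_INDEX = -2 };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unsafe pattern: index by whatever the template says, trusting that
 * the record always carries that many fields. When a content update ships
 * a shorter record, fields[idx] reads past the end of the buffer. In a
 * kernel-mode driver that is an invalid page fault and the whole machine
 * goes down. Kept only for contrast; main() calls it in bounds. */
uint32_t lookup_unchecked(const uint32_t *fields, size_t idx)
{
    return fields[idx];
}

/* Parse a record, refusing blobs that are truncated or claim more fields
 * than the fixed array can hold, so no read ever leaves `buf`. */
static int rule_parse(const uint8_t *buf, size_t len, rule_t *out)
{
    if (buf == NULL || out == NULL || len < 4) return RULE_ERR_COUNT;
    uint32_t count = rd32le(buf);
    if (count == 0 || count > MAX_FIELDS) return RULE_ERR_COUNT;
    if (len < 4 + (size_t)count * 4) return RULE_ERR_COUNT;   /* truncated */
    out->nfields = count;
    for (size_t i = 0; i < count; i++)
        out->field[i] = rd32le(buf + 4 + i * 4);
    return RULE_OK;
}

/* Every field access goes through a bounds check and reports failure
 * instead of dereferencing past the end. */
static int rule_get(const rule_t *r, size_t idx, uint32_t *out)
{
    if (r == NULL || out == NULL || idx >= r->nfields) return RULE_ERR_INDEX;
    *out = r->field[idx];
    return RULE_OK;
}

/* Evaluate a record against a template expecting `expected` fields and
 * hand back the last field the logic would consult. A count mismatch is
 * rejected at validation time, before any indexing happens. */
static int rule_evaluate(const rule_t *r, size_t expected, uint32_t *last)
{
    if (r == NULL || expected == 0 || r->nfields != expected) return RULE_ERR_COUNT;
    return rule_get(r, expected - 1, last);
}

/* Build a constructed blob carrying n fields valued 1..n; returns its length. */
static size_t make_blob(uint8_t *buf, size_t cap, uint32_t n)
{
    size_t need = 4 + (size_t)n * 4;
    if (n > MAX_FIELDS || cap < need) return 0;
    for (uint32_t i = 0; i <= n; i++) {            /* slot 0 holds the count */
        uint32_t v = (i == 0) ? n : i;
        uint8_t *p = buf + i * 4;
        p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
        p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
    }
    return need;
}

/* Feed a record with `supplied` fields to logic expecting `expected` fields. */
static int demo_update(uint32_t supplied, size_t expected, uint32_t *last)
{
    uint8_t blob[4 + MAX_FIELDS * 4];
    rule_t r;
    size_t len = make_blob(blob, sizeof blob, supplied);
    if (len == 0) return RULE_ERR_COUNT;
    int rc = rule_parse(blob, len, &r);
    return rc != RULE_OK ? rc : rule_evaluate(&r, expected, last);
}

int main(void)
{
    uint32_t last = 0, sample[3] = { 7, 8, 9 };
    printf("matching update : rc=%d last=%u\n", demo_update(12, 12, &last), last);
    printf("short update    : rc=%d (rejected, nothing indexed)\n", demo_update(11, 12, &last));
    printf("in-bounds lookup: %u\n", lookup_unchecked(sample, 2));
    return 0;
}
```

The design point is that the check lives at the trust boundary (parse and validate) rather than at each use site: a record that does not match its template never reaches the matcher, so a content update cannot turn a read into a fault.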
A kernel is the core of an operating system, providing essential services to all other programs. Different architectures make different tradeoffs:
| Type | How It Works | Tradeoff |
|---|---|---|
| Monolithic | All OS services run in kernel space | Fast but crashes affect everything |
| Microkernel | Most services run in user space | Stable but slower |
| Hybrid | Balance between the two | Moderate on both dimensions |
| Exokernel | Apps get direct hardware control | Fast but complex to develop |
| Nanokernel | Bare minimum for hardware management | Minimal attack surface, limited use |
Windows uses a hybrid kernel. CrowdStrike's driver runs at the kernel level, giving it the same access as the OS itself.
A multi-tier kernel architecture could theoretically prevent applications from having unrestricted kernel access:
The goal: prevent a single failure from compromising core OS functions. Security software could still monitor the system but within defined boundaries.
Academic research discusses various multilevel security kernel architectures, each suited to different requirements. The tradeoff is always between isolation (safety) and access (functionality).
After learning about kernels in the airport, I decided to build one. SimpleOS is a prototype monolithic kernel—the simplest architecture to start with.
Features:
It's a learning project, not production software. But building something helps understanding stick in ways reading doesn't.

The CrowdStrike incident demonstrated that kernel-level access is a loaded gun. Necessary for certain applications, but the blast radius when something goes wrong is enormous. Understanding how kernels work—and the architectural choices that determine failure modes—seems worth knowing.
In July 2025, Microsoft announced it would remove kernel access for third-party security vendors in future Windows versions—a direct response to the CrowdStrike incident.[^3] The change will force security software to operate in user mode, significantly reducing the potential blast radius of similar failures.
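Why user mode shrinks the blast radius, as an added example that is not part of the original post: on a POSIX system (Linux assumed), a fault inside a user-mode process ends that process and nothing else, and a supervising process can observe the crash and carry on. The same invalid access inside a kernel-mode driver has no such boundary. The "sensor" functions and the process-supervision wrapper below are constructed for illustration; the faulty worker raises SIGSEGV directly so the demo is deterministic, which is the signal the kernel would deliver for an invalid page access in user space.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef enum {
    SENSOR_EXITED_OK,     /* worker returned 0 */
    SENSOR_EXITED_ERR,    /* worker returned non-zero */
    SENSOR_CRASHED,       /* worker was killed by a signal */
    SENSOR_SPAWN_FAILED   /* fork or waitpid failed */
} sensor_status_t;

typedef struct {
    sensor_status_t status;
    int code;             /* exit status, or the signal that killed the worker */
} sensor_result_t;

/* Run `work` in its own user-mode process and report how it ended.
 * A fault in `work` kills that process only; the caller keeps running.
 * This is the isolation a kernel-mode driver does not get. */
static sensor_result_t run_isolated(int (*work)(void))
{
    sensor_result_t res = { SENSOR_SPAWN_FAILED, 0 };
    pid_t pid = fork();
    if (pid < 0) return res;
    if (pid == 0) {
        struct rlimit rl = { 0, 0 };
        setrlimit(RLIMIT_CORE, &rl);    /* no core file from the demo crash */
        _exit(work());
    }
    int wstatus = 0;
    if (waitpid(pid, &wstatus, 0) < 0) return res;
    if (WIFEXITED(wstatus)) {
        res.code = WEXITSTATUS(wstatus);
        res.status = (res.code == 0) ? SENSOR_EXITED_OK : SENSOR_EXITED_ERR;
    } else if (WIFSIGNALED(wstatus)) {
        res.status = SENSOR_CRASHED;
        res.code = WTERMSIG(wstatus);
    }
    return res;
}

/* Constructed stand-ins for a sensor's scan routine before and after a bad update. */
static int healthy_scan(void) { return 0; }

/* The bad update: an invalid memory access in user mode makes the kernel
 * deliver SIGSEGV to this process alone. raise() keeps the demo deterministic. */
static int faulty_scan(void) { raise(SIGSEGV); return 99; }

/* Returns 1 when the healthy worker finishes and the faulty worker's crash
 * was contained (observed by the supervisor, which is still running). */
static int demo_blast_radius(int *crash_signal)
{
    sensor_result_t good = run_isolated(healthy_scan);
    sensor_result_t bad  = run_isolated(faulty_scan);
    if (crash_signal) *crash_signal = bad.code;
    return (good.status == SENSOR_EXITED_OK && bad.status == SENSOR_CRASHED) ? 1 : 0;
}

int main(void)
{
    int sig = 0;
    int contained = demo_blast_radius(&sig);
    printf("faulty scan killed by signal %d; supervisor still alive: %s\n",
           sig, contained ? "yes, crash contained" : "unexpected result");
    return contained ? 0 : 1;
}
```

Moving a sensor to user mode does not make its bugs disappear; it changes what a bug costs. The supervisor above can log the signal, restart the worker or fail closed, none of which is available when the faulting code is the kernel itself.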
[^1]: CrowdStrike incident report, July 2024. The 8.5 million figure represents approximately 1% of Windows machines globally, but included a disproportionate number of enterprise systems running critical infrastructure.

[^2]: Estimates vary from $5.4B (Parametrix Insurance) to over $10B (industry analysts). Delta Airlines alone claimed $500M in losses and sued CrowdStrike. The incident affected airlines, hospitals, banks, broadcasters, and government agencies across 78 countries.

[^3]: Microsoft announced at Ignite 2024 that future Windows versions would restrict kernel access for security vendors, requiring them to use user-mode APIs instead. This represents the most significant change to Windows security architecture since Vista introduced driver signing requirements.