shahahqq commented on No More Blue Fridays   brendangregg.com/blog/202... · Posted by u/moreati
xyzzy123 · a year ago
So many problems though! Including commercial monocultures, lack of update consent, blast radius issues, etc. etc. There's a commons in our pockets, but that is very difficult to regulate for. They will keep putting the gun to your head until you keep choosing the monoculture.
shahahqq · a year ago
Worrisome indeed that now the world knows how many users are affected by CrowdStrike, so the bad guys just need to poke deeper there.
mrpippy · a year ago
> Once Microsoft's eBPF support for Windows becomes production-ready, Windows security software can be ported to eBPF as well.

This doesn’t seem grounded in reality. If you follow the link to the “hooks” that Windows eBPF makes available [1], it’s just for incoming packets and socket operations. IOW, MS is expecting you to use the Berkeley Packet Filter for packet filtering. Not for filtering I/O, or object creation/use, or any of the other million places a driver like Crowdstrike’s hooks into the NT kernel.

In addition, they need to be in the kernel in order to monitor all the other 3rd party garbage running in kernel-space. ELAM (early-launch anti-malware) loads anti-malware drivers first so they can monitor everything that other drivers do. I highly doubt this is available to eBPF.

If Microsoft intends eBPF to be used to replace kernel-space anti-malware drivers, they have a long, long way to go.

[1]: https://microsoft.github.io/ebpf-for-windows/ebpf__structs_8...

shahahqq · a year ago
I hope though that Microsoft will double down on their eBPF support for Windows after this incident.
