this post was submitted on 20 Jul 2024
422 points (98.0% liked)

Programmer Humor

19187 readers
1188 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
422
imagine if the crowsstrike bug was malicious... (sopuli.xyz)
submitted 2 months ago by lseif@sopuli.xyz to c/programmer_humor@programming.dev
17 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[โ€“] Mikina@programming.dev 1 points 1 month ago (1 children)

I might be wrong, but from how I understand it it probably wouldn't help. Kernel drivers have a rigorous QA and cert by Microsoft if you want to get them signed, which is a process that may take a long time - longer than you can afford when pushing updates to AV/EDR to catch emerging threats. What Crowdstrike does to bypass this requirement is that the CS Falcon is just an engine, that loads, interprets and executes code from definition files. The kernel driver code then doesn't need to change, so no need for new MS cert, and they can just push new definition files. So, they kind of have to deal with unsafe in this case, since you are executing a new code.

[โ€“] zaphod@sopuli.xyz 3 points 1 month ago

What Crowdstrike does to bypass this requirement is that the CS Falcon is just an engine, that loads, interprets and executes code from definition files.

If Microsoft really has "rigorous QA and cert" for kernel drivers then they shouldn't have certified this, because now it's a certified bypass for the certification.