158 points kenjackson | 3 comments
1. red_admiral No.41031943
In principle, yes, if you have third-party Ring 0 kernel-mode drivers, they could crash a POSIX system as well as a Windows one.

But that doesn't seem to be what happened here.

Random idea that I haven't fully thought through: continue to run the kernel at Ring 0 and userland at Ring 3, but move "tools" like this to Ring 1.

replies(2): >>41032087 >>41032193
2. doikor No.41032087
Problem with that is the tool can’t protect the system from any bad actor who gets ring 0 access.

And even if it has ring 0 access, it can’t really verify anything without Secure Boot or something like it verifying that nothing else started before it. This is also why Riot’s anti-cheat runs as ring 0, as it has to protect the game against the owner/admin of the machine.

(And after that there are still BIOS- or firmware-level exploits.)

3. ahazred8ta No.41032193
Windows has an official ELAM (Early Launch AntiMalware) framework, which CrowdStrike complies with. The CrowdStrike driver is right where it's supposed to be, according to Microsoft.
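Added example, not part of the thread and not CrowdStrike's or Microsoft's code: a PowerShell snippet that shows what "registered as an ELAM driver" looks like on a concrete machine. ELAM drivers are boot-start drivers (Start = 0) placed in the Early-Launch load-order group, so the script walks HKLM\SYSTEM\CurrentControlSet\Services for entries with that Group, resolves each driver's image path, and reports its Authenticode signer, then reads the ELAM DriverLoadPolicy value that tells Windows which of the other boot-start drivers it may load. Assumptions: the registry layout described above, an elevated PowerShell session on Windows 8 or later, and the DriverLoadPolicy decode table, which is taken from the "Boot-Start Driver Initialization Policy" group-policy description and is labelled as such in the code.

```powershell
# Added example (not from the thread). Lists drivers registered in the
# Early-Launch load-order group (where ELAM drivers live) and the signer of
# each image, then reads the ELAM driver-load policy. Run elevated.
#
# Assumed registry layout (standard on Windows 8+):
#   HKLM\SYSTEM\CurrentControlSet\Services\<name>  -> Group, Start, ImagePath
#   Start 0 == SERVICE_BOOT_START

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Collect boot-start services whose load-order group is Early-Launch.
$elamDrivers = Get-ChildItem $servicesKey | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    if ($props.Group -eq 'Early-Launch' -and $props.Start -eq 0) {
        [pscustomobject]@{
            Name      = $_.PSChildName
            ImagePath = $props.ImagePath
        }
    }
}

if (-not $elamDrivers) {
    Write-Host 'No drivers registered in the Early-Launch group.'
}

foreach ($drv in $elamDrivers) {
    # Boot-start ImagePath is usually relative to the system root
    # ("system32\drivers\x.sys") or prefixed with "\SystemRoot\".
    $path = $drv.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') {
        $path = Join-Path $env:SystemRoot $path
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Driver = $drv.Name
        Path   = $path
        Status = $sig.Status                      # Valid / NotSigned / HashMismatch ...
        Signer = $sig.SignerCertificate.Subject   # who vouches for the image
    }
}

# The ELAM policy deciding which *other* boot-start drivers may load.
# Decode table assumed from the "Boot-Start Driver Initialization Policy"
# group-policy text; verify against your Windows version before relying on it.
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
$policyNames = @{
    8 = 'Good only'
    1 = 'Good and unknown'
    3 = 'Good, unknown and bad-but-critical (default)'
    7 = 'All'
}
$policy = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DriverLoadPolicy
if ($null -eq $policy) {
    Write-Host 'DriverLoadPolicy not set; Windows uses its default.'
} else {
    $label = if ($policyNames.ContainsKey([int]$policy)) { $policyNames[[int]$policy] } else { 'unrecognised value' }
    Write-Host ("DriverLoadPolicy = {0} ({1})" -f $policy, $label)
}
```

The listing tells you which vendors have a driver in the ELAM slot and whether the image's signature still checks out; it says nothing about what that driver's boot-start callback does once it runs, which is the part a bug in the driver itself, rather than in the drivers it is vetting, would affect.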