No More Blue Fridays

&gt; Once Microsoft&#x27;s eBPF support for Windows becomes production-ready, Windows security software can be ported to eBPF as well.<p>This doesn’t seem grounded in reality. If you follow the link to the “hooks” that Windows eBPF makes available [1], it’s just for incoming packets and socket operations. IOW, MS is expecting you to use the Berkeley Packet Filter for packet filtering. Not for filtering I&#x2F;O, or object creation&#x2F;use, or any of the other million places a driver like Crowdstrike’s hooks into the NT kernel.<p>In addition, they need to be in the kernel in order to monitor all the other 3rd party garbage running in kernel-space. ELAM (early-launch anti-malware) loads anti-malware drivers first so they can monitor everything that other drivers do. I highly doubt this is available to eBPF.<p>If Microsoft intends eBPF to be used to replace kernel-space anti-malware drivers, they have a long, long way to go.<p>[1]: <a href="https:&#x2F;&#x2F;microsoft.github.io&#x2F;ebpf-for-windows&#x2F;ebpf__structs_8h.html#a0f8242763b15ec665eaa47c6add861a0" rel="nofollow">https:&#x2F;&#x2F;microsoft.github.io&#x2F;ebpf-for-windows&#x2F;ebpf__structs_8...</a>

I hate to dispute with someone like Brendan Gregg, but I&#x27;m hoping vendors in this space take a more holistic approach to investigating the complete failure chain. I personally tend to get cautious when there is a proposal that x will solve the problem that occurred on y date, especially 3 days after the failure. It may be true, but if we don&#x27;t do the analysis we could leave ourselves open to blindspots. There may also be plenty of alternative approaches that should be considered and appropriately discarded.<p>I think the part I specifically dispute is the only negative outcome is wasted CPU cycles. That&#x27;s likely the case for the class of bug, but there are plenty of failure modes where a bad ruleset could badly brick a system and make it hard to recover.<p>That&#x27;s not to say eBPF based security modules isn&#x27;t the right choice for many vendors, just that let&#x27;s understand what risks they do and do not avoid, and what part of the failure chain they particularly address.

This isn&#x27;t right. If I need a system to run <i>with</i> a piece of code, then it shouldn&#x27;t run at all if that piece of code is broken. Ignoring the failure is perverse. Let&#x27;s say that the driver code ensures that some medical machine has safety locks (safeguards) in place to make sure that piece of equipment won&#x27;t fry you to a crisp; I&#x27;d prefer that the whole thing not run at all rather than blithely operate with the safeguards disabled. It&#x27;s turtles all the way down.

&gt; In the future, computers will not crash due to bad software updates, even those updates that involve kernel code. In the future, these updates will push eBPF code.<p>eBPF is fantastic, and it can be used for many purposes and improve a lot of things, but this is IMO overselling it. Assuming that BPF itself it free of bugs, it’s still a rather large sprawl of kernel hooks, and those hooks invoke eBPF code, which can call right back into the kernel. Here’s a list:<p><a href="https:&#x2F;&#x2F;www.man7.org&#x2F;linux&#x2F;man-pages&#x2F;man7&#x2F;bpf-helpers.7.html" rel="nofollow">https:&#x2F;&#x2F;www.man7.org&#x2F;linux&#x2F;man-pages&#x2F;man7&#x2F;bpf-helpers.7.html</a><p>bpf_probe_read_kernel() is particularly heavily used, and it is <i>not</i> safe. It tries fairly hard not to OOPS or crash, but it is definitely not perfect.<p>The rest of that list contains plenty of this that will easily take down a system, even if it doesn’t actually oops or panic in the process.<p>And, of course, any tool that detects userspace “malicious behavior” and stops it can start calling everything malicious, and the computer becomes unusable.<p>Meanwhile, eBPF has no real security model on the userspace side. Actual attachment of an eBPF program goes through the bpf() syscall, not through sensibly permissioned operations on the underlying kernel objects being attached to, and there is nothing whatsoever that confines eBPF to, say, a container that uses it. (See bpf_probe_read_kernel() -- it&#x27;s fundamentally able to read all kernel memory.)<p>So, IMO, most of the benefit of eBPF over ordinary kernel C code is that eBPF is kind of like writing code in a safe language with a limited unsafe API surface. It&#x27;s a huge improvement for this sort of work, but it is not perfect by any means.<p>&gt; The verifier is rigorous -- the Linux implementation has over 20,000 lines of code<p>The verifier is absurdly complex. I&#x27;d rather see something based on formal methods than 20kLOC of hand-written logic.

&gt; eBPF programs cannot crash the entire system because they are safety-checked by a software verifier and are effectively run in a sandbox.<p>Isn’t one of the purposes of an OS to police software? I get that this has to do with the OS itself, but what does watching the watchers accomplish other than adding a layer which must then be watched?<p>Why not reduce complexity instead of naively trusting that the new complexity will be better long term?

This sounds like a cool technology, but this was the really egregious problem:<p>&gt; There are other ways to reduce risks during software deployment that can be employed as well: canary testing, staged rollouts, and &quot;resilience engineering&quot; in general<p>You don&#x27;t need a new technology to implement basic industry-standard quality control

Maybe we should start taking Fridays off to commemorate the event, which probably would have been less bad if more people spent less time with their nose to the grindstone and had more time to stop and think about how it all was shaping up and how they could influence that shape.

```The verifier is rigorous -- the Linux implementation has over 20,000 lines of code -- with contributions from industry (e.g., Meta, Isovalent, Google) and academia (e.g., Rutgers University, University of Washington). The safety this provides is a key benefit of eBPF, along with heightened security and lower resource usage. ``` Wow, 20k is not exactly encouraging. Besides the extra attack surface, who can vouch for such a large code base?

If the filters are loaded at boot and hook into everything then a bug can still lock down the system to a point where it can&#x27;t be operated or patched anymore (e.g. because you loaded an empty whitelist). So it could end up replacing a boot loop with another form of DoS.<p>If microsoft includes a hardcoded whitelist that covers some essentials needed for recovery that could make a bug in such a tool easier to fix, but could still cause effective downtimes (system running but unusuable) until such a fix is delivered.

The blog post says:<p><pre><code> &gt; eBPF, which is immune to such crashes. </code></pre> I tried to Google about this, but I cannot find anything definitive. It looks like you can still break things. Can an expert on eBPF please comment on this claim? This is the best that I could find: <a href="https:&#x2F;&#x2F;stackoverflow.com&#x2F;questions&#x2F;70403212&#x2F;why-is-ebpf-said-to-be-safer-than-lkm" rel="nofollow">https:&#x2F;&#x2F;stackoverflow.com&#x2F;questions&#x2F;70403212&#x2F;why-is-ebpf-sai...</a>

&quot;These security agents will then be safe and unable to cause a Windows kernel crash.&quot;<p>Unless of course there is a bug in eBPF (<a href="https:&#x2F;&#x2F;access.redhat.com&#x2F;solutions&#x2F;7068083" rel="nofollow">https:&#x2F;&#x2F;access.redhat.com&#x2F;solutions&#x2F;7068083</a>) @brendangregg and the kernel panics&#x2F; BSoDs anyway which you mention later in the article of course.

&gt; <i>In the future, computers will not crash due to bad software updates, even those updates that involve kernel code. In the future, these updates will push eBPF code.</i><p>Assuming every security critical system will be on a recent enough kernel to support this...

Ok. But the good old push code to staging &#x2F; canary it before mainstream updates was a simpler way of solving the same problem.<p>Crowdstrike knows the computers they&#x27;re running on, it is trivial to implement a system where only few designated computers download and install the update and report metrics before the update controller decides to push it to next set.

The implicit assumption of the article is that eBPF code can&#x27;t crash a kernel, but the article itself eventually admits that it can and has done, including last month. eBPF is a safer way of providing kernel-extension functionality, for sure, but presenting it as the perfect solution is just asking to have your argument dismissed. eBPF is not perfect. And there&#x27;s plenty of things it can&#x27;t do. The very sandbox rules that limit how long its programs may run and what they can do also make it entirely inappropriate for certain tasks. Let&#x27;s please stop pretending there&#x27;s a silver bullet.

&quot;The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at and repair.&quot;<p>- Douglas Adams

I don&#x27;t do any kernel stuff so I&#x27;m out of my element, but doesn&#x27;t the fact that Crowdstrike &amp; Linux kernel eBPF already caused kernel crashes[1] sort of downplay the rosiness of the state of things?<p>[1]: <a href="https:&#x2F;&#x2F;access.redhat.com&#x2F;solutions&#x2F;7068083" rel="nofollow">https:&#x2F;&#x2F;access.redhat.com&#x2F;solutions&#x2F;7068083</a>

Lets suppose that eBPF solves this particular problem, eventually, for Windows. Doesn&#x27;t sidestepping the entire class of Crowdstrike-style fubars require that Microsoft then mandate that no, backward compatibility will not be offered?<p>Back compat seems to be such a shibboleth in the Windows world, but comes at an incredible price. The reasons cited all seem to boil down to keeping some imagined customers&#x27; obscure LOB app running for decades. But that seems like an excuse to me. Surely Microsoft would <i>like</i> to shake out the last diehards running some VB5 app on a patched up PC in a factory. Isn&#x27;t it more beneficial to everyone to start sunsetting acres of ancient NT code and approaches and streamline the entire attack surface?

So many problems though! including commercial monocultures, lack of update consent, blast radius issues, etc etc. There&#x27;s a commons in our pockets but that is very difficult to regulate for. The will keep putting the gun to your head until you keep choosing the monoculture.

WebAssembly is a better choice for sandboxing kernel code. It has a full formal specification with a mechanized proof of type safety, many high-performance implementations, broad toolchain support, is targetable from many languages, and a capability security model.

&gt; The worst thing an eBPF program can do is to merely consume more resources than is desirable, such as CPU cycles and memory.<p>This is obviously not true. It might be the worst it can do, by itself, to the currently running kernel. It&#x27;s not the worst it can do to the machine or its user(s).<p>There are infinite harmful things an eBPF program can do. As can programs solely in user-space. There is a specific class of vulnerabilities being mitigated by moving code from kernel to BPF. That does not mean that eBPF programs are in general safe.

Does anyone know how far along the eBPF implementation for Windows actually is? In the sense that it could start feasibly replacing existing kernel drivers.

Even if Microsoft rolls out eBPF and mainstreams it - it will be years before everything is ported over and it still won&#x27;t address legacy windows versions (which appear to be a good chunk of what was impacted).<p>It&#x27;s a move in the right direction but it probably won&#x27;t fully mitigate issues like this for another 5+ years.

&gt; an unprecedented example of the inherent dangers of kernel programming<p>I take issue with that. Kernel programming was not to blame; looking up addresses from a file and accessing those memory locations without any validation is. The same technique would yield the same result at any Ring.

Can someone tell me what&#x27;s the advantage of eBPF over a user mode driver? The article makes it look it eBPF is have your cake and eat it too solution which is too good to be true? Can you run graphics drivers in eBPF for example?

1. How does eBPF solve this? It makes it more difficult, sure, but it&#x27;ll almost always be <i>possible</i> to cause a crash, if you try hard enough. 2. More importantly, the problem is rarely fixable by changing technology, because typically, problems are caused by people and their connections: social&#x2F;corporate pressures, profit-seeking, mental health being treated as unimportant, et cetera. eBPF can&#x27;t fix those, and as long as corporations have social structures that penalize thoroughness and caution, and incentivize getting &#x27;the most stuff&#x27; done, this will persist as a problem.

I don&#x27;t buy it... didn&#x27;t a bug from RedHat + Crowdstrike have a similar panic issue? I understand in that case it was because of RedHat, but still. I don&#x27;t think this, by itself will change much.

eBPF == extended Berkeley Packet Filter<p><a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Berkeley_Packet_Filter" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Berkeley_Packet_Filter</a>

So eBPF is giving us eBFP (enhanced Blue Friday Protection)?

&gt; If your company is paying for commercial software that includes kernel drivers or kernel modules, you can make eBPF a requirement. It&#x27;s possible for Linux today, and Windows soon. While some vendors have already proactively adopted eBPF (thank you), others might need a little encouragement from their paying customers.<p>How about Microsoft&#x27;s large government and commercial customers make it a requirement that MS does not develop a single new feature for the next two fucking years or however long it takes to go through the entirety of the Windows+Office+Exchange code base and to make sure there are no security issues in there?<p>We don&#x27;t need ads in the start menu, we don&#x27;t need telemetry, we don&#x27;t need desktop Outlook becoming a rotten slow and useless web app, we don&#x27;t need AI, we certainly don&#x27;t need Recall. We need an OS environment that doesn&#x27;t need a Patch Tuesday where we have to check if the update doesn&#x27;t break half the canary machines.<p>And while MS is <i>at that</i> they can also take the goddamn time and rework the entire configuration stack. I swear to god, it drives me nuts. There&#x27;s stuff that&#x27;s only accessible via the registry (and there is no comprehensive documentation showing exactly what <i>any</i> key in the registry can do - large parts of that are MS-internal!), there&#x27;s stuff only accessible via GPO, there&#x27;s stuff hidden in CPLs dating back to Windows 3.11, and there&#x27;s stuff in Windows&#x27; newest UI&#x2F;settings framework.

Here&#x27;s an idea for an interesting hack: a piece of kernel resident code that feeds fake data into eBPF so that an eBPF-based antimalware will see nothing bad as the malware goes about it&#x27;s merry way.<p>Sandboxes are safe, but are ultimately virtual machines, and virtual machines can be made to live in a world that&#x27;s not real.

Title reminds me of when microsoft promised no more UAEs back in 92. They just renamed them to GPFs in windows 3.1.

One option to prevent this is to not run corporate spyware. But I guess for some industries this isn&#x27;t an option.

It is great that we need a linux kernel feature to be ported to Windows so we don’t have blue Fridays

&gt; If your company is paying for commercial software that includes kernel drivers or kernel modules, you can make eBPF a requirement.<p>Are they saying that device drivers should be written in eBPF?<p>Or maybe their drivers should expose an eBPF API?<p>I assume <i>some</i> driver code still needs to reside in the actual kernel.

Hey Brendan,<p>&gt; If your company is paying for commercial software that includes kernel drivers or kernel modules, you can make eBPF a requirement.<p>Windows soon, may still be atleast a year ahead. Would that be a fair statement? atleast being the operating keyword here.<p>Specifically in the context of network security software, for eBPF programs to be portable across windows&#x2F;linux, we would need MSFT to add a lot more hooks and expose internal kernel stucts. Hopefully via a common libbpf definition. Otherwise, I fear, having two versions of the same product, across two OSs would mean more secuirty and quality issues.<p>I guess the point I am trying to make is, we would get there, but we are more than a few years away. I would love to see something like cilium on vanilla windows for a Software defined Company Wide network. We can then start building enterprise network secutiry into it. Baby steps!<p>---<p>btw, your talks and blog posts about bpftools is godsent!

Yep, another fix to all our problems, a new bandwagon to be jumped on by wall EDR vendors, until ...<p>Here I am using the term &quot;EDR&quot;. Until this CrowdStrike debacle I&#x27;d never heard it.<p>Only tells how seriously you should take my opinions.

Meta:<p>&gt; <i>eBPF (no longer an acronym)</i> […]<p>Any reason why the official acronym was done away with?

So a couple of questions<p>1) Is CrowdStrike Falcon using eBPF for their Linux offering?<p>2) Would the faulty patch update get caught by the eBPF verifier?

&gt; the company behind this outage was already in the process of adopting eBPF, which is immune to such crashes<p>Oh I&#x27;m sure they&#x27;ll find a way.

This puts an awful lot of stock in the robustness of eBPF.<p>Which is odd, given there’s been a bunch of kernel privesc bugs using eBPF…

&gt; In the future, computers will not crash due to bad software updates<p>I&#x27;m still waiting on my flying car...

The article mentions Windows and Linux. Does anyone know if there will be eBPF for FreeBSD?

How much extra security does this provide on top of HLK?

<i>In the future, computers will not crash due to bad software updates, even those updates that involve kernel code.</i><p>100% BS. Even if they don&#x27;t &quot;crash&quot; they will &quot;stop functioning as intended&quot; which is just the same. It&#x27;s absolutely disgusting how this industry is now using this one outage as a talking point to further their totalitarian agenda.<p>It reminds me of how Google went after adblockers with their new extension model that also promised more &quot;security&quot;. It&#x27;s time we realised what they&#x27;re really trying to do. In fact, I wonder whether this outage was not accidental after all.

First io_uring, now eBPF. Kind of wild.

Is there a reason for the lack of naming+shaming Crowdstrike in this blogpost? Was it to not give them any more publicity, good or bad?

eBPF will be an improvement, I’m sure, but does not mean the end of bugs&#x2F;DoS in software.

&quot;The verifier is rigorous&quot;<p>But the appeal-to-authority evidence that the article presents is not.<p>&quot;-- the Linux implementation has over 20,000 lines of code -- with contributions from industry (e.g., Meta, Isovalent, Google) and academia (e.g., Rutgers University, University of Washington). The safety this provides is a key benefit of eBPF, along with heightened security and lower resource usage.&quot;

Sorry, but neither eBPF nor Rust nor formal verification nor ... is going to solve that problem. Repeat after me: there are no technical solutions to social problems. As long as the result of such an outage is basically a &quot;oh, a software problem! <i>shrug</i>&quot;, _nothing_ will change.

I wonder if microkernels ever had this kind of bullshit. Had it been a microkernel, would we all be sitting twiddling our thumbs on friday? Hot take: No.

From the article:<p>&gt; If the verifier finds any unsafe code, the program is rejected and not executed. The verifier is rigorous -- the Linux implementation has over 20,000 lines of code [0] -- with contributions from industry (e.g., Meta, Isovalent, Google) and academia (e.g., Rutgers University, University of Washington).<p>[0] links to <a href="https:&#x2F;&#x2F;github.com&#x2F;torvalds&#x2F;linux&#x2F;blob&#x2F;master&#x2F;kernel&#x2F;bpf&#x2F;verifier.c">https:&#x2F;&#x2F;github.com&#x2F;torvalds&#x2F;linux&#x2F;blob&#x2F;master&#x2F;kernel&#x2F;bpf&#x2F;ver...</a> which has this interesting comment at the top:<p><pre><code> &#x2F;* bpf_check() is a static code analyzer that walks eBPF program * instruction by instruction and updates register&#x2F;stack state. * All paths of conditional branches are analyzed until &#x27;bpf_exit&#x27; insn. * * The first pass is depth-first-search to check that the program is a DAG. * It rejects the following programs: * - larger than BPF_MAXINSNS insns * - if loop is present (detected via back-edge) ... </code></pre> I haven&#x27;t inspected the code, but I thought that checking for infinite loops would imply solving the halting problem. Where&#x27;s the catch?

I used to work for an EDR vendor and this post glosses over two major and important things. 1. There’s no need for eBPF on windows, it has the ETW framework (event tracing) which is much more powerful and provides applications subscribing to a class of events almost too detailed insights. the issue most AV vendors have with it though is speed. Leading to … 2. eBPF lets you watch. Congrats. It’s something, but it’s not the reason why these tools are deployed. Orgs deploy these tools to <i>prevent</i> or <i>stop</i> potentially bad stuff from executing. The only place this can be done in our operating systems is usually the kernel - for that you need kernel level drivers or various other filter drivers.<p>Crowdstrike screwed the pooch here, yes. But after a couple of days I feel like I haven’t read enough blog posts and articles that crap on Microsoft. It’s their job to build a secure operating system, instead they deliver Windows and because they themselves cannot secure windows, they ship defender… and we use tools like falcon like a bandaid for Microsofts bad security practices

Thank God some superheros have finally come along to make sure code never crashes any computers ever again! &#x2F;s