undefined | Better HN

0 pointsconcerned_user1y ago0 comments

Yes it is a driver which is signed and tested by Microsoft. Driver allows to run arbitrary unsigned code. Why is that allowed?

0 comments

cyberpunk1y ago

The driver is some kind of AV/Signature detection hook. E.g check every open() for this list of checksums and refuse to open known viruses style system. The 'update' was a borked definition file which triggered a bug in that system.

It's not code execution without signing, and I think probably they do want these files to be updated hands free.

The real problem was the lack of testing, rather than the actual mechanism I think.

shadowgovt1y ago

This is the nugget of the issue. The code-signing process, in this case, was abused to verify something that, fundamentally, cannot give the guarantee "Doesn't crash your OS" because it is allowed to run arbitrary code in the form of novel commands in what is essentially a DSL. So if code-signing is supposed to be a guarantee from MS that "this code can't crash your system," it should never have been signed... But then MS would have been on hooks for blocking a competitor.

There is no guarantee the law is written soundly.

wolpoli1y ago

To get a driver signed by Microsoft, the developer of the driver is required to provide a full cert pass log from the Windows Hardware Lab Kit to dev center [0]. Do you have any article that says the CrowdStrike driver has been tested by Microsoft?

[0]: https://learn.microsoft.com/en-us/windows-hardware/drivers/i...

rtkwe1y ago

To avoid going through the full cert process the sensor was certified but it loaded code from an uncertified module too so that it could be quickly updated to catch new threats. It's a tough corner to be in, to function properly it needs to update very quickly but the cert process takes a while to complete so they went with this work around of a signed module loading uncertified code.

Joker_vD1y ago

...you want Microsoft to forbid you from running certain kinds of programs on your own machine, even if you really, really insist on it, do I understand you correctly?

hpen1y ago

More like: "...you want Microsoft to forbid you from running certain kinds of programs (with gaping security holes / processes) on your own machine" YES

Sohcahtoa821y ago

> (with gaping security holes / processes)

The problem is that you're assuming you can prove a program doesn't having security holes and bad processes.

1 more reply

Sohcahtoa821y ago

The Crowdstrike failure was not caused by running unsigned code.

j / k navigate · click thread line to collapse

0 comments

cyberpunk1y ago

It's not code execution without signing, and I think probably they do want these files to be updated hands free.

The real problem was the lack of testing, rather than the actual mechanism I think.

shadowgovt1y ago

There is no guarantee the law is written soundly.

wolpoli1y ago

[0]: https://learn.microsoft.com/en-us/windows-hardware/drivers/i...

rtkwe1y ago

Joker_vD1y ago

...you want Microsoft to forbid you from running certain kinds of programs on your own machine, even if you really, really insist on it, do I understand you correctly?

hpen1y ago

More like: "...you want Microsoft to forbid you from running certain kinds of programs (with gaping security holes / processes) on your own machine" YES

Sohcahtoa821y ago

> (with gaping security holes / processes)

The problem is that you're assuming you can prove a program doesn't having security holes and bad processes.

1 more reply

Sohcahtoa821y ago

The Crowdstrike failure was not caused by running unsigned code.

j / k navigate · click thread line to collapse