by acdha 699 days ago
It couldn't happen on macOS: Apple stopped letting third parties run code in the kernel after years of failures like this.

It also wouldn't happen on Linux: they use eBPF there which was designed by grownups and validates its inputs.

eBPF exists on Windows, too: https://microsoft.github.io/ebpf-for-windows/

They’re just not using it. They could have not used it for Linux too. The presence of the feature is not enough to guarantee this would’ve never happened in a hypothetical.

No, the fact that they’re actually using eBPF on Linux is what makes it safer. None of this is magic, it’s just a question of following decades of engineering experience.

Similarly, Microsoft clearly sees the benefits but note that they themselves say that’s not production ready yet. I’m certain that this incident will cause people to consider migrating as soon as that changes.

You’re responding to a hypothetical, not what happened.

Let’s say Linux is the leading OS around the world. How can we be sure that they would actually use eBPF if this was the case?

They would likely choose the fastest option in order to support the platform as quickly as possible. Perhaps eBPF wouldn’t even have existed yet if they had prioritized Linux support and implemented that first, since Falcon was first released in 2013 and eBPF in 2014.

Switching from kernel mode to eBPF would be quite a lift, so if it wasn’t baked in from the start it likely wouldn’t have been added in after the fact.

A decade’s worth of changes is a lot to confidently say what would have happened. If Linux and macOS were more popular than Windows, it could have been completely different.

This doesn’t even touch on the massive Debian incident CS had earlier this year, which is not a hypothetical.

They are using eBPF right now. That suggests that they, like everyone else, see benefits in using a platform feature when it exists.

Last time I checked, CS primarily runs in kernel mode on Linux and only falls back to eBPF if the kernel version is not supported. When in eBPF mode, they call it "Reduced Functionality Mode (RFM)".

Has this changed?

Kexts still exist on macOS.

Kind of: they’ve been deprecated for 4 years and you have to disable SIP to load them.

https://developer.apple.com/support/kernel-extensions/

They’ve added system extension mechanisms for the most common needs, trying to balance the various things people use kexts for against the impact on security, performance, and reliability that many kexts had.