I don’t think that rust would have prevented this one, since this isn’t a compile time error (for the code loader).The address dereferencing would have been inside an unsafe block. What was missing was a validity check of the CI build artifacts and payload check on the client side.
I do however, think that the ‘fingers-crossed’ approach to memory safety in C and C++ must stop. Rust is a great fit for this use case.
I might be wrong, but from how I understand it it probably wouldn’t help. Kernel drivers have a rigorous QA and cert by Microsoft if you want to get them signed, which is a process that may take a long time - longer than you can afford when pushing updates to AV/EDR to catch emerging threats. What Crowdstrike does to bypass this requirement is that the CS Falcon is just an engine, that loads, interprets and executes code from definition files. The kernel driver code then doesn’t need to change, so no need for new MS cert, and they can just push new definition files. So, they kind of have to deal with unsafe in this case, since you are executing a new code.
What Crowdstrike does to bypass this requirement is that the CS Falcon is just an engine, that loads, interprets and executes code from definition files.
If Microsoft really has “rigorous QA and cert” for kernel drivers then they shouldn’t have certified this, because now it’s a certified bypass for the certification.
Rust makes sense though.
I don’t think that rust would have prevented this one, since this isn’t a compile time error (for the code loader).The address dereferencing would have been inside an unsafe block. What was missing was a validity check of the CI build artifacts and payload check on the client side.
I do however, think that the ‘fingers-crossed’ approach to memory safety in C and C++ must stop. Rust is a great fit for this use case.
Well, modern c++ with smartpointers is quite good IMO.
C on the ither hand is like swimming with sharks, with a nosebleed.
I might be wrong, but from how I understand it it probably wouldn’t help. Kernel drivers have a rigorous QA and cert by Microsoft if you want to get them signed, which is a process that may take a long time - longer than you can afford when pushing updates to AV/EDR to catch emerging threats. What Crowdstrike does to bypass this requirement is that the CS Falcon is just an engine, that loads, interprets and executes code from definition files. The kernel driver code then doesn’t need to change, so no need for new MS cert, and they can just push new definition files. So, they kind of have to deal with unsafe in this case, since you are executing a new code.
If Microsoft really has “rigorous QA and cert” for kernel drivers then they shouldn’t have certified this, because now it’s a certified bypass for the certification.