Because it isn't. Their Linux sensor also uses a kernel driver, which means they could have just as easily caused a looping kernel panic on every Linux device it's installed on.

[+] ytg@sopuli.xyz -7 points 3 months ago (3 children)

There's no way of knowing that, though. Perhaps their Linux and Darwin drivers wouldn't have paniced the system?

Regardless, doing almost anything at the kernel level is never a good idea

[–] ohmyiv@lemmy.world 8 points 3 months ago (1 children)

It's not impossible. Crowdstrike has done it recently to linux machines.

Kernel panic observed after booting 5.14.0-427.13.1.el9_4.x86_64 by falcon-sensor process:
https://access.redhat.com/solutions/7068083

[–] match@pawb.social 1 points 3 months ago

Paywalled, unfortunately

[–] ricecake@sh.itjust.works 6 points 3 months ago (1 children)

Also, it's less about "their" drivers and more about what a kernel module can do.
Saying "there's no way to know" doesn't fit, because we do know that a malformed kernel module can destabilize a linux or mac system.

"Malformed file" isn't a programming defect or something you can fix by having a better API.

[–] deadbeef79000@lemmy.nz 0 points 3 months ago (1 children)

Having the data exposed to userspace via an API would avoid having to have a kernel module at all... Which when malformed wouldn't compromise the kernel.

[–] ricecake@sh.itjust.works 4 points 3 months ago

I mean, sure. But typically operating systems don't expose that type of information to user space, instead providing a kernel interface with user mode configuration.

It's why they use the same basic approach on mac and Linux.

[–] ricecake@sh.itjust.works 5 points 3 months ago

Security operations being one of the things that is often best done at the kernel level because of the need to monitor network and file operations in a way you can't in user mode.