this post was submitted on 19 Jul 2024
131 points (100.0% liked)

TechTakes

1266 readers
105 users here now

Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.

This is not debate club. Unless it’s amusing debate.

For actually-good tech, you want our NotAwfulTech community

founded 1 year ago
MODERATORS
dgerard@awful.systems
131
Crowdstrike takes out last remaining threat vector (the users) (infosec.exchange)
submitted 1 month ago* (last edited 1 month ago) by pyrex@awful.systems to c/techtakes@awful.systems
32 comments fedilink hide all child comments
 

The machines, now inaccessible, are arguably more secure than before.

you are viewing a single comment's thread
view the rest of the comments
[–] sailor_sega_saturn@awful.systems 30 points 1 month ago* (last edited 1 month ago) (28 children)

Fair warning that I'll be ranty because I hate losers talking about DEI hires.

So why is memory address 0x9c trying to be read from? Well because... programmer error.

So what happened is that the programmer forgot to check that the object it's working with isn't valid, it tried to access one of the objects member variables...

This is a huge assumption. ~~The last rumor I've read from actual cybersecurity people is that Crowdstrike's update files were corrupt~~ (update: disproven by Crowdstrike's blog post). If this is true it's likely still from programmer error at some level, but maybe not as simple as "whoopsie I forgot an if (data == nullptr) teehee".

He, like the rest of us that don't work at Crowdstrike, has no idea what happened. I have seen computers do the weirdest gosh darn things. I know better than to assume anything at this point. I wouldn't even rule out weird stuff like the data getting corrupted between release qualification and release yet.

It turns out that C++, the language crowdstrike is using, likes to use address 0x0 as a special value to mean "there's nothing here", don't try to access it or you'll die.

This thread is full of these sorts of small technical inaccuracies and oversimplifications so I won't point out all of them, but nothing in the C++ standard requires null pointers to refer to memory address 0x0. Nor does it require that dereferencing a null pointer terminates the program.

Windows died not because C++ asked it nicely to, but because a driver tried to access an address which wasn't paged in.

Crowdstrike should have set up automated testing using address sanitizer and thread sanitizer that runs on every code update.

The funny thing about accessing into non-paged memory in kernel space:

  1. It will crash regardless of if it's running under Asan or not, sanitizers are literally irrelevant based on what we know so far
  2. The Asan version he linked to is for user-space. In the windows kernel you'd need KASAN instead.

(If this was a simple nullptr dereference on bad input data then perhaps a fuzzer would have helped. Fuzzers are great though I have no idea how hard they are to use with kernel drivers)

C++ is hard. Maybe they have a DEI engineer that did this

Dude would probably call me a "DEI hire"; but I bet I could beat him in a C++ deathmatch so neener neener.

[–] within_epsilon@beehaw.org 6 points 1 month ago (4 children)

"DEI hire" is arrogant. That's a great way to other people instead of owning the flaw. I appreciate the call for maturity in the field. Own your flaws.

[–] mawhrin@awful.systems 19 points 1 month ago (3 children)

the use of “DEI hire” is a shorthand for “i'm a massive racist shitweasel”

[–] alm@awful.systems 17 points 1 month ago

It actually blows my mind that these people can see a bad thing happen, know exactly zero about it, and conclude “must have been a (insert slur) who did that”. They did the same shit with the Baltimore bridge collapse.

load more comments (2 replies)
load more comments (2 replies)
load more comments (25 replies)