undefined | Better HN

0 pointsacdha1y ago0 comments

It couldn't happen on macOS: Apple stopped letting third-parties run code in the kernel after years of failures like this.

It also wouldn't happen on Linux: they use eBPF there which was designed by grownups and validates its inputs.

0 comments

mynameisvlad1y ago

eBPF exists on Windows, too: https://microsoft.github.io/ebpf-for-windows/

They’re just not using it. They could have not used it for Linux too. The presence of the feature is not enough to guarantee this would’ve never happened in a hypothetical.

acdhaOP1y ago

No, the fact that they’re actually using eBPF on Linux is what makes it safer. None of this is magic, it’s just a question of following decades of engineering experience.

Similarly, Microsoft clearly sees the benefits but note that they themselves say that’s not production ready yet. I’m certain that this incident will cause people to consider migrating as soon as that changes.

mynameisvlad1y ago

You’re responding to a hypothetical, not what happened.

Let’s say Linux is the leading OS around the world. How can we be sure that they would actually use eBPF if this was the case?

They would likely choose the fastest option in order to support the platform as quickly as possible. Perhaps eBPF didn’t even exist if they prioritized Linux support and implemented that first, since Falcon was first released in 2013 and eBPF in 2014.

Switching from kernel mode to eBPF would be quite a lift, so if it wasn’t baked in from the start it likely wouldn’t have been added in after the fact.

A decade worth of changes is a lot to confidently say what would have happened. If Linux and MacOS were more popular than Windows, it could have been completely different.

This doesn’t even touch on the massive Debian incident CS had earlier this year, which is not a hypothetical.

1 more reply

j16sdiz1y ago

Kext still exist on macos

acdhaOP1y ago

Kind of: they’ve been deprecated for 4 years and you have to disable SIP to load them.

https://developer.apple.com/support/kernel-extensions/

They’ve added system extension mechanisms for the most common needs trying to balance the various things people use kexts for against the impact on security, performance, and reliability many kexts had.

j / k navigate · click thread line to collapse

0 comments

mynameisvlad1y ago

eBPF exists on Windows, too: https://microsoft.github.io/ebpf-for-windows/

They’re just not using it. They could have not used it for Linux too. The presence of the feature is not enough to guarantee this would’ve never happened in a hypothetical.

acdhaOP1y ago

No, the fact that they’re actually using eBPF on Linux is what makes it safer. None of this is magic, it’s just a question of following decades of engineering experience.

mynameisvlad1y ago

You’re responding to a hypothetical, not what happened.

Let’s say Linux is the leading OS around the world. How can we be sure that they would actually use eBPF if this was the case?

Switching from kernel mode to eBPF would be quite a lift, so if it wasn’t baked in from the start it likely wouldn’t have been added in after the fact.

A decade worth of changes is a lot to confidently say what would have happened. If Linux and MacOS were more popular than Windows, it could have been completely different.

This doesn’t even touch on the massive Debian incident CS had earlier this year, which is not a hypothetical.

1 more reply

j16sdiz1y ago

Kext still exist on macos

acdhaOP1y ago

Kind of: they’ve been deprecated for 4 years and you have to disable SIP to load them.

https://developer.apple.com/support/kernel-extensions/

j / k navigate · click thread line to collapse