undefined | Better HN

0 pointsSayrus1y ago0 comments

Apple did, Microsoft is working on eBPF for Windows[1] but I doubt they'll sunset their kernel modules support. At the very least, it means there are safer ways to load third-party code in the kernel without allowing them to crash your entire system by mistake. Even if kernel modules are still supported, a compliance framework may introduce a "No kernel module" requirement, just like they require a CrowdStrike-like software to be installed.

However, doing so is no easy feat. The first version of eBPF was released over 10 years ago.

[1] https://github.com/microsoft/ebpf-for-windows

0 comments

4 comments · 1 top-level

alephnerd1y ago· 3 in thread

> Apple did

Apple did not have to sign a settlement with the EU, which Microsoft did in 2009.

The terms of the settlement state:

"Microsoft shall make available to interested undertakings Interoperability Information that enables non-Microsoft server Software Products to interoperate with Windows Server Operating System on an equal footing with other Microsoft Server Software Products." [0]

"Microsoft shall ensure on an ongoing basis and in a Timely Manner that the APIs in the Windows Client PC Operating System and the Windows Server Operating System that are called on by Microsoft Security Software Products are documented and available for use by third-party security software products that run on the Windows Client PC Operating System and/or the Windows Server Operating System. These APIs will be documented on the Microsoft Developer Network, unless open publication would create security risks. In such circumstances, Microsoft will provide third-party security vendors with access to such APIs pursuant to a royalty-free license and on fair, reasonable and non-discriminatory terms." [0]

This means that by offering Microsoft Defender for Endpoint, Microsoft needs to give similar access to the underlying kernel to competing vendors like CRWD and S1.

> At the very least, it means there are safer ways to load third-party code in the kernel without allowing them to crash your entire system by mistake

An eBPF or a similar technology wouldn't necessarily enhance stability when probing kernel-land from user-land, as any interaction with a kernel can cause kernel panics.

Plenty of endpoint vendors have had issues with PTrace (MacOS), kprobes (Linux), eBPF (Linux, K8s), etc.

The reality is that $))&#( happens, and a lot of comments on HN about this bug are really dumb.

[0] - https://news.microsoft.com/download/archived/presskits/eu-ms...

SayrusOP1y ago

> Plenty of endpoint vendors have had issues with PTrace (MacOS), kprobes (Linux), eBPF (Linux, K8s), etc.

Nothing is perfect, latest generation of Intel CPUs are unstable, bugs are part of all kernels, and so on and so forth. But eBPF does allow for less crashes than a kernel module and these crashes are usually sandboxing error rather than an error made by the third-party provider.

As a matter of fact, the eBPF Linux version of Crowdstrike did create kernel panics on some distros.

> This means that by offering Microsoft Defender for Endpoint, Microsoft needs to give similar access to the underlying kernel to competing vendors like CRWD and S1.

Absolutely, and that's a good thing. This doesn't seem to prevent them from moving Defender to another set of security APIs or from creating another set of security APIs for anyone to hook on.

thefz1y ago

> Apple did not have to sign a settlement with the EU, which Microsoft did in 2009.

Apple is also irrelevant in the corporate world, where the Crowdstrike shitshow happened, as they produce mostly consumer devices.

alephnerd1y ago

> Apple is also irrelevant in the corporate world

MacOS endpoints are a prominent market as well. There's a reason CRWD, S1, Tanium, and others offer MacOS protection as well.

And anyhow, it seems you are ignoring my point - the settlement with the EU tied MS's hands.

1 more reply

j / k navigate · click thread line to collapse