Recent CrowdStrike Outage Emphasizes the Need for eBPF-Based Sensors

In the rapidly evolving landscape of cybersecurity, even industry leaders like CrowdStrike are not immune to disruptions. On July 19th, 2024, a significant IT outage was attributed to CrowdStrike's endpoint protection sensor update.

This incident has caused an outage impacting various sectors such as finance, healthcare, education, government services, and has caused major delays in flights all over the world.

The outage seems to be caused by a failed attempt to deploy a new kernel driver during the sensor’s update, which also raises important questions about the lack of a gradual updating mechanism that can help prevent incidents such as this.

A Temporary Workaround To The CrowdStrike Sensor Issue

For users affected by the recent CrowdStrike outage, here’s a step-by-step guide to mitigate the issue:

1. Boot into the Windows Recovery Console:

• Restart your computer and press the appropriate key (usually F8) to access the recovery options.

2. Navigate to the drivers directory:

• Once in the recovery console, run this command: cd C:\Windows\System32\Drivers\CrowdStrike

3. Locate and delete the impacted driver:

• Then run this command to delete the faulty driver: delete C-00000291*.sys

4. Exit the recovery console

• Exit the recovery console and restart your computer. This should temporarily resolve the issue until a permanent fix is deployed by CrowdStrike.

The Challenge of Kernel Drivers

Kernel drivers are software components that operate at the heart of an operating system, interacting directly with hardware and managing critical system resources. While kernel drivers are essential for many functionalities, including security software like CrowdStrike's Falcon platform, they also pose significant risks.

Developing and deploying a kernel driver is a complex and delicate operation that can easily go wrong. A minor error in the driver code can lead to system instability, kernel crashes, and in some cases, complete system outages.

eBPF: A Safer, More Flexible Alternative

While the recent CrowdStrike outage specifically impacted their Windows sensor, Linux based sensors are able to benefit from the inherent safety of using eBPF, which is not yet fully implemented into the Windows kernel.

eBPF (extended Berkeley Packet Filter) is a revolutionary technology that has recently become mature and is transforming the way we develop security and observability tools. With eBPF, we can write programs that run safely in the Linux kernel without the need for kernel modules or kernel recompilation.

Unlike traditional kernel drivers, eBPF programs are sandboxed and verified by the kernel to ensure they cannot harm the system. This makes eBPF a much safer and more reliable option for security and observability tasks. Moreover, eBPF programs are incredibly flexible and can be dynamically loaded and unloaded without requiring system reboots.

eBPF-Based Sensors: The Future of Security Sensors

In the wake of the CrowdStrike outage, it is clear that we need to rethink our approach to endpoint security. The legacy model of relying on kernel drivers is full of risks and is no longer sustainable in today's dynamic threat landscape.

eBPF-based sensors offer a compelling alternative. They are safer, more flexible, and easier to deploy and manage than traditional kernel-based sensors. By leveraging the power of eBPF, we can build security solutions that are more resilient, adaptable, and better equipped to protect our systems from the ever-evolving threats we face.

While eBPF's current limitation is that it's only available for Linux systems, the concept itself exemplifies the future of secure, adaptable, and less intrusive monitoring technologies. Efforts to develop similar capabilities for Windows can transform endpoint security and prevent outages like the recent CrowdStrike incident.

Conclusion

The recent CrowdStrike outage serves as a reminder of the inherent risks associated with kernel drivers. It is time for the security industry to embrace the power of eBPF and build a new generation of runtime security solutions that are safer, more flexible, and better suited to the challenges of the modern world.