The CrowdStrike chaos was caused by software running riot in the Windows kernel after an update tripped up the code. eBPF is a useful tool for kernel tracing and observability, but could it have mitigated the CrowdStrike incident?
"It's interesting," Tom Wilkie, CTO of observability specialist Grafana Labs tells The Register, "because there was a vulnerability in the eBPF runtime that caused a similar outage that was also triggered by CrowdStrike in a certain Red Hat kernel."
Wilkie is referring to an incident in June, when Red Hat warned its customers of an issue related to CrowdStrike's Falcon Sensor. The problem paled into insignificance compared to what happened a few short weeks later, when a CrowdStrike update left 8.5 million Windows computers across the world stuck in a blue screen boot loop.
eBPF allows software to run in a virtual machine (VM) in the Linux kernel, permitting developers to add capabilities at runtime. The theory goes that an eBPF program can't crash the kernel because it runs in a sandbox and is safety-checked by a verifier. Because of the low level at which some programs run, it's a popular way of implementing observability and security.
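To make concrete what "safety-checked by a verifier" means, here is a toy model of the verifier's path-by-path range analysis: an added example, not code from the article, Grafana Labs or the kernel, with a constructed instruction set, buffer size and sample programs.

```python
"""Toy model of the eBPF verifier's load-time check: walk every path,
track a [min, max] range per register, and reject any load that is not
provably inside the context buffer and any backward jump (a loop).
Constructed example; not the kernel's verifier or the real eBPF ISA."""
from typing import Dict, List, Tuple

Regs = Dict[str, Tuple[int, int]]   # register -> inclusive [min, max]
CTX_SIZE = 64                        # bytes of context a program may read

class Rejected(Exception):
    pass

def _walk(prog: List[tuple], pc: int, regs: Regs, path: frozenset) -> None:
    if pc in path:                       # revisiting a pc on this path = loop
        raise Rejected(f"back-edge to pc {pc}")
    if pc >= len(prog):
        raise Rejected("fell off the end without exit")
    op, *args = prog[pc]
    path = path | {pc}
    if op == "exit":
        return
    if op == "ld":                       # ld dst, [idx + off]: read one ctx byte
        dst, idx, off = args
        lo, hi = regs[idx][0] + off, regs[idx][1] + off
        if lo < 0 or hi >= CTX_SIZE:
            raise Rejected(f"pc {pc}: index may be {lo}..{hi}, ctx is 0..{CTX_SIZE - 1}")
        _walk(prog, pc + 1, {**regs, dst: (0, 255)}, path)
    elif op == "jlt":                    # jlt reg, imm, target: if reg < imm goto target
        reg, imm, target = args
        lo, hi = regs[reg]
        if lo < imm:                     # taken branch narrows reg to [lo, imm-1]
            _walk(prog, target, {**regs, reg: (lo, min(hi, imm - 1))}, path)
        if hi >= imm:                    # fall-through narrows reg to [imm, hi]
            _walk(prog, pc + 1, {**regs, reg: (max(lo, imm), hi)}, path)
    else:
        raise Rejected(f"pc {pc}: unknown opcode {op}")

def verify(prog: List[tuple]) -> str:
    """Return 'ok' or the rejection reason. r1 holds untrusted input on entry."""
    regs = {"r0": (0, 0), "r1": (0, 2**32 - 1), "r2": (0, 0)}
    try:
        _walk(prog, 0, regs, frozenset())
        return "ok"
    except Rejected as why:
        return str(why)

# Constructed programs. SAFE reads ctx[r1] only on the path where r1 < 64 is proven.
SAFE = [("jlt", "r1", CTX_SIZE, 2), ("exit",), ("ld", "r0", "r1", 0), ("exit",)]
UNCHECKED = [("ld", "r0", "r1", 0), ("exit",)]      # r1 is unbounded here
LOOP = [("jlt", "r2", 1, 0), ("exit",)]             # jumps back to itself
```

Calling `verify()` on the three programs returns "ok" for SAFE and a reason string for the other two. The kernel's verifier tracks far richer state and, since Linux 5.3, accepts loops it can prove bounded; this toy keeps the classic no-back-edge rule.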