Analyzing the report from CrowdStrike

CrowdStrike has finally released its full report on what happened, and you can find it here. There are quite a few interesting points in it. First, let us go through what stands out in the report.

1. “Rapid Response Content is delivered through Channel Files and interpreted by the sensor’s Content Interpreter, using a regular expression based engine”. If this really is a regular-expression engine, that is bad news. As you probably know, Windows kernel drivers are typically written in C, and I would never put a C-based regular expression engine into a driver. It is simply too risky.

There are several problems with regular expression libraries. First, it is hard to prove that one works correctly. A typical engine makes many memory allocations and maintains a lot of tricky internal structures (parse trees, state machines, backtracking stacks). As a result, it can suffer from every class of bug typical of C programs: use of freed memory, out-of-bounds access, stack overflow from deep recursion, and so on.

Second, except in trivial cases, it is really hard to understand what a particular expression does. For example, I asked ChatGPT to generate a regex that validates an email address and was given this expression:
^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$

It does not look too bad, and I can follow what is going on. But when I pushed further, it turned out that a dash cannot appear at the beginning or end of a hostname label. For example, test@-test.com is not a valid address, and ChatGPT produced a new expression:
^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+$

With this one it is already hard to tell whether it is correct. Then I pointed out that test@test..com is also not a valid address, and ChatGPT provided yet another version:

^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z]{2,})+(?<!\.\.)$

This one is even harder, and I am pretty sure few people can tell whether it correctly validates an email address or not.

This is one of the biggest dangers of regex. It looks easy and simple at first but quickly turns into an unreadable, unmaintainable mess that nobody understands. As a result, it is often possible to craft invalid input that will be treated as valid. And CrowdStrike confirms this: “In part, this was due to the use of wildcard matching criteria”.
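Rather than eyeball the three expressions, it is quicker to run them. The script below is added here as an example; it is not code from CrowdStrike's report or from ChatGPT, only the three patterns quoted above. The test addresses are constructed, and the expected verdicts assume the usual hostname rules (a label may not start or end with a dash, and there are no empty labels).

```python
import re

# Added example, not code from the original post. v1, v2 and v3 are the three
# patterns quoted in the post; the addresses and expected verdicts below are
# constructed here to probe them.
PATTERNS = {
    "v1": r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$",
    "v2": r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
          r"(?:\.[a-zA-Z]{2,})+$",
    "v3": r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
          r"(?:\.[a-zA-Z]{2,})+(?<!\.\.)$",
}
COMPILED = {name: re.compile(pat) for name, pat in PATTERNS.items()}

# (address, should a hostname-aware validator accept it?)  -- constructed cases
CASES = [
    ("test@test.com", True),
    ("test@-test.com", False),            # label starts with a dash
    ("test@test..com", False),            # empty label between the dots
    ("alice@mail.my-company.com", True),  # dash inside a non-first label
    ("bob@mail.sub1.example.com", True),  # digit inside a non-first label
]


def accepts(version: str, address: str) -> bool:
    """True if the given pattern version accepts the whole address."""
    return COMPILED[version].fullmatch(address) is not None


def mismatches(version: str) -> list:
    """Addresses on which a pattern version disagrees with the expected verdict."""
    return [addr for addr, expected in CASES if accepts(version, addr) != expected]


def agree_on_cases(a: str, b: str) -> bool:
    """True if two pattern versions give identical verdicts on every case."""
    return all(accepts(a, addr) == accepts(b, addr) for addr, _ in CASES)


if __name__ == "__main__":
    for addr, expected in CASES:
        verdicts = "  ".join(f"{v}={accepts(v, addr)!s:5}" for v in PATTERNS)
        print(f"{addr:28} expected={expected!s:5} {verdicts}")
    for v in PATTERNS:
        print(f"{v} wrong on: {mismatches(v)}")
    print("v2 and v3 identical on all cases:", agree_on_cases("v2", "v3"))
```

Two things fall out. Version 2 already rejects test@test..com, because each (?:\.[a-zA-Z]{2,}) group demands letters immediately after the dot; a match can therefore never end in two dots, so the lookbehind added in version 3 changes nothing at all. Worse, versions 2 and 3 reject perfectly valid addresses such as alice@mail.my-company.com, because every label after the first may contain only letters. Each "fix" moved the bug rather than removing it, and none of this is visible by reading the expression.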

That is why it should not be used in a driver: it is simply not possible to validate such an extremely complex piece of code.

2. “Therefore, the attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array and resulted in a system crash”. This is also quite bad. We are talking about a kernel driver, where every array access must be bounds-checked. An out-of-bounds read is also a potential security vulnerability, and here it is caused by the driver that is supposed to keep your system safe. Quite ironic.

3. In my previous post on this topic I wrote “Preliminary reports show that I was correct in my assumption that they don’t have a correct deployment policy”. Their report confirms the issue: “6. Template Instances should have staged deployment”. It took only billions in damages to figure that out.

4. And they still cannot resist shifting at least part of the blame to Microsoft: “Significant work remains for the Windows ecosystem to support a robust security product that doesn’t rely on a kernel driver for at least some of its functionality”.

Now for what I did not see in this report. I definitely do not see anything that would prevent exactly the same situation from happening again. Yes, all these mitigations are nice and will reduce the chance, but it can still happen. And if it happens again, the result will be exactly the same: millions of computers bricked.

In conclusion, CrowdStrike has explained nicely why this problem happened and how they want to fix it. But they have not addressed the main issue: how to prevent it from happening again. Their driver is a complex piece of code, and there is still a chance that it will crash at startup.

Yes, they have hopefully reduced that chance, but it is still far from zero. And if it happens again, millions of computers will stop working and will require manual work to restore them. So to me the root problem is still not fixed; it is still a ticking bomb waiting to explode.

And after reading this report, I still stand by my original assessment that this company does not look like a professional one, because I am far from being a security expert and yet I see too many security issues and concerns.