News Windows 3.1 saves the day during CrowdStrike outage — Southwest Airlines scrapes by with archaic OS

[Eximo]

Is Southwest still flying Boeing 737s? If so, enough said...

Pretty much every airline is, only a few exceptions. They've been making the things since 1969 with iterations, engine upgrades, etc.

 

[bit_user]

I don't think eBPF is such a panacea as you describe it.

From your wiki link I see that it's static code analysis and it only checks whether pointers are checked before dererferencing and whether loops are guaranteed to have an exit condition -- if it passes then executable doesn't have any further restrictions and can still cause havoc because static code analysis most certainly is bound to have some unhandled corner case hiding somewhere.

eBPF uses a custom intermediate representation, which avoids some of the ambiguity of a language like C. If the verifier can't conclude that the program is safe, it's not allowed to run. Unlike normal programmer static analysis tools, it's not a "best-effort" sort of affair and no ambiguity is tolerated.

As for pointer dereferencing, it's described this way:

"One thing that differs significantly between typical userspace C programs and eBPF programs, is the safety guarantees of operations. When writing a user-space C program, invalid memory accesses are caught as segmentation faults. In eBPF programs, invalid memory accesses must not happen in any circumstances.

Programs that do not have the necessary safeguards will not be accepted by the verifier. To follow a pointer, for example, the program must use the bpf_probe_read() function. This function will verify that the pointer is valid and copy the desired memory space before continuing the program execution."

Source: https://hed.am/papers/2021-EBPF.pdf
​

Also, it doesn't seem to be of much use for stuff not related to networking and EDR solution also needs access to pipes, IOCTLs of other drivers, and file handles.

It started out as a glorified solution for writing firewall rules and then got generalized from there. A lot of the earlier stuff written about it might mention limitations which no longer exist or fail to list capabilities that have been added more recently.

There's even a version for Windows if you are interested on GitHub.

The question is whether Windows executes it in kernel, which I doubt. I think the kernel would have to natively support it, in order to attain the performance benefits that native execution can provide.

 

[bit_user]

Of course, this article is completely wrong in its entire premise.

Yes, these ancient versions of Windows aren't getting updates, but since it wasn't a Windows Update that caused the problem, that's immaterial.

I think the mention of no updates was in reference to fixing the security flaws that are surely rife, in such old versions of Windows. Therefore, not immaterial.

 

[danny009]

Using Intel 4th gen CPU Hells Canyon, Witcher 3, Cyberpunk 2077, 1060 6GB, WD 2TB, Stock fans. All is good since 2010s.

Windows 10 Pro for Workstations. Never upgraded nor updated a thing. Bitdefender AV. Gpedit.msc is my oldest and best friend.

"All our problems is there because we don't think much." Thinkpad Laptops creator.

 

[CmdrShepard]

It started out as a glorified solution for writing firewall rules and then got generalized from there. A lot of the earlier stuff written about it might mention limitations which no longer exist or fail to list capabilities that have been added more recently.

I have checked the official docs and enums for hooks and didn't see anything but packet stuff. Source for additional functionality please.

The question is whether Windows executes it in kernel, which I doubt.

Well it says you have to install a driver. I don't see how it could work otherwise.

I still think that some years from now someone will find a clever exploit for it, and I am not at all convinced it is useful except for firewalls.

 

[bit_user]

I have checked the official docs and enums for hooks and didn't see anything but packet stuff. Source for additional functionality please.

... I am not at all convinced it is useful except for firewalls.

Here are a few developments that might be of interest.

Thread scheduling extensions, via eBPF:

https://www.phoronix.com/news/Linux-Scheduler-eBPF-v2-sched
​

Device driver extensions, enabling device-specific customizations of HID (Human Interface Devices, like mouse, wheel, game controller, etc.) to be added via eBPF:

https://www.phoronix.com/news/Linux-6.11-More-HID-BPF
​

Here's an older effort, but it shows a more expansive vision. Walmart created a project to establish an online marketplace for eBPF functions:

https://www.phoronix.com/news/Walmart-L3AF-eBPF
​

I have no idea if it's still a going concern, but it furthers the idea that eBPF is useful for a lot more than firewall rules.

 

[guyonearth]

This is complete nonsense. All these so-called computer experts and no one can tell when someone was trolling. Neither Win 3.1 or Win 95 can even boot on hardware made in the last 20 years, there's no device drivers. Southwest was unaffected because they don't use Crowdstrike, simple as that.