CrowdStrike IT Outage Explained by a Windows Developer

00:00

hey I'm Dave welcome to my shop I'm Dave

00:03

plumber a retired software engineer from

00:04

Microsoft going back to the MS DOS at

00:06

Windows 95 days and thanks to my time as

00:09

a Windows developer today I'm going to

00:11

explain what the crowd strike issue

00:12

actually is the key difference in curdle

00:14

mode and why these machines are blue

00:16

screening as well as how to fix it if

00:18

you come across one now I've got a lot

00:21

of experience working up to blue screens

00:22

and having them set the tempo of my day

00:25

but this Friday was a little different

00:26

however first off I'm retired now so I

00:28

don't debug a lot of blue screens and

00:31

second I was traveling in New York City

00:32

which left me temporarily stranded as

00:34

the airlines sorted out the digital

00:36

Carnage but that downtime gave me plenty

00:39

of time to pull out the old MacBook and

00:40

figure out what was happening to all the

00:42

windows machines around the world as far

00:45

as we know the crowd strike blue screens

00:47

that we've been seeing around the world

00:48

for the last several days are the result

00:50

of a bad update to the crowd strike

00:52

software but why so today I want to help

00:55

you understand three key things first

00:58

why the crowd strike software is on the

00:59

machines at all and second what happens

01:02

when a kernel driver like crowd strike

01:04

fails and finally we'll look at

01:06

precisely why the crowd strike code

01:08

fults and brings the machines down and

01:10

how and why this update caused so much

01:12

Havoc as systems developers at Microsoft

01:15

in the 1990s handling crashies like this

01:17

was part of our normal bread and butter

01:19

every Dev at Microsoft at least in my

01:21

area had two machines for example when I

01:24

started in Windows NT I had a Gateway

01:26

486 dx250 as my main Dev machine and

01:29

then some old 386 box as a debug machine

01:33

normally you'd run your test or debug

01:34

bits on the debug machine while

01:36

connected to it as the debugger from

01:37

your good machine on nights and weekends

01:40

however we did something far more

01:41

interesting we ran a process called

01:44

anti-stress now anti-stress was a bundle

01:46

of tests that would automatically

01:48

download to the test machines and run

01:50

under the debugger and so every night

01:52

every test machine along with all the

01:53

machines in the various labs around

01:55

campus would run anti stress and put it

01:58

through the gauntlet the stress tests

02:00

were normally written by our test

02:01

Engineers who were software developers

02:03

specially employed back in those days to

02:06

find and catch bugs in the system so as

02:08

an example they might write a test to

02:10

Simply allocate and use as many GDI

02:12

brush handles as possible if doing so

02:14

causes the drawing subsystem to become

02:16

unstable or causes some other program to

02:19

crash then it would be caught and

02:20

stopped in the debugger immediately the

02:23

following day all of the crashes and

02:25

assertions will be tabulated and

02:26

assigned to an individual developer

02:28

based on the area of code in which the

02:30

problem occurred as the developer

02:32

responsible that you would then use

02:34

something like telnet to connect to the

02:35

Target machine debug it and sorted out

02:38

what went wrong all this debugging was

02:40

done in Assembly Language whether it was

02:42

Alpha myips power PC or x86 and with

02:45

minimal symbol table information so it's

02:47

not like we had Visual Studio connected

02:49

still it was enough information to sort

02:51

out most crashes find the code

02:53

responsible and either fix it or at

02:54

least enter a bug to track it in our

02:57

database the hardest issues to sort out

02:59

were the ones on that took place deep

03:00

inside the operating system kernel which

03:02

executes at ring zero on the CPU you see

03:05

the operating system uses a ring system

03:07

to bifurcate code into two distinct

03:09

types kernel mode for the operating

03:11

system itself and user mode where your

03:14

applications run kernel mode does tasks

03:16

such as talking to the hardware and the

03:18

devices managing memory scheduling

03:20

threads and all of the really core

03:22

functionality that the operator system

03:24

provides application code never runs in

03:26

kernel mode and kernel code never runs

03:28

in user mode kernel mode is more

03:30

privileged meaning it can see the entire

03:32

system memory map and what's in memory

03:34

at any physical page in any instance

03:37

user mode only sees the memory map pages

03:39

that the colel wants you to see so if

03:41

you're getting the sense that the kernel

03:42

is very much in control that's an

03:44

accurate picture even if your

03:46

application needs a service provided by

03:47

the kernel it won't be allowed to just

03:49

run down inside the kernel and execute

03:51

it instead your user thread will reach

03:53

the kernel boundary and then raise an

03:55

exception and wait a kernel thread on

03:57

the Kernel side then looks at the

03:59

specified ARG ments fully validates

04:01

everything and then runs the required

04:03

kernel code when it's done the kernel

04:05

thread Returns the results to the user

04:06

thread and let it continue on its merry

04:08

way there is one other substantive

04:10

difference between kernel mode and user

04:12

mode when application code crashes the

04:15

application crashes when kernel mode

04:17

crashes the system crashes it crashes

04:20

because it has to imagine a case where

04:22

you had a really simple bug in the

04:24

kernel that freed memory twice when the

04:26

kernel code detects that it's about to

04:28

free already freed memory it can just

04:29

detect that this is a critical failure

04:31

and when it does it bluec screens the

04:33

system because the Alternatives could be

04:36

worse consider a scenaria where this

04:38

double freed code is allowed to continue

04:40

maybe with an airror message maybe even

04:41

allowing you to save your work the

04:43

problem is that things are so corrupted

04:45

at this point that saving your work

04:47

could do more damage erasing or

04:48

corrupting the file Beyond repair worse

04:51

since it's the kernel system that's

04:52

experiencing the issue application

04:54

programs are not protected from one

04:56

another in the same way the last thing

04:58

you want is Solitaire during a kernel

05:00

bug that damages your GI enlistment and

05:03

that's why when an unexpected condition

05:04

occurs in the kernel the system is just

05:06

halted this is not a Windows Thing by

05:08

any stretch it is true for all modern

05:10

operating systems like Linux and Mac OS

05:12

as well in fact the biggest difference

05:14

is the color of the screen when the

05:16

system goes down on Windows it's blue

05:18

but on Linux it's black and on Mac OS

05:20

it's usually pink but as on all systems

05:22

a kernel issue is a reboot at a minimum

05:25

now that we know a bit about kernel mode

05:27

versus user mode Let's talk about what

05:29

spefic specifically runs in kernel mode

05:31

and the answer is very very little the

05:33

only things that go in the kernel mode

05:35

are things that have to like the thread

05:37

schedule and the Heap manager and

05:38

functionality that must access the

05:40

hardware such as the device driver that

05:42

talks to a GPU across the pcie bus and

05:46

so the totality of what you run in

05:47

curdle mode really comes down to the

05:49

operating system itself and device

05:50

drivers and that's where crowd strike

05:53

enters a picture with their Falcon

05:55

sensor Falcon is a security product and

05:57

while it's not just simply an antivirus

05:59

it's is not that far off the mark to

06:01

look at it as though it's really anti-

06:02

maware for the server but rather than

06:05

just looking for file definitions it

06:06

analyzes a wide range of application

06:09

Behavior so that it can try to

06:10

proactively detect new attacks before

06:13

they're categorized and listed in a

06:14

formal definition and to be able to see

06:17

that application behavior from a clear

06:19

vantage point that code needed to be

06:21

down in the kernel without getting too

06:23

far into the weeds of what crowd strike

06:25

Falcon actually does suffice it to say

06:27

that it has to be in the kernel to do it

06:29

and so crowd strike wrote a device

06:31

driver even though there's no Hardware

06:32

device that it's really talking to but

06:35

by writing their code as a device driver

06:36

it lives down with the kernel in ring

06:38

zero and has complete and unfettered

06:40

access to the system data structures and

06:42

the services that they believe it needs

06:44

to do its job now everybody at Microsoft

06:46

and probably at crowd strike is aware of

06:49

the stakes when you run code in kernel

06:51

mode and that's why Microsoft offers the

06:53

whql certification which stands for

06:55

Windows Hardware quality Labs drivers

06:58

labeled this whql certified have been

07:01

thoroughly tested by the vendor and then

07:02

have passed the windows Hardware lab kit

07:04

testing on various platforms and

07:06

configurations and are signed digitally

07:08

by Microsoft as being compatible with

07:10

the Windows operating system by the time

07:13

a driver makes it through the whql lab

07:15

test and certifications you can be

07:17

reasonably assured that the driver is

07:19

robust and trustworthy and when it's

07:21

determined to be so Microsoft issues

07:23

that digital certificate for that driver

07:26

as long as the driver itself never

07:27

changes the certificate remain remains

07:29

valid but what if you're crowd strike

07:31

and you're agile ambitious and

07:33

aggressive and you want to ensure that

07:34

your customers get the latest protection

07:36

as soon as new threats emerge every time

07:39

something new pops up on the radar you

07:40

could make a new driver and put it

07:42

through the hardware quality Labs get it

07:44

certified signed and release the updated

07:46

driver and for things like video cards

07:48

that's a fine process I don't actually

07:51

know what the whql turnaround time is

07:53

like whether that's measured in days or

07:55

weeks but it's not instant and so you'd

07:57

have a Time window where a zero day

07:59

could propagate and spread simply

08:02

because of the delay in getting an

08:03

updated crowd strike driver built and

08:05

signed what crowd strike often to do

08:07

instead was to include definition files

08:10

that are processed by the driver but not

08:13

actually included with it so when the

08:15

crowd strike driver wakes up it

08:16

enumerates a folder on the machine

08:18

looking for these dynamic definition

08:19

files and it does whatever it is that it

08:21

needs to do with them but you can

08:23

already perhaps see the problem let's

08:26

speculate for a moment that the crowd

08:27

strike dynamic definition files are not

08:29

mer

08:29

malware definitions but complete

08:31

programs in their own right written in a

08:33

PE code that the driver can then execute

08:36

in a very real sense then the driver

08:38

could take the update and actually

08:40

execute the PE code within it in curdle

08:42

mode even though that update itself has

08:44

never been signed the driver becomes the

08:47

engine that runs the code and since the

08:48

driver hasn't changed the sech is still

08:50

valid for the driver but the update

08:52

changes the way the driver operates by

08:54

virtue of the P code that's contained in

08:56

the definitions and what you've got then

08:58

is unsigned code of unknown provenance

09:01

running in full kernel mode all it would

09:03

take is a single little bug like a null

09:05

point of reference and the entire Temple

09:06

would be torn down around us put more

09:08

simply while we don't yet know the

09:10

precise cause of the bug executing

09:12

untrusted PE code in the kernel is Risky

09:14

Business at best and could be asking for

09:16

trouble we can get a better sense of

09:18

what went wrong by doing a little

09:19

postmortem debugging of our own first we

09:22

need to access a crash dump report the

09:24

kind you used to get in the good old an

09:26

days but are now hidden behind the happy

09:28

face blue screen

09:29

depending on how your system is

09:31

configured though you can still get the

09:32

crash dump info and so there was no real

09:34

shortage of dumps around to look at

09:36

here's an example from Twitter so let's

09:37

take a look about a third of the way

09:40

down you can see the offending

09:41

instruction that caused the crash it's

09:43

an attempt to move data to register nine

09:45

by loading it from a memory pointer in

09:47

register 8 couldn't be simpler the only

09:49

problem is that the pointer in register

09:51

8 is garbage it's not a memory addressed

09:53

at all but a small integer of 9 C hex

09:56

which is likely the offset of the field

09:58

they're actually interested in with in

09:59

the data structure but they almost

10:01

certainly started with a null pointer

10:03

then added 9C to it and then just

10:04

dereferenced it now debugging something

10:06

like this is often an incremental

10:08

process where you wind up establishing

10:10

okay so this bad thing happened but what

10:11

happened Upstream beforehand to cause

10:13

the bad thing and in this case it

10:15

appears that the cause is the dynamic

10:17

data file downloaded as a Cy file

10:20

instead of containing pcode or a malware

10:22

definition or whatever was supposed to

10:23

be in the file it was all just zeros we

10:26

don't know yet how or why this happened

10:28

as crowd strike hasn't publicly released

10:30

that information yet what we do know to

10:33

an almost certainty at this point

10:34

however is that the crowd strike driver

10:36

that processes and handles these updates

10:38

is not very resilient and appears to

10:40

have inadequate air checking and

10:41

parameter

10:42

validation parameter validation means

10:45

checking to ensure that the data and

10:46

arguments being passed to a function and

10:48

in particular to a kernel function are

10:50

valid and good if they're not it should

10:53

fail the function call not cause the

10:55

entire system to crash but in the

10:57

crowdstrike case they've got a bu they

10:59

don't protect against and because their

11:01

code lives in ring zero with the kernel

11:03

a bug and crowd strike will necessarily

11:05

bug check the entire machine and deposit

11:07

you into the very dreaded recovery blue

11:10

screen now even though this isn't a

11:12

Windows issue or a fault with Windows

11:14

itself many people have asked me why

11:15

Windows itself isn't just more resilient

11:17

to this type of issue for example if a

11:19

driver fails during boot why not try to

11:21

boot next time without it and see if

11:23

that helps and windows in fact does

11:25

offer a number of facilities like that

11:27

going back as far as booting n with last

11:29

KN and good registry Hive but there's a

11:31

catch and that catch is that crowd

11:33

strike marked their driver as what's

11:35

known as a boot driver a boot driver is

11:38

a device driver that must be installed

11:40

to start the Windows operating system

11:43

most boot drivers are included in driver

11:45

packages that are in the box with

11:47

Windows and windows automatically

11:48

installs these boot start drivers during

11:50

their first boot of the system my guess

11:52

is that crowd strike decided they didn't

11:54

want you booting at all without their

11:56

protection provided by their system but

11:58

when it crashes as it does now your

12:00

system is completely borked fixing a

12:03

machine with this issue is fortunately

12:04

not a great deal of work but it does

12:06

require physical access to the machine

12:09

to fix a machine that's crashed due to

12:11

this issue you need to boot it into safe

12:13

mode because safe mode only loads a

12:15

limited set of drivers that mercifully

12:17

can still contend without this boot

12:18

driver you'll still be able to get into

12:20

at least a limited system then to fix

12:23

the machine use the console or the file

12:25

manager and go to the path window like

12:28

Windows and then system through 32

12:29

drivers crowd strike in that folder find

12:33

the file matching the pattern C and then

12:35

a bunch of zeros 2 91. cist and delete

12:38

that file or anything that's got the 291

12:41

in it with a bunch of zeros when you

12:43

reboot your system should come up

12:45

completely normal and operational the

12:47

absence of the update file fixes the

12:49

issue and does not cause any additional

12:51

ones it's a fair bet that the update 291

12:53

won't ever be needed or used again so

12:55

you're fine to Nuke it if you found

12:57

today's episode to be any combination of

12:59

informative or entertaining remember I'm

13:01

mostly in this for the subs and likes so

13:03

I'd be honored if you consider

13:04

subscribing to my channel and leaving a

13:06

like on this video and if you're already

13:08

subscribed thank you please consider

13:10

sending this video to a friend if you

13:12

think it covered the subject well and

13:14

please do check out the free sample of

13:15

my new book on Amazon the non-visible

13:17

part of the autism spectrum it's

13:19

intended for folks that don't have ASD

13:21

but who suspect they might have a few

13:23

characteristics that put them somewhere

13:25

on the autism spectrum it's everything I

13:27

know now about living a successful life

13:29

on the spectrum that I wish I'd known

13:31

long ago check it out at the link in the

13:33

video description in the meantime and in

13:35

between time hope to see you next time

13:37

right here in Dave's Garage