
A pointer that brought the world to a standstill

Abhijit Mohanta
July 21, 2024

Who's the culprit?

A memory pointer in a computer program that brought the whole world to a standstill.

What happened?

A minor bug in a kernel driver of CrowdStrike Falcon, one of the most popular Endpoint Detection and Response (EDR) solutions, caused a Blue Screen of Death (BSOD) on a large number of computers across the world. The bug crashed systems running CrowdStrike Falcon EDR on Windows, causing a massive outage of crucial services in industries ranging from hospitals to airlines.

How did it happen?

CrowdStrike updated a driver, CSAgent.sys, as part of their upgrades. The bug occurred when the driver tried to access an invalid memory address. Upon reviewing the decompiled code in Ghidra, it seemed like the programmer mistook a structure variable for a pointer and tried to dereference it, that is, read the contents of the address it supposedly pointed to. Since the structure is not an actual pointer, the read led to an access violation.


If the bug had been in user-mode code it would have crashed only that process, but since it was in a kernel driver it brought down the whole system with a blue screen, as shown below.


Fig: bluescreen (credit: Economic Times)
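The structure-versus-pointer confusion described above, as an added illustration that is not CrowdStrike's code or data format: a hypothetical content record whose payload word is either an inline value or an offset, a buggy reader that ignores the flag and turns the inline value into an address, and a hardened reader that honours the flag and bounds-checks the offset before dereferencing (in a kernel driver, the buggy path's access violation is the BSOD).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record format (hypothetical, not CrowdStrike's): the payload
 * word is a value stored BY VALUE when REC_INLINE is set, otherwise an
 * offset to a NUL-terminated string inside the content blob. */
#define REC_INLINE 0x1u
struct record { uint32_t flags; uint32_t payload; };

/* Constructed sample blob and records ("hello" sits at offset 4). */
static const uint8_t BLOB[] = "hdr:hello";
static const struct record REC_STR    = { 0,          4 };
static const struct record REC_INL    = { REC_INLINE, 0x5A5A5A5A };
static const struct record REC_BROKEN = { 0,          400 };

/* BUGGY reader: ignores the flag, so an inline value is used as an offset
 * and turned into an address. This only computes the address; a driver
 * that then read from it would take an access violation (kernel: BSOD). */
static uintptr_t buggy_target(const uint8_t *blob, const struct record *r)
{
    return (uintptr_t)blob + r->payload;
}

/* Hardened reader: honour the flag and bounds-check the offset before it
 * is dereferenced. Returns 0 on success, -1 on a malformed record, so the
 * caller can fail closed instead of crashing. */
static int safe_read(const uint8_t *blob, size_t len, const struct record *r,
                     uint32_t *inline_val, const char **str)
{
    *inline_val = 0; *str = NULL;
    if (r->flags & REC_INLINE) { *inline_val = r->payload; return 0; }
    if (r->payload >= len) return -1;               /* offset past the blob */
    if (!memchr(blob + r->payload, '\0', len - r->payload)) return -1;
    *str = (const char *)(blob + r->payload);
    return 0;
}

/* Returns 1 when the hardened reader accepts the two well-formed records,
 * rejects the broken one, and the buggy reader's address for the inline
 * record lies outside the blob (i.e. would have faulted). */
int demo_outcome(void)
{
    uint32_t v; const char *s;
    int ok = safe_read(BLOB, sizeof BLOB, &REC_STR, &v, &s) == 0 && s && !strcmp(s, "hello");
    ok = ok && safe_read(BLOB, sizeof BLOB, &REC_INL, &v, &s) == 0 && v == 0x5A5A5A5A;
    ok = ok && safe_read(BLOB, sizeof BLOB, &REC_BROKEN, &v, &s) == -1;
    ok = ok && buggy_target(BLOB, &REC_INL) - (uintptr_t)BLOB >= sizeof BLOB;
    return ok;
}
```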

What is the solution?

The solution is to boot into Safe Mode and remove the faulty driver from the system.

How can we avoid this?

The crash raises several questions about coding practices in the IT industry:

  1. Wasn't the code peer-reviewed?

  2. How did an update in the kernel driver pass the quality check?

Let us understand some of the best practices for programmers:

  1. Do not blindly copy and paste code from open-source snippets, which might be buggy.

  2. Avoid using ChatGPT-generated code in production as it may have logical errors and vulnerabilities.

  3. Always review the libraries pulled in by open-source code, as they can be modified by attackers, leading to supply chain attacks.

  4. Crucial code such as kernel drivers or other system-level code should be properly peer-reviewed.