<p>Shawn Webb</p><p>If I were a developer for <a href="https://bsd.network/tags/Crowsdstrike" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Crowsdstrike</span></a>, I would also learn the importance of doing the parsing heavy lifting in userland, preferably in a capabilities-enabled process (read: <a href="https://bsd.network/tags/FreeBSD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FreeBSD</span></a> <a href="https://bsd.network/tags/Capsicum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Capsicum</span></a>-like capabilities).</p><p>It is far better to see an event log entry for a failed-to-parse update than to panic the kernel.</p><p>The ring0 code definitely still needs to apply reasonableness and sanity checks on the data passed in from the userland process.</p><p><a href="https://bsd.network/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
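<p>The privileged-side "reasonableness and sanity checks" the post calls for, sketched as an added example that is not part of the original post and is not any vendor's or FreeBSD's code. The blob layout, the constants and the <code>upd_*</code> names are all hypothetical and constructed for illustration; the code is plain portable C standing in for the ring0 consumer of data handed over by the userland parser.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical update-blob layout (constructed for this example, host byte order):
 *   header: magic(u32) version(u16) count(u16) table_off(u32)
 *   table:  count entries of { data_off(u32), data_len(u32) }            */
#define UPD_MAGIC   0x55504454u   /* made-up value */
#define UPD_VERSION 1
#define UPD_MAX_ENT 64            /* reasonableness cap, not just a bounds check */
#define UPD_HDR_SZ  12u
#define UPD_ENT_SZ  8u

enum upd_err { UPD_OK = 0, UPD_ESHORT, UPD_EMAGIC, UPD_EVERSION,
               UPD_ECOUNT, UPD_ETABLE, UPD_EENTRY };

/* memcpy-based reads avoid unaligned access on the raw buffer. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* Privileged-side check: treat the buffer as hostile even though our own
 * userland parser produced it. Every failure is an error code the caller
 * can log and reject; nothing is read before it is bounds-checked. */
enum upd_err upd_validate(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < UPD_HDR_SZ)
        return UPD_ESHORT;
    if (rd32(buf) != UPD_MAGIC)
        return UPD_EMAGIC;
    if (rd16(buf + 4) != UPD_VERSION)
        return UPD_EVERSION;

    uint16_t count = rd16(buf + 6);
    uint32_t table_off = rd32(buf + 8);
    if (count == 0 || count > UPD_MAX_ENT)
        return UPD_ECOUNT;
    /* Subtract instead of add so the comparison cannot wrap. */
    if (table_off < UPD_HDR_SZ || table_off > len ||
        (size_t)count * UPD_ENT_SZ > len - table_off)
        return UPD_ETABLE;

    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = buf + table_off + (size_t)i * UPD_ENT_SZ;
        uint32_t off = rd32(e), dlen = rd32(e + 4);
        if (off > len || dlen > len - off)
            return UPD_EENTRY;
    }
    return UPD_OK;
}
```

<p>A rejected blob surfaces as a return code that the caller can turn into an event log entry, which is the failure mode the post prefers over a kernel panic.</p>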