WireGuard Sees Native, High-Performance Port To The Windows Kernel

#11
Originally posted by linner:
    There is just something about a product like WireGuard being built into the kernel that makes me uneasy. At least OpenVPN can run as "nobody".

    An exploit in WG could mean remote root access, no? :/

And while only some part of WireGuard is in the kernel, perhaps this is a perfect example of why using Rust in the kernel could be a very good approach to address at least a common exploit path (there are a couple of WireGuard implementations in Rust). So let's move to including Rust (and LLVM) faster?


#12
Originally posted by aspen:
    It's just that context switching between kernelspace and userspace is expensive, and therefore it's more performant to offload some of it to kernelspace.

That was probably Microsoft's motivation in implementing the Windows GUI, fonts and printing[1] as kernel components too :P

[1] The Graphics Device Interface is responsible for tasks such as drawing lines and curves, rendering fonts and handling palettes. The Windows NT 3.x series of releases had placed the GDI component in the user-mode Client/Server Runtime Subsystem, but this was moved into kernel mode with Windows NT 4.0 to improve graphics performance.


#13
Originally posted by linner:
    There is just something about a product like WireGuard being built into the kernel that makes me uneasy. At least OpenVPN can run as "nobody".

    An exploit in WG could mean remote root access, no? :/

While I cannot comment on the exploitability of the WG driver, it could be a potential attack avenue. Any driver that is exploited can give a remote hacker ring 0/1 privileges. Not that it matters; there are so many potential exploits everywhere, and an exploit also needs a method to attack it. Any time you click yes on that annoying pop-up window (UAC) you give it admin privs, so every app you run is a potential app that can be exploited.

That being said, when connecting to a malicious WireGuard VPN (assuming there is a potential exploit, which is good safety practice), it is entirely possible that they could form malicious packets that could corrupt it. But honestly I don't see it being a great issue.