Conversation

Precisely this :). It’s like a whole bunch of people wearing Patagonia talking about how easy it is to climb this mountain vs. another when they’ve never done more than a day hike.

Quote Tweet

David Weston (DWIZZZLE)

@dwizzzleMSFT

May 4, 2019

Twitter: “exploit mitigations are so easy to bypass” Walking by office of someone who actually writes exploits: “damn, I’m still stuck trying to work around all this annoying shit”

Replying to

So the mitigations are annoying to bypass, yes - but does it stop anybody? No. Is it the same level of annoying when you do it for the 2nd or Nth time? No.

Replying to

and

The people cursing about the mitigations do not have a day job writing attacks against the same targets over and over again; conversely, those that do, do not bitch about mitigations that much. :-)

Replying to

and

The reality is: Mitigations can be really annoying to bypass the first few times, and mildly annoying even after N times, while being still largely ineffective at stopping any attack.

David Weston (DWIZZZLE)

Replying to

and

Totally depends on the bug you have. The most constrained you are for bugs, the more potential for impact they have. L

Replying to

and

Yes, I have seen a bug be made unexploitable by a mitigation. Is it the norm? Heck no. Do professional vulndevs look for bugs that fit a pattern that makes exploitation easy? Yes. Do we have evidence that mitigations regularly push bugs into nonexploitable territory? I think not.

Replying to

and

It depends a lot on whether you're talking about mitigations targeting exploit techniques or mitigations catching the bugs themselves. For example, Android uses a lot of automatic integer overflow checking turning many integer overflows (often heap overflows) into (mild) DoS.

9:36 PM · May 5, 2019Twitter Web Client

Replying to

Even implementing full bounds and temporal safety for C via dynamic checking would only be a mitigation because the memory corruption bugs are still present and still lead to a runtime abort. The attacker can still use it as a DoS, often usable to restart the device / service.