Conversation

Dino A. Dai Zovi

Precisely this :). It’s like a whole bunch of people wearing Patagonia talking about how easy it is to climb this mountain vs. another when they’ve never done more than a day hike.

Quote Tweet

David Weston (DWIZZZLE)

Twitter: “exploit mitigations are so easy to bypass” Walking by office of someone who actually writes exploits: “damn, I’m still stuck trying to work around all this annoying shit”

5

8

42

Replying to

So the mitigations are annoying to bypass, yes - but does it stop anybody? No. Is it the same level of annoying when you do it for the 2nd or Nth time? No.

1

3

8

Replying to

and

The people cursing about the mitigations do not have a day job writing attacks against the same targets over and over again; conversely, those that do, do not bitch about mitigations that much. :-)

2

4

Replying to

and

The reality is: Mitigations can be really annoying to bypass the first few times, and mildly annoying even after N times, while being still largely ineffective at stopping any attack.

1

2

7

David Weston (DWIZZZLE)

Replying to

and

Totally depends on the bug you have. The most constrained you are for bugs, the more potential for impact they have. L

1

1

Replying to

and

Yes, I have seen a bug be made unexploitable by a mitigation. Is it the norm? Heck no. Do professional vulndevs look for bugs that fit a pattern that makes exploitation easy? Yes. Do we have evidence that mitigations regularly push bugs into nonexploitable territory? I think not.

3

1

6

Replying to

and

But I agree on one thing: If you are severely bug- and interaction-restrained, mitigations *may* make a difference. But mostly they waste some of the attackers time, and a commensurate amount of defender time, so everybody happily keeps busy to no measurable effect :)

3

1

2

Replying to

and

Also - not all mitigations, not all the time. CFI can provide benefits if not in a modern browser and in a reasonably sandboxes single-threaded server.

1

1

Replying to

and

Memory tagging and SPARC ADI are hugely promising technologies, much more so than any hardware CFI support etc.

2

1

Replying to

and

Memory tagging is a very loose approximation of dynamic memory safety checking though. Can have some nice deterministic guarantees like easily guaranteeing every small / linear heap overflow is caught but for arbitrary read/write it's a very low entropy probabilistic mitigation.

1

1

Replying to

I think one of the major benefits will be that it's essentially like having ASan deployed in production at a very low cost. It will be really good for eliminating large swaths of bugs by detecting them a high percentage of the time in production. Decent chance to bypass though.

9:47 PM · May 5, 2019Twitter Web Client

Replying to

SPARC ADI and ARMv8.5 MTE have 4-bit tags. It's really not a lot of entropy for mitigating arbitrary read/write. Can reserve a tag never used for active heap allocations to mark freed data or maybe other things like a shadow stack as another mitigation. Not a lot of tags though.

1

1

Replying to

I'd really like to see proper efficient hardware support for integer overflow checking by propagating poison values internally and then trapping when attempting to use a value. Main barrier to automatic checking even in many higher level languages is the high performance cost.

2

Show replies