How to defend from a Chrome 0day exploit?
-> Use Firefox ASan build.
Linux: firefox-ci-tc.services.mozilla.com/api/index/v1/t
Windows: firefox-ci-tc.services.mozilla.com/api/index/v1/t
Conversation
Replying to
ASan detects memory accesses outside of valid allocations rather than preventing exploitation which involves overwriting data within memory allocations. It adds substantial attack surface too. It's not an exploit mitigation and doesn't provide any kind of actual memory safety.
1
Replying to
You should read newer information including on the value that ASan provides for an attacker, including from people who work on it. There are substantial drawbacks to using it. It's not simply a way of getting some weak memory protections. It causes substantial harm too.
1
2
Replying to
could you please share us further details to support your claims? you mentioned about those 'values' and 'substantial harm'? would that affect the FF ASan build?
2
Replying to
You're proposing doing something that was temporarily adopted by the Tor Project for a variant of the Tor Browser and then later determined to be a mistake. It has been consistently recommended against by researchers and the developers of ASan. You can do what you want though.
Replying to
One of many discussions by researchers, including a response from someone who works on ASan:
seclists.org/oss-sec/2016/q
I'm sure you can find the saga of the Tor Browser trying to use it as a hardening feature.
1
Show replies