Conversation

This Tweet was deleted by the Tweet author. Learn more

Replying to

I think you should distinguish between whether checks like double free detection are 100% reliable deterministic checks or probabilistic ones. Could also distinguish between strength for probabilistic checks but it's less important since the main bypass would be via leaks.

12:38 AM · Aug 22, 2021Twitter Web App

Replying to

and

Similarly, there's a range in what out-of-band metadata can mean. It can be out-of-band but at a standard offset from the data, or it can be in a completely different region with a random base like hardened_malloc. Also whether address space is reused across data / metadata, etc

Replying to

and

Similar for a lot of those things. There's a huge range in what guard pages could mean, etc. A main difference between how these things are done is often not whether they're done but whether it's a weak, sparsely used probabilistic mitigation or a stronger deterministic one, etc.