This Tweet was deleted by the Tweet author.
I think you should distinguish between whether checks like double free detection are 100% reliable deterministic checks or probabilistic ones. Could also distinguish between strength for probabilistic checks but it's less important since the main bypass would be via leaks.
Similarly, there's a range in what out-of-band metadata can mean. It can be out-of-band but at a standard offset from the data, or it can be in a completely different region with a random base like hardened_malloc. Also whether address space is reused across data / metadata, etc.
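The distinctions drawn in the two replies above (deterministic versus probabilistic double-free detection, in-band versus out-of-band metadata), as an added C example that is not part of the thread: a toy fixed-size slab whose in-band free-key check and out-of-band bitmap check are each run against the same double free, with and without a stray write landing on the freed chunk in between. All names (`slab_alloc`, `free_inband`, `free_outofband`, `double_free_caught`) are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Added example (not from the thread): a toy slab with two double-free checks.
 * In-band: a "free key" stored in the freed chunk; any write to the chunk after
 * free hides the second free (probabilistic). Out-of-band: an allocation bitmap
 * in a separate array, so chunk contents never matter (deterministic). A hardened
 * allocator would put that bitmap in its own randomly based region; names made up. */
#define CHUNKS     8
#define CHUNK_SIZE 32
#define FREE_KEY   0x5a5a5a5aU
static unsigned char slab[CHUNKS * CHUNK_SIZE];
static uint8_t in_use;  /* out-of-band metadata: bit i set = chunk i allocated */

/* Hand out chunk i, or NULL if already allocated / out of range. */
static void *slab_alloc(int i) {
    if (i < 0 || i >= CHUNKS || (in_use & (1u << i))) return NULL;
    in_use |= (uint8_t)(1u << i);
    return slab + i * CHUNK_SIZE;
}

/* In-band check: 1 if the chunk already carries FREE_KEY (double free
 * reported), otherwise write the key into the chunk and return 0. */
int free_inband(void *p) {
    uint32_t key;
    memcpy(&key, p, sizeof key);
    if (key == FREE_KEY) return 1;
    key = FREE_KEY;
    memcpy(p, &key, sizeof key);
    return 0;
}

/* Out-of-band check: 1 if the bitmap already says "free", otherwise clear
 * the bit and return 0. The chunk itself is never read. */
int free_outofband(void *p) {
    int i = (int)(((unsigned char *)p - slab) / CHUNK_SIZE);
    if (!(in_use & (1u << i))) return 1;
    in_use &= (uint8_t)~(1u << i);
    return 0;
}

/* Free chunk 0, optionally let a stray write overwrite it, free it again;
 * return whether the selected check reported the second free. */
int double_free_caught(int out_of_band, int clobber) {
    int (*check)(void *) = out_of_band ? free_outofband : free_inband;
    memset(slab, 0, sizeof slab);
    in_use = 0;
    void *p = slab_alloc(0);
    check(p);
    if (clobber) memset(p, 0, CHUNK_SIZE);  /* constructed stray write after free */
    return check(p);
}
```

The in-band check reports the double free only while the key survives; the bitmap check reports it regardless of what the chunk contains.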