In the browser at least, the technological advance of exploit mitigations has stalled at both reverse edges (protecting returns) and data-based attacks.
And based on that I'd argue that the state-of-the-art for exploit development is ahead of the curve for now, we have generic approaches to exploiting browsers that are unlikely to be resolved in the near future.
Intel CET will presumably help (assuming that you have an out-of-process JIT process), but it could be many years until broad adoption. For data-based attacks, stronger sandboxing and site isolation appear to be the best investments.
But note: no browser is likely to have all of these things implemented all together in one place, at least not any time soon. So it's the acceptance that we can't exclusively engineer our way out of the problem with mitigations and sandboxing alone that I find significant here.
Limiting the supply of good vulnerabilities has to be part of any mid-term solution, alongside mitigations and sandboxing. Microsoft have always known this (i.e. nothing I'm saying here is conceptually new), but I do read this presentation as a rebalancing of sorts.
Regardless, even if my interpretation of the presentation isn't exactly spot on, this work tracks very close with Project Zero's experiences/observations over the past couple of years. Great work as always from @epakskape and the rest of Microsoft security!