Alex is right, I promise you if it made sense to do seccomp-bpf like things for Windows we would have done it by now. Windows is a different beast entirely. Hyper-V/WDAG containers are the best way we currently have to abstract away kernel attack surface. https://twitter.com/aionescu/status/1092263015699730437
NT/win32k syscalls are more or less abstracted from the public API. So, exposing syscall filtering at that level would be fragile as we update Windows and as apps evolve. It needs to be exposed at a higher level. We're investigating...
It’s worse than that. You have NtUserMessageCall and the like which have dozens or hundreds of sub functions based on message type. Many APIs generate implicit messages. Blocking at the entry point level is way too coarse to get comparable security value to seccomp.
The number of syscalls alone is disparate. Personally I'd worry that clueless devs would leave something esoteric on the edge case misconfigured and we'd have semi-borked software all over the place.