Alex is right, I promise you if it made sense to do seccomp-bpf like things for Windows we would have done it by now. Windows is a different beast entirely. Hyper-v/WDAG containers are the best way we currently have to abstract away attack kernel surface. https://twitter.com/aionescu/status/1092263015699730437
The real question is when are we going to give HV containers to app developers and when can we get enough density and perf. I believe in @mamyun ;)
Replying to @dwizzzleMSFT @mamyun
I don't see why it couldn't work, seccomp-bpf doesn't require you to be a libc developer. I think HV containers solve a different problem.
Replying to @taviso @dwizzzleMSFT
NT/win32k syscalls are more or less abstracted from the public API. So, exposing syscall filtering at that level would be fragile as we update Windows and as apps evolve. It needs to be exposed at a higher level. We're investigating...
Of course, but that's also true on Linux, and it can be fragile on Linux too - this isn't an easy to use mechanism. It requires good quality tools, documentation and system understanding. Still, it's very effective at reducing attack surface.