Responsible or not, I am kinda of the opinion that CFG is an expensive boondoggle, with little security value but lots of complexity overhead and weird interactions.
Replying to @taviso @BruceDawson0xB and
Low opinion of CFG set in early and seems widely held. Yet evidence and analysis have been strikingly thin. Microsoft has the first responsibility, but our security industry might have looked closer. Are the incentives not there? We need a good account. CFG makes us all look bad.
Replying to @geoffchappell @BruceDawson0xB and
I'm not sure I've seen a vulnerability that was rendered unexploitable by CFG. That would be my minimum bar for evidence of being useful! The problem is that even the simplest Windows program has 100ks of whitelisted indirect branch targets, when would that not be good enough?
Replying to @taviso @BruceDawson0xB and
There's its usefulness, or not, as a security feature. Then there's its cost. I suspect this is the bigger driver of a poor reputation, yet it's where the evidence and analysis is thin. If CFG's cost isn't studied because CFG's dismissed as not useful, I'd say we look even worse.
Replying to @geoffchappell @BruceDawson0xB and
Ah-ha, agreed. I have no useful performance stats, but it does bring a tear to my eye seeing how expensive indirect branches are for so little benefit.
Replying to @taviso @BruceDawson0xB and
The cost of each indirect branch is about as small as you could want, even relative to seeing little benefit: page faults aside, there's just a quick diversion to NTDLL to test a bitmap. The big cost is in the preparation and maintenance - and not entirely as designed trade-offs.
Replying to @geoffchappell @taviso and
We have, in addition, very plausibly, some inadequately anticipated side-effects and, certainly, at least one silly coding error. If you're correct that CFG does no good at any cost, let alone at a high surprise cost, then why does anyone recommend it not be disabled? Kill it off?
Replying to @geoffchappell @BruceDawson0xB and
Sure, but those quick diversions are cumulative, we can't just add an unlimited number and expect everything to stay performant. It doesn't harm security, but it provides so little benefit that I wouldn't (as a security guy) object to someone disabling it.
Replying to @taviso @BruceDawson0xB and
Cumulative, but nothing relative to the overhead you add by rewriting a C++ program in C#. Less flippantly, each diversion is roughly comparable to a WPP trace when nobody's consuming - and although I wrote somewhere long ago that this all adds up, nobody even talks about it now.
Replying to @geoffchappell @taviso and
Not to interrupt this interesting discussion but I just read a paper from Trend Micro on how CFG validates indirect calls. I found it slightly expensive in the cases where it discovers the indirect addresses as invalid. I wonder how common that path is.
Hmm, it immediately terminates the program if the target is invalid. It is unlikely to ever happen without some kind of accidental memory corruption. A real exploit and a correct program will never branch to an invalid address.
Replying to @taviso @geoffchappell and
Indeed. Sorry, I hadn't reached that part of the paper yet. In any case, what else can you do if an indirect address is detected. It's not like the application can muddle along anyway...