The language is a bit confusing. It's not clear if they're saying they want to detect any EPROCESS patching (including from exploits) or just malicious drivers that tamper with it.
I guess I'm not sure if I like the idea. If an attacker is at the point where they can do a token swap, they've won. Adding complex detection for that will force the attacker to do something else instead... but so what? Is the added complexity worth that? I'm not sure.
//cc @halvarflake
It depends if you are in the security industry, or in the security product industry ;). I have insufficient insight into what it does, but I suspect the prime effect will be “even more protected processes” because existing protected processes weren’t a bad enough idea yet.
Replying to @halvarflake @taviso and
On the plus side, this is progress along the axis of turning security into a DRM-style cat & mouse game with jobs for attackers & defenders (and users losing ;).
Replying to @halvarflake @taviso and
In general, it goes back to the choice of making things secure by making them simple and obviously correct, or making things appear secure by making stuff crazy complicated so nobody except silent attackers bothers specializing in it enough to find the flaws.
Replying to @halvarflake @taviso and
(Lots of opinion on very thin factual basis, as I am not a silent attacker paid to look at complicated stuff :)
Replying to @halvarflake @taviso and
I'm not particularly silent, but as someone who gets paid to attack complicated stuff, this can kind of work, at least until it doesn't.
Replying to @IanColdwater @halvarflake and
More interesting to me is who these attackers are that use a rootkit for token swaps. Haven't seen it in any of Sednit, Wingbird, Finfisher, EquationDrug, GrayFish and others. It is old stuff iirc.
Replying to @artem_i_baranov @IanColdwater and
I think he means it finds exploits, not rootkits necessarily.
Replying to @daveaitel @artem_i_baranov and
This debate happened at least 3x I know of (iOS KPP, Patchguard, LKRG) and people are split despite a shared view on limitations. I guess if you believe that we can simply prevent attackers from ever getting RW in kernel then you don't think this is worth the trade off.
The problem is that for this to make a difference, attackers must already have an r0 rw primitive. One of the things you can do with r0 rw is token swapping, but if you prevent that, people move on to the next thing. Did you make things better or worse?
Replying to @taviso @dwizzzleMSFT and
You added a lot of complexity, and all you got in return was that you made attackers do an afternoon of work to write a new shellcode. I think the answer is you made things worse.
Replying to @taviso @daveaitel and
I think it's fair to argue how hard it is to bypass. That has always applied to Patchguard or Google's SafetyNet and similar features. I fully understand its limitations.