I guess I'm not sure if I like the idea. If an attacker is at the point they can do a token swap, they've won. Adding complex detection for that will force the attacker to do something else instead...but so what? Is added complexity worth that? I'm not sure.
//cc @halvarflake
-
I think it's fair to argue how hard it is to bypass. That has always applied to Patchguard or Google's SafetyNet and similar features. I fully understand its limitations.
-
If you look at where we went with Patchguard (attestation) -> HyperGuard (enforcement), async detection gives us not only some short term detection value but the ability to demarcate a future "hard enforcement" line with RO memory. Apple did the same thing with KPP becoming AMCC.
-
The argument is definitely not about thinking we can prevent kernel rw - It's about accepting that kernel rw is pretty bad and that there isn't an easy solution to that!
-
Dude, I fully accept that. If you're interested you should check any of my recent talks where I literally say the words "RW is really hard and we don't have tons of solid solutions". You're acting like I'm divorced from reality or something.
-
They can also resign. E.g. Metasploit, in case of detected LKRG, fails some of the exploits like bpf_sign_extension_priv_esc, ufo_privilege_escalation, af_packet_packet_set_ring_priv_esc, af_packet_chocobo_root_priv_esc https://help.rapid7.com/metasploit/release-notes/ …
-
The aim of LKRG is not to completely stop exploitation process but to make it harder and/or less reliable. As far as I'm aware, all of the anti-exploitation / security technologies (including mitigations) follow the same path and are bypassable
-
the real shame here is that even Winn Schwartau wrote an entire book on this basic concept ages ago, and it was not a new thing in a fledgling infosec industry back then... that speaks to "time tradeoffs". and tons have written about it since.
-
we're in a forget yesterday culture
