It depends if you are in the security industry, or in the security product industry ;). I have insufficient insight into what it does, but I suspect the prime effect will be “even more protected processes” because existing protected processes weren’t a bad enough idea yet.
Replying to @halvarflake @taviso and
On the plus side, this is progress along the axis of turning security into a DRM-style cat & mouse game with jobs for attackers & defenders (and users losing ;).
Replying to @halvarflake @taviso and
In general, it goes back to the choice of making things secure by making them simple and obviously correct, or making things appear secure by making stuff crazy complicated so nobody except silent attackers bothers specializing in it enough to find the flaws.
Replying to @halvarflake @taviso and
(Lots of opinion on very thin factual basis, as I am not a silent attacker paid to look at complicated stuff :)
Replying to @halvarflake @taviso and
I'm not particularly silent, but as someone who gets paid to attack complicated stuff, this can kind of work, at least until it doesn't.
Replying to @IanColdwater @halvarflake and
More interesting to me is who these attackers are who use a rootkit for token swapping. Haven't seen it in any of Sednit, Wingbird, Finfisher, EquationDrug, GrayFish and others. It is old stuff iirc.
Replying to @artem_i_baranov @IanColdwater and
I think he means it finds exploits, not rootkits necessarily
Replying to @daveaitel @artem_i_baranov and
This debate happened at least 3x I know of (iOS KPP, Patchguard, LKRG) and people are split despite a shared view on limitations. I guess if you believe that we can simply prevent attackers from ever getting RW in kernel then you don't think this is worth the trade-off.
Replying to @dwizzzleMSFT @daveaitel and
The problem is that for this to make a difference then attackers must already have r0 rw primitive. One of the things you can do with r0 rw is token swapping, but if you prevent that, people move on to the next thing. Did you make things better or worse?
Replying to @taviso @dwizzzleMSFT and
You added a lot of complexity, and all you got in return was you made attackers do an afternoon of work to write a new shellcode. I think the answer is you made things worse.
The argument is definitely not about thinking we can prevent kernel rw. It's about accepting that kernel rw is pretty bad and that there isn't an easy solution to that!
Replying to @taviso @daveaitel and
Dude, I fully accept that. If you're interested you should check any of my recent talks where I literally say the words "RW is really hard and we don't have tons of solid solutions". You're acting like I'm divorced from reality or something.
Replying to @dwizzzleMSFT @daveaitel and
Sorry, I was just responding to what you said: "if you believe that we can simply prevent attackers from ever getting RW in kernel then you don't think this is worth the trade-off". I guess I don't know what you mean then, can you explain?