The problem is that for this to make a difference, attackers must already have an r0 rw primitive. One of the things you can do with r0 rw is token swapping, but if you prevent that, people move on to the next thing. Did you make things better or worse?
Replying to @taviso @dwizzzleMSFT and
You added a lot of complexity, and all you got in return was that you made attackers do an afternoon of work to write a new shellcode. I think the answer is you made things worse.
Replying to @taviso @dwizzzleMSFT and
They can also resign. E.g. Metasploit, when it detects LKRG, fails some of its exploits, like bpf_sign_extension_priv_esc, ufo_privilege_escalation, af_packet_packet_set_ring_priv_esc, af_packet_chocobo_root_priv_esc https://help.rapid7.com/metasploit/release-notes/ …
The aim of LKRG is not to completely stop the exploitation process but to make it harder and/or less reliable. As far as I'm aware, all anti-exploitation / security technologies (including mitigations) follow the same path and are bypassable.
Replying to @Adam_pi3 @dwizzzleMSFT and
We think about it differently. Imagine a building that keeps getting broken into; all reports say the burglars open the unlocked window next to the door and climb in. Someone locks the window and says they've mitigated the problem and tested it against all previous break-ins.
I think the burglar sees that it's locked, and opens the next window instead. Can your solution be scaled to lock *all* the windows, or does it get increasingly expensive and complex as you support more and more windows? I think it's the latter.
Replying to @taviso @dwizzzleMSFT and
I understand your point of view. However, using your analogy, I don't think it is realistic to rebuild an entire city where buildings were built using bad principles. Even if you try that (e.g. change the CPU and enforce memory tagging), it takes years. Do you want to ignore everyone without it?
Additionally, most of the time exploits/attacks are not custom. So if you can detect / stop them, it's a big win. If the attacker is sophisticated and has the resources to do custom exploitation, whatever you do might be insufficient.
Replying to @Adam_pi3 @dwizzzleMSFT and
Hmm, I don't think this is a strong argument, it's basically "so long as very few people use it and nobody specifically targets you, it kinda works in practice!", right?
Replying to @taviso @dwizzzleMSFT and
I think you simplified it. It makes the exploitation process harder and/or less reliable, the same as any other anti-exploitation / security technology (including mitigations). (K)ASLR is easy to bypass, but you still use it. Same with NoExecMem, SMEP, RelRO, and more.
Those technologies force the attacker to find additional bugs, grouping them together as "bypasses" is inaccurate. You're blacklisting a few of the things you can do with arbitrary r0 rw, a more accurate technology comparison would be antivirus, right?
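The disagreement above is about what a check that blacklists one use of an arbitrary kernel read/write primitive buys you. The following toy model is an added illustration of that argument, not code from the thread, from LKRG, or from Metasploit, and it does not describe how LKRG is actually implemented. The "kernel" is a Python dict, the monitor snapshots a fixed set of fields (the locked window), and each attacker function stands for shellcode that can already write any kernel address. All field names (`cred`, `fops`, `cap_effective`) and function names are invented for the example.

```python
"""Toy model: a state-blacklisting integrity check versus an attacker who
already holds an arbitrary kernel read/write (r0 rw) primitive.

Added illustration for the thread above. Not LKRG's code and not a description
of LKRG's design; every name here is made up for the example.
"""

import copy
import hashlib
import json

# Constructed sample data: what a root credential block looks like in this model.
ROOT_CRED = {"uid": 0, "euid": 0, "cap_effective": 0x1FFFFFFFFF}


def make_task(pid, uid):
    """A process as a dict: a credential block plus an unguarded pointer table."""
    return {
        "pid": pid,
        "cred": {"uid": uid, "euid": uid, "cap_effective": 0},
        "fops": {"write": "vfs_write"},  # hypothetical function-pointer table, not guarded
    }


class CredMonitor:
    """Snapshot the credential block of every task and re-check it later.

    The snapshot lives in the same memory as the kernel it guards, which is
    exactly the assumption an attacker with arbitrary r0 rw can violate.
    """

    GUARDED = ("cred",)  # the one "window" this check locks

    def __init__(self, tasks):
        self.shadow = {t["pid"]: self.digest(t) for t in tasks}

    @classmethod
    def digest(cls, task):
        view = {k: task[k] for k in cls.GUARDED}
        return hashlib.sha256(json.dumps(view, sort_keys=True).encode()).hexdigest()

    def verify(self, tasks):
        """Return the pids whose guarded fields no longer match the snapshot."""
        return sorted(t["pid"] for t in tasks if self.digest(t) != self.shadow[t["pid"]])


def token_swap(task, monitor):
    """The blacklisted move: overwrite the task's credentials with root's."""
    task["cred"] = copy.deepcopy(ROOT_CRED)


def token_swap_and_resync(task, monitor):
    """Same primitive, one extra store: also update the monitor's own snapshot."""
    task["cred"] = copy.deepcopy(ROOT_CRED)
    monitor.shadow[task["pid"]] = monitor.digest(task)


def next_window(task, monitor):
    """Leave credentials alone; redirect an unguarded function pointer instead."""
    task["fops"]["write"] = "attacker_hook"


def run_scenario(attack):
    """Boot a two-task 'kernel', run one attack against pid 1001, report the outcome."""
    tasks = [make_task(1, 0), make_task(1001, 1000)]
    monitor = CredMonitor(tasks)
    victim = tasks[1]
    attack(victim, monitor)
    flagged = monitor.verify(tasks)
    return {
        "detected": 1001 in flagged,
        "is_root": victim["cred"]["uid"] == 0,
        "fops_hijacked": victim["fops"]["write"] != "vfs_write",
    }


def run_all():
    """Run every attacker variant against a fresh monitor and collect results."""
    return {a.__name__: run_scenario(a) for a in (token_swap, token_swap_and_resync, next_window)}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:24s} {result}")
```

Running it shows the three outcomes the thread is arguing about: the known-bad state (`token_swap`) is caught; the same write plus one extra store into the monitor's own memory (`token_swap_and_resync`) passes the unchanged check; and an attacker who never touches the guarded field (`next_window`) is invisible to it. Whether the added cost of the second and third variants is "an afternoon of shellcode" or a meaningful reliability hit against off-the-shelf tooling is the point on which the two posters disagree, and the model itself does not settle it.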