You added a lot of complexity, and all you got in return was you made attackers do an afternoon of work to write a new shellcode. I think the answer is you made things worse 
Replying to @taviso @dwizzzleMSFT and
They can also resign. E.g. Metasploit, in case of detected LKRG, fails some of the exploits like bpf_sign_extension_priv_esc, ufo_privilege_escalation, af_packet_packet_set_ring_priv_esc, af_packet_chocobo_root_priv_esc https://help.rapid7.com/metasploit/release-notes/ …
1 reply 0 retweets 1 like
The aim of LKRG is not to completely stop the exploitation process but to make it harder and/or less reliable. As far as I'm aware, all of the anti-exploitation / security technologies (including mitigations) follow the same path and are bypassable.
2 replies 0 retweets 2 likes
Replying to @Adam_pi3 @dwizzzleMSFT and
We think about it differently. Imagine a building that keeps getting broken into; all reports say the burglars open the unlocked window next to the door and climb in. Someone locks the window, and says they've mitigated the problem and tested it against all previous break-ins.
2 replies 2 retweets 3 likes
I think the burglar sees that it's locked, and opens the next window instead. Can your solution be scaled to lock *all* the windows, or does it get increasingly expensive and complex as you support more and more windows? I think it's the latter.
2 replies 2 retweets 5 likes
Replying to @taviso @dwizzzleMSFT and
I understand your point of view. However, using your analogy, I don't think it is realistic to rebuild the entire city where buildings were built using bad principles. Even if you try that (e.g. change CPU and enforce memory tagging), it takes years. Do you want to ignore everyone without it?
1 reply 0 retweets 0 likes
Additionally, most of the time exploits/attacks are not custom. So if you can detect / stop them, it's a big win. If the attacker is sophisticated and has the resources to do custom exploitation, whatever you do might be insufficient.
1 reply 0 retweets 0 likes
Replying to @Adam_pi3 @dwizzzleMSFT and
Hmm, I don't think this is a strong argument, it's basically "so long as very few people use it and nobody specifically targets you, it kinda works in practice!", right?
1 reply 0 retweets 3 likes
Replying to @taviso @dwizzzleMSFT and
I think you simplified it. It makes the exploitation process harder and/or less reliable, the same as any other anti-exploitation / security technologies (including mitigations). (K)ASLR is easy to bypass, but you still use it. Same with NoExecMem, SMEP, RelRO, and more.
2 replies 0 retweets 0 likes
Not to mention AV, which is trivial to bypass, but people still pay money and see value in it. Same with firewalls or even any sensor (like Capsule8/Crowdstrike/WDATP). Because they are bypassable, that's not the reason to disable, e.g., firewalls, right?
1 reply 0 retweets 1 like
Well, it sounds like we both agree that LKRG is about as effective as antivirus?
I'm happy to agree to that.
Replying to @taviso @dwizzzleMSFT and
You simplified it again ;-) LKRG is doing much more, e.g. your ROP must be fast so scheduler() won't preempt you, if you disable SMEP it will bugcheck, and more.
3 replies 0 retweets 1 like
Replying to @Adam_pi3 @dwizzzleMSFT and
I don't think I simplified it. Antivirus also has a long list of things they blacklist, but I guess you think your blacklist is better than theirs. I wonder if they agree ;-)
1 reply 0 retweets 0 likes