I'm not particularly silent, but as someone who gets paid to attack complicated stuff, this can kind of work, at least until it doesn't
Replying to @IanColdwater @halvarflake and
More interesting to me is who these attackers are who use a rootkit for token swapping. I haven't seen it in any of Sednit, Wingbird, Finfisher, EquationDrug, GrayFish and others. It is old stuff, iirc.
Replying to @artem_i_baranov @IanColdwater and
I think he means it finds exploits, not rootkits necessarily
Replying to @daveaitel @artem_i_baranov and
This debate has happened at least 3x that I know of (iOS KPP, Patchguard, LKRG) and people are split despite a shared view on the limitations. I guess if you believe that we can simply prevent attackers from ever getting RW in the kernel, then you don't think this is worth the trade-off.
Replying to @dwizzzleMSFT @daveaitel and
The problem is that for this to make a difference, attackers must already have an r0 RW primitive. One of the things you can do with r0 RW is token swapping, but if you prevent that, people move on to the next thing. Did you make things better or worse?
Replying to @taviso @dwizzzleMSFT and
You added a lot of complexity, and all you got in return was you made attackers do an afternoon of work to write a new shellcode. I think the answer is you made things worse
Replying to @taviso @daveaitel and
I think it's fair to argue how hard it is to bypass. That has always applied to Patchguard or Google's SafetyNet and similar features. I fully understand its limitations.
Replying to @dwizzzleMSFT @taviso and
If you look at where we went with Patchguard (attestation) -> HyperGuard (enforcement), async detection gives us not only some short-term detection value but the ability to demarcate a future "hard enforcement" line with RO memory. Apple did the same thing with KPP becoming AMCC.
Replying to @dwizzzleMSFT @taviso and
Getting to hard RO with no gaps in code integrity is pretty much the only thing that will be more than a speedbump. TDL4 went flying past Patchguard simply by sticking to documented extensibility points.
I don’t agree there will be an infinite supply of corruption targets in the kernel and we can’t RO everything. Should we all just give up on doing anything?
Hmmm, I don't think the supply is *infinite* just very big. I guess I think we should find solutions that scale to "very big", rather than creating a lot of technical debt just to nudge attackers along a bit. Nobody argues for giving up.