I think the burglar sees that it's locked, and opens the next window instead. Can your solution be scaled to lock *all* the windows, or does it get increasingly expensive and complex as you support more and more windows? I think it's the latter.
Replying to @taviso @dwizzzleMSFT and
I understand your point of view. However, using your analogy, I don't think it is realistic to rebuild an entire city where the buildings were built using bad principles. Even if you try that (e.g. change the CPU and enforce memory tagging), it takes years. Do you want to ignore everyone without it?
Additionally, most of the time exploits/attacks are not custom. So if you can detect/stop them, it's a big win. If the attacker is sophisticated and has the resources to do custom exploitation, whatever you do might be insufficient.
Replying to @Adam_pi3 @dwizzzleMSFT and
Hmm, I don't think this is a strong argument, it's basically "so long as very few people use it and nobody specifically targets you, it kinda works in practice!", right?
Replying to @taviso @dwizzzleMSFT and
I think you simplified it. It makes the exploitation process harder and/or less reliable, the same as any other anti-exploitation / security technology (including mitigations). (K)ASLR is easy to bypass, but you still use it. Same with NoExecMem, SMEP, RelRO, and more.
Not to mention AV, which is trivial to bypass, but people still pay money for it and see value in it. Same with firewalls or even any sensor (like Capsule8/Crowdstrike/WDATP). The fact that they are bypassable is not a reason to disable e.g. firewalls, right?
Replying to @Adam_pi3 @dwizzzleMSFT and
Well, it sounds like we both agree that LKRG is about as effective as antivirus?
I'm happy to agree to that.
Replying to @taviso @dwizzzleMSFT and
You simplified it again ;-) LKRG is doing much more, e.g. your ROP must be fast so scheduler() won't preempt you; if you disable SMEP it will bugcheck; and more.
Replying to @Adam_pi3 @dwizzzleMSFT and
I don't think I simplified it. Antivirus also has a long list of things it blacklists, but I guess you think your blacklist is better than theirs. I wonder if they agree ;-)
Replying to @taviso @dwizzzleMSFT and
I think that a simple credentials overwrite is much more stable and reliable than a pure-ROP-only exploit, which needs to race with the scheduler and pCFI and take care of leaving the kernel in a clean state. Higher complexity == less reliable, prone to error.
That's simply a false dichotomy. Do you really argue that creds is the only useful thing to overwrite if you have an arbitrary R/W? It is simply not a choice between one nice, clean attack vs. an unreliable, complex attack.
Replying to @taviso @dwizzzleMSFT and
Of course it's not my point ;-) LKRG has various values, and as I said before, some of the bugs can never give you full R/W (e.g. any of the 'swapgs' group of bugs, like BadIRET, SysRet, PopSS, etc.). I think we have different views, that's all.