It's a general problem with that kind of approach and others that try to detect compromise after it already happened or through piecemeal blacklist checks. Knowing the limitations on asynchronous, expensive checks gives smart attackers a guide to bypassing them pretty generally.
It's frustrating, because while I'm happy to discuss the problems with blacklisting, I don't want to keep explaining why it's not in the same class as ASLR, DEP and fixing vulnerabilities in security boundaries.
-
-
Here is a question for you: I think the market value of a kernel memory corruption is quite high. Conversely, I think the market value of the name of a struct or whatever you can corrupt with an arbitrary r0 rw is zero. How do you explain that disparity?
-
Twitter not being the best medium for discussions, I don't want you to get frustrated further, so I'll try again for personal clarity: Mitigations and vulns in boundaries are one thing; detection technologies are something different entirely. I'm not trying to confuse the two.
