You said measuring kiddies wasn't useful.
Replying to @dwizzzleMSFT
I meant isn't useful in this context - how many kiddies there are doesn't have any relationship to how bad things would have been if we didn't invest the effort into cleaning up rowhammer, but the instrumentation only measures how many kiddies there are.
Replying to @taviso @dwizzzleMSFT
Give me a guesstimate how much it would cost to turn speckhammer into a profitable professional azure compromise - $1M? You need staff, dev, ops, etc and it's risky. But once you patched it, seems really hard to recoup that. Instrumentation only measures opportunistic attempts.
Replying to @taviso
Agree measurement has tons of limitations, and also agree with costs. So let's not measure anything?
Replying to @dwizzzleMSFT
I want the data as much as you do, I just don't see how to get it. Is the popemobile useless because nobody has tried to shoot it? No, that doesn't prove the threat was overblown, if it wasn't there, someone could have tried...right?
Replying to @taviso @dwizzzleMSFT
I think you're saying that because some random places aren't patched, we would have seen evidence of attacks there. My point is that isn't true, targeted attacks care about who the victim is, by definition.
Replying to @taviso
Nope, I'm not asserting this at all. I'm saying it's interesting we haven't, and I'm wondering the reasons why.
Replying to @dwizzzleMSFT @taviso
Meltdown itself is really only useful operationally when combined with KASLR infoleak — which if you have, Meltdown only removes the need to reuse for subsequent reads. Apart from the whole “reading kernel secrets” issue (which requires a lot of finicky grooming), it’s hype imo.
There’s countless easier ways to elevate to medium IL without relying on obscure CPU sidechannels, and once there, there’s architectural Windows KASLR infoleaks and known medium->high elevation issues. Once at High there’s APIs for dumping kernel memory, at Gbit/s.
To clarify, this is my theory on why we haven't really seen this in the wild, on Windows at least.
I think you're saying it's not especially useful for privesc on Windows. I agree, but that was never the major concern, right?
Replying to @taviso @dwizzzleMSFT
If it’s not useful for privesc, then the only remaining thing I can think of is a hypervisor escape. But all it gives you is a read primitive so you still need hypervisor ASLR leak and an actual write primitive to do anything useful.
Replying to @aionescu @dwizzzleMSFT
Yes, I think the major problem is attacking (not necessarily "escaping") co-resident vms.