Give me a guesstimate how much it would cost to turn speckhammer into a profitable professional azure compromise - $1M? You need staff, dev, ops, etc and it's risky. But once you patched it, seems really hard to recoup that. Instrumentation only measures opportunistic attempts.
Replying to @taviso
Agree measurement has tons of limitations and also agree with costs. So let’s not measure anything?
Replying to @dwizzzleMSFT
I want the data as much as you do, I just don't see how to get it. Is the popemobile useless because nobody has tried to shoot it? No, that doesn't prove the threat was overblown, if it wasn't there, someone could have tried...right?
Replying to @taviso @dwizzzleMSFT
I think you're saying that because some random places aren't patched, we would have seen evidence of attacks there. My point is that isn't true, targeted attacks care about who the victim is, by definition.
Replying to @taviso
Nope, I’m not asserting this at all. I’m saying it’s interesting we haven’t, and I’m wondering the reasons why.
Replying to @dwizzzleMSFT @taviso
Meltdown itself is really only useful operationally when combined with KASLR infoleak — which if you have, Meltdown only removes the need to reuse for subsequent reads. Apart from the whole “reading kernel secrets” issue (which requires a lot of finicky grooming), it’s hype imo.
There’s countless easier ways to elevate to medium IL without relying on obscure CPU sidechannels, and once there, there’s architectural Windows KASLR infoleaks and known medium->high elevation issues. Once at High there’s APIs for dumping kernel memory, at Gbit/s.
To clarify, this is my theory on why we haven’t really seen this in the wild, on Windows at least.
Replying to @aionescu @dwizzzleMSFT
I think you're saying it's not especially useful for privesc on Windows. I agree, but that was never the major concern, right?
Replying to @taviso @dwizzzleMSFT
If it’s not useful for privesc, then the only remaining thing I can think of is a hypervisor escape. But all it gives you is a read primitive so you still need hypervisor ASLR leak and an actual write primitive to do anything useful.
Yes, I think the major problem is attacking (not necessarily "escaping") co-resident VMs.
Replying to @taviso @dwizzzleMSFT
Meltdown should give you next to nothing useful for messing with a co-resident VM in a Hyper-V system unless you already have an info leak as to where useful Hyper-V structures are, and even then you’d still need an actual write primitive. I think Windows is a special case here.