Agree measurement has tons of limitations, and also agree with costs. So let's not measure anything?
Replying to @dwizzzleMSFT
I want the data as much as you do, I just don't see how to get it. Is the popemobile useless because nobody has tried to shoot it? No, that doesn't prove the threat was overblown, if it wasn't there, someone could have tried...right?
2 replies 0 retweets 5 likes
Replying to @taviso @dwizzzleMSFT
I think you're saying that because some random places aren't patched, we would have seen evidence of attacks there. My point is that isn't true, targeted attacks care about who the victim is, by definition.
1 reply 0 retweets 2 likes
Replying to @taviso
Nope, I'm not asserting this at all. I'm saying it's interesting we haven't, and I'm wondering the reasons why.
1 reply 0 retweets 1 like
Replying to @dwizzzleMSFT @taviso
Meltdown itself is really only useful operationally when combined with a KASLR infoleak, which, if you have it, means Meltdown only removes the need to reuse it for subsequent reads. Apart from the whole "reading kernel secrets" issue (which requires a lot of finicky grooming), it's hype imo.
1 reply 0 retweets 0 likes
There are countless easier ways to elevate to medium IL without relying on obscure CPU side channels, and once there, there are architectural Windows KASLR infoleaks and known medium->high elevation issues. Once at High, there are APIs for dumping kernel memory at Gbit/s.
1 reply 1 retweet 5 likes
To clarify, this is my theory on why we haven't really seen this in the wild, on Windows at least.
1 reply 0 retweets 0 likes
Replying to @aionescu @dwizzzleMSFT
I think you're saying it's not especially useful for privesc on Windows. I agree, but that was never the major concern, right?
1 reply 0 retweets 1 like
Replying to @taviso @dwizzzleMSFT
If it's not useful for privesc, then the only remaining thing I can think of is a hypervisor escape. But all it gives you is a read primitive, so you still need a hypervisor ASLR leak and an actual write primitive to do anything useful.
2 replies 0 retweets 0 likes
Which, if you have, a read primitive wasn't what you were looking for in the first place, imo. I think the big deal here is that people underestimated the foresight of Windows not mapping RAM in Kernel/Hypervisor VA, and this mitigating (imo) most of the Meltdown "benefits".
1 reply 0 retweets 3 likes
I like Windows privescs as much as anyone else, but reading data from co-resident vms on ec2 or whatever seems like a pretty legit attack dude.
Replying to @taviso @dwizzzleMSFT
I was addressing specifically why we haven’t seen Windows in the wild. I don’t have the necessary data to make reasonable assumptions about Linux.
0 replies 0 retweets 0 likes