There’s so much cool stuff coming down the pike. ARM pointer authentication: MACs for pointers. Can’t wait to see how people defeat that.
-
-
Replying to @matthew_d_green
They need to fit within the unused pointer bits so brute force works. A typical Linux system (three-level page tables) will have 24-bit ASLR and 24-bit pointer signatures. That's the middle ground since more address space means more ASLR bits but fewer MAC bits.
1 reply 1 retweet 6 likes -
Replying to @CopperheadOS @matthew_d_green
*so brute force works unless mitigated by the system
1 reply 0 retweets 1 like -
Replying to @tehjh @matthew_d_green
Could say the same about ASLR and stack canaries on 32-bit but mainstream operating systems didn't deploy those mitigations, probably because they come with drawbacks.
1 reply 0 retweets 2 likes -
Have you tried using brute force protection on a desktop with Chromium as your browser? If a tab crashes, you're not just stuck waiting for the timeout to open another, the browser is probably going to stall completely too. It's not very usable.
2 replies 0 retweets 1 like -
Replying to @CopperheadOS @matthew_d_green
deployability of crash-throttled PAC, compared to doing the same with ASLR, probably depends on ratio of "benign" crashes that trigger it? random derefs of entirely invalid memory might be more common than crashes on pointers that are valid apart from PAC?
2 replies 0 retweets 2 likes -
Replying to @tehjh @matthew_d_green
That's true, but they didn't need to trigger brute force protection on all random accesses to cover the most important part, only no-execute violations. PAC violations triggered in regular use aren't necessarily going to be less common than that.
1 reply 0 retweets 1 like -
It's just a bit frustrating that they're making more of these probabilistic mitigations. They could be adding hardware support for integer overflow checks, fine-grained deterministic CFI, etc. At least it seems it would be really hard to leak the keys for this, if crypto is good.
1 reply 0 retweets 2 likes
it seems to me like probabilistic mitigations are good enough, as long as an attacker can't shift the probabilities, the success probability is somewhere <1% or so, and bruteforcing is prevented and/or signalled to the user (and optionally the vendor)
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.