Alex Ionescu
Windows Internals Expert, Security Ninja, and Embedded ARM Kernel Guru.
Alex Ionescu 1h
Replying to @aionescu
t8200 is way more fun than DxgkSubmitPresentToHwQueue
Alex Ionescu 4h
Replying to @aionescu
How does this work again...
Alex Ionescu 4h
I'm bored of Windows. I will play with x619 next, I think.
Alex Ionescu 6h
Yep and there’s even more changes such as remapping UR^X
Alex Ionescu 15h
Replying to @WithinRafael
Lol so WIP can send acks and check-in notifications when features are added but MSRC can’t do that for fixes? Not everything has to be a CVE.
Alex Ionescu 16h
I gave Dave a list. A list you do not want to be on. Soon the Davestappo will come in an RS5 build and take them away.
Alex Ionescu 24h
Replying to @taviso @dwizzzleMSFT
I was addressing specifically why we haven’t seen Windows in the wild. I don’t have the necessary data to make reasonable assumptions about Linux.
Alex Ionescu 24h
Replying to @taviso @dwizzzleMSFT
Meltdown should give you next to nothing useful for messing with a coresident VM in a Hyper-V system unless you already have an info leak as to where useful hyperV structures are, and even then you’d still need an actual write primitive. I think Windows is a special case here.
Alex Ionescu 24h
Replying to @taviso @dwizzzleMSFT
Which if you have, a read primitive wasn’t what you were looking for in the first place, imo. I think the big deal here is that people underestimated the foresight of Windows not mapping RAM in Kernel/Hypervisor VA and this mitigating (imo) most of the Meltdown “benefits”.
Alex Ionescu 24h
Replying to @taviso @dwizzzleMSFT
If it’s not useful for privesc, then the only remaining thing I can think of is a hypervisor escape. But all it gives you is a read primitive so you still need hypervisor ASLR leak and an actual write primitive to do anything useful.
Alex Ionescu 24h
Replying to @dwizzzleMSFT @taviso
To clarify this is my theory in why we haven’t really seen this in the wild on Windows at least.
Alex Ionescu 24h
Replying to @dwizzzleMSFT @taviso
There are countless easier ways to elevate to medium IL without relying on obscure CPU side channels, and once there, there are architectural Windows KASLR infoleaks and known medium->high elevation issues. Once at High there are APIs for dumping kernel memory, at Gbit/s.
Alex Ionescu 24h
Replying to @dwizzzleMSFT @taviso
Meltdown itself is really only useful operationally when combined with KASLR infoleak — which if you have, Meltdown only removes the need to reuse for subsequent reads. Apart from the whole “reading kernel secrets” issue (which requires a lot of finicky grooming), it’s hype imo.
Alex Ionescu Apr 21
Tel Aviv-bound once again. I hope the weather is better this time around :)
Alex Ionescu Apr 21
Timestamping and attestation services require ME.
Alex Ionescu Apr 21
I don’t understand this love for SGX. It has its own set of limitations and “trust” you must put into components that are even harder to audit than firmware.
Alex Ionescu Apr 21
Given mandatory conscription it’s even more hilarious.
Alex Ionescu Apr 21
Both and have previously talked about future SMM mitigations similar and complementary to STM, such as running SMM in a hypervisor/under IOMMU+EPTE as well. That is still years away but would address most of those concerns.
Alex Ionescu Apr 21
Replying to @dtm609
No Daniel, there’s a third. The type that will reformat the entire file to their preferred style first.
Alex Ionescu Apr 21
Replying to @i0n1c @SingaporeAir
Yes but the private room is amazing :)