Twitter | Search | |
Alex Ionescu
Windows 17035 Kernel ASLR/VA Isolation In Practice (like Linux KAISER). First screenshot shows how NtCreateFile is not mapped in the kernel region of the user CR3. Second screenshot shows how a 'shadow' kernel trap handler, is (has to be).
4:30 AM - 14 Nov 2017
Twitter
by: Alex Ionescu @aionescu
Reply Retweet Like More
Aaron Friel Nov 14
Replying to @aionescu
Wasn't Kaiser shown to be ineffective and with a rather large cost to syscalls?
View conversation · Reply Retweet Like
Alex Ionescu Nov 14
Replying to @AaronFriel
Source? :-)
View conversation · Reply Retweet Like
Aaron Friel Nov 14
Replying to @aionescu
Did not find the lwn article on Kaiser's inefficacy that I read, but I did find this:
View conversation · Reply Retweet Like
Alexander Riccio Nov 14
Replying to @aionescu
Aaaand I got today's reading g set out for me
View conversation · Reply Retweet Like
Volodymyr Pikhur Nov 14
Replying to @aionescu
Surprise surprise :)
View conversation · Reply Retweet Like
Alex Ionescu Nov 14
Replying to @AaronFriel
Well, I’m sure the perf costs (especially on modern hardware with PASID/PCID) will be weighed against the security benefits, and people that care about loopback perf can turn it off in the registry. Remember this is WIP so it may never ship.
View conversation · Reply Retweet Like
Aaron Friel Nov 14
Replying to @aionescu
Reasonable. Can't imagine Microsoft will ship it if the perf hit on syscalls is ~40%.
View conversation · Reply Retweet Like
Alex Ionescu Nov 14
Replying to @AaronFriel
I could easily measure it but MS gets mad if I ruin features ahead of time. I do quite like this one though and have nothing to bitch about :)
View conversation · Reply Retweet Like
Wikinger Nov 14
Replying to @aionescu
cant wait to the OS be 50% slower!!
View conversation · Reply Retweet Like
Dennis Martin Herbers Nov 14
Replying to @aionescu @AaronFriel
KAISER is shipping in one of the next Chrome OS releases on existing Chromebooks.
View conversation · Reply Retweet Like
Aaron Friel Nov 14
Replying to @D2KX_ @aionescu
That's not the sort of workload I think Microsoft would be worried about. Browsers? Meh. SQL Server? Would be very surprised to see Microsoft accept a perf hit there.
View conversation · Reply Retweet Like
Alex Ionescu Nov 14
Fonts are now userspace and appcontainerized. Shit is getting real/hard/real hard.
View details · Reply Retweet Like
Aaron Friel Nov 14
Replying to @aionescu
*joke about real mode vs protected mode*
View conversation · Reply Retweet Like
lordx86 Nov 14
Replying to @aionescu
I don't know but some security French dude said while back ago that CR3 is the most important register :)
View conversation · Reply Retweet Like
Ahiezer Alvares Nov 14
Replying to @aionescu @NoxOner
awesome!
View conversation · Reply Retweet Like
grsecurity Nov 14
Replying to @aionescu @AaronFriel
PCID doesn't really help that much, and I don't think AMD has anything equivalent. But yeah, the MS/Linux timing of the same magically appearing solution with no public involvement makes it painfully obvious there's something else influencing this choice
View conversation · Reply Retweet Like
Roi Perez Nov 15
Replying to @aionescu
Nice find !
View conversation · Reply Retweet Like
Eliannuminas Nov 15
Replying to @wikinger7 @aionescu
I thought ASLR has virtually no impact on performance?
View conversation · Reply Retweet Like
Alex Ionescu Nov 15
Replying to @Eliannuminas @wikinger7
We’re talking about dual page tables here :)
View conversation · Reply Retweet Like