Alex Ionescu
Windows 17035 Kernel ASLR/VA Isolation In Practice (like Linux KAISER). First screenshot shows how NtCreateFile is not mapped in the kernel region of the user CR3. Second screenshot shows how a 'shadow' kernel trap handler is (has to be).
Aaron Friel Nov 14
Replying to @aionescu
Wasn't Kaiser shown to be ineffective and with a rather large cost to syscalls?
Alex Ionescu Nov 14
Replying to @AaronFriel
Source? :-)
Aaron Friel Nov 14
Replying to @aionescu
Did not find the lwn article on Kaiser's inefficacy that I read, but I did find this:
Alexander Riccio Nov 14
Replying to @aionescu
Aaaand I got today's reading set out for me
Volodymyr Pikhur Nov 14
Replying to @aionescu
Surprise surprise :)
Alex Ionescu Nov 14
Replying to @AaronFriel
Well, I’m sure the perf costs (especially on modern hardware with PASID/PCID) will be weighed against the security benefits, and people that care about loopback perf can turn it off in the registry. Remember this is WIP so it may never ship.
Aaron Friel Nov 14
Replying to @aionescu
Reasonable. Can't imagine Microsoft will ship it if the perf hit on syscalls is ~40%.
Alex Ionescu Nov 14
Replying to @AaronFriel
I could easily measure it but MS gets mad if I ruin features ahead of time. I do quite like this one though and have nothing to bitch about :)
Wikinger Nov 14
Replying to @aionescu
Can't wait for the OS to be 50% slower!!
Dennis Ahagon Nov 14
Replying to @aionescu @AaronFriel
KAISER is shipping in one of the next Chrome OS releases on existing Chromebooks.
Aaron Friel Nov 14
Replying to @D2KX_ @aionescu
That's not the sort of workload I think Microsoft would be worried about. Browsers? Meh. SQL Server? Would be very surprised to see Microsoft accept a perf hit there.
Alex Ionescu Nov 14
Fonts are now userspace and appcontainerized. Shit is getting real/hard/real hard.
Aaron Friel Nov 14
Replying to @aionescu
*joke about real mode vs protected mode*
lordx86 Nov 14
Replying to @aionescu
I don't know, but some French security dude said a while back that CR3 is the most important register :)
Ahiezer Alvares Nov 14
Replying to @aionescu @NoxOner
awesome!
grsecurity Nov 14
Replying to @aionescu @AaronFriel
PCID doesn't really help that much, and I don't think AMD has anything equivalent. But yeah, the MS/Linux timing of the same magically appearing solution with no public involvement makes it painfully obvious there's something else influencing this choice
Roi Perez Nov 15
Replying to @aionescu
Nice find !
Eliannuminas Nov 15
Replying to @wikinger7 @aionescu
I thought ASLR has virtually no impact on performance?
Alex Ionescu Nov 15
We’re talking about dual page tables here :)