The kernel owns the page tables. It can always find another way in.

But the point here is that userspace can use this to bypass kernel protections that would otherwise prevent it from mutating R^X pages for example, not that the kernel can bypass its own.

Those protections are mainly about preventing well-intentioned people from accidentally shooting themselves in the foot though, right? So it's not really a big deal that there is a way around it.

No, page table write access allows arbitrary memory access because I can map any PFN I want. It's certainly a vector to execute arbitrary code in ring 0.

It's a huge deal. It's a trivial gadget for building a larger exploit chain.

> The kernel owns the page tables.

Not entirely; IOMMU is a thing. That is, IIRC, how Amazon and other hyperscalers can promise you virtual machines whose memory cannot be touched even in the case the host is compromised (and, by extension, also if the feds arrive to v& your server).

> how Amazon and other hyperscalers can promise you virtual machines whose memory cannot be touched even in the case the host is compromised (and, by extension, also if the feds arrive to v& your server).

Even if we take those promises at face value, it practically doesn't mean much because every server still needs to handle reboots, which is when they can inject their evil code.

MK-TME allows having memory encrypted at run time, and the platform TPM signs an attestation saying the memory was not altered.

Malicious code can't be injected at boot without breaking that TPM.
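An added example (not from the thread) of the measured-boot idea behind that claim: each boot stage is hashed into a TPM PCR with the one-way extend operation, and a verifier only accepts a quote whose PCR equals the golden value. The boot chain contents, the attestation key and the HMAC stand-in for the TPM's quote signature are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample boot chain (names and contents are made up for this example).
GOLDEN_CHAIN = [
    ("firmware", b"example firmware image v1"),
    ("bootloader", b"example bootloader v1"),
    ("kernel", b"example kernel image v1"),
]
# Stand-in for the TPM's attestation key: a real TPM signs quotes with an
# asymmetric key whose public half the verifier enrolled beforehand.
ATTESTATION_KEY = b"constructed-attestation-key"


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new_pcr = H(old_pcr || H(component)).
    One-way and order-dependent, so no later stage can undo an earlier measurement."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_chain(chain) -> bytes:
    """Replay a boot chain into a single PCR, starting from the reset value (all zeros)."""
    pcr = bytes(32)
    for _name, image in chain:
        pcr = pcr_extend(pcr, image)
    return pcr


def make_quote(pcr: bytes, nonce: bytes) -> bytes:
    """Simulated TPM quote over (PCR value, verifier nonce); the nonce defeats replay."""
    return hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()


def verify_quote(pcr: bytes, nonce: bytes, quote: bytes, golden_pcr: bytes) -> bool:
    """Verifier side: the quote must be authentic AND the PCR must equal the golden value."""
    expected = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote):
        return False  # not signed by the enrolled TPM, or replayed under a stale nonce
    return hmac.compare_digest(pcr, golden_pcr)


def attest(chain, nonce: bytes = b"verifier-nonce-1") -> bool:
    """End to end: boot with `chain`, produce a quote, verify it against the golden chain."""
    golden = measure_chain(GOLDEN_CHAIN)
    pcr = measure_chain(chain)
    return verify_quote(pcr, nonce, make_quote(pcr, nonce), golden)


if __name__ == "__main__":
    tampered = [(n, i if n != "kernel" else i + b" + injected code") for n, i in GOLDEN_CHAIN]
    print("untampered boot attests:", attest(GOLDEN_CHAIN))  # True
    print("tampered kernel attests:", attest(tampered))      # False
```

Any change to any stage, or to the order of stages, changes the final PCR, so the quote no longer matches the golden value even though it is validly signed.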

Subject to the huge caveat that the attacker does not have physical access. https://tee.fail/

This is excellent. The ability to trick remote servers into believing our computers are "trusted" despite the fact we are in control will be a key capability in the future. We need stuff like this to maintain control over our computers.

An interesting implementation flaw, but not a conceptual problem with the design.

Well, it kind of is actually. The previous iteration of the design didn't have that vulnerability but it was slower because managing IVs within the given constraints adds an additional layer of complexity. This is the pragmatic compromise so to speak.

Does it count as a conceptual problem when technical challenges without an acceptable solution block your goal?

[deleted]

If your threat model is being v& by feds, maybe you should keep your server at home behind Tor.

Proper OPSEC dictates that the server be located as far away from home as possible, ideally in a location with zero ties to your person.

Hosting a Tor outbound server at home is a stupid idea.

Your home is gonna be raided by police and you will wait months or a year to get your shit back, and then, if nothing, you're gonna be charged for having pirated Windows and Photoshop lol

Real story.

lmao please tell more

Not even two years ago, see https://www.golem.de/news/nach-hausdurchsuchung-deutscher-to...

And it's not just a one-off occurrence either. Tor exit node operators getting v& has been a thing for decades: https://www.heise.de/news/Anonymisierungsserver-bei-Razzia-b...

These days, every American's threat model should include being v& by the feds, and here in Germany, the situation isn't much better, you can get v& for saying the Minister of Interior is a dick [1].

Yes, this was later on ruled unconstitutional, but it doesn't change the facts, and, worse, Germany doesn't have a "fruit of the forbidden tree" rule.

[1] https://www.spiegel.de/panorama/justiz/hamburg-wohnungsdurch...

Not really; one of the security measures on Windows is exactly to control how the kernel can access secure process memory, as a possible mitigation against attacks by rogue drivers.

Naturally it is the kind of stuff that requires Windows 11 vlatest with the nice Pluton security CPU, as part of the Copilot+ PC design.