ANC - The Ultimate Vulnerability that just killed Javascript entirely

Some more talk about the topic

In my opinion that's an unfounded mischaracterization that equals the "not wanting to hear" you're entitled to because that's part of freedom. Also in my opinion, it has nothing to do with religion or politics, but exclusively with objective facts and logical conclusions. I do not subscribe to any train of thought that would suggest that religion and ideology are at all or mainly based on objective facts and logical conclusions, but I do subscribe to the opinion that religion is but a construct to escape the crushing reality that logical deduction often leads to paradoxical conclusions that are impossible for a single individual or even a large group of individuals to solve, which may lead to despair or unfocused rebellion.

In my opinion, exactly the opposite of what you say is true, because the ONLY element you realistically have to trust closed source code is religion-like belief ("such a big company with so much talent can't be wrong" or "so many people can't be wrong"), whereas in the case of open source code, you can actually not only check the code yourself, but you also have the choice of not executing any and all code you have no interest in or you haven't checked or you have no trust in for whatever reason. Other than that, even if you don't check code, the number of developers from all over the world and the volume of talent is exponentially larger in open source development, to a point where no corporation on earth could actually afford to hire the volume of talent that is invested in even the most basic open source projects, which reduces your trust based on belief into belief in a corporation because of the brand, and not because of the talent pool of that company, because the talent pool of any company is puny in comparison to any open source community.

The hard reality of the AnC attack is that it is a demonstration of the least probable attack vector. Javascript is a high level limited framework, it is the least probable mechanism to exploit the hardware caching problem that allows for reverse engineering of the ASLR safety. If it works on javascript, it works exceptionally well on lower level execution frameworks. So any and all bit of closed source code might just as well be designed to take advantage of this very hardware system, and you wouldn't ever know. The thing about javascript is that third parties can easily use it to vector their attack over ads and websites. Those ads and this web content, which has javascript in it that is not checked in any way, is executed by default deep inside the system on Windows and default Android machines, because Microsoft and Google have made it so that they can inject those ads and that web content deliberately into the systems of users because it generates income for them, and they have basically buried this faculty deep into the system to prevent easy ways to block this. Now put two and two together: if these companies go to such lengths to compromise the users' systems for simple ads, what other compromises have they engaged in... well, you can't ever tell on Windows and you can't do anything about it on a default Android install. At least on Android you can do something against it, on Windows you could never do that. Now how is it religion or ideology to draw that evident conclusion based upon undeniable facts?

Nice explanation by Steve Gibson, thanks for that post!

I didn't know that Windows was actually using considerably lower entropy in ASLR than linux, making it even easier to attack Windows systems than linux systems with this attack. 4 bits of extra entropy may not sound like a lot, but it's actually a huge difference, requiring a much longer probing array to successfully conduct the attack on a linux system than on a windows system. Steve Gibson also rightfully is more fearful of the attack occurring in native code than in drive-by situations with javascript. Luckily that is not an issue at all with entirely open source linux systems that are untainted by proprietary drivers or sloppy third-party-maintained repos.


I only just found the show yesterday thanks to another post here with various tech channels in it.

Funny you should mention that because earlier in the same show Steve talks about the Windows Nvidia driver being audited and finding 16 exploits, several in the windows kernel side of the code. Nvidia was fast to fix them but they did not know they were there until told by a white hat. 56m 38s in.

To be entirely fair though, as the proprietary nVidia driver for Linux is but a port of the Windows driver, the gdi vulnerabilities only apply insofar as those have also been ported to the binary blob that is introduced into the Linux kernel on systems that have those proprietary nVidia drivers installed. I'm not so sure most of those bugs would actually be problematic in the same way as on Windows, but then there is also no way to tell because those blobs and drivers are closed source. The worst thing is that it is probably safer to run those buggy proprietary drivers in Windows than it is in Linux because there are no Linux-specific patches and because the use of these drivers - by their obfuscated and fundamentally unsafe nature - requires the disabling of important security systems on Linux systems, like for instance SELinux or another MAC/RBAC of choice (except one version of Tomoyo maybe). It's crazy in the light of all the factual material how irresponsibly dangerous it is to use Windows proprietary drivers at all, but especially in Linux. But at least on Linux there is the choice of using the open source drivers, which perform not as well on nVidia cards, but on Intel and AMD cards, there is no performance difference in most use case scenarios any more.