Share this page!

Johnathan Norman Profile picture
Twitter logo
4 Aug, 9 tweets, 2 min read
Happy to share a little experiment we are trying. microsoftedge.github.io/edgevr/posts/S… I am not sure if it will stick but we will see. Here is how I personally think about the matter 1/?
The impact of security bugs today is far different than it was 10 years ago. Entities like NSO Group and their customers have leveraged these bugs to do some horrible things to journalists, human rights activists, and others. 2/?
So it is worth reconsidering previously held ideas about the compromises made when building software. The JIT is a great example of a performance improvement that is nice but not required for most of the web to work. It also introduces a lot of attack surface 3/?
and forces us to disable some security protections. So we should ask is it worth it? I personally prefer security improvements over the performance gains. Although I am not sure the broader market shares that view. Either way I think giving users more choice is a good idea. 4/?
My hope is that we can find a better way to balance the trade-offs. In our early testing we find that users often don't notice the difference. I would encourage people to try the feature in Edge Beta to see for yourself. edge://flags/#edge-enable-super-duper-secure-mode 5/?
At the moment we are disabling JIT and enabling CET in the renderer process. ACG enablement is next after we do some testing. We also have plans for Android and Mac as well. Android being the most interesting since mobile is such a key target 6/?
I'm not sure if this will land as a feature. But I think this experiment is worth a shot. If you try it please share your feedback in Edge (click the 3 dots -> feedback) or post on the forum techcommunity.microsoft.com/t5/microsoft-e… . We are curious to see if this is something users want. 7/?
Also .. taking suggestions for the feature name as well :) Although we enjoy saying "Super Duper" in meetings at some point that needs to change. 8/8
One more thing I didn't mention here (but discussed in the blog) WASM does not work in this mode currently. It is something we're working on addressing.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Johnathan Norman

Johnathan Norman Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @spoofyroot

Johnathan Norman Profile picture
7 Apr
Lets chat V8 and perf. One of the most common exploit primitives is to abuse the fact that WASM jit pages are RWX. You ever wonder why? Ironically it's because of asm.js! (yes that old stuff) , you see asm.js code is translated to WebAssembly by V8.. Thread 1/?
This code is compiled to WASM bytecode. In the past permissions were flipped on the W^X memory but this operation was expensive. So for performance reasons those pages are RWX. JS runs faster and exploits are easier. yay! 2/?
recently V8 introduced Sparkplug docs.google.com/document/d/13c…, another performance improvement that ran info the same problem. So it seems we're getting more RWX memory.. 3/?
Read 7 tweets
Johnathan Norman Profile picture
26 Jan
The most interesting aspect of this was the exploitation of trust in the security research community. We often take for granted the unique relationship we have with our 'adversaries'. Thread..
If you have worked in this industry long enough you likely have friends who are both blackhats and whitehats. We all play 'spot the fed' at Defcon and at times we share ideas with each other. I've shared drinks with exploit brokers, government employees and
of course my peers in industry. It's something I love about this work. These guys approached my team back in October suggesting they wanted help with research and also to report security bugs. Fortunately we are cautious and nobody got owned.
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @spoofyroot has new unrolls!

Check out other threads from @spoofyroot!

Read all threads by @spoofyroot

:(