This presentation is for informational purposes only. MICROSOFT - PowerPoint PPT Presentation


  1. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

  2. Firmware; Boot loaders; Operating system kernels & drivers; Hypervisors & VMMs; Network services (HTTP); System libraries (cryptography); System apps (browsers)

  3. [Chart: number and % of CVEs by patch year, 2006-2019, split into Total, Memory safety and Not memory safety; memory safety is ~70%]
     Memory safety is an industry challenge: ~60% of high severity vulnerabilities in Chrome, ~66% of iOS 12 vulnerabilities, ~72% of macOS 10.14 vulnerabilities, ~90% of Android vulnerabilities [2,3,4,5]

  4. Most systems software is currently written in unsafe languages such as C and C++. These are great languages, but developers need to consciously do the safe thing, and it is easy to make a mistake.

  5. CVE-2019-1345: A portable executable (PE) parsing memory safety vulnerability[6] found by @j00ru that I introduced into the Windows kernel in 2016

  6. For systems software[1] at Microsoft:
     Most vulnerabilities are not known to be exploited in the wild*
     If a vulnerability is exploited, it is most likely to first be exploited as zero day in a targeted attack
     Broad exploitation has become uncommon
     Customer safety has meaningfully improved
     Exploiting vulnerabilities has become more expensive → Alphabet soup of exploit mitigations, sandboxes, and other controls have increased costs
     Many attackers have pivoted to alternative tactics with better ROI → Social engineering (phishing for credential theft, ransomware, etc)
     [Chart: % of CVEs by patch year, 2006-2019: Exploited within 30 days of security update vs. Not known to be exploited]

  7. We leverage tools[25,26] to help us find vulnerabilities; they do not satisfy the properties outlined earlier.

  8. The upstream & downstream costs to productivity can be significant

  9. [Chart: % of CVEs by patch year, 2006-2019, by vulnerability class: Stack Corruption, Heap Corruption, Use After Free, Type Confusion, Uninitialized Use, Heap OOB Read, Other]
     #1 – heap out-of-bounds, #2 – use after free, #3 – type confusion, #4 – uninitialized use

  10. Durable safety solution by vulnerability class (this slide and the next two rate each solution on Completeness, Enforceability, Verifiability and Developer friction; the ratings are not reproduced here)
     Spatial safety
       Heap out-of-bounds read/write, Stack out-of-bounds read/write, Global out-of-bounds read/write: Use gsl::span<T> and do not index raw pointers or perform pointer arithmetic on raw pointers[7]
     Temporal safety
       Heap uninitialized use: Always initialize members in constructors[9]; use a memory allocator that initializes by default
       Stack uninitialized use: Always initialize members in constructors[9]; always initialize local variables before use[8,18]

  11. Temporal safety
       Heap use after free, Stack use after free: Use RAII, owner<T>, unique_ptr<T>, and shared_ptr<T> instead of raw pointers or references to objects[10,11,12]
     Concurrency safety
       Memory access race condition: Unknown[13]
     Object lifetime and concurrency vulnerabilities are challenging to categorically eliminate

  12. 2nd order vulnerability classes
     Type confusion
       Illegal static down cast: Use dynamic_cast or similar runtime verification[14,17]
       Union field type confusion: Use std::variant[15]
     Arithmetic errors
       Integer overflow or underflow: Use safe integer manipulation libraries[16]
     2nd order vulnerability classes can give rise to memory safety vulnerabilities
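
As an added example (not code from the slides), the spatial-safety row of slide 10 and the arithmetic-error row of slide 12 applied together in C++: a parser for a constructed record format written with raw pointer arithmetic behind a 32-bit check, beside the same parser written against a bounds-carrying view that stands in for gsl::span<T>. The record layout, ByteView and every function name are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Stand-in for gsl::span<const uint8_t> (hypothetical name): a pointer that carries its bounds.
struct ByteView {
    const uint8_t* data = nullptr;
    size_t size = 0;
    // Sub-range [offset, offset+length), or nullopt if it is not inside this view.
    // Written so the check itself cannot wrap around (no offset + length is ever formed).
    std::optional<ByteView> subview(size_t offset, size_t length) const {
        if (offset > size || length > size - offset) return std::nullopt;
        return ByteView{data + offset, length};
    }
};

// Little-endian 32-bit decode; callers must have checked that 4 bytes exist.
static uint32_t le32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Constructed record format (not any real file format): 4-byte LE offset, 4-byte LE
// length, then bytes; the payload is the range [offset, offset+length).

// Vulnerable pattern: raw pointer arithmetic guarded by a 32-bit check. For a crafted
// header offset + length wraps, the check passes, and the caller goes on to read
// `length` bytes past the end of buf (heap out-of-bounds read).
const uint8_t* unsafe_payload(const uint8_t* buf, uint32_t size, uint32_t* out_len) {
    uint32_t offset = le32(buf), length = le32(buf + 4);  // also never checks size >= 8
    if (offset + length > size) return nullptr;           // wraps modulo 2^32
    *out_len = length;
    return buf + offset;
}

// Hardened pattern: the bounds travel with the pointer and every access goes through
// a checked sub-range, so a bad header yields nullopt instead of a bad pointer.
std::optional<ByteView> safe_payload(ByteView buf) {
    std::optional<ByteView> hdr = buf.subview(0, 8);
    if (!hdr) return std::nullopt;
    return buf.subview(le32(hdr->data), le32(hdr->data + 4));
}

// Builds a record from its fields; used to construct the sample inputs.
std::vector<uint8_t> make_record(uint32_t offset, uint32_t length, std::vector<uint8_t> payload) {
    std::vector<uint8_t> r;
    for (uint32_t v : {offset, length})
        for (int s = 0; s < 32; s += 8) r.push_back(uint8_t(v >> s));
    r.insert(r.end(), payload.begin(), payload.end());
    return r;
}
```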

  13. Observations: making unsafe code safer

  14. C# is a wonderful language, but it is not suitable in many systems contexts

  15. C# completeness and Rust completeness by vulnerability class (the slide marks each cell with ☺ or a weaker rating; the marks are not reproduced here)
     Spatial safety: Heap out-of-bounds read/write, Stack out-of-bounds read/write, Global out-of-bounds read/write
     Temporal safety: Heap uninitialized use, Stack uninitialized use, Heap use after free, Stack use after free
     Concurrency safety: Memory access race condition
     Type confusion: Illegal static down cast, Union field type confusion
     Arithmetic errors: Integer overflow or underflow (slide note: "unsafe")

  16. Observations: transition to safer languages

  17. Completeness? Enforceability? Verifiability? Developer friction? (ratings not reproduced here)

  18. Observations: memory tagging

  19. Unforgeable capabilities enable fine-grained memory access control[22]
     Completeness? Enforceability? Verifiability? Developer friction? (ratings not reproduced here)

  20. Observations: CHERI

  21. ✔ Hard to do the unsafe thing ✔ Easy to verify that the safe thing happens ✔ Productivity is maximized ✔ Inherently viable

  22. transitive

  23. A huge THANK YOU to everyone at Microsoft & across the industry who is working to durably improve systems software security

  24. https://alexgaynor.net/2019/aug/12/introduction-to-memory-unsafety-for-vps-of-engineering/
     https://langui.sh/2019/07/23/apple-memory-safety/
     https://security.googleblog.com/2019/11/gwp-asan-sampling-heap-memory-error.html
     https://security.googleblog.com/2019/05/queue-hardening-enhancements.html
     https://bugs.chromium.org/p/project-zero/issues/detail?id=1909
     https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#probounds-bounds-safety-profile
     https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Res-always
     https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#SS-type
     https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#SS-lifetime
     https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#r-resource-management
     https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Res-deref
     https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#cp-concurrency-and-parallelism
     https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Rh-dynamic_cast
     https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Ru-naked
     https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#S-expr
     https://clang.llvm.org/docs/ControlFlowIntegrityDesign.html
     https://github.com/microsoft/MSRC-Security-Research/blob/master/presentations/2019_09_CppCon/CppCon2019%20-%20Killing%20Uninitialized%20Memory.pdf
     https://developer.arm.com/-/media/Arm%20Developer%20Community/PDF/Arm_Memory_Tagging_Extension_Whitepaper.pdf

  25. https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Security%20analysis%20of%20memory%20tagging.pdf
     https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
     https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-941.pdf
     https://www.cst.cam.ac.uk/blog/tmj32/addressing-temporal-memory-safety
     https://github.com/microsoft/verona
     https://www.microsoft.com/security/blog/2020/05/04/mitigating-vulnerabilities-endpoint-network-stacks/
     https://www.youtube.com/watch?v=NlfZG2wTPZU
     https://www.rsaconference.com/usa/agenda/collaborating-to-improve-open-source-security-how-the-ecosystem-is-stepping-up
     https://vimeo.com/376177222
