complete information flow tracking from gates up
play

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun - PowerPoint PPT Presentation

Mar 27, 2023 •363 likes •1.43k views

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel, Frederic T Chong, Timothy Sherwood Presented by Mengjia Yan Based on slides from Mohit Tiwari Goal: Non-Interference High Low Low system Sink

  1. Analysis Technique: GLIFT a a b b t t Conservative. If one of a and b is tainted, the output is tainted. o o t AND Shadow AND for labels

  2. Motivation: Require Precise Information Flow 010101… D Q reset clock • Conventional OR-ing of labels monotonic

  3. Motivation: Require Precise Information Flow 010101… D Q reset clock • Conventional OR-ing of labels monotonic

  4. Motivation: Require Precise Information Flow 010101… D Q reset clock • Conventional OR-ing of labels monotonic

  5. Motivation: Require Precise Information Flow 010101… D Q reset clock • Conventional OR-ing of labels monotonic

  6. Motivation: Require Precise Information Flow 010101… D Q reset clock • Conventional OR-ing of labels monotonic

  7. Motivation: Require Precise Information Flow 010101… D Q reset clock • Conventional OR-ing of labels monotonic

  8. Precise Information Flow: AND Gate untainted tainted a b o 0 0 0 0 0 a b o 0

  9. Precise Information Flow: AND Gate untainted tainted a b o 0 1 0 0 0 a b 0 1 0 o 0

  10. Precise Information Flow: AND Gate untainted tainted a b o 0 1 0 0 0 When a=0, b can not affect a b 0 1 0 the value of the output. à no-interference o 0

  11. Precise Information Flow: AND Gate untainted tainted a b o 0 1 0 0 0 When a=0, b can not affect a b 0 1 0 the value of the output. 1 0 0 à no-interference 1 1 1 o 0 0 0 0 0 0 1

  12. Precise Information Flow: AND Gate untainted tainted a b o 0 1 0 0 0 When a=0, b can not affect a b 0 1 0 the value of the output. 1 0 0 à no-interference 1 1 1 o 0 0 0 0 0 0 1 Use both inputs and input labels

  13. Analysis Technique: GLIFT a b t b a t a a b b t t o o t o t

  14. Sound Composition of Shadow Logic a b s t1 t2 o

  15. Sound Composition of Shadow Logic s s a t b t s a s b t t t1 t2 o t

  16. MUX: Gatekeeper of trust b a b a a b s * 1 0 s s o o o

  17. MUX: Gatekeeper of trust b a b a a b s * 1 0 s s o o o

  18. MUX: Gatekeeper of trust b a b a a b s * 1 0 s s o o o

  19. Implicit Information Flows: Taint Explosion +4 PC jump target is jump? Instr Mem R2 Reg File through R1 decode

  20. Implicit Information Flows: Taint Explosion if (secret==1) +4 out = 1 PC tmp = 5 jump target is jump? Instr Mem R2 Reg File through R1 decode

  21. Implicit Information Flows: Taint Explosion if (secret==1) +4 out = 1 PC tmp = 5 jump target is jump? Instr Mem R2 Reg File through R1 decode

  22. Implicit Information Flows: Taint Explosion if (secret==1) +4 out = 1 PC PC tmp = 5 jump target is jump? Instr Mem R2 Reg File through R1 decode Conditional execution taints critical state (PC)

  23. Implicit Information Flows: Taint Explosion if (secret==1) +4 out = 1 PC PC tmp = 5 jump target is jump? Instr Mem R2 Reg File through R1 decode Conditional execution taints critical state (PC)

  24. Implicit Information Flows: Taint Explosion if (secret==1) +4 out = 1 PC PC tmp = 5 jump target is jump? Instr Mem R2 Reg File through R1 decode Conditional execution taints critical state (PC)

  25. Implicit Information Flows: Taint Explosion if (secret==1) +4 out = 1 PC PC tmp = 5 jump target is jump? Instr Mem R2 Reg File through R1 decode Conditional execution taints critical state (PC)

  26. Implicit Information Flows: Taint Explosion if (secret==1) +4 out out = 1 PC PC tmp tmp = 5 jump target is jump? Instr Mem R2 Reg File through R1 decode Conditional execution taints critical state (PC)

  27. Convert Implicit Flow to Explicit Flow if (secret==1) out = 1 +4 tmp = 5 PC jump target is jump? P0 = secret Instr Mem (P0) out = 1 tmp = 5 R2 Reg File through R1 decode 6.888 Fall 2020 22

  28. Convert Implicit Flow to Explicit Flow if (secret==1) out = 1 +4 tmp = 5 PC jump target is jump? P0 = secret Instr Mem (P0) out = 1 tmp = 5 R2 Reg File through R1 decode 6.888 Fall 2020 22

  29. Convert Implicit Flow to Explicit Flow if (secret==1) out = 1 +4 tmp = 5 PC jump target is jump? P0 = secret Instr Mem (P0) out = 1 P0 tmp = 5 R2 Reg File through R1 decode 6.888 Fall 2020 22

  30. Convert Implicit Flow to Explicit Flow if (secret==1) out = 1 +4 tmp = 5 PC jump target is jump? P0 = secret Instr Mem (P0) out = 1 P0 tmp = 5 R2 Reg out File through R1 decode 6.888 Fall 2020 22

  31. Convert Implicit Flow to Explicit Flow if (secret==1) out = 1 +4 tmp = 5 PC jump target is jump? P0 = secret P0 = secret Instr Mem (P0) out = 1 (P0) out = 1 P0 tmp = 5 tmp = 5 R2 Reg out File through R1 decode 6.888 Fall 2020 22

  32. Convert Implicit Flow to Explicit Flow if (secret==1) out = 1 +4 tmp = 5 PC jump target is jump? P0 = secret Instr Mem (P0) out = 1 5 P0 tmp = 5 R2 Reg out File through R1 decode 6.888 Fall 2020 23

  33. Convert Implicit Flow to Explicit Flow if (secret==1) out = 1 +4 tmp = 5 PC jump target is jump? P0 = secret Instr Mem (P0) out = 1 5 P0 tmp = 5 R2 Reg out File through R1 decode 6.888 Fall 2020 23

  34. Convert Implicit Flow to Explicit Flow if (secret==1) out = 1 +4 tmp = 5 PC jump target is jump? P0 = secret Instr Mem (P0) out = 1 5 P0 tmp = 5 R2 Reg out File tmp through R1 decode 6.888 Fall 2020 23

  35. Convert Implicit Flow to Explicit Flow if (secret==1) out = 1 +4 tmp = 5 PC jump target is jump? P0 = secret P0 = secret Instr Mem (P0) out = 1 (P0) out = 1 5 P0 tmp = 5 tmp = 5 R2 Reg out File tmp through R1 decode 6.888 Fall 2020 23

  36. Similar Mechanisms for Loop/Load/Store • Variable length loops à fixed size loops (bounding) • Indirect loads/stores à Direct loads/stores 6.888 Fall 2020 24

  37. Similar Mechanisms for Loop/Load/Store • Variable length loops à fixed size loops (bounding) • Indirect loads/stores à Direct loads/stores - Harder to program and inefficient + Verifiable system 6.888 Fall 2020 24

  38. Similar Mechanisms for Loop/Load/Store • Variable length loops à fixed size loops (bounding) • Indirect loads/stores à Direct loads/stores - Harder to program and inefficient + Verifiable system • Recommend to read their follow-on work: • Execution Leases: A Hardware-Supported Mechanism for Enforcing Strong Non-Interference ; Tiwari et al.; MICRO’09 6.888 Fall 2020 24

  39. Evaluation + Security - Area overhead/Power consumption - Performance overhead - Programmability 6.888 Fall 2020 25

  40. Evaluation + Security - Area overhead/Power consumption - Performance overhead - Programmability Appropriate use cases: • When critical or sensitive operations need to be performed, a co-processor augmented with these abilities could be an attractive option. 6.888 Fall 2020 25

  41. Discussion Questions

  42. Discussion Questions on Taint Tracking • Who designates an input as untrusted/trusted? Where in the architecture/implementation does an input first get marked as untrustworthy? 6.888 Fall 2020 27

  43. Discussion Questions on Taint Tracking • Who designates an input as untrusted/trusted? Where in the architecture/implementation does an input first get marked as untrustworthy? • Can/should there be a method of promoting data from untrusted to trusted? (from High to Low) 6.888 Fall 2020 27

  44. Discussion Questions on Taint Tracking • Who designates an input as untrusted/trusted? Where in the architecture/implementation does an input first get marked as untrustworthy? • Can/should there be a method of promoting data from untrusted to trusted? (from High to Low) • How does the GLIFT method handle optimizations such as out-of-order execution, speculation etc? Will the proposed architecture be able to detect covert and side channel attacks such as Meltdown and Spectre? 6.888 Fall 2020 27

  45. Example MLS System Example Satellite Application. [Tzvetan Metodi, Aerospace Corp.] Interrupt Handlers (Non-sensitive) Command Kernel and Time I/O Mission Mission Crypto Telemetry Diagnostics Keeping Secret Secret Unclass. Interface

  46. Example MLS System Example Satellite Application. [Tzvetan Metodi, Aerospace Corp.] Interrupt Handlers (Non-sensitive) Command Kernel and Time I/O Mission Mission Crypto Telemetry Diagnostics Keeping Secret Secret Unclass. Interface Primary Execution Schedule Execution Time Note: Since this is not a real schedule, the processes are not in any sensible execution order

  47. Example MLS System Example Satellite Application. [Tzvetan Metodi, Aerospace Corp.] Interrupt Handlers (Sensitive) Interrupt Handlers (Non-sensitive) Command Kernel and Time I/O Mission Mission Crypto Telemetry Diagnostics Keeping Secret Secret Unclass. Interface Primary Execution Schedule Execution Time Note: Since this is not a real schedule, the processes are not in any sensible execution order

  48. Example MLS System Example Satellite Application. [Tzvetan Metodi, Aerospace Corp.] Interrupt Handlers (Sensitive) Interrupt Handlers (Non-sensitive) Command Kernel and Time I/O Mission Mission Crypto Telemetry Diagnostics Keeping Secret Secret Unclass. Interface Primary Execution Schedule Execution Time Note: Since this is not a real schedule, the processes are not in any sensible execution order Non-sensitive Sensitive

  49. Example: Satellite System

  50. Example: Satellite System Untrusted & Secret Trusted & Secret Untrusted & Unclassified Trusted & Unclassified

  51. Example: Satellite System Untrusted & Secret Trusted & Secret Untrusted & Unclassified Trusted & Unclassified Kernel, Interrupt Handlers (Unclassified), Time Keeping Programs

  52. Example: Satellite System Untrusted & Secret Trusted & Secret Untrusted & Unclassified Diagnostics, Telemetry Interfaces Trusted & Unclassified Kernel, Interrupt Handlers (Unclassified), Time Keeping Programs

  53. Example: Satellite System Untrusted & Secret Trusted & Secret Untrusted & Unclassified Custom code on Secret data Diagnostics, Telemetry Interfaces Trusted & Unclassified Kernel, Interrupt Handlers (Unclassified), Time Keeping Programs

  54. Example: Satellite System Untrusted & Secret Libraries (e.g. encryption) that operate on Secret data Trusted & Secret Untrusted & Unclassified Custom code on Secret data Diagnostics, Telemetry Interfaces Trusted & Unclassified Kernel, Interrupt Handlers (Unclassified), Time Keeping Programs

  55. Discussion Questions on Use Cases • One specific use case: What if we needed to load in a new firmware blob to compute a new function. Could we send it in encrypted and have a way of validating and then trusting it? 6.888 Fall 2020 30

  56. Discussion Questions on Use Cases • One specific use case: What if we needed to load in a new firmware blob to compute a new function. Could we send it in encrypted and have a way of validating and then trusting it? • In the end, it seems the ISA is the secure step, and the trust bits are just useful in validating the design. (Does the restricted ISA make program secure against side channels?) 6.888 Fall 2020 30

  57. Discussion Questions on Use Cases • One specific use case: What if we needed to load in a new firmware blob to compute a new function. Could we send it in encrypted and have a way of validating and then trusting it? • In the end, it seems the ISA is the secure step, and the trust bits are just useful in validating the design. (Does the restricted ISA make program secure against side channels?) • This kind of processor would be a pain to program. If most applications on it are small, important kernels, such as AES, would it not be better to produce a specially tuned ASIC/IP core? 6.888 Fall 2020 30

  58. Discussion Questions on Use Cases • One specific use case: What if we needed to load in a new firmware blob to compute a new function. Could we send it in encrypted and have a way of validating and then trusting it? • In the end, it seems the ISA is the secure step, and the trust bits are just useful in validating the design. (Does the restricted ISA make program secure against side channels?) • This kind of processor would be a pain to program. If most applications on it are small, important kernels, such as AES, would it not be better to produce a specially tuned ASIC/IP core? • Are there any programs or algorithms that are rendered impossible (or extremely difficult) to write as a result of the limitations that they've placed on loops? 6.888 Fall 2020 30

  59. Discussion Questions on Future Work • Rather than implementing a CPU with this restricted ISA, since this is used only for edge case computation, could an FPGA-based enclave in a traditional CPU be used with this ISA instead as a cost-effective implementation? 6.888 Fall 2020 31

  60. Discussion Questions on Future Work • Rather than implementing a CPU with this restricted ISA, since this is used only for edge case computation, could an FPGA-based enclave in a traditional CPU be used with this ISA instead as a cost-effective implementation? • Rather than apply the concept of gate level flow tracking to the ISA, I envision further work that could apply the same concepts to FPGA tooling. 6.888 Fall 2020 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel,

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel,

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel, Frederic T Chong, Timothy Sherwood Presented by Mengjia Yan Based on slides from Mohit Tiwari Goal: Non-Interference Non-Interference: a change in a

604 views • 32 slides
Last Week Logic gates are built out of transistors There are many different logic gates

Last Week Logic gates are built out of transistors There are many different logic gates

10/26/2009 Last Week Logic gates are built out of transistors There are many different logic gates NAND is functionally complete Digital circuits process data using gates Half and full adder 1 10/26/2009 This week

762 views • 37 slides
Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site

Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site

Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks Matthew Van Gundy and Hao Chen University of California, Davis 16th Annual Network & Distributed System Security Symposium

1.08k views • 80 slides
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones William Enck Peter Gilbert Byung-Gon Chun Landon P. Cox Jaeyeon Jung Patrick McDaniel Anmol N. Sheth Presentation by Krzysztof Pawlowski

447 views • 30 slides
RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y.

RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking Y. Ji, S. Lee, E. Downing, et.al. CCS17 Presented by: Mohammad A. Noureddine CS563 Fall 2018 No Shortage of Recent Breaches! 1 Investigating

804 views • 28 slides
PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca

PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca

ACM/IEEE CODES+ISSS 2018, Turin, Italy PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators Luca Piccolboni, Giuseppe Di Guglielmo and Luca P. Carloni Columbia University, NY, USA Systems-on-Chip (SoCs) Are

851 views • 50 slides
Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael

Decoupling Dynamic Information Flow Tracking with a Dedicated Coprocessor Hari Kannan , Michael Dalton, Christos Kozyrakis Computer Systems Laboratory Stanford University Motivation Dynamic analysis help better understand SW behavior

350 views • 24 slides
Information Flow Tracking Andrei Sabelfeld Chalmers https://www.cse.chalmers.se/~andrei EWSCS

Information Flow Tracking Andrei Sabelfeld Chalmers https://www.cse.chalmers.se/~andrei EWSCS

Information Flow Tracking Andrei Sabelfeld Chalmers https://www.cse.chalmers.se/~andrei EWSCS 2019 Language c ::= skip | x:=exp | c;c | if exp then c else c | while exp do c 2 Explicit flows high (secret) l:=h insecure low (public)

555 views • 27 slides
Cross-border Flow of Health Information: is Privacy by Design sufficient to obtain complete

Cross-border Flow of Health Information: is Privacy by Design sufficient to obtain complete

EUropean Best Information through Regional Outcomes in Diabetes Cross-border Flow of Health Information: is Privacy by Design sufficient to obtain complete and accurate data for Public Health in Europe? The case of BIRO/EUBIROD Diabetes

325 views • 20 slides
Building Hardware Systems for Information Flow Tracking Hari Kannan Computer Systems Laboratory

Building Hardware Systems for Information Flow Tracking Hari Kannan Computer Systems Laboratory

Building Hardware Systems for Information Flow Tracking Hari Kannan Computer Systems Laboratory Stanford University The Computer Security Crisis More systems are online, vulnerable Banking, Power, Water, Government

673 views • 56 slides
1. The code that we have written is, as I pointed out already, a complete code that can be

1. The code that we have written is, as I pointed out already, a complete code that can be

1. The code that we have written is, as I pointed out already, a complete code that can be used to solve DNS of Multiphase Flows Simple Front Tracking real problems---or as real as the assumption of a two-dimensional flow allows for.

240 views • 10 slides
On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang,

On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang,

RAIN: Refinable Attack Investigation with On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang, Mattia Fazzini, Taesoo Kim, Alessandro Orso, and Wenke Lee ACM CCS 2017 Oct 31, 2017 More and more

1.28k views • 88 slides
On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang,

On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang,

RAIN: Refinable Attack Investigation with On-demand Inter-process Information Flow Tracking Yang Ji, Sangho Lee, Evan Downing, Weiren Wang, Mattia Fazzini, Taesoo Kim, Alessandro Orso, and Wenke Lee ACM CCS 2017 Oct 31, 2017 More and more

870 views • 27 slides
IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios

IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios

IntFlow: Integer Error Handling With Information Flow Tracking Marios Pomonis Theofilos Petsios Kangkook Jee Michalis Polychronakis Angelos D. Keromytis December 7, 2014 Columbia University mpomonis@cs.columbia.edu IntFlow Columbia

463 views • 32 slides
Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security:

Course outline 1. Language-Based Security: motivation 2. Language-Based Information-Flow Security: the big picture 3. Dimensions and principles of declassification 4. Dynamic vs. static security enforcement 5. Tracking information flow in web

641 views • 30 slides
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

1k views • 21 slides
VC Dimension and classification John Duchi Prof. John Duchi Outline I Setting: classification

VC Dimension and classification John Duchi Prof. John Duchi Outline I Setting: classification

VC Dimension and classification John Duchi Prof. John Duchi Outline I Setting: classification problems II Finite hypothesis classes 1 Union bounds 2 Zero error case III Shatter coe ffi cients and Rademacher complexity IV VC Dimension Prof.

445 views • 26 slides
LArSoft vectorization tests: status report Guilherme Lima LArSoft Coordination Meeting June 19,

LArSoft vectorization tests: status report Guilherme Lima LArSoft Coordination Meeting June 19,

Managed by Fermi Research Alliance, LLC for the U.S. Department of Energy Office of Science LArSoft vectorization tests: status report Guilherme Lima LArSoft Coordination Meeting June 19, 2018 Recalling the big picture On my last report

513 views • 9 slides
GVPLS/LPE - Generic VPLS Solution based on LPE Framework Update version 01 Vasile Radoaca/Dinesh

GVPLS/LPE - Generic VPLS Solution based on LPE Framework Update version 01 Vasile Radoaca/Dinesh

GVPLS/LPE - Generic VPLS Solution based on LPE Framework Update version 01 Vasile Radoaca/Dinesh Mohan Nortel Networks Vasile Radoaca Andrew Malis Ananth Nagarajan Alain Vedrenne Javier Achirica Himanshu Shah Muneyoshi Sujuki Pascal

118 views • 10 slides
Machine Learning and Data Mining VC Dimension Kalev Kask Slides based on Andrew Moores

Machine Learning and Data Mining VC Dimension Kalev Kask Slides based on Andrew Moores

+ Machine Learning and Data Mining VC Dimension Kalev Kask Slides based on Andrew Moores Learners and Complexity We ve seen many versions of underfit/overfit trade-off Complexity of the learner Representational Power

639 views • 24 slides
ITU-R Study Group 1 on-going activities on Spectrum Management Webpage

ITU-R Study Group 1 on-going activities on Spectrum Management Webpage

ITU-R Study Group 1 on-going activities on Spectrum Management Webpage www.itu.int/ITU-R/go/rsg1 Wael SAYED Chairman, ITU-R Study Group 1 Philippe AUBINEAU ITU-R SG1 Counsellor Study Group 1 Spectrum Management Spectrum

581 views • 25 slides
Cooperative Positioning in Urban Environments: Opportunities and Challenges Joon Wayn Cheong

Cooperative Positioning in Urban Environments: Opportunities and Challenges Joon Wayn Cheong

Cooperative Positioning in Urban Environments: Opportunities and Challenges Joon Wayn Cheong DSRC Proposed for C-ITS Each vehicle broadcasts its own position . Similar to ADS-B or AIS Assumes that sufficiently accurate position of

619 views • 22 slides
DMLSS and Strategic Sourcing Capability and Pricing Agreements Practical Experience Mr. Ivan

DMLSS and Strategic Sourcing Capability and Pricing Agreements Practical Experience Mr. Ivan

DMLSS and Strategic Sourcing Capability and Pricing Agreements Practical Experience Mr. Ivan Domenech JMLFDC Ms. Katy Furr JMLFDC LCDR Jason Galka, USN DLA-Troop Support Maj Kevin Bourne, USAF DLA-Troop Support CPE Information and

623 views • 21 slides
Applicant Post Award Process Public Assistance (PA) Program FEMA-DR-4512-VA COVID - 19

Applicant Post Award Process Public Assistance (PA) Program FEMA-DR-4512-VA COVID - 19

Applicant Post Award Process Public Assistance (PA) Program FEMA-DR-4512-VA COVID - 19 Presented by the Finance and Recovery Sections of the Virginia Emergency Support Team (VEST) 1 What Happens Post-Award? 2 What happens next?

431 views • 19 slides

More recommend