This presentation is for informational purposes only. MICROSOFT - - PowerPoint PPT Presentation



SLIDE 1

This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

SLIDE 2

SLIDE 3

Firmware
Boot loaders
Operating system kernels & drivers
Hypervisors & VMMs
Network services (HTTP)
System libraries (cryptography)
System apps (browsers)

SLIDE 4

SLIDE 5

SLIDE 6

[Chart: # of CVEs by patch year, 2006-2019 (total)]

~66% of iOS 12 vulnerabilities
~72% of macOS 10.14 vulnerabilities
~60% of high severity vulnerabilities in Chrome
~90% of Android vulnerabilities

[Chart: % of CVEs by patch year, 2006-2019, memory safety vs. not memory safety]

~70% of the CVEs are memory safety issues

Memory safety is an industry challenge[2,3,4,5]

SLIDE 7

Most systems software is currently written in unsafe languages such as C and C++, and it is easy to make a mistake. These are great languages, but developers need to consciously do the safe thing.

SLIDE 8

CVE-2019-1345

A portable executable (PE) parsing memory safety vulnerability[6] found by @j00ru that I introduced into the Windows kernel in 2016

SLIDE 9

[Chart: % of CVEs by patch year, 2006-2019, exploited within 30 days of security update vs. not known to be exploited]

Most vulnerabilities are not known to be exploited in the wild*. If a vulnerability is exploited, it is most likely to first be exploited as a zero day in a targeted attack. Broad exploitation has become uncommon. Customer safety has meaningfully improved.

Exploiting vulnerabilities has become more expensive
→ The alphabet soup of exploit mitigations, sandboxes, and other controls has increased costs
Many attackers have pivoted to alternative tactics with better ROI
→ Social engineering (phishing for credential theft, ransomware, etc.)

For systems software[1] at Microsoft

SLIDE 10

We leverage tools[25,26] to help us find vulnerabilities, but they do not satisfy the properties outlined earlier.

SLIDE 11

SLIDE 12

The upstream & downstream costs to productivity can be significant

SLIDE 13

SLIDE 14

SLIDE 15

[Chart: % of CVEs by patch year, 2006-2019, by vulnerability class: Stack Corruption, Heap Corruption, Use After Free, Type Confusion, Uninitialized Use, Heap OOB Read, Other]

#1 – heap out-of-bounds
#2 – use after free
#3 – type confusion
#4 – uninitialized use

SLIDE 16

Vulnerability category | Vulnerability class | Durable safety solution | Completeness? | Enforceability? | Verifiability? | Developer friction?
Spatial safety | Heap out-of-bounds read/write; Stack out-of-bounds read/write; Global out-of-bounds read/write | Use gsl::span<T> and do not index raw pointers or perform pointer arithmetic on raw pointers[7] | ☺ | · | · | ·
Temporal safety | Heap uninitialized use | Always initialize members in constructors[9] | · | · | · | ☺
Temporal safety | Heap uninitialized use | Use a memory allocator that initializes by default | ☺ | · | · | ☺
Temporal safety | Stack uninitialized use | Always initialize members in constructors[9] | · | · | · | ☺
Temporal safety | Stack uninitialized use | Always initialize local variables before use[8,18] | ☺ | · | · | ☺
(☺ = rated favorably on the slide; · = rating glyph not recovered from the slide)
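The spatial-safety row above (bounds-checked views instead of raw pointer arithmetic) and the uninitialized-use rows (members initialized at declaration) in one worked example. This is an added illustration, not code from the presentation: the record format is constructed for the example, and `checked_span` is a hand-written stand-in for `gsl::span<T>` (assumed unavailable) that throws instead of terminating so the rejection can be observed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Minimal bounds-checked view. Stand-in for gsl::span<T> (assumption: gsl is
// not available here); gsl::span terminates on an out-of-bounds access, this
// stand-in throws so the failure is observable from a test.
template <typename T>
class checked_span {
public:
    checked_span(T* data, std::size_t size) : data_(data), size_(size) {}
    std::size_t size() const { return size_; }
    T& operator[](std::size_t i) const {
        if (i >= size_) throw std::out_of_range("checked_span: index out of range");
        return data_[i];
    }
    checked_span subspan(std::size_t offset, std::size_t count) const {
        if (offset > size_ || count > size_ - offset)
            throw std::out_of_range("checked_span: subspan out of range");
        return checked_span(data_ + offset, count);
    }
private:
    T* data_;
    std::size_t size_;
};

// Constructed record format (an assumption for this example): 1-byte tag,
// 2-byte little-endian payload length, then the payload. Every member has a
// default initializer, so a Record that parsing abandons halfway never
// carries uninitialized memory.
struct Record {
    std::uint8_t tag = 0;
    std::uint16_t length = 0;
    std::uint32_t checksum = 0;   // XOR of the payload bytes
};

// BEFORE: raw pointer arithmetic trusts the attacker-controlled length field.
// A length larger than the remaining buffer makes the loop read past the end
// of `p` (heap or stack out-of-bounds read, depending on where `p` lives).
bool parse_unchecked(const std::uint8_t* p, std::size_t n, Record& out) {
    if (n < 3) return false;
    out.tag = p[0];
    out.length = static_cast<std::uint16_t>(p[1] | (p[2] << 8));
    const std::uint8_t* payload = p + 3;
    for (std::size_t i = 0; i < out.length; ++i)   // never compared against n
        out.checksum ^= payload[i];
    return true;
}

// AFTER: no raw indexing or pointer arithmetic; every access goes through the
// checked view, so an oversized length becomes an exception, not a read.
bool parse_checked(checked_span<const std::uint8_t> in, Record& out) {
    if (in.size() < 3) return false;
    out.tag = in[0];
    out.length = static_cast<std::uint16_t>(in[1] | (in[2] << 8));
    checked_span<const std::uint8_t> payload = in.subspan(3, out.length);
    for (std::size_t i = 0; i < payload.size(); ++i)
        out.checksum ^= payload[i];
    return true;
}

// Parses `bytes` with the checked parser; returns the checksum, or -1 if the
// input was rejected (truncated header, or a length field claiming more
// payload than the buffer holds).
long checksum_or_reject(const std::vector<std::uint8_t>& bytes) {
    Record r;
    try {
        if (!parse_checked(checked_span<const std::uint8_t>(bytes.data(), bytes.size()), r))
            return -1;
    } catch (const std::out_of_range&) {
        return -1;
    }
    return static_cast<long>(r.checksum);
}

// Same input through the unchecked parser; only ever called on well-formed data.
long checksum_unchecked(const std::vector<std::uint8_t>& bytes) {
    Record r;
    if (!parse_unchecked(bytes.data(), bytes.size(), r)) return -1;
    return static_cast<long>(r.checksum);
}

int main() {
    // Constructed inputs: a well-formed record, and one whose length field
    // (0xFFFF) far exceeds the single payload byte actually present.
    std::vector<std::uint8_t> good = {0x01, 0x03, 0x00, 0xAA, 0x0F, 0x05};
    std::vector<std::uint8_t> bad  = {0x01, 0xFF, 0xFF, 0xAA};
    std::printf("good: checked %ld, unchecked %ld\n",
                checksum_or_reject(good), checksum_unchecked(good));   // 160, 160
    std::printf("bad:  checked %ld (rejected)\n", checksum_or_reject(bad));   // -1
    // parse_unchecked(bad.data(), bad.size(), r) would walk 65535 bytes past
    // the buffer; it is deliberately not called.
    return 0;
}
```

The point the table makes about enforceability shows up in the AFTER version: the bounds check lives in the type, so a reviewer only has to confirm that no raw pointer is indexed, rather than re-deriving every length comparison.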

SLIDE 17

Vulnerability category | Vulnerability class | Durable safety solution | Completeness? | Enforceability? | Verifiability? | Developer friction?
Temporal safety | Heap use after free; Stack use after free | Use RAII, owner<T>, unique_ptr<T>, and shared_ptr<T> instead of raw pointers or references to objects[10, 11, 12] | · | · | · | ·
Concurrency safety | Memory access race condition | Unknown[13] | · | · | · | ·
(· = rating glyph not recovered from the slide)

Object lifetime and concurrency vulnerabilities are challenging to categorically eliminate
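The use-after-free row above, as an added example (not the presentation's code). The connection table and its asynchronous completions are hypothetical: a raw-pointer design leaves a dangling pointer in any completion that runs after close(), while tying ownership to RAII (shared_ptr in the owner, weak_ptr in the completion) turns the late delivery into an observable rejection.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <memory>

// Hypothetical connection table for this example: sessions are created on
// connect, torn down on close, and asynchronous completions may still be in
// flight when close() runs.
struct Session {
    explicit Session(std::uint32_t i) : id(i) {}
    std::uint32_t id;
    std::uint32_t bytes_received = 0;
};

// BEFORE: ownership by raw pointer. close() deletes the object, but any
// completion that captured the Session* keeps it and writes through freed
// memory the next time it runs (heap use after free).
class RawSessionTable {
public:
    Session* open(std::uint32_t id) { return table_[id] = new Session(id); }
    void close(std::uint32_t id) { delete table_[id]; table_.erase(id); }
    std::function<void(std::uint32_t)> make_completion(std::uint32_t id) {
        Session* s = table_[id];
        return [s](std::uint32_t n) { s->bytes_received += n; };   // dangles after close()
    }
    ~RawSessionTable() { for (auto& kv : table_) delete kv.second; }
private:
    std::map<std::uint32_t, Session*> table_;
};

// AFTER: the table owns each Session through shared_ptr (unique_ptr would do
// if nothing else ever needed a reference), and completions capture only a
// weak_ptr. Lifetime is tied to the owner by RAII; a completion that runs
// after close() sees an expired pointer instead of freed memory.
class SessionTable {
public:
    std::shared_ptr<Session> open(std::uint32_t id) {
        auto s = std::make_shared<Session>(id);
        table_[id] = s;
        return s;
    }
    void close(std::uint32_t id) { table_.erase(id); }   // destroys Session if no other owner
    // Returns a completion that reports whether the delivery was applied.
    std::function<bool(std::uint32_t)> make_completion(std::uint32_t id) {
        std::weak_ptr<Session> weak;
        auto it = table_.find(id);
        if (it != table_.end()) weak = it->second;
        return [weak](std::uint32_t n) {
            if (auto s = weak.lock()) {   // owner for the duration of the call only
                s->bytes_received += n;
                return true;
            }
            return false;   // session gone: drop the data rather than touch freed memory
        };
    }
private:
    std::map<std::uint32_t, std::shared_ptr<Session>> table_;
};

// Drives the race: two deliveries, close, then a late delivery.
struct Outcome {
    std::uint32_t bytes_before_close;
    bool late_delivery_rejected;
};

Outcome run_scenario() {
    SessionTable table;
    std::shared_ptr<Session> s = table.open(7);
    std::function<bool(std::uint32_t)> on_data = table.make_completion(7);
    on_data(100);
    on_data(50);
    Outcome o{s->bytes_received, false};
    s.reset();                                 // give up this owner's reference
    table.close(7);                            // last owner gone: Session destroyed here
    o.late_delivery_rejected = !on_data(25);   // weak_ptr expired, nothing written
    return o;
}

int main() {
    Outcome o = run_scenario();
    // The RawSessionTable variant would execute the same late delivery as a
    // write through a dangling pointer; it is intentionally not driven here.
    return (o.bytes_before_close == 150 && o.late_delivery_rejected) ? 0 : 1;
}
```

This is also why the slide rates the row as hard to categorically eliminate: the weak_ptr pattern only works where every non-owning reference is routed through it, and nothing in the language stops a later change from capturing a raw `Session*` again.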

SLIDE 18

2nd order vulnerability category | Vulnerability class | Durable safety solution | Completeness? | Enforceability? | Verifiability? | Developer friction?
Type confusion | Illegal static down cast | Use dynamic cast or similar runtime verification[14,17] | ☺ | · | · | ·
Type confusion | Union field type confusion | Use std::variant[15] | ☺ | · | · | ·
Arithmetic errors | Integer overflow or underflow | Use safe integer manipulation libraries[16] | ☺ | · | · | ·
(☺ = rated favorably on the slide; · = rating glyph not recovered from the slide)

2nd order vulnerability classes can give rise to memory safety vulnerabilities
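The three second-order rows above in one added example (not code from the presentation). The message hierarchy and the variant type are constructed for illustration; the checked multiply is hand-written in the style of a safe-integer library so the example compiles without one.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <memory>
#include <optional>
#include <string>
#include <variant>

// --- Illegal static down cast ---------------------------------------------
// Constructed message hierarchy for this example.
struct Message { virtual ~Message() = default; };
struct Ping : Message { std::uint32_t seq = 0; };
struct Data : Message { std::string payload; };

// BEFORE: static_cast<const Data&>(m) on a Message whose dynamic type is
// decided by input reads a Ping's bytes as a std::string (type confusion, UB).
// AFTER: dynamic_cast returns nullptr for the wrong type and the caller rejects.
std::size_t payload_size_checked(const Message& m) {
    if (const Data* d = dynamic_cast<const Data*>(&m)) return d->payload.size();
    return 0;   // not a Data message: reject rather than reinterpret
}

// Builds either a Data ("hello") or a Ping behind a Message pointer and runs
// the checked downcast on it.
std::size_t payload_size_of(bool is_data) {
    std::unique_ptr<Message> m;
    if (is_data) {
        auto d = std::make_unique<Data>();
        d->payload = "hello";
        m = std::move(d);
    } else {
        m = std::make_unique<Ping>();
    }
    return payload_size_checked(*m);
}

// --- Union field type confusion -------------------------------------------
// BEFORE: union { int i; const char* s; } plus a separate tag the code has to
// remember to check; one missed check reads int bits as a pointer.
// AFTER: std::variant carries the tag itself, and std::get on the wrong
// alternative throws bad_variant_access instead of reinterpreting memory.
using Value = std::variant<int, std::string>;

// Returns true when reading `v` as a string is refused by the variant.
bool string_read_is_refused(const Value& v) {
    try {
        (void)std::get<std::string>(v);
        return false;
    } catch (const std::bad_variant_access&) {
        return true;
    }
}

// --- Integer overflow -----------------------------------------------------
// BEFORE: count * elem_size wraps, the allocation comes out small, and the
// later per-element writes run off its end (heap out-of-bounds write).
std::size_t naive_alloc_size(std::size_t count, std::size_t elem_size) {
    return count * elem_size;   // well-defined unsigned wraparound, wrong answer
}

// AFTER: a checked multiply of the kind a safe-integer library provides
// (hand-written here); std::nullopt means the allocation must be refused.
std::optional<std::size_t> checked_alloc_size(std::size_t count, std::size_t elem_size) {
    if (count != 0 && elem_size > std::numeric_limits<std::size_t>::max() / count)
        return std::nullopt;
    return count * elem_size;
}

int main() {
    const std::size_t huge = std::numeric_limits<std::size_t>::max() / 4 + 1;
    bool ok = payload_size_of(true) == 5
           && payload_size_of(false) == 0
           && string_read_is_refused(Value{42})
           && naive_alloc_size(huge, 8) == 0          // wrapped to zero
           && !checked_alloc_size(huge, 8).has_value(); // refused
    return ok ? 0 : 1;
}
```

Each of the three fixes converts a silent memory-corrupting path into a rejection the program can act on, which is what makes them second-order: none of them is a memory safety bug by itself, but the overflow in the last case is exactly how the undersized heap allocation behind a "heap out-of-bounds write" CVE typically arises.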

SLIDE 19

Observations: making unsafe code safer

SLIDE 20

C# is a wonderful language, but it is not suitable in many systems contexts

SLIDE 21

Vulnerability category | Vulnerability class | C# completeness | Rust completeness
Spatial safety | Heap out-of-bounds read/write | ☺ | ☺
Spatial safety | Stack out-of-bounds read/write | ☺ | ☺
Spatial safety | Global out-of-bounds read/write | ☺ | ☺
Temporal safety | Heap uninitialized use | ☺ | ☺
Temporal safety | Stack uninitialized use | ☺ | ☺
Temporal safety | Heap use after free | ☺ | ☺
Temporal safety | Stack use after free | ☺ | ☺
Concurrency safety | Memory access race condition | · | ☺
Type confusion | Illegal static down cast | ☺ | ☺
Type confusion | Union field type confusion | ☺ | ☺
Arithmetic errors | Integer overflow or underflow | ☺ | · (unsafe)
(☺ = rated favorably on the slide; · = rating glyph not recovered from the slide)

SLIDE 22

SLIDE 23

Observations: transition to safer languages

SLIDE 24

SLIDE 25

Completeness? · | Enforceability? ☺ | Verifiability? · | Developer friction? ☺
(☺ = rated favorably on the slide; · = rating glyph not recovered from the slide)

3

SLIDE 26

Observations: memory tagging

SLIDE 27

Unforgeable capabilities enable fine-grained memory access control[22]

Completeness? · | Enforceability? ☺ | Verifiability? · | Developer friction? ·
(☺ = rated favorably on the slide; · = rating glyph not recovered from the slide)

SLIDE 28

Observations: CHERI

SLIDE 29

✔ Hard to do the unsafe thing
✔ Easy to verify that the safe thing happens
✔ Productivity is maximized
✔ Inherently viable

SLIDE 30

SLIDE 31

transitive

SLIDE 32

SLIDE 33

A huge THANK YOU to everyone at Microsoft & across the industry who is working to durably improve systems software security

SLIDE 34

[2] https://alexgaynor.net/2019/aug/12/introduction-to-memory-unsafety-for-vps-of-engineering/
[3] https://langui.sh/2019/07/23/apple-memory-safety/
[4] https://security.googleblog.com/2019/11/gwp-asan-sampling-heap-memory-error.html
[5] https://security.googleblog.com/2019/05/queue-hardening-enhancements.html
[6] https://bugs.chromium.org/p/project-zero/issues/detail?id=1909
[7] https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#probounds-bounds-safety-profile
[8] https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Res-always
[9] https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#SS-type
[10] https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#SS-lifetime
[11] https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#r-resource-management
[12] https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Res-deref
[13] https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#cp-concurrency-and-parallelism
[14] https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Rh-dynamic_cast
[15] https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Ru-naked
[16] https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#S-expr
[17] https://clang.llvm.org/docs/ControlFlowIntegrityDesign.html
[18] https://github.com/microsoft/MSRC-Security-Research/blob/master/presentations/2019_09_CppCon/CppCon2019%20-%20Killing%20Uninitialized%20Memory.pdf
[19] https://developer.arm.com/-/media/Arm%20Developer%20Community/PDF/Arm_Memory_Tagging_Extension_Whitepaper.pdf

SLIDE 35

[20] https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Security%20analysis%20of%20memory%20tagging.pdf
[21] https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
[22] https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-941.pdf
[23] https://www.cst.cam.ac.uk/blog/tmj32/addressing-temporal-memory-safety
[24] https://github.com/microsoft/verona
[25] https://www.microsoft.com/security/blog/2020/05/04/mitigating-vulnerabilities-endpoint-network-stacks/
[26] https://www.youtube.com/watch?v=NlfZG2wTPZU
[27] https://www.rsaconference.com/usa/agenda/collaborating-to-improve-open-source-security-how-the-ecosystem-is-stepping-up
[28] https://vimeo.com/376177222