—
Discussion & Comments:
—
Presentation Slides, PDFs, Source Code and other presenter materials are available at:
—
Are you interested in what goes in to creating and shipping vulnerability mitigations to over 600 million devices?
Between 2017 to mid-2018, security researchers found and reported over 100 vulnerabilities in Windows resulting from uninitialized memory either leaking across a security boundary or uninitialized memory being used. These types of issues have also been used in several real world exploits. Clearly something needed to be done, but what?
One potential solution to the problem was automatically initializing variables in C/C++ code, however, this comes with potentially significant performance and compatibility problems. In this talk, we’ll walk you through the journey of prototyping, building, and shipping a mitigation named InitAll which does exactly that. Along the way we’ll look at specific vulnerabilities, mitigation implementation details, performance problems, compiler optimizations, application compatibility issues, and more.
We’ll finish up by sharing some cool bugs this mitigation has already killed and share our thoughts on the future of safer C/C++ code.
—
Joe Bialek
Software Security Engineer, Microsoft
Joe Bialek is a security engineer in the Microsoft Security Response Center's Vulnerability & Mitigations team. Joe spends his time eliminating vulnerability classes, creating exploit mitigations, and finding security bugs.
Shayne Hiet-Block
Software Engineer, Microsoft
Shayne is a software engineer working on the Microsoft Visual C++ team, where I've worked for over 13 years. Most of my focus has been on C/C++ code generation. I've worked on general feature work for back-end code generation, optimizations and security.
—
Videos Filmed & Edited by Bash Films:
0 Comments