Conference: Nov 5-7, 2018
Workshops: Nov 8–9, 2018
Presentation: Control Flow Integrity Using Hardware Counters
Share this on:
What You’ll Learn
- Creativity and research are necessary to solve modern and future security issues.
- What can you take from modern software and hardware development to apply to security?
Abstract
Advanced software exploitation is a rapidly changing field of study. In recent years, clever ways to bypass existing exploit defenses have become mainstream. Reactive defensive solutions based on known exploitation techniques have been proven ineffective, and easily circumvented. In this paper, we discuss a new system for early detection and prevention of unknown exploits. Our system uses Performance Monitoring Unit hardware to enforce coarse-grained Control Flow Integrity (CFI). By using hardware features that exist in modern processor architectures, and real-time CFI policy enforcement, we hope to prove that our approach is effective and suitable for practical use, while staying resistant to bypass.
Interview
Cody is running his team on the research side and coming up with new innovative things that we can do. He and his team came up with what we will present and some of the ideas around it and in some of the decisions we made. I am the CTO and I oversee what we're what we're building in the long run and work with Cody on strategic direction.
We understand security as a nuanced problem. In order to be effective at stopping an attacker when they're trying to perform an attack, you have to stop them very, very early. The later that you you detect them or stop them the more they kind of chip away at the trust and the privilege level and it becomes harder and harder.
How do you do that at the speed of software and the speed that their software changes these days? We found out you know after doing so some research and reading some related prior art that the CPU architecture provides some functions to do this at execution speed and that would be millions of instructions per second. So to solve this in the most effective way we we decided to tap into the hardware and that's really what the premise of the talk. We want to share how we got there and where we think we can go next.
Obviously security researchers would get a lot out of it, but there's there's a lot of people out there that do vulnerability research to think about how to see and prevent attacks or exploits.
Anyone that’s interested in malware or computer security in general I think will take some stuff away from it.
How to think about access and think a little bit outside the box about things that may historically have been just applicable to performance and development which could potentially be applicable to security as well.
What keeps me up is that for me security is a real existential problem for society; everybody on the planet. And so it keeps me up at night that we aren’t doing more and we still have a gap in the individual;s knowledge of security, and behaviors, and the security of your information. In this age, you need to protect your phone because it has your whole life on it. These kind of things keep me up because these are part engineering solutions. It's also part cultural education.
Similar Talks
.
Tracks
-
Architectures You've Always Wondered About
Architectural practices from the world's most well-known properties, featuring startups, massive scale, evolving architectures, and software tools used by nearly all of us.
-
Going Serverless
Learn about the state of Serverless & how to successfully leverage it! Lessons learned in the track hit on security, scalability, IoT, and offer warnings to watch out for.
-
Microservices: Patterns and Practices
Stories of success and failure building modern Microservices, including event sourcing, reactive, decomposition, & more.
-
DevOps: You Build It, You Run It
Pushing DevOps beyond adoption into cultural change. Hear about designing resilience, managing alerting, CI/CD lessons, & security. Features lessons from open source, Linkedin, Netflix, Financial Times, & more.
-
The Art of Chaos Engineering
Failure is going to happen - Are you ready? Chaos engineering is an emerging discipline - What is the state of the art?
-
The Whole Engineer
Success as an engineer is more than writing code. Hear inward looking thoughts on inclusion, attitude, leadership, remote working, and not becoming the brilliant jerk.
-
Evolving Java
Java continues to evolve & change. Track covers Spring 5, async, Kotlin, serverless, the 6-month cadence plans, & AI/ML use cases.
-
Security: Attacking and Defending
Offense and defensive security evolution that application developers should know about including SGX Enclaves, effects of AI, software exploitation techniques, & crowd defense
-
The Practice & Frontiers of AI
Learn about machine learning in practice and on the horizon. Learn about ML at Quora, Uber's Michelangelo, ML workflow with Netflix Meson and topics on Bots, Conversational interfaces, automation, and deployment practices in the space.
-
21st Century Languages
Compile to Native, Microservices, Machine learning... tailor-made languages solving modern challenges, featuring use cases around Go, Rust, C#, and Elm.
-
Modern CS in the Real World
Applied trends in Computer Science that are likely to affect Software Engineers today. Topics include category theory, crypto, CRDT's, logic-based automated reasoning, and more.
-
Stream Processing In The Modern Age
Compelling applications of stream processing using Flink, Beam, Spark, Strymon & recent advances in the field, including Custom Windowing, Stateful Streaming, SQL over Streams.
-
Performance Mythbusting
Real world, applied performance proofs across stacks. Hear performance consideratiosn for .NET, Python, & Java. Learn performance use cases with OpenJ9, Instagram, and Netflix.
-
Tools and Culture: What's Beyond a Stack of Containers?
Containers are not just a techology. It's a platform. Push your knowledge.
-
Web as Platform
All things Browser, from JavaScript Frameworks for animation and AR / VR to Web Assembly and from protocol work to open standards evolution.
-
Beyond Being an Individual Contributor
Beyond being an individual contributor. Building and Evolving managers and tech leadership.
-
Building Great Engineering Cultures
Why engineering culture matters. Track features org scaling, memes as a culture tool, Ally skills, and panels on diversity / inclusion.
-
Hardware Frontiers: Changes Affecting Software Developers Today
Topics around: Quantum computing, NVM, SMR, GPU, custom hardware, self-driving cars, and mobile hardware.