[00:00:10] >> Thanks, Tony. In the talk today I want to talk about my security research: how to exploit program invariants to protect our computer systems. We all know that these days we use computers everywhere: we use computers for work, we use computers at home, and we use computers while we travel between home and work. But unfortunately computers are built by humans, and humans make mistakes, so we have program bugs everywhere. I have rarely used a computer system that has no bugs in it. This is believed to be the first bug ever found, in 1947, and it is a real bug. [00:00:59] It was in the Harvard Mark II computer, and it affected the functionality of this machine. Of course what I care about is security bugs. These bugs affect the security of the program, and attackers can use them to compromise our systems. This figure shows the number of security bugs over the last 20 years. You can see we wrote a lot of programs and made a lot of bugs; last year over 1000 bugs were reported. Among all these bugs I mainly focus on what are called memory safety bugs, because these bugs are the most serious. This figure shows the percentage of memory safety bugs among all of the security bugs at Microsoft, and you can see it is consistently around 70 percent of all of them every year. Some of them are pretty famous: Heartbleed, GHOST, [00:02:04] and Stagefright. You may have heard about these; I guess Heartbleed is maybe the most famous one. So what is a memory safety bug? Let me give you a very quick introduction. A memory safety bug is just
an unintended access of memory locations. All right, so this is a simple code snippet, and this bug is called a stack-based buffer overflow. You don't have to read the code; I'm going to show you what happens here. Basically, in the memory space we have a buffer here on the stack, and right after the buffer is the return address, just next to each other. This function wants to copy its input into the buffer, so along the way it is going to fill the buffer. At this point it is good, as expected by the developers, but you can see the input is so long that it exceeds the boundary of the buffer and the copy continues. [00:03:12] It keeps going, and along the way it will overwrite the return address. This is unexpected, and this is a memory safety bug. Attackers can use this bug to own the computer system, and this figure shows the money lost to cyber attacks. [00:03:35] In 2018 we had over $2,700,000,000 in losses; this is a strong motivation for me to work in this area. So attackers can use this bug to launch remote code execution, which means they can run arbitrary code on your machine. You believe this is your machine, but it's not only your machine, it's also the attacker's machine, so they can do anything they want. For example, they can mine Bitcoin, which requires a lot of computing resources; they can use your machine to launch DoS attacks, so without your knowledge attackers have used your machine to attack others, [00:04:10] maybe your friends, your family. They also monitor your behavior every day, so whatever you do on the computer, they know it. With arbitrary code execution attackers can also leak information about yourself, including passwords, private keys,
and also your credit card number. Everything they can leak, and sometimes also the photos that you store on your phone. Anything stored on a computer, they can get. So we have a lot of ways to protect our computer systems and prevent attacks. The first one: you can try to find the bugs and fix them. The way we fix bugs [00:04:56] is with human effort: we look into the code and see whether there is a bug or not. This is useful, but unfortunately real-world programs are huge. Linux currently has over 20 million lines of code; it's impossible for humans to check the code line by line and find all the bugs. And again, humans make mistakes, so [00:05:18] they will miss critical bugs or report false alarms. So of course we should use computers to help us find bugs and fix them. One way is what we call static analysis, which means we draw the program's control-flow graph. This graph shows how the program will run from one instruction to the next, so ideally we are going to check: OK, following this path, what happens, and following this path, what happens, and it's perfect. Unfortunately, this is the control-flow graph of V8, which is one component of the Chrome browser, and even here it is just one function. [00:06:00] I believe it is very hard to see the validity of it here, because there are just so many functions and so many calls. The second issue is that static analysis does not have precise information about the program.
Since it does not have a concrete context, sometimes you do not know whether it is a real bug or not, because you do not have a concrete input. Besides static analysis you also have dynamic analysis, which means we just run the system, and sometimes we find something is wrong and we say this is a real bug, let's fix it. Perfect. But again, real-world systems are so complicated that it's very hard for us to generate inputs that run all of them and explore all the possible paths. In this case, if this is a path we never explore and it has a bug, then we are going to miss the bug. So dynamic analysis gives [00:06:57] incomplete results. Overall, currently we do not have any detection solution that can guarantee to find all the bugs, so it's necessary to use runtime protection to detect and prevent attacks. The systems I work on try to detect attacks at runtime and prevent attackers from compromising our system. I know this is pretty general, so the way I do it is: I try to understand how the system works and how attackers are going to use the bugs to compromise a computer system. Once I know this, I'm going to build a comprehensive defense to prevent attacks. What I do is identify the invariants of the program and try to make sure they are not changed by attackers. At the same time, as security researchers, we should also know the attacks so that we can deploy defenses in advance, which means I also explore new attack vectors so that we can develop a defense before attackers exploit them. What I do is corrupt invariants to see whether we can build new attacks that bypass existing defense mechanisms.
[00:08:19] So I'm going to show you my projects. This is the memory layout: we have the memory space, and we know a lot of attacks on it. The first part of my work is trying to use control-flow integrity to prevent these attacks, and on the other side I also explore new attacks on a different aspect of the memory space; I call them data-oriented attacks. I show that this attack is expressive, and that we can even build these attacks automatically so that we can design defenses. I also have efforts on finding bugs, including performance bugs, and also an interesting work [00:09:03] trying to prevent attackers from finding bugs. I'm also working on attack surface reduction, which means our programs are so complicated and have so many features, but we just need a small portion of them in daily life, so I'm trying to reduce the attack surface. And lastly I also work on privacy: how to protect your privacy when we report crashes to developers. Next I'm going to focus on two of these works: one is about control-flow integrity for defense, and the other is to show the expressiveness of data-oriented attacks. So for the first one, I'm going to show how we can develop a new approach to achieve complete control-flow integrity. If you have any questions, just feel free to ask. [00:09:57] So first, the root of this attack is that the memory has code pointers. They can be function pointers, return addresses, or exception handlers. These code pointers decide what is the next instruction to execute. So virtually, sorry, basically the program [00:10:19] has indirect calls, indirect jumps, or returns. I will use the indirect call to represent all these instructions that use a code pointer to find the next instruction. So your memory may have these code pointers, but virtually we create a control space that only contains them. [00:10:42] This is the region where all these kinds of defenses happen at the current stage. So attackers will use a memory error,
an unintentional memory access. They're going to use the memory error to modify code pointers, and they're going to divert the control flow to whatever they want to execute. For example, they can change the return address to some other function's address, so when the function returns it is going to return to another function, and it will create a shell or even create a remote connection communicating with the attackers. Over the years there have been so many attacks, starting from code injection at the very beginning, and these days we have return-oriented programming and more. [00:11:27] Attackers and researchers have found so many complicated attacks. Meanwhile, defenders also try so hard to block, so hard to block all these attacks. You can see this is a partial list of all the papers talking about the defense; over 70 of these works are on CFI, which tries to block control-flow hijacking attacks. However, these days control-flow hijacking attacks still persist, which means at this stage these attacks still happen. [00:12:05] The reason is that, at their core, current defenses say: OK, this one can only jump to these X targets and not others. But unfortunately this X is still large enough for attackers to manipulate the control flow and build interesting attacks. So the idea of the protection in my project is to make sure there is only one allowed target. In this case attackers have no possibility to manipulate the control flow, and in that case it is definitely very safe. So let's first see an example, and this is [00:12:40] the code; you don't have to read it. Let me explain what happens here. On the other side is the control-flow graph, which tells me how the program runs from line to line. In this simple example you can see line 8 is an if condition, and it diverges to line 9 and line 11. Here I just show there is a bug called a buffer overflow, and attackers can use this to change any variable on the stack, so with this buffer overflow the attacker can affect the function pointer f.
This means the function is expected to call function f at the end, at line 13, but in this case f is controlled and can be modified by attackers, which means the [00:13:28] program jumps to any location they want. This includes critical functions like the system function, which means attackers control the memory space as they want. So how do we prevent it? This is the purpose of control-flow integrity: to prevent control-flow hijacking, which means [00:13:53] you're going to identify a set of allowed targets, and at runtime you're going to check to make sure you only jump to these functions and not others. If the target is not allowed, the system is going to say: OK, this is a bug, or an attack happened, and I'm going to stop your execution. So many control-flow integrity solutions have been proposed; let me discuss them one by one. Our baseline is no CFI: attackers can jump to any location, and there is an infinite number of targets here. A famous protection is type-based analysis. Type-based means we require the target of the function call to have the same type as the function pointer. The function pointer is f, and the target should have the same type as f. If you are familiar with C code, you can see from the code on the left side that functions a, b, c, d and e have the same type as the function pointer f. So type-based analysis will allow jumping to these 5 possible targets. Later we had a paper at CCS'19 that uses multi-layer type analysis to find targets, and we got the best paper award; if you are interested, go ahead and check it. [00:15:13] The second solution is that we also have the program state, which is like a data-flow analysis. In this case I deal with a perfect state and say this will allow 4 targets. If you check this function carefully, you can see at line 9 the function pointer can be assigned d, [00:15:34] or it can be assigned any element of this array, so f can be a, b, c and d.
So the data-flow analysis says that as long as there is one path that assigns a value to f, it is allowed; of course it's not accurate. Later we have the path-sensitive approach, which means it considers the current path. [00:15:56] It only enforces the targets along the current path of this function. For example, if we know the indirect call is reached via line 11 instead of line 9, then in this case it allows 3 targets, because all the elements of this array can be used. [00:16:17] So you can see there are so many protections, but as long as there is more than one target, it is not adequate for us. What I'm going to show you is my solution, called uCFI, which enforces only one target. It will consider the current path and also the current context. So if you see there is one definite path that goes to line 11 and retrieves the second element of this array, which is the address of b, [00:16:44] in this case there will be only one target, b, and others are not allowed. I call this property the unique code target property, which means for each invocation of an indirect call there should be only one valid target. If we enforce this, attackers have no flexibility to modify the control flow, and all code is protected. [00:17:09] As I showed in the previous slide, if you want to enforce this property you need two pieces of information: one is the current path, and the other one is the context. Let me bring the example back here. If we know the control flow goes to [00:17:30] line 9, then we know f should be the address of d; there is only one target. But this is not enough if it goes to line 11. In this case, if we only know the path, the possible targets are 3: a, b and c. If we know the index number, then we know it has to be b. So the context is necessary here for the unique code target. So we have challenges in calculating the unique code target. The first is how to efficiently collect the code path. [00:18:07] The solution is that we have a hardware primitive called Intel Processor Trace.
Intel PT will automatically collect the control information, which means what is the target of an indirect call, and for a conditional branch, whether it takes this branch or the other branch. So with Intel PT we can reconstruct the control flow from the PT trace. But the problem is that the tracing is efficient, but if we want to reconstruct the control flow it's very slow. [00:18:41] The most recent result can be up to a 30 percent slowdown for some programs, so it means we cannot use this one for real-time protection unless we have a solution for this problem. We have other challenges. For the control-flow information we can use PT to dump it, but how about the context information? [00:19:03] There are two challenges here. The first one is: how do we know what is the necessary context of the program? We have so much information, like all the registers and all the memory, and we cannot dump all of them; there's too much. So what is the necessary context information that is required for the unique code target? That is the first challenge. The second one is that even when we know which information is necessary, how do we deliver it for later [00:19:33] analysis? Remember Intel PT only records control data, and the context information is believed to be data. So here is my solution. The first one: to find the necessary context information, I define constraining data. So it's not control data; let me show you how I do it for this example. This [00:20:04] is the definition. First I want to find the control data in the first place. Control data is a function pointer, or a pointer to control data, so it's a recursive definition. Here we have this array; it contains so many pointers, so it is control data, and f is a function pointer and is also control data, and also a, b, c
and d are control data. This is the first step. Second, I identify the control instructions: control instructions are the instructions that operate on or manipulate control data. In this case lines 5, 6, 9, 11, 12 and 13 are all control instructions. They manipulate the control data and finally reach the indirect function call. [00:20:55] The last step: among all of these control instructions, any non-control data is believed to be constraining data. In this case, if we scan all these control instructions, we will find only one operand that is not control data: here, index is identified as the necessary, minimal constraining data. Once we have the information about constraining data, next I want to dump it for later analysis, but PT only records control data. That is the problem, so the solution is to encode [00:21:31] it into control data. Here is what I do for this case. You want to dump the index. What I do is add this index to a base pointer to create a new function pointer and then perform an indirect function call, and this base function pointer points to a table, a list of return instructions, so that when we do the call, the [00:22:02] indirect call will jump to this return instruction and immediately return. But it will leave a footprint: it will record this base plus index in the PT trace, and when necessary we can restore it from the PT trace. Through this we get one PT packet from the trace, and by subtracting the base we can restore the index. So this creates a primitive I call write-data: [00:22:31] we can dump any data we want. The other challenge is, remember, path reconstruction from Intel PT is very slow. My solution is to avoid the full path reconstruction. What I do is: this is the original program, I'm going to assign each instruction an ID and use this write-data primitive to write the ID into the PT
trace. This is pretty straightforward, so when we decode the PT trace, if the ID is 1, [00:23:04] we know the points-to relationship in memory, which means, for example, with ID 1 the first element of this array should be the address of a, something like this. And lastly, if we see ID 5, we know the indirect call is happening, and we're going to check whether the real target in the PT trace matches our speculation or not. So you can imagine we have two executions in parallel: one is the real one and the other is the shadow one, and we compare whether the targets match or not. So I designed this system called uCFI. It has two components: one is a compiler, which means we need to recompile the source code to generate a secure copy of the program. At runtime we execute the program on the right side, and meanwhile we automatically get the [00:24:01] trace information. Meanwhile there is another process, a monitor, which decodes the trace and the points-to relationship and also checks whether the CFI is correct or not. This implementation is open source, so if you are interested and want to try it, you can download the source code online and see whether it works on your system or not. To evaluate the solution uCFI, [00:24:30] I used the SPEC benchmarks, the web server nginx and an FTP server. It turns out this solution is pretty successful: it enforces the unique target for every indirect function call in all the test programs. Here are some examples: for the gobmk benchmark, for some indirect calls without any context information you can jump to 4798 targets, but with our solution there is only one target. The same reduction happened in two other programs. To see how this happened I'm going to show you. [00:25:06] This is a function. First it writes function pointers into an array; there are 78 of them. Here, when it wants to call, it will use f, so f
is retrieved from this array. Without our solution, all 78 targets are possible, so attackers can try any one of them to jump to and decide [00:25:27] whether they can compromise the system or not, but with our protection there is only one target, so they have no flexibility to manipulate the control flow. And it's also efficient. This is the comparison between our solution uCFI and the previous work PittyPat. Our average overhead is less than 80 percent on the SPEC benchmark, for the web server it is about 4 percent overhead, and for the FTP server it is less than 1 percent, so this solution is a practical one. [00:26:04] In summary, the solution uCFI incorporates information from the data space to complete the protection in the control space, and finally we build the wall between attackers and defenders, and here comes the end. So it is not easy to find the end of this attack-and-defense game, but I really, really want to know what will happen in the future. Remember the attackers: they will never stop; they are always trying to find new ways to bypass defense mechanisms and continue to compromise our system. [00:26:43] And the bugs still exist; we just prevent one attack method. So as security researchers we should think about what could be the next attack method. In this case we should check what is left in memory. Remember, the memory error allows attackers to change all of memory, and then we should check what is left. The control space is protected, but there is still the data space, which means we have so many program variables, and the question is [00:27:18] whether this space can be the new attack vector. This is the second part of my talk today, called data-oriented attacks. Attackers are going to use data-oriented attacks to compromise our system again. So what do we know about data-oriented attacks? In data-oriented attacks, as the name says, attackers will not change the control flow;
[00:27:47] it is the same as before, but they're going to manipulate security-critical data to compromise our computer system. For example, here they have this user-ID variable pw_uid; if attackers change this variable, change this one to 0, then they can obtain root privilege. It didn't change anything in the control flow, but you get privilege on the system. Similarly, this is a browser, and this is a flag called safe mode. If attackers can use a memory error to flip this safe mode flag, they can load unsafe code into the memory space to execute, and you don't know anything about it. So we know some data-oriented attacks have happened, but these attacks require some particular special data in the program, so they don't have a general way to launch attacks. The question left is how expressive and how general data-oriented attacks are. [00:28:45] So here my work comes in: I'm going to show you that this attack can be super powerful. Attackers can do anything they want, and they don't need any particular data or functions; even with a buffer overflow, attackers can build a Turing-complete attack in your memory space. So again let's start from an example, and again you don't have to read it now. [00:29:06] So this program has a vulnerability, a buffer overflow. It has a bug again, but this program does not have any critical data you can see, and it contains very basic operations like a while loop,
some memory accesses. The question is: if we have a bug in this program, what can attackers do? Remember, in this case we assume the control flow is protected by CFI, so they cannot manipulate the control flow. So we'll think about what attackers can do with this simple program. Say, can we achieve this malicious computation? This part, this code, will walk the list and try to add some value to a field of this list. This is a very popular way to attack the Linux kernel. Our question is: if we have a vulnerability on the left side, can attackers use it to simulate this operation on the right side? If you can do that, you can attack the kernel. So let's see what is possible. [00:30:11] Looking at this computation, we see the basic operation is that it has a loop; this has a for loop, and we can see the original program also has a while loop. And again, this is a condition that checks whether this is null or not in the original program, and we also have a check at line 8. [00:30:32] And it continues; it has this loop condition.
Then there is the memory access that retrieves the next pointer of the list in our malicious program, and in the original program we also have a memory read operation. And the last one: it has this addition operation, and likewise the original program also has an addition. So let's see whether we can use the left side to simulate the right side. Here we go. Here is the memory layout; this is the memory space, and it contains so many variables. Our buffer is here; this is the buffer of the vulnerable program, and attackers can overflow this buffer and change all the variables after the buffer, and we also have other variables in the memory space. I'm going to show you how this works one by one. So let's say the attack happens. First, the attacker will execute this while loop; of course it can use the while loop to simulate the for loop, so this component can be simulated. Later it triggers the bug: it uses this buffer overflow to overwrite the memory after the buffer and change the values of these variables in this particular way. Attackers have full control over these variables, so they can change them in any way they want. So we continue to this line: whether the memory pointed to by p is null or not. In this case, if you check the memory layout, p is pointing to list, so actually this operation effectively checks whether the list is null or not; it successfully simulates the loop condition. If it continues, we can make sure this one is [00:32:19] not satisfied, and then we will reach this line. Here we are going to retrieve the memory pointed to by p and assign it to the element s here. So s is a pointer to a structure, and I'm going to show you the expected layout of this structure: the first element is max, the second one is total. [00:32:42] But in this case the key element of s is actually s itself, and p is pointing to list, so if we execute line 12, effectively what we do is assign next to s.
Because p points to list, list will be assigned to s. So with this operation, s will point to the next element. Again we continue this operation: we will add to total the value pointed to by the element of s. Remember s is pointing to this memory location, and it's a different structure; this is exactly the memory we want to change. total is actually the target variable in this case, and size is pointing to an int, so if we execute this instruction it effectively simulates the operation on the right side. OK, so far so good: we have emulated 3 components on the right side; just one left, right? [00:33:51] Let's go back to the beginning and launch another attack. In this case the attacker changes the memory layout in another particular way, and this time we will make sure it satisfies the condition to reach the other line instead. And again, to save time I'm going to skip this. Effectively this one will make sure the operation assigns next to list, and the list will point to the next item in this array. So finally we can make sure we can use the left side, the vulnerable code, the benign code, to simulate the malicious computation on the right side. OK, it's not easy, but it's doable. [00:34:33] Based on this observation I propose this new attack method, called data-oriented programming. It is a general way to attack: this attack doesn't require any particular function; it just uses very basic operations to build a powerful attack in the memory space. It has two components. [00:34:56] Sorry, first let me define the goal of my attack: to build expressive attacks. This attack has two components: one is the data-oriented gadget, and the other is the dispatcher. I'm going to show you what these mean. A gadget is just a simple instruction sequence, several instructions, but this is sorted here to show you that this gadget should conform to control-flow integrity.
[00:35:22] And these instructions should have this behavior: basically we're going to load the operands from memory, do the operation, and save the result into memory again. Here's an example: this is the addition gadget. You can see first it loads one argument from memory and also another argument from [00:35:44] memory, and then it does the addition, and then it saves the result into memory. Similarly we have another component, another gadget: this is the load operation. I have so many of them, because each is doing a very basic operation. To build a meaningful attack you just make sure these two addresses are the same; in this way we can deliver the intermediate computation results between gadgets. What attackers will do is corrupt these pointers [00:36:14] here, and then they can determine which memory access they want to read. So gadgets perform basic operations, and we still need some way to connect them together, which is the purpose of the dispatcher. The dispatcher is going to chain the gadgets to build a meaningful attack. It has two components: the first one is the loop, to make sure we go over the gadgets again and again, and the second is the selector: in the loop it will select the particular gadget. I'm going to show you how the attack happens. For the first iteration it's going to go to one path and execute gadgets 1, 2, 3 and 4, but the selector will only enable the one that is 3. For the next round it may go through the same path but select a different gadget, and for another round it goes to a different path and selects some other gadget. So again and again we just go through all these gadgets, each of which is pretty basic, and finally we compute a real meaningful attack. So for the previous example, here is the loop, and the bug here is the selector; that's how we can build attacks. We can build the malicious computation in the previous example, and
[00:37:34] I have a paper showing that this method is Turing-complete, but I guess I'm going to skip this because of the time limit. So how do we build this attack? Three steps. First, we are going to identify gadgets from this program, so I have a tool that is based on LLVM to identify the basic operations. The second step is to find the dispatchers, which are the loops containing a lot of gadgets. In the last step I just try to connect all of them and see whether they can be used for attacks or not. The last part is done manually, but the previous two are automatic identification. [00:38:16] So we tried this attack on real-world programs to see whether it is possible to build attacks and bypass these defenses; is it a real threat to our computers? I applied this technique on 9 programs; these programs include web servers and FTP servers, the most popular attack targets. Among these 9 programs, I found a large number of [00:38:42] gadgets and a large number of dispatchers, so you can say more than 144-0100 of these gadgets and dispatchers can be used by attackers. This just shows there is a large number of possibilities to build attacks, but can real attacks happen? So with these gadgets and dispatchers I manually verified [00:39:09] that we can simulate Turing-complete computation, and built three attacks, including one where the attacker can retrieve the private key from memory, and others. Next I'm going to show you this private key retrieval attack. This is taken from the file server.
[00:39:34] It is vulnerable, and this server uses OpenSSL. This shows how the key is stored in memory: the key is in memory, but it is stored at a randomized location, so we don't know where it is. But of course we know that there is one variable at a fixed location known to us, and in the middle we can see there is a pointer chain. Basically, if we follow the chain from this pointer we find this element, and this contains another pointer pointing to this element, and 7 steps from the fixed address we can find the private key. Only the first one is at a fixed location; this is the location. [00:40:15] So what I do is first find the gadgets and dispatchers in the program. There are very interesting gadgets here. The first one is a move, which means attackers control the pointers in this move; they can move any value from any location to another one from [00:40:36] here. The second one is the addition gadget, which means they can add any value into a fixed location. And the last one is the load gadget, which can load the memory at a fixed location into another location. The dispatcher is an infinite while loop that just accepts the inputs and handles the requests. So what we can do is: by combining this move gadget and the load gadget, [00:41:03] we can create a primitive. This primitive loads the value from one location into this fixed location. This is the very basic primitive we compute, and with it we can load the pointer here, and using this primitive we can load this one back into the location, and this continues; the attack goes again through the program memory space, and finally we can load the value here into this fixed location in the middle. So the value is the real pointer to this private key. The last step uses this [00:41:38] gadget to send the memory
into the network. So at a high level what we do is we just send a lot of input to the program memory space, so this will trigger this program to do the calculation, go to the attacker's site, and finally it's going to send the private key to attackers. So if you are interested I have a demo online, and you can check [00:42:00] how it extracts the key from the program. So in summary, this is a new attack, data-oriented programming. This shows attackers have other directions to attack our system, and all current control flow defenses cannot prevent this attack. So can we prevent it? The answer is yes and no. Basically we have some proposals saying we can prevent attacks, but none of them is practical. For example, full memory safety: memory safety says we want to prevent memory errors in the first place, so no errors, no attacks. [00:42:43] But the overhead is pretty high, which means the program executes at least one time slower. And also we have data flow integrity, trying to make sure the data flow is correct, and again this is not practical due to the high overhead. And we have randomization, which means you are going to hide this information in the large memory space so attackers do not know where this data is, so they cannot corrupt it. But there is a lot of work showing no matter how you randomize, how often you re-randomize, attackers can always use the side channel to infer your critical data. So finally the last hope, I believe, is the hardware solution, which means we need to co-design hardware and even software to provide protection against [00:43:35] attacks, but it turns out there is still no practical solution yet. But don't worry, I'm still here. So my future work is planned in several parts. The first one is going to develop solutions to prevent data-oriented attacks. So the first idea, excuse me, the first idea is to find which data in a program is more important than others. [00:44:04] As I tried to show you,
user ID is important, the private key is important, but a lot of other data is less important for security. So if we can find some data that is particularly critical, we deploy heavy and complete protection to make sure this data is secure, and for other, less critical data you can use a lighter weight but efficient solution to protect it. So the idea is to use static analysis, control flow and data flow analysis, to identify this critical data, and then confirm that it is definitely real critical data. And the second step is I want to use hardware to protect our computer system. The good news is that all these hardware companies are trying to propose or even deploy some new hardware primitives to make sure programs are secure. For example, we have this pointer authentication code, which is already available in the iPhone, the latest version of iPhone, so we can use this one to protect code pointers to prevent attacks. And also we have this future [00:45:11] feature called memory tagging. What I mean is I'm going to give each memory cell a tag: say this memory should be a code pointer, this memory should be a data pointer, this one should not be a pointer. So in this case we can find some inconsistency, a code pointer is used as a data pointer. And of course I'm trying to develop new hardware primitives [00:45:34] to boost the protection against data-oriented attacks. So all these companies are interested in how to develop new solutions to prevent attacks. So the next direction I'm going to explore is I want to see whether we can automatically find new attack methods. So this data-oriented programming, a new attack method, is found by humans. For the future I want to see whether computers can automatically find these attacks.
[00:46:04] So the observation is that all programs contain a lot of features. Some features are expected by developers, some features are not. So through program bugs attackers can trigger these unexpected features, and they can even form a new machine, a new virtual programming language, like data-oriented programming. So in fact we have so many different ways to program the code with program bugs, like return-oriented programming, jump-oriented programming, counterfeit object-oriented programming, and printf-oriented programming. So maybe you know printf is the print function, and research showed that the printf function itself is Turing complete. So what I plan to do is I want to find these new behaviors automatically. So the plan is I want to search in programs to see how to find some weird behavior that is not expected by developers, and I am going to evaluate the security consequence to find new attack vectors. So recently we have a proposal awarded that will support me to work on this research direction. So in the long future what I want to do is use computers to do security research automatically, so I call it insight extraction for security. So the vision is that all security research follows a common pattern, like the following: we want to find bugs, and what we do is we're going to manually check a lot of these existing bugs [00:47:39] first, and then we want to find a common pattern, and then we implement a tool, an automated tool, to search for the pattern that we found. The problem is all this effort is human effort, and manual effort is hard work for all the researchers. So I'm thinking how to automate this effort.
[00:48:07] Anyway, what I want to automate is research, finding patterns automatically, to make computers find the patterns, and even automatically build a tool to search for these patterns. So this is even harder; we need a lot of insight, a lot of effort, and I also want to explore machine learning, which is known to be good at finding patterns, I believe. [00:48:30] That is possible in the near future. OK, great. So to summarize this talk, I presented two of my works. The first one is to show how we can protect the control space with the help of the data space, and the other is to show that attacks are also possible using the data space to build attacks. So security is basically a competition between attackers and defenders, and the war will never end; we explore both sides to prevent attacks. If you are interested I have more work, and you can see what you are interested in; I'm happy to communicate with you offline. So this is the end of the talk, but that is not the end of the war between attackers and defenders, and hopefully we can have a secure system with security research. Thank you. [00:49:23] I'm ready for questions. Yeah. OK, the question is, is it running for every program? So the protected program is configurable, so you can specify the process name, you can specify the process address; in either case, if you specify it, it will only trigger if that process is running. You need to make sure the protection is always working for the protected program. [00:50:18] Yeah, which means that the solution requires a spare CPU running the monitor to protect the CPU. Yeah, so if you combine them together the overhead is much higher, but the point is that they can run in parallel. So for the personal computer, most of the time I believe we have spare CPUs, and we can definitely use the spare CPU to protect our computers. [00:50:42] Yeah, go ahead. I've got the question; the question is whether the protection is real time or not.
It is real time, but with some delays. Basically a program running on a CPU is generating traces, and the traces are delivered to another monitor process. The monitor process rebuilds the trace, and we [00:51:26] do pointer analysis and check whether it is real or not. There is some delay in the middle, but the key is that this monitor process will require the program to stop if it triggers some critical execution point, which means at that point an attack may happen. So this monitor will request the program to wait: let me check everything is clear, then go ahead; otherwise something bad would have happened. So this evaluation of the overhead includes all the delays, which means 80 percent overhead for the SPEC benchmarks, and less than 4 percent in nginx, and less than one percent in file servers. So this includes the delays between the time to reach a critical point where an attack may happen, being stopped by the monitor, checking that it is correct, and then letting it go again. So this overhead includes the pause and the verification, so yeah. [00:52:55] OK, the question is, do we have false positives or false negatives in our protection system? No. You can imagine there are two executions: one is the real execution, and the other is a virtual, safe execution running in parallel. We just do analysis about the real one, because you have all the context, but the virtual one, the parallel one, needs to borrow control flow information and context information from the real execution. [00:53:22] But this channel is very limited, this kind of bypass channel, so these two different executions run in parallel and we compare them. Because you have all the context, it always has what you need. OK, another question? Yeah, maybe.
So the question is, do we assume attackers have privilege to launch the attack? OK, I got the question. So the simple answer is no. So this is to manipulate memory, so inside the memory space of the process there's no isolation, no privilege required. Within the memory space you can access any memory, all the variables in memory; there's no boundary here. The boundary of a process, the process is the real boundary enforced by the OS, so obviously inside the process everything is equal. So once you can access one variable, you can access all of them; there's no hierarchy, no privilege. That is the problem. So once you have a memory error, attackers can access anything of a program, because it is all in the same process. We have solutions using processes to isolate critical data from non-critical data, which creates a process boundary; in that case they can protect it, but it has some other issues, like the compatibility issue or the performance overhead issue. But currently our programs are still monolithic processes, so attackers can access [00:55:42] anything they want through a data pointer or the other ones. OK, thanks. Any other questions? Great, thank you, thanks for coming.