Yes, I can introduce myself. My name is Byoungyoung Lee, and I'm a PhD student at Georgia Tech. So today I'm going to talk about how to protect computer systems through eliminating vulnerabilities. Let me start with the background. Today computers are everywhere, and they affect every aspect of our life. Every day, I mean, you work with your desktop or mobile phone or laptop, so every day we are playing with them, and all your personal data and business-related data are in these computers. And this is not just about these small devices; there are big ones too, like cars and even airplanes, and they are just full of computers. And I want to say, unfortunately, vulnerabilities are everywhere, because humans make mistakes and computers are made by humans. So if these computing devices are exploited or abused by attackers, there are going to be huge problems. If it is your desktop or mobile device or laptop, then your personal data or business-related data will belong to someone else and you will lose control over it. Or, even more seriously, if it is a car or an airplane that you are on board, then it will be a real physical safety problem. Before getting into details on how to protect systems from these vulnerabilities, let me step back a bit and first talk about how computer systems are composed. Looking at computer systems from a very general point of view, at the center there is the hardware, then we have operating systems, and then we have applications. Adding a little more detail: in the hardware we have the CPU and RAM, on which all our computation runs; on top of that we have operating systems like Windows, Linux, and Mac OS; and again on top of that we run the interesting user applications that you may use every day, like for example web browsers.
The point I want to emphasize here is that computer components are very, very complicated. Let me show you one example: the Linux kernel consists of close to nine million lines of source code. Taking another example, Chromium consists of something of similar complexity, nine million-some lines of source code. So considering this sort of complexity, it is inevitable to have many, many new vulnerabilities every year. This is an excerpt from the vulnerability database, and it shows how many vulnerabilities we are discovering: you can see that every year we are encountering more than five thousand vulnerabilities, and you can imagine each of them could critically endanger our security and privacy. So now let's think about how to protect our systems from these vulnerabilities. Obviously, one option would be trying to discover all the unknown vulnerabilities. However, if you really want to do this, the straightforward approach is manual code auditing, but, as you know, the manual code auditing process is very laborious. You can also do automated program analysis, but from the program analysis literature we know that sound and complete analysis is challenging, almost infeasible. The other option you can think about is adopting a security-oriented design so that we can eliminate vulnerabilities by design. However, radical design changes for security cannot be practical, and even small changes to systems may easily break key functionality of the underlying systems. And most importantly, I want to point out that even if we can come up with reasonable solutions for these problems, this is still not an easy game for defenders, because if the attacker can find only one tiny flaw, then that one corner-case vulnerability can be just enough to bring down the whole system.
So in this setting, my research focus is protecting systems from vulnerabilities. In particular, my approach can be described as follows: I first try to grasp a comprehensive understanding of the target system and of its vulnerabilities, and then, based on this understanding, I design practical security solutions for computer systems. To better introduce my research, please let me explain what vulnerabilities are and how they are chained into a final compromise. First, a vulnerability allows some unexpected action in a program. During the exploitation phase, the attacker abuses this unexpected action, and finally performs malicious actions. To better describe this process, let me take as an example memory corruption vulnerabilities, which are one of the most popular vulnerability classes, and this will also be the focus of this talk. A memory corruption vulnerability allows an unintentional modification of memory contents. So during the exploitation phase, the attacker tries to modify the memory contents, then tries to force the program to use the previously modified contents, and if such a modified use is under the attacker's control, then the attacker can achieve the final compromise. So my research area covers several aspects of this vulnerability exploitation process. First, by analyzing and finding new vulnerabilities, I try to better understand security threats and how to fix vulnerabilities in computer systems such as the kernel, Chrome, and Firefox. In addition, I have also worked on eliminating popular and emerging vulnerabilities, for example use-after-free or bad casting. Last but not least, based on the understanding of exploitation techniques, I have prevented system compromises in many different computer systems.
In today's talk I'll be focusing on the second category of my research topics. As I told you before, the focus of this talk is eliminating vulnerabilities, and I believe this has unique and strong security benefits. You may have noticed that the title of this slide, "the art of exploitation", is somewhat strange; I actually borrowed the phrase from the famous book "The Art of Exploitation". You may wonder how art and exploitation can be related, but based on my understanding I would say it is because exploitation is somehow about creativity: attackers don't really follow specific rules when they launch their exploits. So let's go back to this vulnerability exploitation process, and suppose someone, I mean a defender, implemented a protection technique against this exploit. As an attacker, what you can do is use creativity: based on creativity you can actually find another way to bypass the protection technique and try to achieve your final compromise. Then on the defense side you can still come up with another protection solution, but this game is never going to end: attackers can keep playing this game and the system can still be compromised. So instead of preventing exploitation, my research targets eliminating vulnerabilities, which tries to fix the root cause of the vulnerability, so that there is no way to bypass it in the future based on this vulnerability. I achieve this goal by transforming the program such that the vulnerability can never be exploited. So for the rest of this talk, I'll be focusing on the following two projects: DangNull and CaVer. First, let me get started with DangNull, which eliminates use-after-free vulnerabilities. So first of all, what is use-after-free?
Of course, a use-after-free involves a pointer that points to a freed memory region and using or dereferencing it, which leads the program into an undefined state. If you can carefully manipulate the input data for the target program, then it is possible to execute arbitrary code. This is called use-after-free because it is using a dangling pointer after the target memory is freed. To better understand what use-after-free is, let's take a look at this example code on the left. There are two class declarations, Doc and Body; each of them has a member variable pointer, child, and they share a common base class. On the right side, if we run this sample program, it first does an allocation, then a free, and then tries to use it. Let's break down these operations to see what's really going on. First, once allocated, the pointers doc and body point to the Doc object and the Body object, respectively. Then the pointer is propagated, or assigned, so that doc, through its member variable child, points to the body object. Next, the body object is freed. Here, because body is freed, the last pointer, doc->child, is no longer valid and points to the freed memory region; this is what we call a dangling pointer. Then the code uses this dangling pointer, which is a use-after-free. Again, this is called use-after-free because it is using the memory after it is freed. To abuse this use-after-free, an attacker usually places an attacker-controlled object here, so that the freed region is occupied by an object under the attacker's control, which is pointed to by the dangling pointer, and ensures that using the dangling pointer results in a control-flow hijack, so that it jumps to the malicious code, and once it jumps to the malicious code, it can perform malicious actions. Given this code example, you may think that finding use-after-free bugs statically would be easy.
But it is quite challenging in practice. Indeed, real code doesn't really look like that; in reality, as you can see on the right side of this slide, the code is highly connected and scattered, so you need to perform heavy inter-procedural analysis as well as points-to analysis. In other words, constructing the object relationships will be challenging, and identifying use-after-free will be challenging too, even if it is feasible. So to address this use-after-free issue we developed DangNull. Overall, it works in the following two steps. First, it keeps track of object relationships: to do this, we intercept all allocations and deallocations in the program and instrument the pointer propagation steps. Next, we nullify the pointers once the target object is freed; because a dangling pointer has no semantics, we can safely nullify it. Later, if the nullified pointer is dereferenced, it turns into a null dereference, which we can safely contain. So first, DangNull intercepts allocations and deallocations at runtime. It maintains a tree, basically a red-black tree, to keep track of information: here DangNull records the base address and the size of each allocation. For example, if there is an allocation for the Doc object, it adds a shadow object to the tree, and if there is a deallocation, then the shadow object is removed using the base address. DangNull also keeps track of pointer propagation: it basically maintains the inbound and outbound pointers in separate trees for each shadow object. For example, if there is a pointer propagation, as you can see on the left, we first instrument a trace function and pass it the information on how the pointer is propagated. Because of this propagation, doc now has a reference to the body object, so it inserts an outbound pointer node into the shadow of doc,
which points to the shadow object of body. The other way around, because the body object now has an inbound reference from the doc object, it inserts an inbound pointer into the shadow of body, which points back to the shadow of doc. This tracking mechanism is simple, but it is good enough to identify all dangling pointer issues. In other words, it is abstracted in a way that pointer semantics are not tracked: it cannot answer what value a pointer points to, but it can answer which object the pointer points to, and it can also answer the set of back-pointers for a certain object. So we say this is good enough to detect dangling pointers, because the root cause of a dangling pointer is a broken object relationship. The next step is nullifying dangling pointers. We nullify all backward pointers once the target object is freed. This is because these pointers are dangling pointers, and in this case it is OK to arbitrarily change the value of the pointers because they have no data semantics. Going back to the example code again: after body is freed, DangNull nullifies doc->child, so after nullification, if it is dereferenced, it is not going to be a use-after-free anymore; it is something similar to a null dereference, and we can contain it by setting up the address mapping early in the execution of the program. We have implemented a prototype of DangNull based on the LLVM compiler suite. To build the secured target application, we added one compiler and linker flag for SPEC CPU, and we added twenty-seven lines to the configuration file for Chromium.
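The tracking-and-nullify idea described above, as an added C++ illustration written for this page; it is not DangNull's code. The calls track_alloc, track_free and trace_ptr are hand-written stand-ins for the instrumentation the talk says the compiler pass inserts automatically, and the Doc/Body classes and the std::map standing in for the red-black tree are this example's own assumptions:

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>

// Added example (not DangNull's code). Shadow metadata per allocation: base,
// size, and the set of pointer slots (inbound edges) that point into it.
struct Shadow {
  std::uintptr_t base;
  std::size_t size;
  std::set<void**> inbound;
};

// Shadow objects keyed by base address; std::map stands in for the red-black tree.
static std::map<std::uintptr_t, Shadow> g_shadows;
// Which object each traced pointer slot currently points into (to drop old edges).
static std::map<void**, std::uintptr_t> g_slot_target;

// Find the shadow object whose [base, base+size) range contains addr.
static Shadow* shadow_containing(const void* addr) {
  std::uintptr_t a = reinterpret_cast<std::uintptr_t>(addr);
  auto it = g_shadows.upper_bound(a);
  if (it == g_shadows.begin()) return nullptr;
  --it;
  bool inside = a >= it->second.base && a < it->second.base + it->second.size;
  return inside ? &it->second : nullptr;
}

// Allocation hook: register a shadow object for the new allocation.
void track_alloc(void* p, std::size_t n) {
  std::uintptr_t base = reinterpret_cast<std::uintptr_t>(p);
  g_shadows[base] = Shadow{base, n, {}};
}

// Pointer propagation hook for "*slot = target": drop the edge from the
// previous target (if any), then record an inbound edge on the new target.
void trace_ptr(void** slot, void* target) {
  auto old = g_slot_target.find(slot);
  if (old != g_slot_target.end()) {
    auto s = g_shadows.find(old->second);
    if (s != g_shadows.end()) s->second.inbound.erase(slot);
    g_slot_target.erase(old);
  }
  if (Shadow* s = shadow_containing(target)) {
    s->inbound.insert(slot);
    g_slot_target[slot] = s->base;
  }
}

// Deallocation hook: every slot still pointing into the object would dangle,
// so nullify it; a later use becomes a null dereference, not a use-after-free.
void track_free(void* p) {
  auto it = g_shadows.find(reinterpret_cast<std::uintptr_t>(p));
  if (it == g_shadows.end()) return;
  for (void** slot : it->second.inbound) {
    *slot = nullptr;
    g_slot_target.erase(slot);
  }
  g_shadows.erase(it);
}

struct Body { int data = 42; };
struct Doc { Body* child = nullptr; };

// The talk's Doc/Body sequence: allocate, propagate, free. Returns true if
// doc->child was nullified instead of being left dangling.
bool dangling_pointer_nullified() {
  Doc* doc = new Doc;    track_alloc(doc, sizeof(Doc));
  Body* body = new Body; track_alloc(body, sizeof(Body));
  doc->child = body;     trace_ptr(reinterpret_cast<void**>(&doc->child), body);
  track_free(body);      delete body;
  bool nullified = (doc->child == nullptr);
  track_free(doc);       delete doc;
  return nullified;
}

// Re-assignment must drop the old edge: freeing the first Body must not
// touch doc->child once it points to a different, live object.
bool reassigned_pointer_untouched() {
  Doc* doc = new Doc;     track_alloc(doc, sizeof(Doc));
  Body* body = new Body;  track_alloc(body, sizeof(Body));
  Body* other = new Body; track_alloc(other, sizeof(Body));
  doc->child = body;      trace_ptr(reinterpret_cast<void**>(&doc->child), body);
  doc->child = other;     trace_ptr(reinterpret_cast<void**>(&doc->child), other);
  track_free(body);       delete body;
  bool ok = (doc->child == other);
  track_free(other);      delete other;
  track_free(doc);        delete doc;
  return ok;
}
```

The second scenario is the check a practitioner would want: without removing the stale edge on re-assignment, the free of the first object would wrongly nullify a pointer that is no longer dangling.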
To evaluate DangNull, we applied it to the Chromium browser. In total we instrumented less than one percent of the instructions, which is about one hundred forty thousand instructions, and it imposed 4.8% overhead on the JavaScript benchmarks and 53.1% overhead on the rendering benchmarks; the overhead on the rendering benchmarks was large due to the object relationship tracing. In order to better understand how this would affect users' real browsing experience, we also tried visiting the top one hundred websites, and it showed a seven percent increase in page loading time. Also, when visiting one of those websites, DangNull traced about one hundred twenty-eight thousand objects, it also traced about thirty-two thousand pointers, and it performed about seven thousand nullifications; I believe these numbers may give you a sense of the complexity of the object relationships. We also tested real-world use-after-free exploits, and DangNull successfully prevented them. So far we've talked about DangNull, which eliminates use-after-free. Now I'm going to move on to another type of vulnerability, bad casting. Before getting into the details of bad casting, let me explain the two different type conversions in C++: static casting and dynamic casting. Static casting is essentially a compile-time conversion, and it is fast because there is no extra verification at runtime; but because all the verification happens at compile time, it has no information on the actually allocated types at runtime. On the other hand, there is dynamic casting, which is essentially a runtime conversion. To perform this dynamic casting, runtime type information is required, and because this kind of casting performs the actual verification by parsing RTTI, it is quite slow.
From our preliminary evaluation we found that dynamic casting is ninety times slower than static casting. Because of this heavy overhead, dynamic casting is typically prohibited in commodity software like Chrome and Firefox. Also, depending on the casting direction, there can be upcasting and downcasting. Upcasting is a type conversion from a derived class to its parent class, and downcasting is a type conversion the other way around. For example, suppose we have the following three classes, Element, HTMLElement, and SVGElement. In this case, if you cast from SVGElement to Element, it is called upcasting because you are going up, and the other way around, if you cast from Element to HTMLElement, it is called downcasting because you go down. Here the rule of thumb is that upcasting is always safe, but downcasting is not. Let me get into the details of why downcasting is not always safe. To answer this, let's consider the following two classes, P and its derived class D. Each class has some virtual functions, meaning that they are polymorphic classes and have virtual function tables. Moreover, each has its own data member variable, m_p and m_d. Next, let's see how each of these classes is represented in memory. First, in the case of P, the first slot of the memory will be the virtual function table pointer, and next there will be m_p, which is the member variable of P. So if there is a pointer to P, then accessing m_p covers this slot. In the case of D, the first slot will again be the virtual function table pointer, as this is also a polymorphic class, the next one is the inherited member variable m_p, and finally there will be its own member variable m_d.
Given this memory layout, let's see how a bad casting is made. We first allocate the object as the parent class P, and then we try to downcast it into the derived class D. We say this is bad casting because the downcast object is not a subtype of D, and in C++ this is undefined behavior, meaning that after this undefined behavior there is no guarantee that the program's execution will be correct; the program can behave randomly after this undefined behavior. Moreover, if this badly cast pointer is dereferenced, then memory corruption can happen, because dereferencing m_d after the cast points past the allocated memory of the class P, and it is accessing an unallocated memory slot. To see how this bad casting happens in practice, let me introduce one real-world bad casting example in Chrome which was also used in the Pwn2Own contest. Pwn2Own is a pretty famous security competition, and if you win this contest you can get one hundred thousand US dollars in some cases, and this vulnerability was one of the ones used to win that contest. At first, the object is allocated as an HTMLUnknownElement, then it is upcast to Element, and finally it is downcast to SVGElement. Here the catch is that this downcasting is a bad casting, because the size of the HTMLUnknownElement is ninety-six bytes but the size of the target is one hundred sixty bytes, so you can imagine that after this bad casting happens, one hundred sixty minus ninety-six bytes can be corrupted, which can be abused by attackers. Because of this extra memory access capability, a typical attack overwrites the virtual function table pointer, and by overwriting the virtual function table pointer they can jump to their own code.
More importantly, if we take a look at the complete picture of this class hierarchy, this bad casting case is pretty complicated. For example, there are just seven sibling classes shown here for HTMLElement; if you count all the classes in the hierarchy, it is going to be very, very hard to have a complete picture of how the classes are related. Because of this complicated hierarchy, it would be very difficult for developers to manually verify whether a type cast is correct or not, and that's why I believe bad casting vulnerabilities can be a very serious problem. So to eliminate bad casting vulnerabilities, we developed CaVer. Its design is composed of two parts: first it traces runtime type information, and then it verifies all casting operations. Basically, we want to verify whether a given static cast is correct, so at the time of the static cast we want to know the true object type, that is, what ptr points to. CaVer collects all runtime type information so that it can answer what the object type that ptr points to is. In this case the object type is going to be P, and then we need to know whether P can be cast to D. So CaVer maintains the class hierarchy information in a Type Hierarchy Table, which we call the THTable. In the following, I first explain the THTable and then I will move on to runtime type tracing. The THTable contains the set of legitimate classes that a class can be converted into. Inside the THTable, all class names are hashed for fast comparison, and the hierarchy is flattened to avoid recursive traversal. For example, these are the THTables for P and D. You can see all the class names are hashed, so CaVer can avoid expensive string operations, and the class hierarchies are flattened so that CaVer can simply enumerate them to find out the hierarchy.
To trace the type information of an object, CaVer first instruments a new function call, trace, right after the allocation site. Once this function is called, it first creates the metadata, which points to the class's THTable, and creates the internal mapping from the object to the metadata so that we can find the THTable later given any pointer. We use different mapping schemes for the different allocation mechanisms, with three data structures: for heap objects we use a mapping from the base address to the metadata, for stack objects we use a per-thread red-black tree, and for global objects we use a red-black tree. Finally, CaVer performs the verification once it sees a static cast. The memory footprint will look something like this with the help of the THTable and type tracing. To verify, CaVer first locates the metadata associated with the object; second, it locates the associated THTable from the metadata; then it enumerates the THTable to see if the class to be cast to is in it. In this example, because class D does not exist in the THTable of P, CaVer can confirm that this static cast is a bad casting. We have implemented a prototype of CaVer based on the LLVM compiler suite. To build the secured application we added one compiler and linker flag to build SPEC CPU, added twenty-one lines to the configuration file for Chromium, and changed ten lines for Firefox. For the evaluation, we applied CaVer to Chromium and Firefox, and in total we instrumented about fifteen thousand and seventy-one thousand casting operations, respectively. In terms of runtime overhead, CaVer imposed 7.6% overhead on Chrome and 64.6% overhead on Firefox. As to why Firefox was pretty slow compared to Chrome: it's because Firefox was using a lot of stack allocations, and CaVer's support for stack objects is the worst in terms of performance.
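The THTable, type tracing and cast verification steps described above, as an added C++ illustration written for this page; it is not CaVer's code. trace_alloc stands in for the trace call the talk says the compiler pass inserts after each allocation, checked_cast stands in for the instrumented static cast, and the P/D classes, the hand-built THTables, and the restriction to single inheritance (so the pointer value is unchanged by the cast and can serve directly as the object key) are this example's own assumptions:

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <unordered_map>
#include <unordered_set>

// Added example (not CaVer's code). A THTable is the flattened set of classes
// an object of a given allocated type may legally be cast to, stored as
// hashes of class names so verification needs no string comparison.
using THTable = std::unordered_set<std::size_t>;

static std::size_t class_hash(const char* name) {
  return std::hash<std::string>{}(name);
}

// The talk's P and D: polymorphic, D adds one more member past P's layout.
struct P { virtual ~P() {} long m_p = 1; static const char* name() { return "P"; } };
struct D : P { long m_d = 2;           static const char* name() { return "D"; } };

// Hand-built THTables (CaVer generates them from the class hierarchy):
// P may only be P; D may be D or its base P.
static const THTable& thtable_P() { static const THTable t{class_hash("P")}; return t; }
static const THTable& thtable_D() {
  static const THTable t{class_hash("D"), class_hash("P")};
  return t;
}

// Runtime type tracing: object address -> THTable of its *allocated* type.
static std::unordered_map<const void*, const THTable*> g_meta;
void trace_alloc(const void* obj, const THTable& t) { g_meta[obj] = &t; }
void trace_free(const void* obj) { g_meta.erase(obj); }

// Verification: locate the metadata, then look the target class up in the
// THTable. An untraced object has nothing to check against (simplification).
bool verify_cast(const void* obj, const char* target) {
  auto it = g_meta.find(obj);
  if (it == g_meta.end()) return true;
  return it->second->count(class_hash(target)) != 0;
}

// Instrumented static cast: refuse (return nullptr) instead of producing a
// pointer of a type the allocated object was never a member of.
template <class To, class From>
To* checked_cast(From* p) {
  return verify_cast(p, To::name()) ? static_cast<To*>(p) : nullptr;
}

// The object really is a D: the upcast is always fine and the downcast
// P* -> D* must be accepted.
bool good_downcast_passes() {
  D* d = new D;
  trace_alloc(d, thtable_D());
  P* base = d;                       // upcast
  D* back = checked_cast<D>(base);   // legitimate downcast
  bool ok = (back == d) && verify_cast(d, "P");
  trace_free(d);
  delete d;
  return ok;
}

// The object is only a P, which is smaller than D: this is the bad cast from
// the talk. With a raw static_cast, back->m_d would read past the allocation.
bool bad_downcast_caught() {
  P* p = new P;
  trace_alloc(p, thtable_P());
  D* back = checked_cast<D>(p);
  bool caught = (back == nullptr) && (sizeof(D) > sizeof(P));
  trace_free(p);
  delete p;
  return caught;
}
```

The size check in the second function is there to show why the verdict matters: the extra bytes of D that do not exist in the P allocation are exactly the out-of-bounds region the talk's Pwn2Own example abuses.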
We also tested the five real-world bad casting exploits to see if CaVer can safely prevent them, and indeed CaVer safely prevented them. During the evaluation, one interesting point is that CaVer discovered eleven new bad casting vulnerabilities, two from Firefox and nine from libstdc++, and all of these vulnerabilities were already reported to and confirmed by the developers. So now let me wrap up DangNull and CaVer and introduce potential applications. As I have presented in this talk, they can be used for vulnerability elimination, and there would be no way to bypass them for these vulnerabilities. Moreover, they can also be used as back-ends for vulnerability detection: because DangNull and CaVer do not rely on the side effects of a vulnerability, they have the potential to detect all use-after-free or bad casting vulnerabilities in some cases. My research has impacted the security community in various ways. First, we have identified and helped to fix more than one hundred twenty vulnerabilities, including in the Linux kernel and Firefox, and this work has been adopted by Google and deployed as part of their security tools. DangNull was awarded the best applied security research paper by CSAW, and CaVer was awarded the Internet Defense Prize from Facebook and USENIX. In summary, my research aims at protecting systems by eliminating vulnerabilities, and I introduced two vulnerability elimination techniques: DangNull for use-after-free and CaVer for bad casting. Thank you very much for your attention, and I'm happy to take any questions.
Yes. So the question is about our performance: this slide shows seventy percent, so is that for runtime or for debugging?
So in the paper, I mean, when we were writing the paper, I really wanted to pose it as a runtime detection tool, because I think seventy percent in some cases is OK, but some other people have different opinions: with seventy percent you cannot really use it for a production binary. So we can only use it for debugging purposes, so there's a caveat. It is used by the Firefox guys as a security regression testing tool. For debugging it is slow, I mean, it is OK, but for runtime I think we need to do more work, because many people don't like the seventy percent.
Yes. So the question is how to optimize CaVer. There are two aspects. The first one is that we actually tried static analysis. Using static analysis you can find the order of operations, and you can actually identify statically that some set of static casting operations cannot be bad casting: if you follow all the paths leading to a certain static cast, then you can statically verify that bad casting should never happen for this static cast. What this means is that you don't really need to check this static cast at runtime, so you can do a very good static analysis and then optimize out this sort of static casting operation, which we believe is going to be way faster. The other aspect is that, as I said, we still have performance problems with stack object allocations, because for the stack, in all the cases I mentioned, we are using a per-thread red-black tree.
Please. So the stack tree is per thread, because, you know, I mean, there can be two different execution contexts, so you cannot really maintain that sort of information in a global data structure; you need to actually separate them, so that's why we used a per-thread red-black tree. But using the red-black tree is pretty slow, because, you know, essentially it is a tree, so if you are inserting a lot of elements and then searching a lot of elements, it's going to be very, very slow. So we still believe there is some way to get better performance by changing or optimizing the data structure as well.
Yes. So the question is about whether our solution affects the usability of the instrumented software. We also did what we call compatibility testing: after we instrumented the program, we ran the program to see if it can still run as expected. First, there are unit test cases in the Chromium browser; unit testing can actually find out whether your implementation is on the right track. I don't precisely remember the number, but I think there were around three thousand cases, and we passed them all. Then they also have layout tests, which are more like end-to-end tests: based on the rendering results of the Chromium browser they compare how the browser represents the page and check whether the page is correct, and we passed them too. And there is one more strong point that I want to emphasize: we were able to run all of the benchmarks, which are very, very heavy and which you may never be able to run when you're doing a research project. And the other evidence is that, because we were able to run all of these heavy benchmarks, we think compatibility is pretty good. I mean, we did hit a couple of corner cases which created false positives, but what I can say here is that such false positive cases are pretty rare in practice, and we never saw any crash.
Yes. I can go back to this slide. So the question is about what I was doing to handle this sort of existing detector. So, yes, you can imagine that this sort of detection that I mentioned is what Google is doing, I mean, these tools are very, very effective in some sense, but the problem is that there is still a way to bypass them. For example, Valgrind: yes, Valgrind is a very good tool, and Google has AddressSanitizer; they have this set of techniques, and one thing you need to know is that they are actually making compromises: you need to make some trade-offs in the techniques to actually make them run on commodity systems. In the case of Valgrind, it is pretty hard for it to be an on-time detection tool, because there are a lot of false positive cases, so you cannot simply run it on a commodity system; if you want to run Valgrind you need to have some sort of practice so that you can actually deal with the false positives, and of course to come up with the best setting you need to manually go over it again and again. In the case of AddressSanitizer, which is also made by Google, the problem is that they have to compromise on techniques to make it fast and applicable, and the other issue I would say is that it is not really a protection technique; I think it is actually a standard procedure for protecting against a few vulnerabilities, so it is not really a perfect defense technique, but it's more like a memory safety technique when it is safe to use. So there is work where we are actually lifting this sort of process and trying to push the detection phase so that we can identify the vulnerability as early as possible, ensuring that there is no way to bypass the defense for this vulnerability.
Yes. So the question is, as you mentioned, I think I cannot easily answer that, but in this work I'd say Chromium is the most complicated and the most popular one, so this is one of the very good examples where DangNull or CaVer can be applied. And to answer your question, there are still a lot of C++ applications that I know of that are not as strongly tested as Firefox, and most applications are developed under the object-oriented paradigm. Yes, but think about it: if you're really writing the program with the object-oriented paradigm, and also if you're using a lot of event-driven programming, then you always end up with this sort of complicated class hierarchy. And there is actually another problem of OOP: some people say they don't like OOP because it essentially makes the program complicated. Any more questions? So I think I'm done with the questions. Thank you very much for your attention.