Hi everyone, I'm super excited to be here — it's lovely. I'm here just for the free food, of course. A quick show of hands: who here is an undergrad student? Master's students? PhDs? And who is working in the security track? OK, nice — so I'm super excited to be here. It seems to be more than a coincidence that my group's logo looks quite similar to Georgia Tech's; they were designed independently of each other. The logo we are using for HexHive, my research group, has nice shades of green showing busy bees that work hard on different projects — a slightly aggressive spin on doing tech-based research. I noticed this interesting coincidence and was amazed to see all these bees and your logos around campus; it was a lot of fun walking around yesterday. What I'm going to talk about today is memory corruption, and why protection against memory corruption is hard. My group has been looking at this problem for the last three years, but I've personally been looking at it for the last ten years or so — quite a bit of time. It is a really interesting problem, and we as a community of computer scientists have failed to solve it for the last thirty years or so. Given that, and the requirement for faculty to find research funding, it seems to be a very lucrative problem that lets you continue the research people have pursued for such a long time.
So why is protecting against memory corruption so hard? What are the fundamentals? For one, we live in a world where bugs are pretty much everywhere. I'm showing a couple of pictures from recent Pwn2Own competitions, where you get free hardware and lots of money if you're able to exploit that hardware and gain privileged code execution on it. You show code execution by popping a calculator, because if you can open a calculator program you've demonstrated pretty much full code execution on the system. This iMac was compromised; this Ubuntu machine was compromised, popping up a calculator; Windows was compromised; and last but not least, Windows running on top of VMware, where the exploiters were able to pop a calculator on the host machine from inside the virtual guest. So there are bugs in all our software, and attackers will be able to exploit them, so we have to look at how we can protect against them.

You may say: well, that's just a short-term problem. You detect the attack, patch it, and then you're good, right? If you install the patches you're good. Now, a question you might ask yourself: how quickly will people patch — will they actually patch? People are notoriously bad at patching, and we're not just talking about end users who never install a Java update or an operating-system update, but also system administrators and security engineers who actually know how to patch. It looks pretty bleak out there. I assume many of you remember the well-known Heartbleed vulnerability — quick show of hands? It was a devastating attack. It came out two or three years ago now and allowed an attacker to read out large chunks of memory from a server running OpenSSL, by abusing the heartbeat protocol — that's why it's called Heartbleed. We looked at how quickly and how successfully people patched against this vulnerability. If you have such a disclosed vulnerability, you need to patch your system, revoke your private keys, and install new private keys, and we looked at how quickly and how well people followed this patching process. This was published as joint work with a large group of people, including Michael Bailey, Nick Weaver, and Vern Paxson, while I was at UC Berkeley. We did internet-wide scans to see which versions of the nginx and Apache servers out there were still vulnerable to Heartbleed, and surprisingly we found that forty-eight hours after the bug was publicly disclosed there was still a large number of vulnerable servers: eleven percent of servers remained vulnerable after forty-eight hours. So a large number of systems were not patched two days after the patch was available and the vulnerability was publicly known — and as soon as it is publicly known, you would assume people start stealing your private keys and exploiting your systems, yet people waited more than forty-eight hours. Even worse, patching plateaued, with about four percent of servers still vulnerable even after weeks of public knowledge of the vulnerability — it is a really, really slow process. Even worse, only ten percent of the vulnerable sites replaced their certificates: they just installed the patch, restarted, and said everything is fine, even though there had been a complete loss of security for those systems. And as an interesting side note from a security-usability perspective, fifteen percent of the people who did replace their certificates replaced them with vulnerable keys that are easily factorizable, so they actually made security even worse and allowed others to factorize their keys. This is a terrible result for updating, and for us as a community if you consider software patches and updates: the update process we are facing is slow, incomplete, and faulty.

So we need to come up with better mechanisms and ways to mitigate these problems, and we are living in a world where software is unsafe and insecure. The majority of our systems are implemented in low-level languages like C and C++, due to some notion — or some perceived notion — of performance. We do gain potential performance, but we give up memory safety and type safety by using these languages, and there's an inherent trade-off we face here. And there are just too many bugs out there to find and fix manually. I'm a big fan of formal verification, and ideally we would have it everywhere, but unfortunately it just doesn't scale far enough to verify these large pieces of software: there is too much complexity and legacy software out there for us to use those systems, so we have to come up with other ways. Just to give you a notion of what kind of complexity I'm talking about, think about the wonderful, potentially vulnerable software you are running — think about Google Chrome. What is the total attack surface of the code running in Google Chrome? On one hand there's Google Chrome itself, which is implemented in seventy-six million lines of C++ code — but it's not just Google Chrome you're running.
If you're running a Debian Linux system, you're also running on top of GNOME, which is another 8.6 million lines of code; you're running an X server, which is another one million lines of code; you're using a libc, another 1.5 million lines of code; and a Linux kernel, which is another fourteen million lines of code. So your small web page and script is running on top of more than one hundred million lines of C and C++ code, all of which has the potential to contain different forms of vulnerabilities you have to protect against. This is a large attack surface. Now, some people may say: let's just implement it in a safe language. I'll show the same graph — a Python interpreter, for example, clocks in at ten million lines of code, so you still have twenty to thirty million lines of unsafe code even if you're running your Python interpreter; the same holds for the Java Virtual Machine.

So what kind of attacks are being used against our systems? Oftentimes these are so-called control-flow hijack attacks, where an attacker redirects control flow to alternate locations. If you abstract the program as a control-flow graph: in a control-flow hijack attack, the attacker influences the control flow as the program executes. Say we execute and follow a transfer of control from node 1 to node 3. At some point, the attacker modifies a code pointer — by learning the target address through an information leak or some other form of side channel, and then using a memory-safety violation, which is the underlying bug in the application, to overwrite the code pointer — and thereby transfers control to an alternate location. So instead of transferring control from node 3 to node 4, we instead transfer to node 4': we have left the programmer-defined control flow and are now executing a path that is no longer in the valid graph. The attacker can then try to execute injected or modified code, or alternatively reuse existing code.

How does code injection work? It's simple: we use a memory corruption to set up the attack, we modify data on the heap or on the stack, and we redirect control flow to the injected code. This is a simple attack that has been used for the last twenty years. Fortunately, we now have defense mechanisms in place — mitigations that allow us to configure the page tables so that this attack is no longer feasible. Data execution prevention protects against this form of attack and prohibits the execution of such injected code: if the control-flow transfer happens, the system raises a page fault and terminates the application. Why is this important? We have additional hardware in our CPUs that lets us track this security property efficiently. People thought — this was in the early 2000s — that this would protect against this form of control-flow attack, but attackers are clever: they developed code reuse. Instead of injecting new code, the attacker finds individual pieces of code that can be reused out of the large amount of code already in the address space. Again, remember how much code is running inside the Google Chrome process: seventy-six million lines of code, plus the libc, plus a whole bunch of other stuff. The attacker starts looking into the code region and searches for individual small pieces of code that are useful, and then the same memory corruption is used to overwrite parts of the heap and the stack, setting up data structures in a way that connects all these different pieces so they can be executed in a chain.
The attacker then redirects control flow to these data structures on the heap or on the stack, which in turn execute all the identified pieces of code one after the other, thereby reusing existing code — a code-reuse attack — and executing arbitrary instructions.

Now, how do we protect against these forms of attacks? About ten years ago, some folks invented control-flow integrity (CFI), a defense mechanism — a mitigation — that restricts the attacker to a smaller set of targets. The underlying idea of control-flow integrity is to restrict the dynamic control flow of the application to the static control-flow graph: we extract some form of static control-flow graph and then restrict execution to the few targets that are still allowed. This requires two things. First, in most cases, a static analysis: you have to figure out which targets are actually feasible, which targets are allowed. Second, a dynamic enforcement mechanism: for every indirect control-flow transfer you figure out what the allowed targets are, and when you execute this control-flow transfer dynamically, you execute an additional check to make sure that the target observed at run time is in the set of allowed targets, and you terminate the application if it is not.
Now, there's an interesting property here: the code pointers themselves are only verified when they are used. This is different compared to other defenses that enforce the integrity of the code pointers themselves — for example, you could enforce some form of memory-safety policy that makes sure a code pointer cannot be exchanged or overwritten in a malicious way. Control-flow integrity trades precision for performance overhead, lowering the overhead by delaying the check to a later stage, when the code pointer is used. So the attacker can happily use a memory-corruption vulnerability to overwrite a code pointer — a function pointer, a vtable pointer, or something else — but the check only happens when the code pointer is used and dereferenced; we only check later on. And there are two different cases: forward-edge control-flow transfers, for virtual calls and function pointers, and backward-edge transfers, for function returns.

So what does this look like? For indirect control-flow transfers — either an indirect function call through a function pointer, or a simple return instruction — the underlying semantics of the programming language restrict you to a small set of targets: in the context of the language you only have a few allowed targets, but the underlying hardware ISA allows you to reach an arbitrary executable address in the address space of the process — you can pretty much reach any executable byte. What control-flow integrity does is add dynamic instrumentation with an additional check: the check reads the current value of the pointer and makes sure that value is in the set of allowed targets; if it is not, it terminates the application. The same goes for return instructions: it checks whether the return target is in the set of allowed targets; if it is, execution continues, otherwise the process is terminated. Now we see a slight difference here: while we can run a fairly precise analysis for the forward edge, the backward edge doesn't look as precise. Think about what the legitimate targets are: if you run a purely static analysis, you have to allow every return from a function to reach any of its possible callers. If you have functions with a large number of callers, you get a large target set, and the attacker may be able to abuse this large set of possible targets. This is what we showed in our Control-Flow Bending paper at USENIX Security '15: there are functions out there that are called from many different locations, and a control-flow integrity policy for return instructions is pretty much useless for them. So we need a stronger property, like a shadow stack — as implemented, for example, as part of a framework that will come up in a bit.
So, we've looked at three directions for CFI. In the context of CFI, the main goal is to minimize the target sets: the smaller the sets of targets, the higher the precision, and the fewer opportunities an attacker has to redirect control flow to alternate locations — so we can increase precision and reduce the attack surface that way. We looked into three different areas: kernel software, and specific patterns in kernel software that we can enforce; large software systems implemented in C++, like the Chrome and Firefox browsers; and legacy, binary-only software — how can we increase the precision for these? I want to quickly highlight examples in these three areas.

Enforcing control-flow integrity for binaries is really hard, because we don't have enough information — type information, for example — to figure out what the possible targets are. There has been work that looked at identifying individual functions, and in particular functions whose addresses are taken. That gives you some restriction: instead of being able to target every single addressable byte, you can only target every single addressable function. But this is still a large set. Just the libc has a couple of hundred functions that can be targeted, and if you have system() in your set of valid targets, your CFI policy is pretty much useless, as the attacker can execute arbitrary commands. So any fine-grained CFI policy relies on the source code to figure out the different function prototypes and other type information, or on some runtime analysis; coarse-grained CFI, on the other hand, is imprecise. What we are trying to do is enforce CFI on binaries, supporting legacy binary-only code and modularity — for example, loading shared libraries. We run a dynamic analysis, and we want low performance overhead as well. To implement this, we run a binary translator that translates the binary on the fly and adds checks as the code is being executed. On one hand, we leverage the program's modularity through the loader: the more libraries you are using, the more granularity you get. Each shared library has import and export tables that specify what functionality you are using; by looking at the import and export tables of the individual libraries, we can decide which functions are actually callable. If puts is imported, and exported by the libc, then we can call puts; but if we know that system, for example, is never imported, then we cannot transfer control to system. This allows us to distinguish between allowed and illegal control-flow transfers and restrict them based on this heuristic, which uses the modularity of the program to shrink the individual target sets. We've seen, for example, that OpenOffice uses about seventy or eighty different libraries, and we get target sets small enough to protect against the control-flow hijack attacks that are useful to an attacker.

What does the performance look like? We looked at Apache, downloading a 56-kilobyte HTML file and a one-megabyte image file. As a small note, these were the average sizes of HTML files and image files at the time we did the study. I was really surprised that images are one megabyte large on average — I guess I started looking at pictures on the internet at a different age, when they were much smaller — but this seems to be the average image size today. We measured three different configurations — single-threaded, concurrent, and concurrent with keep-alive connections — and we see a combined overhead of two to eight percent to run this dynamic analysis on top, which is somewhat reasonable for a dynamic analysis if you want to protect binary-only applications.

As a quick note about source-based mechanisms: we enforced CFI protection on the Linux kernel — this is joint work with Trent Jaeger at Penn State at the time. Protecting the operating-system kernel is crucial for system integrity, so what we want is as strict a control-flow integrity policy for the kernel as possible. Unfortunately, the types are not as precise, and you face additional challenges like interrupt vectors and page tables and many other things that need to be protected as well. On one hand, we looked at how programmers use code pointers in the kernel, and we enforce a strict function-pointer policy as part of our compiler-based analysis, then make sure these properties hold at run time: function pointers can only be assigned — you don't read a function pointer and copy it somewhere else; you don't increment a function pointer, so there's no pointer arithmetic on function pointers; and we forbid casts from data pointers to function pointers. This may seem prohibitive, but there are very few locations in the kernel that actually cast data pointers to function pointers, so we can restrict this and refactor the handful — two to three — locations in the code that actually have these patterns, and thereby enforce a security policy that is much stricter and more precise than other CFI policies, giving strong protection for control flow in the kernel.

For large software, we enforce prototypes to protect C++ virtual calls, and we also look at the type hierarchy: instead of just enforcing that the function prototypes match, we enforce that the function prototypes and the type hierarchy match.
Even if you have a void function — think about C++, where you have a ton of constructors, void functions for example — under a regular prototype-based CFI policy, all the different void functions would be callable. What we additionally add is that we look at the class and enforce class-hierarchy integrity as well: we always go to the base class and enforce that the target must be inherited from the proper base class, so the targets have to match along the hierarchy. This allows us to enforce that the code pointer is valid for the current class, and we do the check not on the code pointer itself but on the vtable pointer. This lets us push the check one step further, to the actual data-pointer dereference that happens earlier: in C++ you dereference the vtable pointer to get to the code pointer.

A quick note on C++ virtual dispatch, just to refresh you: in C++ we have base classes and descendant classes — for example, a parent class and a child class that extends it — and we have vtable pointers and vtables for both. Say there is one virtual function, so there is one single indirect function call for the print function, and you also have a vtable for the child class. The color code I'm using on the slide: blue is read-only, and the remainder is readable and writable. So if you allocate an object of type parent on the heap, the constructor will initialize the vtable pointer and make it point to the read-only vtable. Now, an attacker under CFI can overwrite this vtable pointer.
Under such a CFI policy, the attacker can modify the pointer from the parent class to the child class: the attack stays inside the type hierarchy, because, as I mentioned earlier, CFI only checks the pointer when it is used — only when you dereference the pointer does the check actually happen. So even with a precise CFI check that is aware of the underlying object types, the attacker is restricted to those targets — you cannot call some other print function that happens to have the same arguments or the same name — but you are still allowed, as an attacker, to switch between these two.

So, as an addition to the CFI policy, we came up with the vtable-integrity idea, which stops the control-flow hijack a step earlier, making the protection context- and flow-sensitive on top of CFI. We can still do CFI at the later step, but we enforce the integrity of the underlying memory objects as they are allocated, at a higher level. Interestingly, this allows us to enforce a simple object-integrity policy. What we observe is that for C++ dynamic dispatch, each object has a single target: there is only one valid target, whereas even the most precise CFI policy, which I showed before, allows more. The CFI policy with the two allowed classes that I showed you is the same as what is now implemented in LLVM-CFI, but this is not precise enough: instead of having those two targets allowed at runtime, a C++ dynamic dispatch should only have a single target. And you do have the detailed type information available during the compilation process. Interestingly, per the C++ specification, only the C++ class constructor is allowed to write the vtable pointer; any deallocation invalidates the vtable pointer; and only the dispatch function uses the vtable pointer. So the underlying idea is to enforce the integrity of the vtable pointer by replacing these three operations with our own implementation: we modify the constructor to record the true type of the object in a protected area where we enforce integrity protection, we instrument deallocation to remove this additional metadata, and we modify dynamic dispatch to use the true type of the object from our safe area. This ensures that you are always using a correct object — a valid object whose vtable pointer has been legitimately written. It doesn't protect against data-only attacks — you can still modify data pointers, and that's why CFI is still useful; this is complementary to CFI — but we enforce the integrity of the object, and if you do a dispatch on an object, you cannot change it. Yes, please?

We instrument the constructor so that only the constructor is allowed to modify this metadata. There are different ways you can enforce that. On one hand, we use MPX in an interesting way, where we make sure that only our instructions in the constructor are allowed to modify this data: we instrument every single write in the program — all the non-constructor writes — with a bounds check and make sure the write doesn't go into this area.

Yes — so this was a very interesting problem, and we worked on it for a while. You can either do masking, which forces you to change the whole address-space layout — and this is an interesting topic in itself: how do you make sure you have a protected memory area somewhere in your address space that only your special instructions can access? It is a really hard problem. You can allocate the safe memory area at the top of the address space, or at the bottom, and then do masking: you mask every single memory access.
With masking, you restrict the safe region to a power-of-two size, and every single memory read or write is instrumented with an AND instruction to mask out the protected memory area. But this has rather high overhead — about seven to eight percent just for masking all the instructions, because it's expensive — and you have to change the whole address-space layout of your application. If you're doing benchmarks like SPEC that's easy, but as soon as you look at a complex program, good luck changing the address-space layout of Google Chrome, which allocates wildly and has different forms of assumptions — this will not scale. Also, we want flexibility: we want to place the protected memory area at a particular location in memory that we choose, and with masking you don't get that much flexibility. If you want to use MPX: MPX allows you to check that your pointer is inside a specific area, but the check we would like to do is whether our pointer is outside this area — we want to make sure all the other writes can only write outside of the protected area. So what we do is allocate the safe memory area at a particular location, and for each memory write we shift the address, using a lea instruction, so that the safe region effectively sits at a benign location — at the top or at the bottom — and then we can use a simple bounds check to verify the access. This is a very neat trick: it reduces the number of bounds checks you have to do from two to one. Instead of checking both a lower bound and an upper bound, we can test with a single comparison whether the access falls outside the safe area. The overhead is obviously the interesting question for this approach: we compared our mechanism alone, our mechanism with MPX, and the additional overhead of LLVM-CFI on top of it. Our mechanism clocks in at a geometric mean of about two percent on the SPEC benchmarks.
With the MPX-based integrity protection it's about 4.8 percent overhead. Yes? — It's a lookup: you look up the type in a data structure, so you need to get from the address of the object to the actual type of the object. Yes, we use the address as the key. We studied access patterns for different benchmarks and figured out that you pretty much access the heap, the stack, and a couple of other regions, so we end up allocating a large virtual address space for a two-level lookup table — you go from the first level to the second. It's a large virtual address space that we reserve, but only very few pages are actually mapped, so the actual memory overhead is very low even though we use a lot of virtual address space; a 48-bit address space is large enough that we can easily use some part of it for this. And for Chrome we have two percent overhead on Octane and two percent on Kraken, so the overhead for browsers is reasonably low.

So let me summarize CFI. CFI is available, and it makes exploitation harder. It has been deployed in Visual Studio in one form, in GCC in a somewhat better form, and in LLVM in a rather precise form; it's deployed by Microsoft and in Google Chrome, and it makes exploitation harder. We are hoping to get stronger defense mechanisms in there that enforce the integrity of the underlying objects, because there are specific limitations — like these large target classes — that can lead to different attacks. Interestingly, no deployed solution has a good story for backward-edge protection; many of the ones that are actually deployed ignore the backward edge.
Obviously, precision and metrics are ongoing work here. Now let me quickly talk about type confusion as well. Type confusion is a very interesting attack vector that enables you to compromise memory; it is one of the bug classes most frequently used to compromise browsers. Type confusion arises through illegal downcasts — and I know there has been work here in the security groups before on type-confusion protection. It arises through illegal downcasts, for example when you convert a base-class pointer to a derived class: say you have allocated a DOM node and you cast it into a DOM text node — the sizes of these objects will be different. This problem is very common in large software, and there are many different CVEs that show how whole software systems can be compromised through this attack vector. Let me give you a more concrete example. We have classes Base and Derived: Base has a b integer; Derived has a c integer and also a virtual function. If you allocate a Base object, the memory allocator will happily create a small object for you, of just the size of the integer. If you allocate a Derived object, the object size will be sixteen bytes on a 64-bit platform: eight bytes for the vtable pointer, four bytes for the first integer, and four bytes for the second integer. So the memory layouts of these classes are different. Now, continuing with the code: we allocate the Base object, assigning the pointer with a new Base, and then we do a static_cast and cast it into a Derived object — this will lead to type confusion. A static_cast — for the C++ programmers out here — is done purely as a compile-time check. This is a clever optimization of the C++ compiler: it asks whether the class Derived and the declared type of the object being passed in — and that should actually be the b pointer here, sorry about the typo — are compatible. The compiler looks at it: the Derived class extends the Base class, so the cast is valid, everything is fine, right? So there is no runtime check that looks at the actual runtime type of the object — and at runtime the object can be of any particular type, so there is the potential that the wrong type is used. This is exactly what happens here: we now have a Derived pointer whose object extends beyond the Base object we allocated, and as soon as we try to access the c integer or dereference the virtual function, the type confusion strikes. An attacker may be able to overwrite or control these memory areas, and this can result in a control-flow hijack attack or in corruption of the adjacent object — this is what is being used to exploit your browsers and your systems. How can we protect against this attack vector? Well, we can enforce some form of type safety and make sure we protect against these illegal casts — static casts that go wrong at runtime. As I just told you, a static_cast is checked only at compile time, which is very fast: you have zero runtime overhead because you're not executing a check; you only verify at compile time that the two classes are related, and you don't enforce any additional checks at run time. On the other hand, you have the opportunity in C++ to execute dynamic casts, which are checked at runtime — but they have some drawbacks.
overhead. They are very costly, because a dynamic cast will go to the RTTI information, try to look up the two classes, query several data structures, and then do a comparison. That's why people are not using it. Also, dynamic casts are limited to polymorphic objects. What is a polymorphic object? A polymorphic object is an object that has at least one virtual function. Why is it limited to polymorphic objects? Any ideas? Why do you have to use the vtable pointer? Right: you don't know what the object type is. C++ is a low-level language; it's just untyped memory, anything can be anything. The vtable pointer is a unique identifier for the object type, and that's why dynamic_cast only works for polymorphic objects; otherwise you don't have an identifier of the actual object type. So dynamic_cast only applies to polymorphic objects and has high overhead for every single check, so nobody is using it. Everybody is using just static casts, or even worse, C-style casts. If you are writing C++ programs and you ever use a C-style cast, you should get a slap on the head, because that's the worst kind of cast you can use as a C++ programmer. It pretty much tells the compiler: try everything. It tries all the different valid C++ casts, and anything goes; in the end it falls back to reinterpret_cast, even if the underlying types are incompatible at compile time. So there is one form that's even worse than a static cast, and that's a C-style cast. What we are trying to enforce with HexType is to conceptually check every single cast dynamically: we record the true type of every object in a separate data structure that allows us to keep track of every single allocated object, polymorphic or not.
And every single cast results in an actual runtime check. Now, this on its own would have terrible overhead; that's why we aggressively optimized both the design and the implementation of our approach, to remove as many of these checks as we can while still keeping the guarantee of conceptually checking all casts dynamically. There has been prior work, two prior systems: CaVer, which was developed here at Georgia Tech, and TypeSan, which was developed by us together with a university in Amsterdam. HexType, which will come out this year, further extends these systems.

With HexType, on one hand we extend the coverage compared to the previous systems: we cover all kinds of new object allocations, where the previous systems had trouble following certain allocation cases, for example the different forms of allocation on the stack; you could call that mostly bug fixing, or fixing things that the earlier systems did not look at. We support placement new, which custom allocators often use. Placement new, if you are a C++ programmer, allows you to map a large memory area and then tell the C++ runtime system: this is an object of this type, that is an object of that type. It is an extension of the usual new mechanism that lets you say, I want to create a new object at this address, and then call the constructor. So we support placement new, and we also support reinterpret_cast and the C-style casts that boil down to reinterpret_cast. With reinterpret_cast you can repurpose and revive existing objects; it is like a sledgehammer with which you change the type of an object, and we support tracking these kinds of type changes as well.
On the other hand, we have to aggressively optimize: now that we have vastly extended coverage, by several orders of magnitude, we need to reduce the overhead so that we are actually faster than these other systems. A very clever way to do this is by limiting object tracing, that is, which objects we keep track of when they are allocated and deallocated, to unsafe objects, because as we found out, most objects are allocated, deallocated, and never see a single cast. If we can tell that an object will never be cast, we do not need to record its true type, because we will never use that information. This optimization does a whole-program analysis to check which types are never used in any casting operation. As it turns out, on SPEC CPU, for several benchmarks none of the types are used for casting, so we get rid of all the type information we would otherwise have to track; and for Chrome, which is the more interesting use case, you still get rid of about thirty percent of all the objects you would need to track.

We also limit checking to unsafe casts. The underlying idea here: if you allocate an object on the stack, deallocate it when you leave the stack frame, and have no deep function calls in between, we can statically verify every single cast in this function and in all the functions or methods being called. If you can statically verify the safety of all the checks, you do not have to instrument them and you do not have to execute any dynamic checks, so this removes another bunch of casts. And we rewrite dynamic casts to no longer use the expensive RTTI lookups but to use our quick lookup: we reimplemented these casts on top of our metadata, which is already there and has much lower overhead. So we use these optimizations to aggressively optimize our system. If you look at coverage, these are the different
SPEC C++ benchmarks, and here are the Firefox benchmarks: Octane, Dromaeo, and two others. [Audience question.] Yes. For that one, reinterpret_cast is used to change the runtime type of an object: we found patterns where Firefox, for example, takes an old object, applies a reinterpret_cast, and then continues using that object as the new type. So we change the recorded runtime type of the object and allow it to be used later on; otherwise this leads to a loss of precision. Yes, yes, we pretty much record this new type information. This is joint work with Byoungyoung, by the way; he is working on that as well.

So, coverage: compared to TypeSan, which already increased coverage compared to CaVer, we increased coverage for one SPEC benchmark, and for the Firefox benchmarks we increased coverage between two and six times, getting to seventy-three to eighty-eight percent of the total number of casts. As for overhead, with all the optimizations there is likely a bug in one of them that we did not find before the final deadline, so the numbers in this version will be updated for the CCS presentation.

Let me summarize type safety. Type confusion is fundamental to these exploits; the existing solutions are incomplete, partial, and slow; and programmers are using programming patterns that are inherently vulnerable to these kinds of type confusion exploits. That is why we need a runtime mechanism that enforces these type safety properties. We have almost full coverage, a two to six times increase in coverage compared to the second-best system, and reasonable overhead: for SPEC CPU we see between zero and roughly a 2x improvement thanks to the optimization that only tracks objects that are actually cast, so we can drastically reduce the overhead with this very simple optimization. And for Firefox, because we have a six times
increase in coverage, we get up to a 0.5x slowdown. So we increase the coverage by six times and get a 0.5x slowdown, which is reasonable. As future work, we are working on the remaining coverage and more optimizations, to cover the remaining missing objects and get to one hundred percent.

So let me conclude. We are working in an environment where applications have vulnerabilities, so we have to develop mechanisms that protect systems despite these vulnerabilities and enforce strong security policies with overhead that is acceptable at runtime. We have to support both the source code and the binaries that are out there, because sometimes you will have legacy binaries that you have to support as well; or, if you do kernel work, there is machine code, or machine-code sequences in inline assembly, that you will have to handle, where you do not have the high-level type information you have in source code. We discussed different forms of control-flow hijack protection, precise CFI, and object type integrity, and for these defenses context awareness is key for effectiveness, to make sure that they actually enforce a strong security policy. The systems I have talked about are low overhead, and we follow a policy of always open-sourcing our systems so that other people can try them out and use them to build other systems on top. Ongoing work includes lightweight stateful defenses, better type safety (getting the remaining coverage), and protection against data-only attacks. With this I would like to end my talk. Thank you for your attention, and I am happy to take any remaining questions. [Applause.]
[Audience question, partly inaudible, about where the boundary lies between coarse-grained and fine-grained CFI.] Thank you for this question. I will happily point you to the journal article we recently wrote on this topic, where we look at many different CFI implementations and mechanisms. On one hand, I am quite unhappy about the distinction into coarse-grained and fine-grained, because it is very fuzzy. First there was CFI; then a couple of papers were published that labeled the earlier work coarse-grained CFI because it was not precise enough, and then everybody else started calling their papers fine-grained CFI if they were just better than the coarse-grained ones. These terms are not clearly defined. So in our journal article we try to define metrics for the precision of CFI mechanisms, and in the end it boils down to the number of different target sets you have on a per-location basis and the size of those target sets. As your metric to evaluate CFI mechanisms, you have to look at both the number of target sets and the size of these target sets. So yes, we are working on ever more precise systems; ideally you boil it down to one single target, because with a runtime mechanism there would be just a single valid target. And there are runtime mechanisms developed here as well, PittyPat for example, which looks at the execution
trace to make sure that there really is just a single target. But this comes at a dynamic analysis cost, which results in higher overhead; PittyPat uses a separate core to hide most of this analysis cost. Ideally you would like a single system that runs inside the process and enforces one single target with negligible overhead, so there is a lot of potential for further improvement, especially for static policies: you can make them context-aware and control-flow-aware, and there are more opportunities there. So far all the mechanisms use function prototypes, which from a programming-languages perspective is very, very imprecise. People have looked into type systems and context sensitivity for a long, long time; we just need to transfer all that knowledge into the security world and make it scale to full programs to increase the precision. I hope that answers your question. Thank you. [Applause.]