Professional Documents
Culture Documents
Operating system Hypervisors & Network services System libraries System apps
Firmware Boot loaders
kernels & drivers VMMs (HTTP) (cryptography) (browsers)
700 100%
90%
600
80%
500 70%
60%
400
% of CVEs
# of CVEs
50%
300
40%
200 30%
20%
100
10%
0 0%
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019
Patch Year Patch Year
~70%
Memory safety is an ~66% of iOS 12 vulnerabilities ~60% of high severity vulnerabilities in Chrome
industry challenge
[2,3,4,5] ~72% of macOS 10.14 vulnerabilities ~90% of Android vulnerabilities
Most systems software is currently written in
unsafe languages such as C and C++
90%
For systems software[1] at Microsoft
80%
50%
0%
Broad exploitation has become uncommon
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019
Patch Year
Customer safety has meaningfully improved
Exploited within 30 days of security update Not known to be exploited
90% 50
35 51
39 33 37 132 179
87 151 216
80% 34 16 222
4 91 9
6 9
70% 1 2 11 24
1
6 4 7 39
4 27 19 88
4 4 10 94
60% 13 31
10 14 3 6 77 57
#1 – heap out-of-bounds
% of CVEs
5 12 23
6 5 40
50% 17 44 93 60
21 14 20
40% 37 15 36 81
184 71 81
#2 – use after free
35 92 183
30% 57
38 43 93 98
63 85
102
20% 28
10% 31 25 130
#3 – type confusion
21 27 74 106
18 22 25 59 80
27
10 3 10 3 7 6 11
0% 1 3
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019
Patch Year
Stack Corruption Heap Corruption Use After Free Type Confusion Uninitialized Use Heap OOB Read Other
#4 – uninitialized use
Vulnerability Developer
Vulnerability class Durable safety solution Completeness? Enforceability? Verifiability?
category friction?
Heap out-of-bounds
read/write
Use gsl::span<T> and do not index
Spatial safety
Stack out-of-bounds
read/write
raw pointers or perform pointer
arithmetic on raw pointers[7]
☺
Global out-of-bounds
read/write
Concurrency
safety
Memory access race
condition
Unknown[13]
Arithmetic errors
Integer overflow or
underflow
Use safe integer manipulation
libraries[16] ☺
2nd order vulnerability classes can give rise to memory safety vulnerabilities
Observations: making unsafe code safer
C# is a wonderful language, but it is not suitable in many systems contexts
Vulnerability category Vulnerability class C# Completeness Rust Completeness
unsafe
Observations: transition to safer languages
3
☺ ☺
Observations: memory tagging
Unforgeable capabilities enable fine-grained memory access control[22]
☺
Observations: CHERI
✔ Hard to do the unsafe thing
✔ Easy to verify that the safe thing happens
✔ Productivity is maximized
✔ Inherently viable
transitive
A huge THANK YOU to everyone at Microsoft & across the industry
who is working to durably improve systems software security
https://alexgaynor.net/2019/aug/12/introduction-to-memory-unsafety-for-vps-of-engineering/
https://langui.sh/2019/07/23/apple-memory-safety/
https://security.googleblog.com/2019/11/gwp-asan-sampling-heap-memory-error.html
https://security.googleblog.com/2019/05/queue-hardening-enhancements.html
https://bugs.chromium.org/p/project-zero/issues/detail?id=1909
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#probounds-bounds-safety-profile
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Res-always
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#SS-type
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#SS-lifetime
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#r-resource-management
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Res-deref
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#cp-concurrency-and-parallelism
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Rh-
dynamic_cast
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Ru-naked
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#S-expr
https://clang.llvm.org/docs/ControlFlowIntegrityDesign.html
https://github.com/microsoft/MSRC-Security-
Research/blob/master/presentations/2019_09_CppCon/CppCon2019%20-%20Killing%20Uninitialized%20Memory.pdf
https://developer.arm.com/-/media/Arm%20Developer%20Community/PDF/Arm_Memory_Tagging_Extension_Whitepaper.pdf
https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Security%20analysis%20of%20memory%20tagging.pdf
https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-941.pdf
https://www.cst.cam.ac.uk/blog/tmj32/addressing-temporal-memory-safety
https://github.com/microsoft/verona
https://www.microsoft.com/security/blog/2020/05/04/mitigating-vulnerabilities-endpoint-network-stacks/
https://www.youtube.com/watch?v=NlfZG2wTPZU
https://www.rsaconference.com/usa/agenda/collaborating-to-improve-open-source-security-how-the-
ecosystem-is-stepping-up
https://vimeo.com/376177222