This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Operating system Hypervisors & Network services System libraries System apps
Firmware Boot loaders
kernels & drivers VMMs (HTTP) (cryptography) (browsers)
 700 100%

90%
600
80%
500 70%

60%
400

% of CVEs
# of CVEs

50%
300
40%

200 30%

20%
100
10%

0 0%
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019
Patch Year Patch Year

Total Memory safety Not memory safety

~70%

Memory safety is an ~66% of iOS 12 vulnerabilities ~60% of high severity vulnerabilities in Chrome
industry challenge
[2,3,4,5] ~72% of macOS 10.14 vulnerabilities ~90% of Android vulnerabilities
Most systems software is currently written in
unsafe languages such as C and C++

These are great languages, but developers

need to consciously do the safe thing

And it is easy to make a mistake 

 CVE-2019-1345
A portable executable (PE) parsing memory safety vulnerability[6]
found by @j00ru that I introduced into the Windows kernel in 2016
 100%

90%
For systems software[1] at Microsoft
80%

70% Most vulnerabilities are not known to be

60% exploited in the wild*
% of CVEs

50%

40% If a vulnerability is exploited, it is most likely to

30% first be exploited as zero day in a targeted
20% attack
10%

0%
Broad exploitation has become uncommon
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019
Patch Year
Customer safety has meaningfully improved
Exploited within 30 days of security update Not known to be exploited

Exploiting vulnerabilities has become more expensive

→ Alphabet soup of exploit mitigations, sandboxes, and other controls have increased costs

Many attackers have pivoted to alternative tactics with better ROI

→ Social engineering (phishing for credential theft, ransomware, etc)
we leverage tools[25,26] to help us find vulnerabilities

they do not satisfy the properties outlined earlier

The upstream & downstream costs to productivity can be significant
 100%

90% 50
35 51
39 33 37 132 179
87 151 216
80% 34 16 222
4 91 9
6 9
70% 1 2 11 24
1
6 4 7 39
4 27 19 88
4 4 10 94
60% 13 31
10 14 3 6 77 57
#1 – heap out-of-bounds
% of CVEs

5 12 23
6 5 40
50% 17 44 93 60
21 14 20
40% 37 15 36 81
184 71 81
#2 – use after free
35 92 183
30% 57
38 43 93 98
63 85
102
20% 28

10% 31 25 130
#3 – type confusion
21 27 74 106
18 22 25 59 80
27
10 3 10 3 7 6 11
0% 1 3
2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019
Patch Year

Stack Corruption Heap Corruption Use After Free Type Confusion Uninitialized Use Heap OOB Read Other
#4 – uninitialized use
Vulnerability Developer
Vulnerability class Durable safety solution Completeness? Enforceability? Verifiability?
category friction?
Heap out-of-bounds
read/write
Use gsl::span<T> and do not index
Spatial safety
Stack out-of-bounds
read/write
raw pointers or perform pointer
arithmetic on raw pointers[7]
☺   
Global out-of-bounds
read/write

Always initialize members in

constructors[9]    ☺
Heap uninitialized use
Use a memory allocator that
initializes by default ☺   ☺
Temporal safety
Always initialize members in
constructors[9]    ☺
Stack uninitialized use
Always initialize local variables
before use[8,18] ☺   ☺
Vulnerability Developer
Vulnerability class Durable safety solution Completeness? Enforceability? Verifiability?
category friction?

Heap use after free

Use RAII, owner<T>,
unique_ptr<T>, and
Temporal safety shared_ptr<T> instead of raw
pointers or references to
   
objects[10, 11, 12]
Stack use after free

Concurrency
safety
Memory access race
condition
Unknown[13]
   

Object lifetime and concurrency vulnerabilities are challenging to categorically eliminate

2nd order vulnerability Developer
Vulnerability class Durable safety solution Completeness? Enforceability? Verifiability?
category friction?

Illegal static down cast

Use dynamic cast or similar
runtime verification[14,17] ☺   
Type confusion

Union field type

confusion
Use std::variant[15]
☺   

Arithmetic errors
Integer overflow or
underflow
Use safe integer manipulation
libraries[16] ☺   

2nd order vulnerability classes can give rise to memory safety vulnerabilities
Observations: making unsafe code safer
C# is a wonderful language, but it is not suitable in many systems contexts
Vulnerability category Vulnerability class C# Completeness Rust Completeness

Heap out-of-bounds read/write ☺ ☺

Spatial safety Stack out-of-bounds read/write ☺ ☺
Global out-of-bounds read/write ☺ ☺
Heap uninitialized use ☺ ☺
Stack uninitialized use ☺ ☺
Temporal safety
Heap use after free ☺ ☺
Stack use after free ☺ ☺
Concurrency safety Memory access race condition  ☺
Illegal static down cast ☺ ☺
Type confusion
Union field type confusion ☺ ☺
Arithmetic errors Integer overflow or underflow ☺ 

unsafe
Observations: transition to safer languages
3

Completeness? Enforceability? Verifiability? Developer friction?

 ☺  ☺
Observations: memory tagging
Unforgeable capabilities enable fine-grained memory access control[22]

Completeness? Enforceability? Verifiability? Developer friction?

 ☺  
Observations: CHERI
✔ Hard to do the unsafe thing
✔ Easy to verify that the safe thing happens
✔ Productivity is maximized
✔ Inherently viable
transitive
A huge THANK YOU to everyone at Microsoft & across the industry
who is working to durably improve systems software security
 https://alexgaynor.net/2019/aug/12/introduction-to-memory-unsafety-for-vps-of-engineering/
https://langui.sh/2019/07/23/apple-memory-safety/
https://security.googleblog.com/2019/11/gwp-asan-sampling-heap-memory-error.html
https://security.googleblog.com/2019/05/queue-hardening-enhancements.html
https://bugs.chromium.org/p/project-zero/issues/detail?id=1909
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#probounds-bounds-safety-profile
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Res-always
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#SS-type
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#SS-lifetime
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#r-resource-management
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Res-deref
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#cp-concurrency-and-parallelism
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Rh-
dynamic_cast
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#Ru-naked
https://github.com/isocpp/CppCoreGuidelines/blob/master/CppCoreGuidelines.md#S-expr
https://clang.llvm.org/docs/ControlFlowIntegrityDesign.html
https://github.com/microsoft/MSRC-Security-
Research/blob/master/presentations/2019_09_CppCon/CppCon2019%20-%20Killing%20Uninitialized%20Memory.pdf
https://developer.arm.com/-/media/Arm%20Developer%20Community/PDF/Arm_Memory_Tagging_Extension_Whitepaper.pdf
 https://github.com/microsoft/MSRC-Security-Research/blob/master/papers/2020/Security%20analysis%20of%20memory%20tagging.pdf
https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-941.pdf
https://www.cst.cam.ac.uk/blog/tmj32/addressing-temporal-memory-safety
https://github.com/microsoft/verona
https://www.microsoft.com/security/blog/2020/05/04/mitigating-vulnerabilities-endpoint-network-stacks/
https://www.youtube.com/watch?v=NlfZG2wTPZU
https://www.rsaconference.com/usa/agenda/collaborating-to-improve-open-source-security-how-the-
ecosystem-is-stepping-up
https://vimeo.com/376177222