This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Vulnerabilities and exploitation are on the rise; Microsoft needs to protect customers.
CFG Development Starts
Compile time

    void Foo(...) {
        // SomeFunc is address-taken
        // and may be called indirectly
        Object->FuncPtr = SomeFunc;
    }

Metadata is automatically added to the image which identifies functions that may be called indirectly.

    void Bar(...) {
        // Compiler-inserted check to
        // verify call target is valid
        _guard_check_icall(Object->FuncPtr);
        Object->FuncPtr(xyz);
    }

A lightweight check is inserted prior to indirect calls which will verify that the call target is valid at runtime.
Runtime

Process Start
• Map valid call target data

Image Load
• Update valid call target data with metadata from PE image
• If process enables RFG: patch NOPs with RFG prolog/epilog

Indirect Call
• Perform O(1) validity check
• Terminate process if invalid target
• Jmp if target is valid
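As an added illustration (not code from the presentation), the following C model walks through the three runtime steps above: map the valid-call-target data at process start, set bits from the image metadata at load, and run the O(1) check before an indirect call. The 2-bits-per-16-byte layout follows Windows CFG; the 1 MiB window around the module, the function names and the -1 return in place of a real fast fail are assumptions made so the example runs stand-alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the CFG data. Real CFG keeps a bitmap over the whole user
 * address space, 2 bits per 16-byte granule (bit 0: aligned target valid, bit 1:
 * unaligned target valid). This model covers a 1 MiB window around this module. */
#define CFG_WINDOW  (1u << 20)
#define CFG_GRANULE 16u
static uint8_t   cfg_bitmap[CFG_WINDOW / CFG_GRANULE / 4];  /* 2 bits per granule */
static uintptr_t cfg_base;
typedef int (*handler_t)(int);

/* Process start: map the valid-call-target data, initially all invalid. */
void cfg_init(void) {
    cfg_base = ((uintptr_t)cfg_init - CFG_WINDOW / 2) & ~(uintptr_t)(CFG_GRANULE - 1);
    memset(cfg_bitmap, 0, sizeof cfg_bitmap);
}
/* Find the bit for a target; returns 0 if the address is outside the window. */
static int cfg_locate(uintptr_t target, size_t *byte, unsigned *shift) {
    if (target < cfg_base || target - cfg_base >= CFG_WINDOW) return 0;
    size_t g = (target - cfg_base) / CFG_GRANULE;
    *byte  = g / 4;
    *shift = (unsigned)(g % 4) * 2 + (target % CFG_GRANULE ? 1u : 0u);
    return 1;
}

/* Image load: set the bit for each address-taken function listed in the metadata. */
void cfg_register_target(uintptr_t target) {
    size_t b; unsigned s;
    if (cfg_locate(target, &b, &s)) cfg_bitmap[b] |= (uint8_t)(1u << s);
}

/* The O(1) check inserted before each indirect call (_guard_check_icall). */
int cfg_check_icall(uintptr_t target) {
    size_t b; unsigned s;
    return cfg_locate(target, &b, &s) && ((cfg_bitmap[b] >> s) & 1);
}

/* Guarded indirect call: jmp if valid, otherwise "fast fail" (returned as -1
 * here rather than terminating the process, so the outcome can be observed). */
int cfg_call(handler_t fp, int arg) {
    if (!cfg_check_icall((uintptr_t)fp)) return -1;  /* would be a fast fail */
    return fp(arg);
}

int double_it(int x) { return 2 * x; }  /* address-taken: listed in the metadata */

int main(void) {
    cfg_init();
    cfg_register_target((uintptr_t)double_it);  /* cfg_init is never registered */
    printf("%d %d\n", cfg_call(double_it, 21), cfg_call((handler_t)cfg_init, 21));
}
```

The second call is rejected even though cfg_init is a real function: only targets recorded in the image metadata have their bit set.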
Function Calls
• Prolog: Push return address to shadow stack
• Epilog: Fast fail if return address on stack and shadow stack are mismatched

    cmp rcx, [rsp]
    jne _fast_fail
    ret
[Diagram: WorkerThread() stack over time, with "0xABCD: […] //Remainder of parent function" as the parent frame. Frames shown: Sleep(), GetLength(), StrnLen(). The RET Pointer overwrite is labelled "Safe Overwrite Time" while the thread is in Sleep() and "Dangerous Time" while it is in StrnLen().]
• Broker only allows executable pages to be unmapped when safe

Race Conditions
• Unwinder needs to be out-of-process
• CFG check race killed with "code replacement attack" mitigation

X86 Stack Misbalancing & Generic Stack Address Leaks
• Mitigated by CET

Read-Only Memory Attacks
• Certain regions must be permanently read-only and not unmappable. Broker decides when it is safe to allow unmap
• Operations that require write access to this memory (e.g. when delay loading a DLL) must be OOP

Coarse Grained CFI Limitations
• Look for opportunities to make CFG more fine grained