Abstract

"Perfect" (bug-free) software is impractically expensive and slow to produce, and so the vast bulk of consumer and enterprise software products are shipped when they are "good enough" but far from bug-free. As a consequence, there has been a constant struggle to keep attackers from exploiting these chronically inevitable bugs. Much of that attention has been on memory corruption attacks against type-unsafe C/C++ programs, but in recent years it has expanded to the web, where most development is done in dynamically typed scripting languages. This talk will review the evolution of increasingly sophisticated memory corruption defenses and the bypasses attackers discovered for each of them, how those mitigations have pushed attackers toward exploiting other, non-memory-corruption threats, and some surprising similarities between the memory corruption problem and the scripting problem.

Speaker

Crispin Cowan entered the security arena in 1998 at the Seventh USENIX Security Symposium with the StackGuard paper, which introduced stack canaries for buffer overflow protection, a technique now used on nearly all platforms. From 1999 to 2007 he was the founding CTO of Immunix, which was acquired by Novell in 2005 to incorporate AppArmor into SUSE Linux. Since 2008, Crispin has worked for Microsoft, continuing his work adding security value to existing operating systems, but now doing it for Windows. Crispin is especially interested in usable security and effective sandboxing, and so has contributed to improving usability in UAC and to building the app container feature to allow users to run Windows Store Apps with confidence. Crispin’s contribution to the recent Windows 8.1 release has been enhancing the systematic security reviews to ensure that all Windows features ship with appropriate security considerations in mind. He holds a Ph.D. from the University of Western Ontario and a Master's in Mathematics from the University of Waterloo.


About the WATCH series:

Transforming today's trusted but untrustworthy cyberinfrastructure into one that can meet society's growing demands requires both technical advances and improved understanding of how people and organizations of many backgrounds perceive, decide to adopt, and actually use technology. WATCH aims to provide thought-provoking talks by innovative thinkers with ideas that illuminate these challenges and provide signposts toward solutions. The series is jointly organized by NSF's Computer Science and Engineering (CISE) and Social, Behavioral, and Economic (SBE) Directorates and sponsored by the CISE Secure and Trustworthy Cyberspace (SaTC) Program. Talks will be recorded and made available over the Internet.


For technical questions during the webcast contact [email protected] or call one of our technical support numbers to the right.

For the webcast, please tune in 15 minutes prior to the start time for the event and test your video player. This live event will be captioned in compliance with Section 508.

The event will be archived for 3 months - viewable at http://www.tvworldwide.com/events/nsf/130926 and http://www.fededtv.com/. Participants should have the Windows Media Player or Flash player installed to view the event.



About NSF

The National Science Foundation (NSF) is an independent federal agency that supports fundamental research and education across all fields of science and engineering. In fiscal year (FY) 2009, its budget is $9.5 billion, which includes $3.0 billion provided through the American Recovery and Reinvestment Act. NSF funds reach all 50 states through grants to over 1,900 universities and institutions. Each year, NSF receives about 44,400 competitive requests for funding, and makes over 11,500 new funding awards.


About TVWorldwide.com

Founded in 1999, TV Worldwide (www.tvworldwide.com) developed the first Internet TV network of community-based Internet TV channels, primarily targeting niche professional communities ranging from the maritime industry to the digital media sector. Known by many in the industry as "Internet TV for Smart People", Fortune 500 companies, 18 federal government agencies, and numerous international associations, including the National Association of Broadcasters, utilize TV Worldwide's live and archived state-of-the-art video streaming content applications and Internet TV channels. In recognition of the company's unique achievements in new media, TV Worldwide was selected by the National Academy of Television Arts and Sciences (NATAS) to webcast the Daytime Emmy Awards and the Emmy Awards for Technology and Engineering from 2007 through 2009. CEO Dave Gardy was honored by Streaming Media Magazine in 2008 as one of the 25 Most Influential People in Streaming Media. Mr. Gardy also currently serves as the President of the International Webcasting Association (IWA) (www.webcasters.org).