Security and Legacy at Microsoft
MATTHEW PARKINSON
PRINCIPAL RESEARCHER, CONFIDENTIAL COMPUTING, MICROSOFT RESEARCH
Motivation
Microsoft cares about security
Microsoft cares about legacy
Fixing individual bugs not scaling
[Chart: # of CVEs by patch year, 2006 to 2018 (x-axis: Patch Year; y-axis: # of CVEs)]
Microsoft cares about security
slide courtesy of Matt Miller, Partner Security Engineer, MSRC
[Chart: Root cause of CVEs by patch year, 2006 to 2018, as a percentage (0% to 100%) of each year's CVEs. Series: Stack Corruption, Heap Corruption, Use After Free, Type Confusion, Uninitialized Use, Heap OOB Read, Other]
Top root causes since 2016:
What is Microsoft doing?
Remove classes of vulnerabilities
◦ Probabilistic prevention not considered suitable - servicing a vulnerability still required
◦ MemGC - https://msrc-blog.microsoft.com/2016/01/12/triaging-the-exploitability-of-ieedge-crashes/
◦ Killing Uninitialized Memory: Protecting the OS Without Destroying Performance - https://cppcon2019.sched.com/event/SfYc/killing-uninitialized-memory-protecting-the-os-without-destroying-performance
Investing in safe(r) systems programming languages:
◦ Rust investigations, https://msrc-blog.microsoft.com/2019/07/18/we-need-a-safer-systems-programming-language/
◦ Project Verona, research project
◦ Cannot simply throw away old code!
Our research in Cambridge
Mitigations Language design Compartmentalisation
Project Verona
A new language for safe infrastructure programming
With David Chisnall, Sylvan Clebsch, Manuel Costa, Sophia Drossopoulou, Juliana Franco, Mads Torgersen, …
The application spectrum
C#
C/C++
Asm
Today
Boot loader/HAL
Core OS components Schedulers/Memory management
Exchange/ ASP.NET
Azure Storage/ Cosmos/ Data lake
Azure functions
Desktop Apps
Device drivers
Systems Programming
The space
• Fine grained control
• Resource management
• Latency sensitive
• Close to machine
• No abstraction over memory
• No type safety
Systems Programming
Infrastructure Programming
Inherently unsafe
Possible for safe by construction
Core ideas
Data-race freedom
• Give up concurrent mutation, to enable scalable memory management.
Concurrent Owners
• New concurrency model that provides lightweight asynchronous coordination.
Linear Regions
• passing groups of objects
• memory management strategies per region (reference counting, tracing, arenas, …)
• Compartmentalisation for legacy components
Shared immutable region
Linear mutable region
Single entry point
Regions are only accessed by one computation at a time
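The region discipline on the Core ideas and Linear Regions slides, approximated in Rust as an added example (not Verona code and not from the talk): a region is an arena of objects behind a single entry point, moved whole between threads so only one computation can touch it at a time. `Region`, `ObjId`, `Config` and `run_pipeline` are hypothetical names, and Rust's move semantics stand in here for Verona's region ownership.

```rust
use std::sync::{mpsc, Arc};
use std::thread;

/// Index of an object inside one region's arena (hypothetical name).
#[derive(Clone, Copy, Debug, PartialEq)]
struct ObjId(usize);

#[derive(Debug)]
struct Node {
    value: u64,
    /// Intra-region reference: an index into the same arena, never a raw pointer.
    next: Option<ObjId>,
}

/// A linear mutable region: a group of objects reachable only through `entry`.
/// It is deliberately not `Clone`, so there is exactly one owner at any time.
#[derive(Debug)]
struct Region {
    objects: Vec<Node>,   // per-region strategy: an arena, freed as one unit on drop
    entry: Option<ObjId>, // the single entry point
}

impl Region {
    fn new() -> Self {
        Region { objects: Vec::new(), entry: None }
    }

    /// Allocate inside this region and make the new object the entry point.
    fn push_front(&mut self, value: u64) -> ObjId {
        let id = ObjId(self.objects.len());
        self.objects.push(Node { value, next: self.entry });
        self.entry = Some(id);
        id
    }

    /// Walk the object graph from the entry point (bounds-checked indexing).
    fn sum(&self) -> u64 {
        let mut total: u64 = 0;
        let mut cur = self.entry;
        while let Some(ObjId(i)) = cur {
            let node = &self.objects[i];
            total = total.saturating_add(node.value);
            cur = node.next;
        }
        total
    }

    /// Mutation needs `&mut self`, which only the current owner can produce.
    fn scale(&mut self, factor: u64) {
        for node in &mut self.objects {
            node.value = node.value.saturating_mul(factor);
        }
    }
}

/// Stand-in for the shared immutable region: readable by every thread,
/// mutable by none.
struct Config {
    factor: u64,
}

/// Build a region, hand the whole group of objects to a worker, take it back.
/// Returns (sum of values after the worker ran, number of objects in the region).
fn run_pipeline(values: &[u64], factor: u64) -> (u64, usize) {
    let config = Arc::new(Config { factor });

    let mut region = Region::new();
    for &v in values {
        region.push_front(v);
    }

    let (to_worker, worker_inbox) = mpsc::channel::<Region>();
    let (to_main, main_inbox) = mpsc::channel::<Region>();
    let worker_config = Arc::clone(&config);

    let worker = thread::spawn(move || {
        // The worker becomes the only computation able to reach these objects.
        let mut r = worker_inbox.recv().expect("no region was sent");
        r.scale(worker_config.factor);
        to_main.send(r).expect("main thread hung up");
    });

    // Ownership of every object in the region moves with this one send.
    to_worker.send(region).expect("worker hung up");
    // region.sum(); // rejected at compile time: `region` was moved

    let region = main_inbox.recv().expect("worker did not return the region");
    worker.join().expect("worker panicked");
    (region.sum(), region.objects.len())
}

fn main() {
    let (sum, count) = run_pipeline(&[1, 2, 3], 10);
    println!("sum = {}, objects = {}", sum, count);
}
```

Uncommenting the `region.sum()` line after the send makes the program fail to compile, which is the "accessed by one computation at a time" property enforced statically rather than by locks.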
Pervasive sandboxing
Verona program
C++ runtime library
C library
C / Assembly library
C++ library
C/C++ library
C++ library
TCB, needs careful auditing
Sandboxed, scope of vulnerabilities limited
Libraries are special untrusted regions
Project Verona status
Production quality runtime
Prototype interpreter and type checker
Compiler not started
Open-sourcing to GitHub soon to enable collaborations
Ask me for a demo!
CHERI
CHERI for mitigations
Which exploit chains does CHERI break?
What gadgets can exist on CHERI?
Can temporal safety be achieved?
Microsoft Red team (attack) internship analysed security of CHERI – 12 weeks not long enough to be conclusive
Need a thorough security analysis before it can be adopted as a mitigation.
CHERI for legacy
Lightweight compartmentalisation
• Contain existing libraries
• Single address space
• How can we build applications that have hundreds of sandboxed libraries?
Low-cost containers
• Density important for the cloud
• Can CHERI improve density in Cloud applications?
Conclusions
Microsoft needs security for legacy!
Can we capitalise on CHERI to use existing assets?
Can we architect software to integrate safe new code with old unsafe legacy code?
Project Verona for compartmentalisation
research collaborations
Backup slides
[Diagram: Memory Safety, Scalability, Global GC, Malloc/Free]
Regions open up new possibilities
• Compartmentalisation
• Different regions can be compiled with different trust.
• Distributed and heterogeneous hardware
• Moving collections of objects between devices – can be part of the programming model
• Dynamic update of running code
• Each object accessed by at most one thread, updates can exploit this in the running system
[Diagram, shown in successive builds: Memory Safety, Scalability, Concurrent Mutation, Global GC, Malloc/Free, Ownership, Single mutator]
The Sea of Objects
Region access is single-threaded
C#/C++ Region-based ownership
Only one thread operating on a region at a time
Region ownership is hierarchical
C#/C++ Region-based ownership
Regions have a single entry point

 
一比一原版(Columbia毕业证)哥伦比亚大学毕业证如何办理
一比一原版(Columbia毕业证)哥伦比亚大学毕业证如何办理一比一原版(Columbia毕业证)哥伦比亚大学毕业证如何办理
一比一原版(Columbia毕业证)哥伦比亚大学毕业证如何办理
 
White wonder, Work developed by Eva Tschopp
White wonder, Work developed by Eva TschoppWhite wonder, Work developed by Eva Tschopp
White wonder, Work developed by Eva Tschopp
 
一比一原版(CITY毕业证书)谢菲尔德哈勒姆大学毕业证如何办理
一比一原版(CITY毕业证书)谢菲尔德哈勒姆大学毕业证如何办理一比一原版(CITY毕业证书)谢菲尔德哈勒姆大学毕业证如何办理
一比一原版(CITY毕业证书)谢菲尔德哈勒姆大学毕业证如何办理
 
Portfolio.pdf
Portfolio.pdfPortfolio.pdf
Portfolio.pdf
 
一比一原版(LSE毕业证书)伦敦政治经济学院毕业证成绩单如何办理
一比一原版(LSE毕业证书)伦敦政治经济学院毕业证成绩单如何办理一比一原版(LSE毕业证书)伦敦政治经济学院毕业证成绩单如何办理
一比一原版(LSE毕业证书)伦敦政治经济学院毕业证成绩单如何办理
 
20 slides of research movie and artists .pdf
20 slides of research movie and artists .pdf20 slides of research movie and artists .pdf
20 slides of research movie and artists .pdf
 
Коричневый и Кремовый Деликатный Органический Копирайтер Фрилансер Марке...
Коричневый и Кремовый Деликатный Органический Копирайтер Фрилансер Марке...Коричневый и Кремовый Деликатный Органический Копирайтер Фрилансер Марке...
Коричневый и Кремовый Деликатный Органический Копирайтер Фрилансер Марке...
 
一比一原版(Bristol毕业证书)布里斯托大学毕业证成绩单如何办理
一比一原版(Bristol毕业证书)布里斯托大学毕业证成绩单如何办理一比一原版(Bristol毕业证书)布里斯托大学毕业证成绩单如何办理
一比一原版(Bristol毕业证书)布里斯托大学毕业证成绩单如何办理
 
一比一原版(毕业证)长崎大学毕业证成绩单如何办理
一比一原版(毕业证)长崎大学毕业证成绩单如何办理一比一原版(毕业证)长崎大学毕业证成绩单如何办理
一比一原版(毕业证)长崎大学毕业证成绩单如何办理
 
一比一原版(NCL毕业证书)纽卡斯尔大学毕业证成绩单如何办理
一比一原版(NCL毕业证书)纽卡斯尔大学毕业证成绩单如何办理一比一原版(NCL毕业证书)纽卡斯尔大学毕业证成绩单如何办理
一比一原版(NCL毕业证书)纽卡斯尔大学毕业证成绩单如何办理
 
Borys Sutkowski portfolio interior design
Borys Sutkowski portfolio interior designBorys Sutkowski portfolio interior design
Borys Sutkowski portfolio interior design
 
一比一原版(Brunel毕业证书)布鲁内尔大学毕业证成绩单如何办理
一比一原版(Brunel毕业证书)布鲁内尔大学毕业证成绩单如何办理一比一原版(Brunel毕业证书)布鲁内尔大学毕业证成绩单如何办理
一比一原版(Brunel毕业证书)布鲁内尔大学毕业证成绩单如何办理
 
Design Thinking Design thinking Design thinking
Design Thinking Design thinking Design thinkingDesign Thinking Design thinking Design thinking
Design Thinking Design thinking Design thinking
 
Between Filth and Fortune- Urban Cattle Foraging Realities by Devi S Nair, An...
Between Filth and Fortune- Urban Cattle Foraging Realities by Devi S Nair, An...Between Filth and Fortune- Urban Cattle Foraging Realities by Devi S Nair, An...
Between Filth and Fortune- Urban Cattle Foraging Realities by Devi S Nair, An...
 

Digital Security by Design: Security and Legacy at Microsoft - Matthew Parkinson, Microsoft

  • 1. Security and Legacy at Microsoft MATTHEW PARKINSON PRINCIPAL RESEARCHER, CONFIDENTIAL COMPUTING, MICROSOFT RESEARCH
  • 2. Motivation Microsoft cares about security Microsoft cares about legacy
  • 3. Fixing individual bugs not scaling [Chart: # of CVEs by patch year. 2006: 130, 2007: 109, 2008: 141, 2009: 163, 2010: 234, 2011: 224, 2012: 155, 2013: 305, 2014: 317, 2015: 474, 2016: 417, 2017: 603, 2018: 600]
  • 4. Microsoft cares about security slide courtesy of Matt Miller, Partner Security Engineer, MSRC [Chart: Root cause of CVEs by patch year, 2006 to 2018, shown as a share (0% to 100%) of each year's CVEs. Series: Stack Corruption, Heap Corruption, Use After Free, Type Confusion, Uninitialized Use, Heap OOB Read, Other] Top root causes since 2016:
  • 5. What is Microsoft doing? Remove classes of vulnerabilities ◦ Probabilistic prevention not considered suitable - servicing a vulnerability still required ◦ MemGC - https://msrc-blog.microsoft.com/2016/01/12/triaging-the-exploitability-of-ieedge-crashes/ ◦ Killing Uninitialized Memory: Protecting the OS Without Destroying Performance - https://cppcon2019.sched.com/event/SfYc/killing-uninitialized-memory-protecting-the-os-without-destroying-performance Investing in safe(r) systems programming languages: ◦ Rust investigations, https://msrc-blog.microsoft.com/2019/07/18/we-need-a-safer-systems-programming-language/ ◦ Project Verona, research project ◦ Cannot simply throw away old code!
  • 6. Our research in Cambridge Mitigations Language design Compartmentalisation
  • 7. Project Verona A new language for safe infrastructure programming With David Chisnall, Sylvan Clebsch, Manuel Costa, Sophia Drossopoulou, Juliana Franco, Mads Torgersen, …
  • 8. The application spectrum C# C/C++ Asm Today Boot loader/HAL Core OS components Schedulers/Memory management Exchange/ ASP.NET Azure Storage/ Cosmos/ Data lake Azure functions Desktop Apps Device drivers Systems Programming
  • 9. The space • Fine grained control • Resource management • Latency sensitive • Close to machine • No abstraction over memory • No type safety Systems Programming
  • 10. The application spectrum C# C/C++ Asm Today Boot loader/HAL Core OS components Schedulers/Memory management Exchange/ ASP.NET Azure Storage/ Cosmos/ Data lake Azure functions Desktop Apps Device drivers Infrastructure Programming
  • 11. The space • Fine grained control • Resource management • Latency sensitive • Close to machine • No abstraction over memory • No type safety Inherently unsafe Possible for safe by construction
  • 12. Core ideas: Data-race freedom • Give up concurrent mutation, to enable scalable memory management. Concurrent Owners • New concurrency model that provides lightweight asynchronous coordination. Linear Regions • passing groups of objects • memory management strategies per region (reference counting, tracing, arenas, …) • Compartmentalisation for legacy components
  • 13. Shared immutable region. Linear mutable region. Single entry point. Regions are only accessed by one computation at a time
  • 14. Pervasive sandboxing Verona program C++ runtime library C library C / Assembly library C++ library C/C++ library C++ library TCB, needs careful auditing Sandboxed, scope of vulnerabilities limited
  • 16. Project Verona status Production quality runtime Prototype interpreter and type checker Compiler not started Open-sourcing to github soon to enable collaborations Ask me for a demo!
  • 17. CHERI
  • 18. CHERI for mitigations Which exploit chains does CHERI break? What gadgets can exist on CHERI? Can temporal safety be achieved? Microsoft Red team (attack) internship analysed security of CHERI – 12 weeks not long enough to be conclusive Need a thorough security analysis before it can be adopted as a mitigation.
  • 19. CHERI for legacy Lightweight compartmentalisation • Contain existing libraries • Single address space • How can we build applications that have hundreds of sandboxed libraries? Low-cost containers • Density important for the cloud • Can CHERI improve density in Cloud applications?
  • 20. Conclusions Microsoft needs security for legacy! Can we capitalise on CHERI to use existing assets? Can we architect software to integrate safe new code with old unsafe legacy code? Project Verona for compartmentalisation research collaborations
  • 23. Regions open up new possibilities • Compartmentalisation • Different regions can be compiled with different trust. • Distributed and heterogeneous hardware • Moving collections of objects between devices – can be part of the programming model • Dynamic update of running code • Each object accessed by at most one thread, updates can exploit this in the running system
  • 29. Region access is single-threaded C#/C++ Region-based ownership Only one thread operating on a region at a time
  • 30. Region ownership is hierarchical C#/C++ Region-based ownership Regions have a single entry point
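
Slides 12, 13, 29 and 30 describe linear regions: a group of objects reached through a single entry point, passed as a unit, and operated on by only one thread at a time. The sketch below is an added illustration in Rust, not Verona code and not from the talk; `Region`, `Node` and `process_elsewhere` are hypothetical names, and Rust's move semantics stand in for Verona's region ownership.

```rust
use std::thread;

// Hypothetical model of a linear mutable region: an arena of objects that
// refer to each other by index and are reachable only through `entry`.
struct Node { value: u32, next: Option<usize> }

struct Region { arena: Vec<Node>, entry: Option<usize> }

impl Region {
    fn new() -> Self { Region { arena: Vec::new(), entry: None } }

    // Allocate inside the region and make the new object the entry point.
    fn push_front(&mut self, value: u32) {
        let idx = self.arena.len();
        self.arena.push(Node { value, next: self.entry });
        self.entry = Some(idx);
    }

    // Walk the object graph starting from the single entry point.
    fn sum(&self) -> u32 {
        let mut total = 0;
        let mut cur = self.entry;
        while let Some(i) = cur {
            total += self.arena[i].value;
            cur = self.arena[i].next;
        }
        total
    }
}

// Pass the whole group of objects to another computation. The region is
// moved, so the sender cannot touch it while the worker mutates it: no
// concurrent mutation, hence no data race on anything inside the region.
fn process_elsewhere(region: Region) -> Region {
    thread::spawn(move || {
        let mut r = region;
        r.push_front(100);
        r // ownership of the entire region returns to the caller
    })
    .join()
    .expect("worker panicked")
}

fn demo() -> u32 {
    let mut region = Region::new();
    for v in 1..=3 { region.push_front(v); }
    // After this call the old binding is gone; reusing it would not compile.
    let region = process_elsewhere(region);
    region.sum()
} // dropping `region` frees every object in the arena at once

fn main() {
    println!("sum after transfer = {}", demo());
}
```

Because the arena owns all of its objects, the memory-management strategy is a per-region choice, which is the point slide 12 makes about reference counting, tracing and arenas.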