2. Hello China!
ïŹ
Thank you DEFCON, for supporting me for
almost two decades
ïŹ
Thank you Baidu. Only DEFCON could go to
China, and you helped make that happen.
ïŹ
Thank you for coming :) This is my first time to
your lovely country!
3. SO!
ïŹ
This is a keynote, so Iâm supposed to inspire you
ïŹ
This is a technical talk, so thereâs going to be actual lines
of code on this actual screen (I promise)
ïŹ
The goal: Connect a series of concepts you may never
have thought were linked
ïŹ
Consider this a âSkydiveâ
â Start with a birds eye view
â Dive headfirst into the weeds
â Get ourselves a bugs eye view
4. 60 Frames Per Second
ïŹ
I have a âhobbyâ around human perception
â Ask me about Color Blindness sometime
ïŹ
Thereâs a myth that people see at 60 frames per second
â Works OK for video games, makes people quite sick in VR
ïŹ
Not real
â Obviously mythological, we donât see in frames at all, our eyes jiggle
around a lot and our brain dreams something up
â Itâs why we can dream
â Lots of experiments show the average person seeing well past 60
ïŹ
But why 60?
5. My Traditional Answer,
âWhy 60fps?â
â1940âs television technology, thatâs just how fast
TVâs used to run.â
Correct, but incomplete.
7. Oh.
Iâm used to technology having its own clocks
(quartz crystals).
Turns out you can just use the power lines as a
clock.
(Can != Should)
8. So...
We didnât make TVâs 60fps for human vision
We made TVâs 60fps because there was a 60hz
clock handy
Why was it 60fps?
9. Power was 60hz
Because 1890âs and Physics Were
ïŹ
The induction motor was
found to work well on
frequencies around 50 to 60
Hz, but with the materials
available in the 1890s would
not work well at a frequency
of, say, 133 Hz.
ïŹ
(Wikipedia, Utility
Frequency)
10. So...
So is 60fps nothing to do with human vision, and
everything to do with 1890âs technology?
11. So...
âThere is a fixed relationship between the number
of magnetic poles in the induction motor field, the
frequency of the alternating current, and the
rotation speed.â
60hz wasnât just 1890âs tech.
Itâs also physics.
12. Weâre Made Of Physics Too
ïŹ
Human vision comes from the brain
ïŹ
The brain circulates electromagnetic signals
â
Gamma waves work at 25-100hz
ïŹ
PURE SPECULATION, but itâs sort of cool to go from:
â 60 fps = rate human brain implements human vision
â 60 fps = tricking human vision w/ television
â 60 fps = timing television with spinning magnets
â 60 fps = spinning magnetics at the same rate as the human brain
13. You might be thinking
ïŹ
What could this possibly have to do with bugs?
â We donât necessarily know why things are the way they are
â Usually we do things because weâve been doing them
â Sometimes what weâve been doing is good enough, sometimes
what weâve been doing is bad but nobody realizes where the
bugs are
ïŹ
I like figuring out why
â Stay intellectually honest, and youâll find cool stuff
â Know youâre speculating!
14. No Really, Speculative Execution
Bugs
ïŹ
Spectre and Meltdown
ïŹ
Best explanation:
âDid you go to the coffee shop?â
âNo!â
âDid you go to the bar?â
âNo!â
âDid you go to the club?â
â⊠⊠⊠No!â
ïŹ
Saying the same thing, at a different time, is not always
saying the same thing.
15. What Are These Bugs?
â
There are many variants (which is kind of the idea)
â
Meltdown
â
Try to read data youâre not allowed to
â
Youâre told no, but at the wrong time
â
Spectre
â
Try to run code youâre not allowed to
â
Youâre not allowed to run it, but other things go faster or
slower based on what you werenât allowed to run
â
What went wrong?
16. We Assumed You Could Only Detect
Cached/Uncached, not Content
â
Wrong because when you read memory, you can say
âGive me this information at (address plus a value
between 0 and 255)â
â
Youâll be told no, but now you can check:
â
âDo you have the value at address+0?â
â
âDo you have the value at address+1?â
â
âDo you have the value at address+2?â
â
Fuzzy, but you can check many, many times on a
gigahertz processor, and you can flush the cache and
start over
â
CLFLUSH
17. We Assumed We Could Make
Computers Faster
â
âWhy do we have these bugs? Isnât this just
math?â
â
Lots of nerd shaming
â
No community in all of technology proves the
mathematical correctness of their work more than
microprocessor designers
â
They are the industrial market for theorem provers and
SAT solvers
â
But you have to prove the right things in the right
context
18. The Same Thing Might Be Predictable or
Random Based On Context
â
A corporation can be relatively predictable
â
Plodding, even
â
An executive at that corporation can be erratic
â
Might quit tomorrow
â
His heartbeat however is relatively predictable
â
An individual heart cell in that heart might not
â
All four scales occupy the same point in time and space
19. NOBUG, MUSTFIX
â
The theorem provers did not fail when they
showed no leakage of information between
contexts
â
The right bits went to the right places
â
The theorem provers werenât being asked to
show there were no timing variations
dependent on secrets
â
Most, if not all timing variation is defined to
not exist at the scale being proven
20. The Great Repurposing
â
We turned a stability boundary, into a security
boundary, and hoped it would work
â
Historically, most code would crash all the time
â
âHistoricallyâ
â
The game was making sure it only corrupted its own
resources
â
The theory was that hackers were just a new source of
misbehavior, letâs just isolate them like we isolate
everything else
â
Even independent of time, that hasnât worked amazingly
well, but in the context of time...
21. Hacker misbehavior
Hackers are better behaved
They change smaller things (from a computerâs
perspective) that are bigger things (from a
humanâs perspective)
Spectre and Meltdown change time, which is
defined as nonexistent to the microprocessor
designer, and made to be information carrying to
everyone else
22. Worth Noting
â
Some of the exploits against
Spectre/Meltdown exploit the system
scheduler timer
â
One tick every 15.6ms on many platforms
â
1000ms/15.6ms == 64fps :)
23. Spectre and Meltdown Leak Bits.
You canât leak bits you do not have.
â
There is a hidden architectural choice behind these bugs
â
Context Switching
â
âWe have one computer that must pretend to be many
computers, with many different security levels.â
â
There is another decision that can be made
â
If you want two security domains, get two computers
â
You know, computers are small now.
26. Yes, we had to write patches for
everybody
â
Yes, weâre putting these patches everywhere, whether
thereâs a security boundary crossing or not
â
But yes, not every individual node has two security
domains
â
Sometimes, the only user really is the administrator
â
Sometimes, the administrator is only not the administrator
when running a web browser
â
We are sort of getting this information down to where it needs
to be in the chip
â
Thereâs a fair amount of âimpedence mismatchâ, and a lot of
microcode patching right now is just trying to get even process
ID into the branch predictor++
27. Explicit Security Domains Will Come
ïŹ
Security domains are not users
ïŹ
Security domains are not processes
ïŹ
Security domains are not even constrained to a single
kernel or a single machine
ïŹ
Theyâre their own space. All the Spectre/Meltdown
goop going on is trying to give the microcode an idea
of whose context theyâre working on. Weâll fake âwhat
security domainâ with that...for a while.
28. Surprising Amount Of Activity Around
OS Design Out There
â
User/kernel is not only not always a real security
boundary
â
User/kernel is actually pretty slow
â
Everything fast gets rid of it
â
DPDK networking running entirely in userspace
â
Kernel Mode Linux from back in the day
â
âRump Kernelsâ arenât kernel-less â they just run full BSD (or
even Linux, w/ LKL) kernels in the same memory space as the
application
â
HPC is actively working here â mOS, Hermitcore, Kitten, etc.
29. Why Am I Telling You This?
â
Security that doesnât care about the rest of IT is Security that
grows increasingly irrelevant
â
Computing in 2023 is not going to look like Computing in 2018
â
Computing in 2018 doesnât look like what most people think
computing in 2018 is
â
âThereâs no such thing as the cloud, thereâs just other peopleâs
serversâ
â
...with other peopleâs pagers.
â
The scale of computing has completely changed, how we fix
our security problems is going to require different viewpoints
30. The Flipside
â
If youâre just looking for bugs, look for the things people
think donât matter
â
Attack there.
â
Bugs arenât random because their source isnât random
â
Developers write certain bugs based on what they arenât thinking
about
â
Bug finders find certain bugs based on what they know
developers arenât thinking about
â
This is not always conscious
â
Itâs usually true, at least in anyone Iâve found thatâs good at this
31. Right about now is a good time to
introduce
The Catchy Only Vaguely Correct Catchphrase
Designed To Spark Interest
33. What Do I Mean?
âWe only make the car turn left. Those other guys
handle the car turning right.â
âItâs just my job to get the plane in the air. If when
and how it lands, not my problem.â
Itâs not that there arenât different teams â itâs that if
you donât care if your work affects the other
guys...thingâs gonna crash
34. Thesis
Thereâs no reverse engineering, thereâs no
forward engineering.
Thereâs just engineering.
There are cultural elements in engineering that
block the integration of forward and reverse.
The primary one seems to be...
36. Penetration Testing
ïŹ
âHackersâ like to talk about the former
ïŹ
We are a specific branch of the latter
ïŹ
The latter shouldnât be split off, but it often has
to be
â Everybody always sees their own code for what it
should be doing, not for what it actually is
37. Whatâs Happening
ïŹ
Large amounts of tooling are isolated to the testers
ïŹ
Creates an enormous bias in developer knowledge, they
end up not using tools and patterns that are too âtest-yâ
ïŹ
Ends up biasing the code they think they can write
â More technically: Ends up biasing their transformations in a
particular direction
ïŹ
Compile time influences runtime
ïŹ
Runtime doesnât update the source to be compiled
â Less technically: Like a car that pulls right
38. Concrete Example
ïŹ
Fortran is fast (still).
Python is slow (still).
Except if you use Numba.
â Finally, a practical environment for transforming standard-ish Python
into high perf CPU/GPU code
â Requires, like all optimizers, knowledge of what types of data itâs
supposed to optimize for
â Games of constraints: If I can constrain whatâs coming, I can throw
state away and optimize only for those expectations
ïŹ
What happens if I constrain incorrectly? CVE numbers.
ïŹ
Thatâs why security is involved. Perf and sec are not separate universes.
39. The Problem
ïŹ
Python is dynamically typed, integers or floating
point numbers or strings or whatever are
distinguished at runtime
ïŹ
Developer pain required to declare up front
what types might pass through
40. Another Competitor Enters The
Arena
ïŹ
PyAnnotate by Dropbox
ïŹ
Monitors types used during test or production,
updates the code in-place with annotations
ïŹ
Thus far, this hasnât been extended to numeric
optimization for Numba
ïŹ
Solves the problem that developers donât actually
know the right answers for expected types either
ïŹ
Considered appropriate only for âlegacyâ because
42. The Approach Seems Weird
ïŹ
âIsnât this Profile Guided Optimization?â
â No, this actually changes the source code
â This is also not constrained to performance, i.e. could apply security constraints
(probably been some work here)
ïŹ
Pair programming with a machine?
â I mean, we lean on libraries a lot, to the point a lot of dev is figuring out what
legos to stick together
ïŹ
Developers are supposed to know what the system is supposed to do.
Theyâre not supposed to learn what the system is supposed to do by
watching it fail!
â A) Thatâs totally what they do
â B) Thatâs totally what we do
43. Developer tools usually assume the
developer is right
ïŹ
Optimization throws out information unneeded
by the present system
ïŹ
The present system is wrong, a new system is
needed, the information about how we deviated
from correct to suboptimal may have been
thrown out
ïŹ
So thatâs how test tools â hacker tools â differ
up front. Weâre looking for that developer error.
44. But everyoneâs tools are kind of bad
ïŹ
âThe difference between reverse and ânormalâ engineering is
whether you have the source codeâ
â Assumes the source code is more comprehensible or predictable than
the compiled form
â I knew a guy (who will laugh when I send him this slide) who audited C++
from the compiled binary, because âwho can dig through that mess, just
give me the binary and Iâll walk through the table myselfâ.
ïŹ
Ultimately the more we can monitor the operation of running code,
in the context of the source code generating it â the faster the loop
between misconception and correction can be â the better
software (or the more bugs) weâll find.
45. Where Iâm Going With This
ïŹ
1) Full system source debugging
ïŹ
If things are so open source, whereâs the source? Why am I
specifically recompiling things I happen to be interested in, one
library at a time, including the kernel?
â Questions actually do have answers: Debugging tools donât want to
take a hard dependency on source being available
â Went to an SSD developer some years ago, I donât think there is a
single company on the planet with all source to one of those
â But I can compile Gentoo from sourceâŠ
â Yes, itâs very nice.
â Apt-build on ubuntu also âkind of worksâ â good for individual targets
46.
47.
48. ADB is old and busted
ABD is the new hotness
â
Always Be Debugging :)
â
âBut what about security boundaries? Am
I going to have to type sudo all the time?â
49. The Problem
Ever get the feeling itâs easier to be root onâŠ
someone elseâs machine? :(
50. Alas
â
Attackers get root for years
â
You get root, one line at a time
â
Itâs still me!
â
No really, still me.
â
And you get such a variety of software
behaviors, too.
55. This is just as silly as
sudosudosudosudosudosudo
ïŹ
One quirk
âCanât just switch effective user all the time, thatâs part of why sudo is
a mess
âPresent plan: Make permission checks pass, but otherwise keep
users what they are
âUse the switches to control precise parameters (they glow!)
ïŹ
This is actually common behavior, we just donât notice it
âVMâs are fake roots
âContainers are fake roots
â
HUGE reason Docker succeeded
âKali Linux is a real root
56. Jupyter is almost great
ïŹ
Web based reboot of interactive programming
ïŹ
No internal interface for adding packages
â
That would depend on root access!
â
(But VirtualEnv) SMACK Itâs a polyglot environment,
supports lots of languages
â
Whatâs going on?
57. As usual, thereâs actually a reason
ïŹ
There is an answer to why weâre moderately careful doling out root
access, and itâs actually not really âweâre afraid of hackersâ
ïŹ
Users can actually break their machines pretty easily, and then come to
us complaining
ïŹ
One class of fixes involves applying a talent bar, to be able to break the
machine, or making as much software as possible not put the machine
at risk by rewarding it with being immune to The Prompt
ïŹ
Another class involves...just making it easy to fix the thing
58. VIMCEPTION
â
AKA âFork The Universeâ
â
Boot the running system, into a VM, with
the full existing configuation, knowing we
canât break anything
â
Possible?
65. A Hard Question
ïŹ
Why are we vulnerable to ransomware?
ïŹ
âBecause the attackers can delete our dataâ
ïŹ
Why can attackers delete our data? Why can we? Isnât storage cheap now?
ïŹ
Equivalent for ephemeral installs: Why do I have these difficult to protect,
expensive to replace persistent installations?
ïŹ
As debugging didnât want to take a dependency on source, security may not
have wanted to take a dependency on zero persistent storage.
â But that might be the right design to work with, to allow arbitrary âdamageâ to be done
and always be able to return to a known safe state.
66. Closing Thoughts
â
We should not separate development and testing
â
Our hardest problems in security require alignment
between how we build and how we verify
â
Our best solutions in technology will understand the past
to see the future
â
All that matters is how well we protect users, and provide the
services that they need.
â
Our personal development cultures are not as important as
actually getting the job done :)