The next WATCH Talk is scheduled for July 17 at noon EDT. Crispin Cowan will reflect on decades of defending imperfect software. Dr. Cowan works for Microsoft adding security to existing operating systems, including the recent Windows 8.1 release. He is especially interested in usable security and effective sandboxing.
Abstract:
“Perfect” (bug-free) software is impractically expensive and slow to produce, and so the vast bulk of consumer and enterprise software products are shipped when they are “good enough” but far from bug-free. As a consequence, there has been a constant struggle to keep attackers from exploiting these chronically inevitable bugs. Much of that attention has been on memory corruption attacks against type-unsafe C/C++ programs, but in recent years it has expanded to the web, where most development is done in dynamically typed scripting languages. This talk will review the evolution of increasingly sophisticated memory corruption defenses, followed by attackers discovering how to bypass them; how the mitigations have caused attackers to choose to exploit other, non-memory-corruption threats; and some surprising similarities between the memory corruption issue and the scripting issues.
The talk will be webcast; you can register here.