Offense & Defense: Notes on the Shape of the Beast - Sergey Bratus

good morning everybody howdy so you might notice that I am NOT Sergei baddest he's hiding out back and he has lots of wrong long Russian stories to tell and if you ask him politely at the bar afterward he'll tell you more long Russian stories and you'll learn all sorts of cool stuff you'll learn that fingerprinting isn't useless you'd be surprised you learn all sorts of fun stuff and at the same time you get these nifty drink tickets when you take them to the bar and you get your free beer this matter of etiquette do you or do you not tip on that beer you do you tip normally or extra graciously because you're not paying for the beer

thank you kindly here's Sergei Broadus thank your neighbor thank you yeah now that we're clear on the protocol we may proceed I'm Sergei it's great to be here I am really pleased to see this thing which I never thought I'd see outside of my basement again yeah at the bar I will tell you a story about how I owned one and how it was worth a monthly salary and how I lent it to a friend and then this friend started avoiding me because he didn't want to give it back and so I had to waylay him while he was saving files onto it and reclaim my precious floppy well yeah I mean this is I believe you

me this is as close as it gets when the closest place you can buy those things is like five 600 miles away so I'm going to rant today on something that's very near and dear to my heart the place of offense in the grand scheme of things so I work for a college right you can see the little well you can't but hey and occasionally I go to academic conferences and the sort of the attitude that you get there is offense you or Oh yet another attack paper and this is a changing luckily but there is still quite a bit of that out there and we might actually you know who said you could you can quote the tweet

let's let's go to tweet right so here's John Lambert of Microsoft who posted a series of tweets that are each worth of paper that's one of them if you're Shaima tech research you misjudge its contribution offense and defense aren't peers defense is offenses child so this is the point that I'm going to argue hopefully with some good stories but then of course immediately it attracted a response from Marcus Ranum who is another great old security guy and he said coevolution is the answer right and the question is stupid and I actually maintain that John Lambert in this one has it because coevolution is the strange thing right when you say coevolution you imply something like

this right so here is this bird with this big completely useless except for a reaching into this flower and so they sort of reshaped each other somehow strangely or maybe this is just some sort of a weird joke right and you know maybe it's coevolution but what is quibbling exactly right and how is it getting there any problems we didn't do adjust the audio for the other track they came here you okay well hey projector dance continues never ends so I so here's the thing how is this I mean there is certainly an arms race there is certainly offense chasing defense chasing offense but are they really as random and meaningless as the birdie and the flower I say no and it's

not just adaptation which just takes you down some weird path while you could have gone in many others again this is what I claim and when you ask me what is coiling and what is going on I would say what is evolving I would say our knowledge of the universe our knowledge of the universe or what computers actually do and how we can actually build one that we could finally trust because obviously we we can trust the current breed and so what's the shape of this problem right it's like the five blind men are philosophers and the elephant right so you know is it what is security right what is the shape of the beast is it pentesting is it the

AppStore you will notice the snake and the apple must be somewhere nearby right or is it the strong foundation the crypto or is it the policy which is just kind of like hanging down on the side or is it firewalls or is it the fancy user experience thing and you know and of course you hear a lot of talks people commenting on the word insecurity what is the security elephant well actually it's kind of sort of like this right so are the whole problem with computing is that we don't actually know what we're dealing with and it's much much bigger than we can imagine and it's much much more complicated and so we're sort of groping around and not even

finding the interesting pieces okay so yeah enjoy the elephant right enjoy the elephant which I blatantly stole from a genius artist so here is oh this little rundown on what offensive computing is according to me the problem is that we are really really bad at predicting the behaviors of the systems that we build and there are good mathematical reasons for that which I will touch upon later but basically the problem is that we build a thing and it turns out to be a completely different thing with emergent programming models which attackers immediately take advantage of and with emergent Trust properties which we know is being pwned and our pensive computing is actually filling out the shape of

that beast of the actual beast and our the diff between that and what we think we built and so there are three major reasons of why this is actually a science right first it reveals the mechanisms this is the most interesting thing about any exploit it's not what kind of a system you compromised it's not you know what the impact on the power grid or something else would be it's if you asked me and Travis its what the mechanism of that thing is what is it that you programmed that wasn't supposed to exist in the first place and then of course from that we get to the point that you think this as a feature

you think this is a bug but actually designers almost never think right and it's offensive computing that shows or what they actually designed and finally we you have this exploit computation it goes through those illegal states that the system is not even supposed to be in these states make up a universe offensive computing discovers that universe and this is actually a very very close to what the grand old mathematics does and the branch of it that became computer science so up top is Hilbert David Hilbert a mathematician who instead of solving grand problems actually formulated them and his contribution through that was much better and bigger and lasted you know it's still lasting for us and one of his

problems was can you build a machine that can prove mathematical theorems you put a theorem in you find out on the other end if it's actually true or not and if it is then you get the proof and that started a gentleman down down on the bottom are Alan Turing and Alonzo Church exploring trivial rewriting systems so think algebra think rewriting formulas what if you could have a thing that would rewrite formulas very precisely very dumbly and very very fast would that thing be able to fill David Hilbert scooter and out of that emerged the fact that we all intuitively know they call it undecidability we call it that you can't automatically find bugs and you can't automatically find all

bugs and ones just because such a program that would go out and for any program find all the bugs in it would be impossible this is proven this is a grand mathematical result again attributed to Turing which actually gave the name to the Turing machine which is our most powerful computing model but again this is something that we know and love every day because that's basically why you can't put a program through a wringer and have all the bugs are sort of distilled out of it and found out exploits are actually proofs so you may have heard me say this before you're all mathematicians because a and exploit is proof that a computation that is not

supposed to exist actually exists you're writing a program for the machine that wasn't supposed to be there but is so sometimes they are as powerful as can ever be we don't care if it's just one memory overwrite that gives you a root shell you don't care that you can write any program and compile it into those combinations of bugs but we don't yet know how to find those things in any large quantity but every one we find is precise because you can't argue with the root shell once the exploit is written it is not evidence it is proof in the mathematical sense that the thing is there and that it there is actually an extra leg or an extra cluster of trunks

on the beast so methods I'm going to tell you are three tails that I think are important in in which they show that this so-called coevolution is not actually a random and it's actually a scientific process that converges to something much larger than just funny shapes matching other funny shapes so the first thing is that the features security measures when introduced are almost always mislabeled so you think it protects against X but it's actually something completely different and again the real meaning of a security measure is only found when it's circumvented and at that point it does not become useless because the sword does not become useless because of a gun but it's just useful it turns out

just exactly when it is useful for what tactics at what quarters then you have that a circumvention or you have that exploit and there is a really good that the thing that you are that you have found is already out there and so again we'll see a story about that and then finally if somebody has designed something which is security critical and put it right in the middle of the system chances are that they did that for power management or remote administration or something else but in fact they just created a huge security hole and eventually that security hole will become a security feature so we'll talk about that as well so here is a

technology that was created by hackers tested by hackers deployed by hackers and then eventually became a part of your standard Windows system and it all goes back to the point that the gist the push EBP move ESP EBP and the RIT and the leave in in front of it these things together are a machine the program for that machine is your stack and people realize that a long long time ago in 1990s lf1 was not the first one to invent it but he was the first one to describe it properly and then what happened next in the next couple of years was non-executable stacks back then of course the NX bit did not exist so people emulated it open wall solar

designer and packs the pack steam pea patch emulated the NX bit so that should give you a pause right the major feature which eventually became a part of the platform was actually deployed by like two guys separately from each other apparently and then people found ways to actually bypass that so you have your return-oriented programming which got that name like eight years after it was invented describe documented and frack so the academic community woke up to this because home of Shyam in a amazing hack in amazing social engineering hack proved that Oh pieces of Lib C could be turing-complete and then academia took notice prior to that they were largely unaware of rope which by then existed well since 2000

and now of course you have thousands of papers written about Rob and job and you know whatever have you any instruction in x86 can be a basis for oriented programming like new oriented programming how about that except if you look when DEP was introduced it was introduced as a protection about against buffer overflows just think about that this is a quote from Microsoft's own service pack to release notes isn't this weird right so we know that it does absolutely nothing to protect against bother of buffer overflows and in fact rope well or you know the frame chaining technique that frak published in 2000 and era of course security disclosed on backtrack at about a few months earlier

it completely put to rest the misconception that DEP was a protection against buffer overflows no it brought broke one particular technique in which you just took the return address and put the code on the stack and jump to it yet this is my first point when a protective measure is introduced it is most likely mislabeled and we don't know what it does until it is circumvented so how about this story remember stoned I do because I infected my PC with it back in the day with the help of this thing right so back then I your PC would boot from just about anything you forgot in the drive if a friend of yours gave you a disk

with a game and the boot sector contained the stone thing well yeah you peop she was seriously stoned and you know that's how you learned about the Master Boot Record and then that was in like nineteen eighty-something 1985 1987 and then it went away because you could compromise Windows and load things into Windows and absolutely you know at absolute ease using all of the windows programming tools and all of the windows system support and you did not need to monkey around with the MBR except later that thing came back it's like The Return of the King right well the anti King anti-popes something like that so Microsoft started signing their modules and started checking the

signature and so how do you get around that well of course you start your infection before Windows actually starts itself so suddenly this 1987 technique was back with a vengeance and that knowledge of the MBR that that became lost you know once again the sort of Lord of the Rings theme you know you come on the city a ruined tower somewhere and yeah great kingdoms used to be here well so now they're back and this is great if you're playing offense or if you are dissecting those things for a living but how did we actually find out about them how did we find out that it came back well it was a couple of proof

concept presentations at blackhat one of them was even describing a thing called stoned although it should have been called you know stone reloaded or stoned reborn or something like that and if you look at the timeline these things developed into boot kits but basically the first of them were found in the wild when we actually figured to look and that was after the boot kit POC was shown same deal with more interesting x64 things like al Merrick TLD 4 and other boot kits again first you see the proof of concept you have the offensive security do its thing explore yet another part of the beast yet another corner of the universe and then you start looking for these things

in the wild and lo and behold they are there guess what we're discovering a thing that actually exists we are the blind man with the elephant now this is my favorite story SMM and I confirmed it by talking to people who actually hacked it and are working on it for Intel that feature which now we know as the lair -1 or lair - 2 or one of those you know the arcane security cornerstone of the whole system it was introduced as a power management feature so imagine you can hijack any calculation any computation you can have a state in which you can examine your caches even and your memory is weirdly remapped and all of this is

done to make your battery run a little longer yeah people who pay money for that so it was power management admin in mentoring and that kind of thing totally outside of the security domain so attackers figured out its actual execution model and its children to the rest of the system the people who designed it had no idea of these things and then seeing the slaughter that was done to security of platforms with SMM then the designers actually redesigned it and reinvented as a security feature and this is a very very interesting and cautionary story so first things get invented then they get mislabeled then they get actually studied by offensive people then they get redesigned to actually become

security features so here's the timeline alloy - flawed in 2006 used SMM to bypass open BSD secure levels so yeah open BSD people are looking to get them trouble there and just basically you know what is an open BSD secure level right ok yeah it's it's nice to have a paranoid system it's interesting that the paranoid system is actually the first target and the canary because of course you know who doesn't like making fun of that kind of thing I don't know so then as usual we quote frack and the quote frack again and you know you go by the book and verse and this is your BS daemon on the system management mode hacks and then Cherie

Sparks writes a first SMM rootkit and then there is another frack article on this and then during the root Kousaka experience on that mightily with a cache trick in which you can talk to the other memory and you can confuse the main computation as you switch back and forth through the caches so this is a very graceful result again out of these results the model of the thing is eventually assembled it's not there when the thing is introduced and then finally you have all of the security architecture that was built on top of that once it was realized just how important this was and how central to securities it was the authentication variables and the trusted

bias and the the other asanam work out of mitre and of course all of the viruses and all of the things like the flea and the tick and other things that Gino Kova quarry collenberg and others showed and so you never get to know the beast until you actually spend a whole lot of time around it and let's hope you just like the feel of you know what you're finding usually you do right that's why you stay in the area so here is my point offense is defenses parent because offense defines the universe in which defense lives so let's look at this from two different angles one angle is the familiar exploit development you have

the programmers model in the programmers model functions never get jumped to in the middle of don't know how to express it better right right and instructions are where you put them and if you didn't put that instruction in memory it's not there wrong because of course you can jump into the middle of an instruction and on x86 and then arm even made it a feature with thumb right so and of course there's the I mean I've talked to some computer science professors who were unaware of arm and thumb being the sort of the good brother and the evil brother right so yeah then there is the binary representation which is what we know and love gadgets over writes out of

type references all of that all of the memory corruption that you can make serve your program that you actually program and chain up the bugs the bits and the features to actually make your exploit and then of course there is the physical representation which is even worse there is crosstalk there are things like row hammer right there are things like packet and packet which I will revisit and it just turns out that the the universe that you thought you plumbed and you thought you knew it just suddenly expands in bursts so offense defines the universe in which defense lives and it not just doesn't just define it it expands it there are no relevant variables in defense that are

not derived from offenses exploration of that universe so think of spelling bee right can you use this word in a sentence this is your best test for what this word actually means which is why it's used in spelling bees because children are really good about remembering gibberish and giving back gibberish and this has been basically the nature of Education for as long as I can remember myself people who are older right you tell me if it was like that before and very very rarely you can actually you're lucky enough to find the teacher who doesn't just wanted you to regurgitate but to understand and then of course for math this is we know this that you don't actually understand the

figure you don't actually understand a fact until you use it in the proof and math without proofs evil is a profanation of math it's like the worst thing that could happen to the civilization and I'm sure it happened before too many other civilizations which is probably why working hypotheses they are former civilizations because regurgitation costs right I posit that you don't understand a bug or a feature until you can use them in an exploit by the same general principle of how things work so our all bugs shallow given sufficient number of eyes he'll know right bugs are not even understood until they are exploited and of course as you know there are problems that are np-hard

np-complete you cannot solve them until you try just about every combination of things our eyes are not really good at doing that no matter how many you bring to the job so this pronouncement that all bugs are shallow given enough eyes may be true when we evolve a separate brain for solving and p-complete and pig heart problems or doing search of infinite space is really really fast otherwise I know right and bugs are just bugs yeah sure and an instruction seek an instruction set architecture is an instruction set architecture and of course your move which can be actually used to write any program in just a bunch of move lookup the move skater well it's the instruction is just an

instruction so you don't understand that until you've actually seen it used in a thing called weird machine I Quinn the term I have to admit to that but however flake Thomas dalian actually gave it the recognition which I do not believe it may have deserved but anyway so I gave a talk at the German conference and after that we talked about how these things are on math and he is of course a better mathematician than I am and in his infiltrate talk he explored this and he said that exploitation is setting up instantiating and programming the weird machine and that's exactly what it is and I should have said that right so you have that state which the system can be in

but shouldn't be in and this is why people who do functional programming say illegal state should be unrepresentable and there is wisdom and that and this is what in the link community my other thing this is what we describe as the state should be explicit or eliminated you should be able to examine it you should be able to understand it or you have to kill it I'm sorry it's just either this or not trusting your computer anymore forevermore and then your exploit is actually a machine a state machine ticking between those illegal states and transitioning between them just like in college they tell you about the finite automata and yeah that's a great model that's exactly what an exploit does it's

just that the automaton it is written for is in your code but you don't know about it and this is not really all that different from the CPU and I'm just quoting from those slides because I love them so much like I said I should have written them so it's not different from any CPU you've got a really weird move that moves this thing over there and this thing over here and corrupts that memory over there and then you compensate just like the Rubik's Cube you turn it and you turn it on you turn it and you you think that you completely destroy the order but then you turn it a couple more turns and then suddenly it

turns out that you just swap those two cubes on the different on the opposite ends which is what you wanted to do and so this is how these things work so there is this normal intended functionality and then the there is the unintended the weird the illegal and yet you can program it you can program it either precisely or prove basically so you try this so many times and it works so there is this enormous universe of the state of our computing systems that we have not yet plumbed that we do not yet know that would not yet understand offense is our fleet of discovery think sci-fi think colonizing space think of yourself exploring a

technology as basically boarding one of those ships that takes you away forever so that you could discover a planet and settle it and you know maybe in a thousand years have a war back with earth right right this is what offense does yeah we're a long way away from the Beast but then of course you think Lovecraft you think all those entities existing in space and so the metaphor come kinda comes back together right enormous entities in the center of the universe gibbering madly in assembly code and of course how do we know the universe expands well we can kind of observe it right so in 1990s you had those wonderful tricks solar designer return to Lib C

Tim Newsome how to combine those two things how to chain them then here are and others and then the frack article which is a great article so this is a 2001 by Nergal has great poetry which is what you really appreciate in a science paper which is what you used to find in the great science papers yeah not anymore because science just became the sort of a buttoned-up exercise yeah good luck anyway so then a boom that universe expands and we have the things like a poisoning kernel from user space described by Jer security packs and protected with by UDF and then finally finally we get things like snap snap noticed by the major operating systems hopefully entering

into the main line again after years of being invented and tested out by hackers after who emulated the hardware that should have been doing this because the hardware was just not doing it right one of the best tricks to understand the older x86 MMU before the level 3 TLB cache before the STL be that can that converged the itlp nd TLB lookups is to look up how no exact in pax was implemented it's a wonderful exploration of the extra space in that state space state space machine and this is exactly what it is this is how it's written you know mathematicians come in all walks of exploration not just in math and then are you know these days we have

interesting stuff with weird machines everywhere and the universe is still expanding right so with neighbor Travis we've done our little bit for blowing up the universe of digital radio so imagine if I if we told you if you heard a few years ago that you must have a radio to inject raw frames into a digital radio 5 you would have said yes I would have said yes right I mean radio is this kind of a black box and with modulation and whitening and who knows what else and you just don't you know you need to buy that radio and if that radio is not available for sale then your Phi is secure your Wi-Fi is secure because you

can't just buy a card that can inject an arbitrary frame yeah right the odd that was that became known as the month of kernel when people realize that yeah you can hack up those things and then you can push out a probe request that crashes your Colonel or takes it over going with 60 seconds was the talk that used in the affairs on the Mac but you know many others followed and so this is false here's another one bites can only be received if sent as such so I send you you know an a7 and you receive an a7 and if you receive like an a6 then that's because I sent an a7 right and noise

kind of maybe stepped on it but you'll catch that with the frame control sound ah no you can actually send frames which have absolutely no symbol in common with the frames that the receiver will actually receive so the packet and packet trick which was predicated on the noise always being there and stepping on just a few symbols just a few bytes over transmission and therefore interfering with reception of frames thusly so you've got your bytes in the air and you've got the circuit that's just catching them catching them catching them catching them catching them but you don't know if that's a frame or not because that's just bytes so you have special bytes that mark the start of the

frame and then give the length of the frame and then you know then you know you are in the frame so it's just like a regular expression or sqli so this is exactly like SQL I write in your payload you can include for some Phi's not others a perfectly valid byte for byte image of a frame then if the noise steps on this start of frame delimiter

yeah start the frame delimiter then how does the radio know that the frame begins it doesn't so if you include that kind of a thing in the payload itself then the radio will see ah there is the preamble okay and there is a start of frame delimiter okay so now we're in the frame except we're way in the payload of the frame which you can control without controlling a radio which you could control being miles away without an antenna just by exchanging some traffic with whatever you have in that wireless lab and then it's got the right length in the right frame control and well you know you've received the frame right turns out this is not the end of it you

can actually shift the encoding of those symbols but white by 1/8 of the nibble 1/8 of a nipple neighbor if you were there wave because this is an excellent result right a result that that totally surprised me and then it turns out that here's yet another misconception now if you send the frame loud and clear and there are compatible radios sitting around they should all receive it right if one received it then so should the others right wrong because by varying the length of the preamble you can actually have some chips miss the frame completely regardless of the noise level regardless of the power they could be sitting right there it's just that they're matching little matching

automaton that's sinking on the preamble they're looking for the start of frame delimiter then extracting the bytes out of the air into a buffer rather than discarding them just doesn't grow that and so half of your chips or one manufacturer can get that other half doesn't who you well we kind of had a hunch which is why which is why we started looking at the fingerprinting of those things and when I first met the neighbor he was like fingerprinting is boring and I'm like no it's not and then we'd we drank on it and then we drink some more and then we put in a couple of years of effort and then it turned out

that yes fingerprinting the receiver and matching that receivers world is not boring at all you can see you can have receivers G things that are not there like I see dead frames or maybe I don't see live frames it's just that there are shapeshifter frames they are spoken in a dialect that chip does not understand and all of that came from the this very basic idea that offense is just probing the universe the calculation the computation almost always is more complex than it is than it seems and it was designed and you have to explore it to understand what actually there you never know when you hit an interesting trunk of that meta elephant and so I

have this metaphor for you I don't know if you would agree with it or not but I have to try so people calculated things people computed things since a time immemorial you know ancient babylon which you know was an interesting culture i'm sure i mean they could build things that you know you look at some of the homes today and you wonder well what have we lost of that ancient technology right maybe that's because they used cuneiform and then of course all over the place in the arab world you know this is how many of the old mathematical tracts survived and others were faked as having done so and written by interpreters translators who actually you know pass

them off as the old mathematical tract where's it contained their results so publishing was interesting way way back then and of course this is all over the world great mathematical traditions all over the place but all of those things if you learn them the way they were taught they were interesting properties of specific things say the how do you make the right triangle well you take a triangle with the sides four three and five and you tie those knots on the rope and you make a triangle out of them and lo and behold you've got the right triangle and here that with that piece of rope you've got yourself an angle excellent well now you can build things or you

know design them and there were so many things about the different numbers and the different figures to know until this guy came along and so quadratic equations were considered to be really tough because there were so many partial cases until Francois Liat introduced the language which we know as the language of algebra and you could describe the computation just so-so that which you had to spend your life fasting and practicing wisdom and whatnot now you can actually write it down for you know sixth graders seventh graders it puzzles me to no end how quadratic equations are managed to be made into the bugbear they are for so many people because now that you see this is like science right you really

need a special kind of preparation for this so take an adult who knows how to read and likes it presumably look at adult in the room with children for years so then how come the children emerging after those years still don't know how to read and don't like it like you can't do that with just your garden-variety you know tricks you have to have the pedagogical science for that you have to have degrees in this otherwise it just wouldn't work I mean children would actually learn to read and say thank you and you know rate the bookstore or something same thing with math right we're far far away from the times when different villages basically competed in who would

make up a problem that the other village could not solve actual medieval stuff right yeah so algebra a way of exploring all possible values at the same time and so with the quadratic expression with the quadratic equation of course there are some cases when the values are illegal and the equation does not solve and then you get what you call complex numbers because people explored why and because people explore those cases and actually came up with a more general description of them I pause it this is very much what we do with features and bugs in our systems we explore widen they do not work and then we come up with a generalization of what

is actually there and how it does work and so we progress so that we're not bending to you know reach into this strange funnel that is Windows or Linux or Mac OS we are actually discovering the very bits and pieces of the structure of the universe so that art of abstracting a way of dealing with the illegal things and even finding out which ones are illegal you have to have the general procedures you have to have the general formulas for that this is what offense is to defense this is what algebra is to the rest of math certainly to arithmetic and you know how do you represent that illegal state well first you have discovered it then you have to poke

around then you have to try to automate this and then eventually you might actually get complex numbers which give you oh I don't know the best shape of the wing for a plane what that was the application of this that I learned although of course in my case it was not planes it was things that burn their fuel in the first five minutes of their trajectory Soviet stuff space race right we're all like going into space right well no we're actually kind of going up into space and then down on the other side of the ocean yeah we're not from brown the moon race that kind of thing it's interesting to know just what the

arms race got us all things considered so proofs right here is a paper that was written in 1969 which was our last best hope of achieving a reliability documentation and compatibility this is what we know is the software verification how far are we in that okay well we're making progress this is good we found a lot of illegal space we know how to describe it so you know you have a precondition you prove things about the code and then you're guaranteed to get the result and there is a lot of math involved a lot of math involved this is the proof for this program up top doing division I will publish the slides you can look at it later and then

you sort of add 70 men hours of that and then you have a secure microkernel like lse l4 last time I checked it was not quite modeling the x86 mmm you people tell me it kind of sorta does now well maybe another 70 years and we can have a microkernel we can trust right here's this here's what the universe looks like from the offensive point you have proven it it's correct it's probably correct the preconditions P be they so many pages of dense symbolic stuff formulas you know it's done and then of course the question is if you feed it something other than P if you feed it something that is not in those preconditions for which it is proven

what will happen what will that thing compute will it just crash will reject it will happily go and give you a root shell on you know some other part of the beast we don't know so everything is an interpreter and it's actually your data manipulating your program it's a very different it's it's the same it's saying the same thing even if your program is correct what will it do when it sees something that it was not supposed to execute and this can happen because of the physical world this can happen because of leaky abstractions this can happen because of any way that we explore the offensive universe you know we've done our a little bit with my

group looking at this well we've shown that if you look at the relocation entries in just the elf metadata and in PE and in Mecca in Mecca it's actually simpler but you can compile any program into that data forget the code it's just the symbol tables and the relocation tables and your loader will happily execute any program for you this is an assembly and then you know by the time your code actually starts to run it's too late you've actually executed everything else that you wanted to execute same thing with exceptions the exception handler is actually a virtual machine that is carried with any see C++ program certainly one compiled with GCC and again your main program

does not matter it's the exception handling information which is actually byte code which is actually executed by that virtual machine that is going to be present in your address space and then you know my last but not least my most favorite one if you control a bunch of descriptor tables on the x86 CPU you can make it compute things you can compile your program into tables by controlling those tables and nothing else you will never successfully dispatch an instruction you will start with a page fault which will generate a double fault which will fix up just enough for another page fault to kick in and so it will continue ticking because yeah x86 is a complex architecture with a lot of

legacy features and it reads and writes memory and what else do you need of the processor instructions are irrelevant the academic world is actually waking up to this and this automatic exploit generation makes this extremely valuable observation that the verification is exploit is a verification problem that proving of correctness has an evil brother finding where proofs break and that we call an exploit this is a counter proof this is the proof of the counter case so like yeah evolution you've got those beasts and here is an elephant that's another elephant its arch-nemesis of course as everybody who has been into biology medieval biology knows is the dragon because the Dragons eat up elephants eggs for something

right and then you know what is biology to you is weapons to others so you can see a weaponized elephant here poor stunted thing you know caring that that's maybe not so stunted maybe their horses are just way too big right weapons control so I've been ranting about all of this expanding the universe colonizing far worlds and that sort of thing and then of course people who are not very comfortable with that right and here we have something that is called the Wassenaar arrangement this is the thing that controls the sales of nukes and chemical weapons and parts for those two people we do not like like the Soviets I guess well you know well we

kind of sort of both like them and not like them it's it's quite amazing you know you read history from some very esteemed historians and you have this feeling that the US was somehow just you know going here going there and starting things all over the world and the Soviet Union is not mentioned even once so like who take why is your question and my question is well I actually kind of know how the Soviet Union operated and yes it was trying to take over the world right I learned this in school and you know I learned the methodology for for doing so it was quite interesting but you know then it's kind of being written

out of history and this is really really surprising but anyway so wasn't our arrangement in 2015 has been applied to cyber weapons right intrusion software and you know what intrusion software is intrusion software is what modifies the standard execution path now you've got a debugger right what does it do it modifies the standard execution path it injects those instructions in their external instructions to control the program a hypervisor what does that thing do same thing right an operating system well yeah I mean your your program causes a page fault what happens then it's the under execution path so like let's have an authority on standard execution paths and we're so good at defining what they are we have this

thing antivirus right which detects whenever the standard execution path has left and it's just such a tremendous success so I was making this argument over a phone call to people at the Department of Commerce who were charged by the people from the Department of State who negotiated this monster to implement it and so like hey you know great news right we're protecting activists everywhere we are killing this terrible intrusion software um you know yeah just go and tell Microsoft Google Cisco and others that can they can no longer talk to foreign researchers not even to foreign groups within the organization because of course arms control is a serious thing right it's it's a felony to break it it's a felony

even to talk about these things to unfavored nations and individuals and yeah this this was the text of the actual agreement and the Department of Commerce was not at all happy about implementing that so not without pushback from the industry basically they kind of woke up to it after the first round of public comment came back with things like what are you doing you're you're killing the industry you're basically depriving us of any way of doing meaningful things with computers and you're just destroying any hope of computer security because hey you know some of it is done by foreigners so there was another round of public comment and right now the after all of this and after the pushback it is in

limbo it will be renegotiated by the same people who negotiated it in the first place so there is more fun to come but just so that you know intrusion software so they had this idea that oh you can exchange malware so malware itself is not controlled but things to analyze generate develop things that could be used to serve to modify the standard execution path are now that's fun right so that's all of our reverse engineering and fathers and compilers arguably and all of those things so yeah that's that's what happens when you try to legislate technology for all the good reasons so luckily this is beaten back for the moment but I advise you to keep

your eye on this because this is a clear and present danger and of course Europe has its own thing they are going to control zero day so like as a scientist nominally right everything we publish in physics chemistry any other technical area that's usually novel as in it doesn't get published if it isn't you know you get back your paper and you know about how to make things work and one of the comments is this is not normal IBM systems journal 1960s did that and that's that's it your paper is dead it's not getting published in that conference because it's not novel so all science is actually zero day it's about things that not known before and they're

going to control that good luck so I will close with another favorite tweet of mine a vulnerability is a theorem a supposition that the software flaw is a risk and exploit is a proof of that theorem proofs are important and I've been saying these things in long periods in long Russian sentences which just go on and on and on you know this thing this this idea of a run-on sentence let me assure you in German or Russian writing it doesn't kind exist right read as I was made to read Marx's Das Kapital yeah run-on sentences from the start which is why it worked so well apparently but anyway I was actually parsing up some texts to my students to

give them to you know use their Lisp Fuu won and I downloaded the wind and the Willows and Ellison Wonderland all those children's books what do you know run-on sentences it's just long sentences with many clauses people used to write differently but anyway you know - it's do it and so - Dina goes the props for formulating the so concisely indeed an exploit is a proof of the theorem that a software flaw is at risk proofs are important so imagine what would happen if physics was deprived of its most important to conducting experiments that would not be a nice world and yeah I will let you enjoy this thing about the deemed export it's when you talk to

someone who is not a citizen that would make life in my lab very very interesting so hey but we beat back that attack on offense and we can continue exploring the universe and the shape of the beast for now and I leave you my fellow mathematicians my fellow explorers my fellow arms dealers with that thank you