Project Springfield Fuzz your code before hackers do

Presentation on theme: "Project Springfield Fuzz your code before hackers do"— Presentation transcript:

1 Project Springfield Fuzz your code before hackers do
BRK2287 David Molnar

2 https://microsoft.com/springfield
Project Springfield

3 From Research to Customers
“Million dollar” bugs
Patrice Godefroid, William Blum
2007: Patrice Godefroid and team invent “whitebox fuzzing” research for finding “million dollar bugs”
2009: Whitebox fuzzing finds 1/3 of security input validation bugs in Windows 7 development
2013: Whitebox fuzzing run at scale on multiple Microsoft products in on-premise machine labs
2015: William Blum joins, leads engineering team for Azure cloud service “Project Springfield”
May 2015: Cloud service live and first customer finds serious bugs with “Project Springfield”
2015 – 2016: Continuous improvement working closely with customers and partners under NDA
September 2016: “Project Springfield” opens for preview

4 Customer Obsession
Working with customers and partners from the beginning
Hear who they are and hear their stories now
Demo and tech explanation after

5 Mike Lemley, Senior Cyber Security Developer
Westin Kurlancheek, Sr. Software Engineer in Reliability

7 Chad Thunberg, Chief Operating Officer
Chad Larsen, Director of Technical Services

9 Leviathan
10 Year Old Company
Specialize in Risk Management and Information Security
Fortune 10 to Boutique
Leviathan clears the path to limitless innovation. We see security as extraordinary opportunity; seeing the unforeseen.

10 Our Passion
Mature practices not books of bugs
Leave behind enablement

11 Customer Challenges
Lack specialized resources and scale
Security is a cost center
How do we operationalize security?

12 Partnership
Integration of powerful framework
Solves part of ‘Scarcity’
Distributes workload

13 Results
Enablement (2 assessments): 9 of 30 (30%), 3 of 24 (12.5%)
Continuous security (case study): 464 bugs in 18 months, 21% effort savings

14 OSIsoft and Deschutes Brewery
Perfect example of benefits: Ease of use, Speed, Coverage

16 Chad A. Holmes, Principal, Cybersecurity, Ernst & Young LLP
Rishi Pande, Sr. Manager, Cybersecurity, Ernst & Young LLP

17 Demo

19 Deeper dive

20 Springfield includes whitebox fuzzing
    void crash(void);   /* defined elsewhere */

    void top(char input[4]) {
        int cnt = 0;
        if (input[0] == 'b') cnt++;
        if (input[1] == 'a') cnt++;
        if (input[2] == 'd') cnt++;
        if (input[3] == '!') cnt++;
        if (cnt >= 4) crash();   /* reached only when all four bytes match */
    }

input = "good"
Path constraint for this run, with the negation of each term and the Gen 1 input that satisfies it:
    I0 != 'b'  →  I0 = 'b'  (bood)
    I1 != 'a'  →  I1 = 'a'  (gaod)
    I2 != 'd'  →  I2 = 'd'  (godd)
    I3 != '!'  →  I3 = '!'  (goo!)
Microsoft constraint solver
Create new constraints to cover new paths
Solve new constraints → new inputs

21 Springfield includes whitebox fuzzing
    void crash(void);   /* defined elsewhere */

    void top(char input[4]) {
        int cnt = 0;
        if (input[0] == 'b') cnt++;
        if (input[1] == 'a') cnt++;
        if (input[2] == 'd') cnt++;
        if (input[3] == '!') cnt++;
        if (cnt >= 4) crash();   /* reached only when all four bytes match */
    }

Gen 1: input = "bood" (also gaod, godd, goo!)
Gen 2: input = "baod"
Gen 3: input = "badd"
Gen 4: input = "bad!"
Path constraint:
    I0 != 'b'  →  I0 = 'b'  (bood)
    I1 != 'a'  →  I1 = 'a'  (gaod)
    I2 != 'd'  →  I2 = 'd'  (godd)
    I3 != '!'  →  I3 = '!'  (goo!)
Create new constraints to cover new paths
Solve new constraints → new inputs
Whitebox fuzzing finds the crash!
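The generational search from slides 20 and 21, as an added example that is not code from the presentation or from Project Springfield. The names top_traced, whitebox_search, item and bound are assumptions, and a trivial byte assignment stands in for the constraint solver because every constraint here is an equality on one input byte.

```c
#include <stdio.h>
#include <string.h>

#define N 4
static const char K[N] = {'b', 'a', 'd', '!'};  /* bytes top() compares against */

/* Instrumented stand-in for top(): taken[i] records branch i's outcome (the
   path constraint); returns 1 where the slide's code would call crash(). */
static int top_traced(const char in[N], int taken[N]) {
    int cnt = 0;
    for (int i = 0; i < N; i++) { taken[i] = (in[i] == K[i]); cnt += taken[i]; }
    return cnt >= 4;
}

struct item { char in[N]; int bound; int gen; };

/* Breadth-first generational search from seed. Returns the generation of the
   first crashing input (or -1), copies that input to out, and stores the
   number of program runs in *runs. */
static int whitebox_search(const char seed[N], char out[N], int *runs) {
    struct item q[64];               /* at most 2^N = 16 inputs are generated */
    int head = 0, tail = 0, taken[N];
    memcpy(q[0].in, seed, N); q[0].bound = 0; q[0].gen = 0; tail = 1;
    *runs = 0;
    while (head < tail) {
        struct item cur = q[head++];
        (*runs)++;
        if (top_traced(cur.in, taken)) { memcpy(out, cur.in, N); return cur.gen; }
        /* Negate constraint j while keeping constraints 0..j-1, then "solve"
           by assigning byte j a value that satisfies the negated constraint. */
        for (int j = cur.bound; j < N; j++) {
            struct item child = cur;
            child.in[j] = taken[j] ? (char)(K[j] ^ 1) : K[j];
            child.bound = j + 1;     /* never re-negate an earlier constraint */
            child.gen = cur.gen + 1;
            q[tail++] = child;
        }
    }
    return -1;
}

int main(void) {
    char found[N]; int runs;
    int gen = whitebox_search("good", found, &runs);
    printf("crash input %.4s at generation %d after %d runs\n", found, gen, runs);
    return 0;
}
```

Starting from "good", the search reaches "bad!" in generation 4 after 16 runs of the target, one per distinct path through the four branches.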

22 OUR UNIQUE APPROACH
PLATFORM INTELLIGENCE PARTNERS
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23 Thank you! What’s next?
Meet the speakers!
Visit Springfield booth in Expo and meet the team!
Sign up for Project Springfield Preview at https://microsoft.com/springfield
Attend more Security sessions:
BRK2239 Delight users and IT with modern identity experiences on Windows 10
BRK2130 Protect your business data using Windows Information Protection
BRK3138 Monitor actor groups and detect targeted attacks with Microsoft’s Hunter Team
BRK3293 Look under the hood: bypassing antimalware tactics and infrastructure response Methods
BRK2132 End the game for credential theft with Microsoft Windows 10
BRK4021 Discover Microsoft Windows 10 Internals

24 Free IT Pro resources To advance your career in cloud technology
Microsoft Ignite 2016

