To Branch or Not to Branch: Security Implications of x86 Frontend Implementations

This presentation updated for H2HC describes fall-through speculation of conditional branches and speculative type confusion. It also includes PoC code and examples of SLS gadgets, demonstrating the speed of these speculation-based leaks.

The AMD Branch (Mis)predictor: New Types and Methods of Straight-Line Speculation (SLS) Vulnerabilities

In this expanded version of the talk, we discuss a flaw recently discovered in AMD x86 processors of various microarchitectures: Zen1, Zen2 and Zen3, and its role in a speculative execution vulnerability type called straight-line speculation (SLS). The presentation helps visualize how modern branch predictors work, how the side channel attacks involving AMD's branch predictor works, and why proposed mitigations (like those implemented in grsecurity) are effective.

Compilers: The Old New Security Frontier

Nearly gone are the days where defenses with simple implementations like ASLR are able to have widespread many-year impacts on memory corruption exploitation. The rise of speculative execution attacks and the propensity of remaining memory unsafety bug-classes to elude effective defense is necessarily driving the next generation of security defense toward a compiler-based approach. This keynote distills a decade of experience in production-grade compiler-based security, showing what's possible, what roadblocks exist, and what the future holds for this area of security. The Powerpoint version of the slides contains extensive speaker notes.

10 Years of Linux Security - A Report Card

This presentation, delivered virtually at the 2020 Linux Security Summit North America, was a follow-up to an earlier talk in 2010 at the first Linux Security Summit in Boston entitled "Linux Security in 10 Years." It discusses the major security changes in the upstream Linux kernel over the past 10 years, including more detailed discussions of XLTS, KSPP, and Syzkaller. It follows up with a discussion of current exploitation trends and recommendations on improving upstream security processes and attracting today's security talent. The Powerpoint version of the slides contains extensive speaker notes.

SSTIC 2016 Keynote

This keynote gave a recap of our work in grsecurity and PaX since the PaX Team's 2012 SSTIC keynote. It also includes a "state of the infosec union" address, talks about the future of security technically and politically, and provides advice for newcomers to be successful and productive members of the security community. The Powerpoint version of the slides contain extensive speaker notes.

At ARMs Length Yet So Far Away

This presentation, delivered at H2HC 2013, aims to give a more accessible introduction to the ARM work initially performed at the end of 2012 for inclusion in PaX. It covers the details of the kernel self-protection features developed and ends with a discussion of exploit weaponization against the Linux kernel. For more details on the ARM work, see the blog post.

The Case For Grsecurity

This presentation, delivered at H2HC 2012, provides some background on the history and motivations of the grsecurity project. It provides evidence for grsecurity's necessity in a secure Linux environment, summarizes our work during 2012, explains our strategy for responding to exploits, and points toward future improvements.

RBAC Tutorial

This presentation was delivered at Locaweb, a grsecurity sponsor, in October 2012. The purpose of the talk is to introduce users to RBAC as implemented in grsecurity. Freeing from the mind ancient "formal methods" with their associated outdated assumptions, I present the scope and goals of a modern access control system. The presentation also provides a real-life policy for CVS pserver, discussing some security attributes that emerge from the policy, particularly when used in combination with the other features of grsecurity.

Linux Security in 10 Years

In the presentation I touch on a number of topics ranging from exploitation to security model theorizing to prevention. I provide a brief discussion of lessons learned from last year's exploit releases, a discussion of the real-life implications of the kernel being in the TCB, a description of what grsecurity is doing right now in terms of kernel self-protection, and an outline of our ultimate goals for kernel self-protection.

PaX: The Guaranteed End of Arbitrary Code Execution

These slides were presented at G-Con 2 in Mexico City, Mexico in October 2003. They provide an overview of PaX and compare it technically and functionally to OpenBSD's W^X and Redhat's Exec-shield.

Detection, Prevention, and Containment: A Study of grsecurity

These slides were presented at the Libres Software Meeting in Bordeaux, France in July 2002. The presentation gives an overview of grsecurity and PaX. Note that much of the information in the presentation is out of date, especially regarding the performance hit of PaX, which is now negligible. Nearly all of the future plans stated have already been completed. Please refer to the features page for newer information.