1 00:00:00,000 --> 00:00:09,600 Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, 2 00:00:09,600 --> 00:00:13,360 reliability and compliance on the Microsoft Cloud Platform. 3 00:00:13,360 --> 00:00:15,760 Hey, everybody. 4 00:00:15,760 --> 00:00:18,460 Welcome to episode 98. 5 00:00:18,460 --> 00:00:23,560 This week, it's myself, Michael, with Gladys, Sarah and Mark are both away today. 6 00:00:23,560 --> 00:00:29,560 And our guest this week is David Weston, who's here to talk to us about a whole slew of things, 7 00:00:29,560 --> 00:00:35,840 really from secure future initiative to software development to various other topics that kind 8 00:00:35,840 --> 00:00:37,320 of relate to that. 9 00:00:37,320 --> 00:00:40,880 But before we get to our guest, let's take a little lap around the news. 10 00:00:40,880 --> 00:00:42,840 Gladys, why don't you kick things off? 11 00:00:42,840 --> 00:00:44,440 Hi, everyone. 12 00:00:44,440 --> 00:00:51,400 I have been really busy with many other internal employees at Microsoft working on the secure 13 00:00:51,400 --> 00:00:54,800 future initiative or SFI. 14 00:00:54,800 --> 00:01:00,560 We will talk in a little bit about SFI, but first, let's talk about a public preview on 15 00:01:00,560 --> 00:01:07,000 Microsoft Defender for Cloud Integration with Microsoft Copilot for Security. 16 00:01:07,000 --> 00:01:13,800 This integration was first announced in MSBuild and now launched on June 10th. 17 00:01:13,800 --> 00:01:20,520 Defender for Cloud, as you may know, stands for the first cloud native application protection 18 00:01:20,520 --> 00:01:27,560 platform or CNAP, which is a solution that not only helps address posture related questions, 19 00:01:27,560 --> 00:01:35,120 but also assess security admin in understanding the environment, remediating issues and mitigating 20 00:01:35,120 --> 00:01:39,880 risk with AI generated actions. 21 00:01:39,880 --> 00:01:45,840 It includes a step by step guide with ready to execute scripts and pull requests for fixing 22 00:01:45,840 --> 00:01:48,080 vulnerabilities in code. 23 00:01:48,080 --> 00:01:56,120 There is also an assistant in identifying the appropriate resources, the owners and 24 00:01:56,120 --> 00:01:59,600 a developer for task delegation. 25 00:01:59,600 --> 00:02:07,920 This makes it easier for junior related team members to perform tasks like experience security 26 00:02:07,920 --> 00:02:08,920 administrators. 27 00:02:08,920 --> 00:02:12,600 It's definitely like a teaching tool. 28 00:02:12,600 --> 00:02:19,840 There's several free training videos, so please visit our site to see the links. 29 00:02:19,840 --> 00:02:27,320 Also I want to announce in public preview is a new SKU for Microsoft Azure Bastion Premium. 30 00:02:27,320 --> 00:02:34,440 This service is aimed for customers that handle high sensitivity virtual machines workloads. 31 00:02:34,440 --> 00:02:40,840 It allows customers to perform advanced recording, monitoring and auditing capabilities for sessions. 32 00:02:40,840 --> 00:02:44,240 This is something that many customers have been asking about. 33 00:02:44,240 --> 00:02:50,480 We finally have released this needed capability. 34 00:02:50,480 --> 00:02:51,920 I have one news item. 35 00:02:51,920 --> 00:02:57,440 It's an interesting one, not because of the product that it represents, but because of 36 00:02:57,440 --> 00:03:00,920 the overarching rationale. 37 00:03:00,920 --> 00:03:02,680 I'm going to read this verbatim. 38 00:03:02,680 --> 00:03:09,400 Log search alert rules using link storage will require using a managed identity starting 39 00:03:09,400 --> 00:03:14,880 July 2024, which is not far away. 40 00:03:14,880 --> 00:03:19,760 On the surface, this doesn't sound overly exciting, but in actual fact it's very important. 41 00:03:19,760 --> 00:03:27,480 We, Microsoft and certainly Azure specifically, are moving away from using credentials for 42 00:03:27,480 --> 00:03:29,240 basically anything. 43 00:03:29,240 --> 00:03:35,400 We know it's a long journey, but the point is we need to get credentials out of the environment. 44 00:03:35,400 --> 00:03:39,400 That includes not just us, but also customers of Azure. 45 00:03:39,400 --> 00:03:45,640 We need to move away from using usernames and passwords that get embedded somewhere, 46 00:03:45,640 --> 00:03:47,720 or SAS tokens, those kinds of things. 47 00:03:47,720 --> 00:03:49,000 We need to get away from those. 48 00:03:49,000 --> 00:03:52,440 The reason is because that's what the attackers are doing. 49 00:03:52,440 --> 00:03:56,920 They're getting hold of those credentials and that helps them move laterally in the 50 00:03:56,920 --> 00:03:57,920 environment. 51 00:03:57,920 --> 00:04:02,000 If the credentials are not there, then they can't get them. 52 00:04:02,000 --> 00:04:10,240 The way we solve that, certainly for client authentication in Azure, is to use enter ID. 53 00:04:10,240 --> 00:04:13,520 What that means for processes is managed identities. 54 00:04:13,520 --> 00:04:16,440 You really have two options, system managed identities and user managed identities. 55 00:04:16,440 --> 00:04:20,360 I'm going to provide a link in the notes. 56 00:04:20,360 --> 00:04:24,680 I really think everyone who's listening to this podcast really needs to dig deep and 57 00:04:24,680 --> 00:04:28,080 understand managed identities and why they're so important. 58 00:04:28,080 --> 00:04:32,120 Ultimately, there is no credential there and that's incredibly important from a client 59 00:04:32,120 --> 00:04:36,960 authentication perspective, but also from a, the attackers can't get the credential 60 00:04:36,960 --> 00:04:38,920 because it's not there. 61 00:04:38,920 --> 00:04:40,480 That's the most important part. 62 00:04:40,480 --> 00:04:49,200 Again, this story isn't that exciting, but the overarching rationale is critically important. 63 00:04:49,200 --> 00:04:50,760 That's the news out the way. 64 00:04:50,760 --> 00:04:52,840 Now let's turn our attention to our guest. 65 00:04:52,840 --> 00:04:57,240 As I mentioned at the top, our guest this week is David Weston, who's here to talk to 66 00:04:57,240 --> 00:05:01,200 us about a whole myriad of things, especially developer related stuff. 67 00:05:01,200 --> 00:05:04,120 David, thank you so much for joining us this week. 68 00:05:04,120 --> 00:05:07,080 We'd like to take a moment and introduce yourself to our listeners. 69 00:05:07,080 --> 00:05:08,080 Yeah, absolutely. 70 00:05:08,080 --> 00:05:13,640 I'm Dave Dwizzle Weston, as many of you who follow me on Twitter will know me as. 71 00:05:13,640 --> 00:05:17,840 I'm a vice president of operating system security here at Microsoft. 72 00:05:17,840 --> 00:05:22,680 I actually have two jobs, but I just get one paycheck, but my boss likes to point out it's 73 00:05:22,680 --> 00:05:25,160 a large paycheck, so I don't complain. 74 00:05:25,160 --> 00:05:28,880 I do building of security in the operating system. 75 00:05:28,880 --> 00:05:35,200 Everything from crypto to authentication, code signing, mitigations, you name it. 76 00:05:35,200 --> 00:05:38,880 I work on a team of builders and I lead them. 77 00:05:38,880 --> 00:05:43,720 One of the things that folks may not know is not only do we build many different flavors 78 00:05:43,720 --> 00:05:48,800 of windows from like Xbox to the Windows 11 you know and love to the Azure host, but we 79 00:05:48,800 --> 00:05:52,640 also build Linux distributions. 80 00:05:52,640 --> 00:05:58,040 A good example that is Azure sphere, which is our IOT project, which I hope lead has 81 00:05:58,040 --> 00:06:00,520 some flavor of a Linux distribution. 82 00:06:00,520 --> 00:06:06,720 We also use Linux now directly on Azure host as part of Azure boost, and we actually have 83 00:06:06,720 --> 00:06:12,960 a Linux distribution, RPM based that anyone can download called Azure Linux, and we actually 84 00:06:12,960 --> 00:06:15,560 do a fair bit of work in upstreaming on that. 85 00:06:15,560 --> 00:06:19,920 Besides building the operating systems, I also lead a penetration testing team that 86 00:06:19,920 --> 00:06:26,880 does things like code reviews, implementing the secure future initiative or SFI, SDL, 87 00:06:26,880 --> 00:06:28,440 red teaming, you name it. 88 00:06:28,440 --> 00:06:32,920 So we kind of have this really cool culture of people building security products, but 89 00:06:32,920 --> 00:06:37,400 also a lot of offensive expertise, and I think that really helps to make a better product. 90 00:06:37,400 --> 00:06:43,400 All right, so let's start off with something you mentioned at the top, which is Dwizzle 91 00:06:43,400 --> 00:06:45,160 with three Z's. 92 00:06:45,160 --> 00:06:47,320 So where on earth does Dwizzle come from? 93 00:06:47,320 --> 00:06:52,760 Yeah, you know, when you red team and you find good bugs, you often entertain yourself 94 00:06:52,760 --> 00:06:53,760 with those bugs. 95 00:06:53,760 --> 00:06:56,800 So this is years and years back. 96 00:06:56,800 --> 00:07:00,500 As Michael will know, many of you will know, you know, there's a way to sort of present 97 00:07:00,500 --> 00:07:06,120 a headshot or profile picture in Outlook in the exchange client that actually used to 98 00:07:06,120 --> 00:07:09,240 be held on a SharePoint server way back when. 99 00:07:09,240 --> 00:07:13,560 And we actually found an arbitrary file upload vulnerability years back that would allow 100 00:07:13,560 --> 00:07:19,400 you to if you knew the picture name, you could overwrite anyone's photo. 101 00:07:19,400 --> 00:07:24,800 And so of course, I immediately rather than reporting that bug, used it to draw eye patches 102 00:07:24,800 --> 00:07:28,080 on my red team colleagues back in those days. 103 00:07:28,080 --> 00:07:30,320 And so of course, we got it fixed. 104 00:07:30,320 --> 00:07:34,820 But those eye patches stayed in the Outlook client for a while. 105 00:07:34,820 --> 00:07:41,760 And eventually, some folks found a way to change the presentation name in exchange and 106 00:07:41,760 --> 00:07:45,160 they paid me back by changing my name to Dwizzle. 107 00:07:45,160 --> 00:07:46,880 And I actually found it was kind of cool. 108 00:07:46,880 --> 00:07:49,120 Pretty soon, execs were addressing me by it. 109 00:07:49,120 --> 00:07:51,200 And then I was branded and couldn't get rid of it. 110 00:07:51,200 --> 00:07:54,320 So that's where it stands. 111 00:07:54,320 --> 00:07:56,240 And you know, along the way, there's been some other hijinks. 112 00:07:56,240 --> 00:08:02,160 Like I've done some reports in some pretty prestigious journals where on a dare or a 113 00:08:02,160 --> 00:08:07,000 bet loss, you know, I was attributed to Dwizzle of the M dollar, things like that. 114 00:08:07,000 --> 00:08:09,960 So yeah, the history goes back a long ways. 115 00:08:09,960 --> 00:08:13,880 And most of the red team folks here at Microsoft have pretty similar stories. 116 00:08:13,880 --> 00:08:19,320 M dollar, man, I haven't seen that as an abbreviation for Microsoft for a long time. 117 00:08:19,320 --> 00:08:20,320 That's funny. 118 00:08:20,320 --> 00:08:21,320 That's funny. 119 00:08:21,320 --> 00:08:22,320 The M dollar. 120 00:08:22,320 --> 00:08:23,320 That's right. 121 00:08:23,320 --> 00:08:26,240 I'm dating myself for sure. 122 00:08:26,240 --> 00:08:32,120 Microsoft has been talking about the Secure Future Initiative or SFI. 123 00:08:32,120 --> 00:08:37,920 And many of us have been working intensively in it, as I mentioned earlier. 124 00:08:37,920 --> 00:08:42,320 Can you talk a little bit about it and your role in it? 125 00:08:42,320 --> 00:08:47,480 Yeah, the Secure Future Initiative, the way I generally look at it is, you know, a cultural 126 00:08:47,480 --> 00:08:50,400 change and a prioritization across Microsoft. 127 00:08:50,400 --> 00:08:51,640 Security becomes job one. 128 00:08:51,640 --> 00:08:56,000 You know, I definitely think initiatives like Trustworthy Computing and SDL have certainly 129 00:08:56,000 --> 00:08:57,480 done that in the past. 130 00:08:57,480 --> 00:08:59,880 I look at SFI as even more all encompassing. 131 00:08:59,880 --> 00:09:05,800 You know, SDL and things like that talk specifically about how we're going to be secure by construction. 132 00:09:05,800 --> 00:09:12,240 But SFI includes things like operational security, mindset, training, and I would say a secure 133 00:09:12,240 --> 00:09:14,840 by default ethos. 134 00:09:14,840 --> 00:09:17,800 And so I think that I play sort of two major roles in that. 135 00:09:17,800 --> 00:09:22,960 The first is as someone building the operating system, I think SFI really helps and supports 136 00:09:22,960 --> 00:09:28,200 what I think the security team's objective always is, which is to prioritize security. 137 00:09:28,200 --> 00:09:31,080 You know, there's a lot of talk of that online, especially in the security community, which 138 00:09:31,080 --> 00:09:35,440 is sometimes a little cavalier about how difficult that is. 139 00:09:35,440 --> 00:09:38,360 At the end of the day, when you're building an operating system product, you know, people 140 00:09:38,360 --> 00:09:42,720 are not going to buy that if their software can't run or if it's too slow. 141 00:09:42,720 --> 00:09:47,300 So a lot of what we do is balancing secure by default, but also figuring out from an 142 00:09:47,300 --> 00:09:51,680 engineering perspective, how do we also balance compatibility, which is sometimes, you know, 143 00:09:51,680 --> 00:09:55,260 the enemy of security and also maintaining performance. 144 00:09:55,260 --> 00:10:00,200 And so one of the big steps my team has done is taken the step of turning on things like 145 00:10:00,200 --> 00:10:05,520 virtualization based security by default, BitLocker by default, code signing and code integrity 146 00:10:05,520 --> 00:10:08,520 by default with features like smart app control. 147 00:10:08,520 --> 00:10:09,920 And I think, Michael, you'll like this. 148 00:10:09,920 --> 00:10:10,920 We're really close. 149 00:10:10,920 --> 00:10:14,680 Hopefully in the near future, you'll hear more from me on this, but we're really close 150 00:10:14,680 --> 00:10:19,480 to removing admin by default and having just in time admin become the default in Windows. 151 00:10:19,480 --> 00:10:24,360 So I think that's a good, you know, example of where SFI is being put into action. 152 00:10:24,360 --> 00:10:28,440 We're empowered to do things that maybe previously we would have optimized for performance or 153 00:10:28,440 --> 00:10:29,440 compatibility. 154 00:10:29,440 --> 00:10:35,100 But outside of that, my teams do a lot to secure operating system related services as 155 00:10:35,100 --> 00:10:37,000 well as security features. 156 00:10:37,000 --> 00:10:42,520 So of course, implementing the SDL from the SDL you know and love, which is threat modeling, 157 00:10:42,520 --> 00:10:48,920 static analysis, fuzzing, security bug bars and response, but also taking that up a notch, 158 00:10:48,920 --> 00:10:53,200 you know, redesigning, I would say features to take advantage of kind of modern security 159 00:10:53,200 --> 00:10:54,200 boundaries. 160 00:10:54,200 --> 00:10:58,480 So in many cases, we're getting very involved at the design level to use things like the 161 00:10:58,480 --> 00:11:01,760 virtualization based security boundary or hardware. 162 00:11:01,760 --> 00:11:05,480 We also get involved pretty deeply in the operational security. 163 00:11:05,480 --> 00:11:10,320 So things like testing app specific defenses and making sure we're building bespoke detections 164 00:11:10,320 --> 00:11:11,780 through red teaming. 165 00:11:11,780 --> 00:11:17,360 So across the board from design to implementation, you know, my team gets pretty involved there, 166 00:11:17,360 --> 00:11:21,080 which means I spend a lot of time sort of helping guide them towards a strategy that 167 00:11:21,080 --> 00:11:23,760 can execute well on that. 168 00:11:23,760 --> 00:11:27,760 So talking about compatibility, I noticed just recently there was an announcement made 169 00:11:27,760 --> 00:11:33,800 by the Windows Server 2025 team that NTLM was finally going bye bye. 170 00:11:33,800 --> 00:11:37,120 But also mail slots. 171 00:11:37,120 --> 00:11:43,200 I think the last, if I remember correctly, didn't mail slots like first start in landman 172 00:11:43,200 --> 00:11:45,480 in the land manager on OS2? 173 00:11:45,480 --> 00:11:47,280 I think it's all the way back to OS2. 174 00:11:47,280 --> 00:11:48,280 Yes, OS2. 175 00:11:48,280 --> 00:11:49,280 Yeah. 176 00:11:49,280 --> 00:11:51,000 So there's a whole bunch of other stuff that's being deprecated. 177 00:11:51,000 --> 00:11:55,720 I mean, you know, I imagine the code behind that is probably old and crusty and you know, 178 00:11:55,720 --> 00:11:57,840 it's just just time to deprecate it. 179 00:11:57,840 --> 00:12:02,040 Probably very old C, barely C++ code. 180 00:12:02,040 --> 00:12:06,760 And I'm sure it's been reviewed and fuzz tested over the years, but by the same token, it's 181 00:12:06,760 --> 00:12:08,520 probably just just old and crusty, right? 182 00:12:08,520 --> 00:12:14,720 So it's time to sort of, I don't even know, does any feature actually even use mail slots? 183 00:12:14,720 --> 00:12:19,200 I don't know if anything inboxes us, but certainly, you know, you wouldn't be surprised to hear 184 00:12:19,200 --> 00:12:23,200 this, but there's many, many crusty old applications that people rely on Windows. 185 00:12:23,200 --> 00:12:27,720 And so there are certainly third party applications that continue to do that. 186 00:12:27,720 --> 00:12:32,680 You know, but I think attack surface removal is a big sort of implied part of secure by 187 00:12:32,680 --> 00:12:33,680 design. 188 00:12:33,680 --> 00:12:37,880 For example, you know, things like NTLM, we know at the end of the day, there are limitations 189 00:12:37,880 --> 00:12:42,040 to the NTLM as a protocol and as the standard in terms of security. 190 00:12:42,040 --> 00:12:45,600 And so when you talk about security by default in that particular area, I think the best 191 00:12:45,600 --> 00:12:48,200 thing we can do is, you know, disable it. 192 00:12:48,200 --> 00:12:50,160 I think that goes for a lot of attack surface. 193 00:12:50,160 --> 00:12:54,600 There are many, many, I would say perennial features where we've had security challenges 194 00:12:54,600 --> 00:12:56,920 around them that we're really looking at redesigning. 195 00:12:56,920 --> 00:13:04,400 You know, I'd throw Win32k out there, NTLM, and there are many other surfaces that, you 196 00:13:04,400 --> 00:13:10,920 know, we continue to look at to try to either remove or fundamentally redesign. 197 00:13:10,920 --> 00:13:15,400 And that's actually the exciting part of Windows right now, I think, is there's a ton of energy 198 00:13:15,400 --> 00:13:19,620 and a ton of support at the leadership level for really revolutionizing the guarantees 199 00:13:19,620 --> 00:13:20,620 that we can make. 200 00:13:20,620 --> 00:13:22,680 So that's always fun, right? 201 00:13:22,680 --> 00:13:27,160 When you think you kind of know what the limit is, I think we're in the midst of redefining 202 00:13:27,160 --> 00:13:30,920 it, which is an exciting time to work on an operating system at Microsoft. 203 00:13:30,920 --> 00:13:36,500 So why you mentioned redefining, perhaps even redesigning and even mentioned revolutionary 204 00:13:36,500 --> 00:13:37,500 in there. 205 00:13:37,500 --> 00:13:38,500 Rust. 206 00:13:38,500 --> 00:13:42,640 Tell me about, I mean, I'm a huge Rust fan. 207 00:13:42,640 --> 00:13:48,180 And that's coming from someone who's done C and C++ code for a long, long, long time, 208 00:13:48,180 --> 00:13:49,720 but I enjoy doing Rust. 209 00:13:49,720 --> 00:13:52,680 So tell me what's going on at Microsoft around Rust. 210 00:13:52,680 --> 00:13:53,680 Sure. 211 00:13:53,680 --> 00:13:57,280 So the first thing I'll say is I think Microsoft actually has a long history with, I'll call 212 00:13:57,280 --> 00:13:59,040 it type and memory safety. 213 00:13:59,040 --> 00:14:03,360 Michael, you'll remember this, but big parts of Vista were actually originally designed 214 00:14:03,360 --> 00:14:06,240 in C sharp and dot net. 215 00:14:06,240 --> 00:14:10,520 And one of the reasons was to achieve, you know, type and memory safety. 216 00:14:10,520 --> 00:14:16,000 We actually had a pretty long running experimental operating system called Midori that used a 217 00:14:16,000 --> 00:14:22,460 version of dot net that we called system C sharp that had pretty strong security guarantees. 218 00:14:22,460 --> 00:14:30,340 And even in products like Azure sphere, we had a subset of C called safer C that required 219 00:14:30,340 --> 00:14:32,140 some things around spatial safety, et cetera. 220 00:14:32,140 --> 00:14:34,960 So that's been a long running goal. 221 00:14:34,960 --> 00:14:39,380 Traditionally the problem is, well, you know, languages that offer things like temporal 222 00:14:39,380 --> 00:14:44,200 safety and spatial safety and things like garbage collection that come along with that 223 00:14:44,200 --> 00:14:49,600 just usually incongruent with the performance and efficiency needs of a low level operating 224 00:14:49,600 --> 00:14:50,600 system. 225 00:14:50,600 --> 00:14:53,840 You know, having a garbage collector, for example, in your bootloader, things like that, 226 00:14:53,840 --> 00:14:55,080 generally incongruent. 227 00:14:55,080 --> 00:15:01,640 So I think really what Rust did and to an extent Golang and other languages like Swift 228 00:15:01,640 --> 00:15:05,900 have really brought about, I think, a revolution in systems level languages. 229 00:15:05,900 --> 00:15:09,980 So languages that are appropriate from an efficiency and performance standpoint to use 230 00:15:09,980 --> 00:15:14,040 an operating system construction while also having memory safety. 231 00:15:14,040 --> 00:15:18,960 And so I think that people understand the elegance and the approach of that and the 232 00:15:18,960 --> 00:15:24,120 benefits it gives you when this sort of secure by construction, especially deterministically. 233 00:15:24,120 --> 00:15:26,280 And so I think it's caught the eye of folks. 234 00:15:26,280 --> 00:15:30,640 You know, Mozilla originally designed this language as a way to secure their browser. 235 00:15:30,640 --> 00:15:32,240 That makes a lot of sense in that. 236 00:15:32,240 --> 00:15:36,700 But I think the community as a whole has been waiting for something like this. 237 00:15:36,700 --> 00:15:40,520 So we've seen a lot of folks gravitating towards it, including at Microsoft. 238 00:15:40,520 --> 00:15:44,880 And really just we haven't had this opportunity for a very long time to get the performance 239 00:15:44,880 --> 00:15:47,200 we need out of our memory safe language. 240 00:15:47,200 --> 00:15:52,480 The thing I'll say about Rust in particular, why it's moving so fast is while the security 241 00:15:52,480 --> 00:15:57,840 folks you can call us wonks maybe have wanted this for a long time, what we're actually 242 00:15:57,840 --> 00:16:04,760 seeing what I'm observing is kind of a groundswell of support from your average individual contributor 243 00:16:04,760 --> 00:16:05,760 developer. 244 00:16:05,760 --> 00:16:06,820 They love Rust. 245 00:16:06,820 --> 00:16:09,440 They want to write code that's secure by construction. 246 00:16:09,440 --> 00:16:11,220 They're very interested in the language. 247 00:16:11,220 --> 00:16:15,920 So a lot of the changes are less Microsoft strategy, although I'm happy to talk about 248 00:16:15,920 --> 00:16:21,000 why it's on Microsoft strategy and more of the passionate, you know, boots on the ground 249 00:16:21,000 --> 00:16:25,240 devs are just saying, I want to do this and going and building really cool stuff with 250 00:16:25,240 --> 00:16:26,240 it. 251 00:16:26,240 --> 00:16:27,240 That's how we got this far. 252 00:16:27,240 --> 00:16:30,680 And so I want to make sure that those intrepid folks are really the ones that get the credit 253 00:16:30,680 --> 00:16:33,580 because I think that is the truth. 254 00:16:33,580 --> 00:16:39,280 So while while you're on a roll, I mean, why don't you sort of itemize a couple of things 255 00:16:39,280 --> 00:16:43,160 that are currently using rust and talk about some of the strategy. 256 00:16:43,160 --> 00:16:44,160 I think it's important. 257 00:16:44,160 --> 00:16:47,160 I mean, I think rust is an important language. 258 00:16:47,160 --> 00:16:49,320 It's definitely not going away. 259 00:16:49,320 --> 00:16:51,360 It's evolving rapidly. 260 00:16:51,360 --> 00:16:54,160 You could say that's good and bad. 261 00:16:54,160 --> 00:16:58,200 And then we can talk and then let's just talk about, you know, what's the role of C++ here? 262 00:16:58,200 --> 00:16:59,720 In fact, even C sharp as well, right? 263 00:16:59,720 --> 00:17:02,640 Because they're not languages that are going to go away. 264 00:17:02,640 --> 00:17:04,840 But I'm will just leave the button to laser. 265 00:17:04,840 --> 00:17:11,040 Yeah, so I think we got kind of our feet wet with some really important projects. 266 00:17:11,040 --> 00:17:15,960 So the first is I would say the two things that have maybe been the most attacked from 267 00:17:15,960 --> 00:17:19,960 a pure operating system component standpoint in terms of memory safety. 268 00:17:19,960 --> 00:17:25,440 And for those of you don't know, memory safety issues are about 70 to 75 percent of what 269 00:17:25,440 --> 00:17:30,240 we patch via MSRC issues and, you know, the updates you get through Windows updates. 270 00:17:30,240 --> 00:17:34,440 So just to set set expectations, about three quarters of the bugs Microsoft fix are in 271 00:17:34,440 --> 00:17:36,680 that memory safety category. 272 00:17:36,680 --> 00:17:40,740 And maybe the two most attacked components have been our font parsing. 273 00:17:40,740 --> 00:17:44,800 So the things that would parse, you know, TTF or OTF, especially on remote attack services 274 00:17:44,800 --> 00:17:50,720 like the browser or office clients, as well as Win32K. 275 00:17:50,720 --> 00:17:54,240 Win32K is our internal graphics component that has a long, long legacy. 276 00:17:54,240 --> 00:17:57,320 I think it was originally designed in the late 80s. 277 00:17:57,320 --> 00:18:02,440 And it's become frequently attacked because it offers a convenient escalation of privilege 278 00:18:02,440 --> 00:18:03,440 attack. 279 00:18:03,440 --> 00:18:08,200 So if you want to get out of a browser sandbox and Windows, you know, Win32K is often a common 280 00:18:08,200 --> 00:18:09,200 choice. 281 00:18:09,200 --> 00:18:13,200 And so we started Rust right in the place where it would offer the most security value, 282 00:18:13,200 --> 00:18:21,640 which is taking the sort of modern WinApp SDK font parser that we call DirectWrite and 283 00:18:21,640 --> 00:18:23,960 converting that into Rust. 284 00:18:23,960 --> 00:18:25,840 And that gave us an idea. 285 00:18:25,840 --> 00:18:29,880 And so I did a presentation on this about a year ago, but it took roughly two to three 286 00:18:29,880 --> 00:18:32,380 months of a couple of developers time. 287 00:18:32,380 --> 00:18:35,520 And the interesting things that came out of it is that performance actually got better. 288 00:18:35,520 --> 00:18:36,520 Right. 289 00:18:36,520 --> 00:18:40,240 So I mentioned sort of at the top of my spiel is that traditional problem with memory safety 290 00:18:40,240 --> 00:18:46,520 is it was thought of as inferior in terms of efficiency and performance to C and C++. 291 00:18:46,520 --> 00:18:52,000 Well, our first experiment, although it's a small number, you know, small value, ultimately 292 00:18:52,000 --> 00:18:55,480 proved that you can write high performance Rust code. 293 00:18:55,480 --> 00:19:00,400 And so our second experiment, which was more learning about interop and less about replacing 294 00:19:00,400 --> 00:19:06,160 the whole component during performance was some GDI surfaces in Win32K. 295 00:19:06,160 --> 00:19:09,140 And there we were trying to learn about what is the extent of interop? 296 00:19:09,140 --> 00:19:14,880 Can we sort of slice out individual components of Win32K and make sure that those can work 297 00:19:14,880 --> 00:19:15,880 well? 298 00:19:15,880 --> 00:19:19,160 This is especially important because, you know, Microsoft Windows is compiled with the 299 00:19:19,160 --> 00:19:26,840 Visual C++ compiler or C compiler, while Rust's backend is actually LLVM and uses that backend. 300 00:19:26,840 --> 00:19:30,680 And so just making sure that we have, you know, ABI's that are going to work together, 301 00:19:30,680 --> 00:19:32,480 et cetera, is really important. 302 00:19:32,480 --> 00:19:35,360 And again, that was successful and is now shipped in Windows. 303 00:19:35,360 --> 00:19:39,000 So those were really the two projects that I don't know that they've gotten us to the 304 00:19:39,000 --> 00:19:42,560 north star in terms of memory safety, but got us to learn a lot. 305 00:19:42,560 --> 00:19:48,120 And so based on that, as part of the SF5, we have made a commitment moving forward to 306 00:19:48,120 --> 00:19:53,720 start to do parts of our trusted computing base or the most security critical new code 307 00:19:53,720 --> 00:19:55,340 will be written in Rust. 308 00:19:55,340 --> 00:19:57,860 And to achieve that goal, we have to do a few things. 309 00:19:57,860 --> 00:20:02,960 The first is we need a stable tool chain with compilers and other things that can kind of 310 00:20:02,960 --> 00:20:07,840 work in that large scale, incredible scale Windows environment. 311 00:20:07,840 --> 00:20:09,640 So you got to be able to debug with WinDebug. 312 00:20:09,640 --> 00:20:11,300 You have to have PDB files. 313 00:20:11,300 --> 00:20:14,540 You have to make sure code generation is stable. 314 00:20:14,540 --> 00:20:20,600 And so we announced that we were spending as a company around $10 million on Rust-based 315 00:20:20,600 --> 00:20:23,440 tools with Azure being the first target. 316 00:20:23,440 --> 00:20:26,920 And I'll talk a little bit about where we're using Rust in Azure to start. 317 00:20:26,920 --> 00:20:32,160 The second thing we did is we have donated a million dollars or in the process of donating 318 00:20:32,160 --> 00:20:36,480 to the Rust Foundation with really a goal of stabilizing those tools. 319 00:20:36,480 --> 00:20:41,440 Ideally, we'd like something equivalent to the Windows or sorry, the Linux long-term 320 00:20:41,440 --> 00:20:42,800 servicing branch. 321 00:20:42,800 --> 00:20:45,440 We want like sort of an LTS version of Rust. 322 00:20:45,440 --> 00:20:50,040 You can imagine calling Rust up in the middle of the Windows build is probably not ideal. 323 00:20:50,040 --> 00:20:56,840 So we want something that has a lifetime support of several years and we can base sort of future 324 00:20:56,840 --> 00:20:57,840 Windows off of that. 325 00:20:57,840 --> 00:21:02,600 So really the major thing that we've got to take care of right now is which is sort of 326 00:21:02,600 --> 00:21:07,680 in front of us writing large scale Rust in both Azure and Windows is getting those tools 327 00:21:07,680 --> 00:21:10,320 in that long-term servicing branch up. 328 00:21:10,320 --> 00:21:11,940 But we're hard at work at that. 329 00:21:11,940 --> 00:21:14,080 And so I expect a lot more announcements on that. 330 00:21:14,080 --> 00:21:18,660 And the other thing I wanted to touch on is Mark Resendovich, our CTO in Azure, he announced 331 00:21:18,660 --> 00:21:25,200 a commitment to moving towards Rust and again, a contingent on this tool chain. 332 00:21:25,200 --> 00:21:28,840 But one of the areas that we're spending a lot of time writing Rust is in a product called 333 00:21:28,840 --> 00:21:30,160 Azure Boost. 334 00:21:30,160 --> 00:21:34,840 Azure Boost is available now, but it's also sort of our future architecture for Azure. 335 00:21:34,840 --> 00:21:41,960 And that's where we are offloading more of the performant aspects of Azure Hosts onto 336 00:21:41,960 --> 00:21:46,880 specialized cards like SmartNICs and our FPGAs for storage. 337 00:21:46,880 --> 00:21:52,640 The goal there is twofold really to reduce jitter in a multi-tenant shared environment 338 00:21:52,640 --> 00:21:54,080 like an Azure Host. 339 00:21:54,080 --> 00:21:58,680 If your neighbor in another VM is taking a lot of IOPS, potentially that can impact your 340 00:21:58,680 --> 00:21:59,680 workload. 341 00:21:59,680 --> 00:22:04,240 So Boost eliminates that by doing more hardware offload, allowing sort of deterministic performance 342 00:22:04,240 --> 00:22:06,960 closer to what people would have on bare metal. 343 00:22:06,960 --> 00:22:09,120 But it also eliminates attack surface. 344 00:22:09,120 --> 00:22:13,520 So a lot of the network surface, a lot of the storage surface moves away from being 345 00:22:13,520 --> 00:22:18,080 software implemented to hardware emulated where you can use more of the hardware verification 346 00:22:18,080 --> 00:22:22,760 technologies, more deterministic secure by construction approaches that you would get 347 00:22:22,760 --> 00:22:26,120 in integrated circuit designs, et cetera. 348 00:22:26,120 --> 00:22:28,080 And so there's a huge benefit to that. 349 00:22:28,080 --> 00:22:33,560 Part of reducing jitter has also been moving more things, more agents that do things like 350 00:22:33,560 --> 00:22:37,880 network routing, et cetera, which are ultimately hypervisor attack surface or cloud critical 351 00:22:37,880 --> 00:22:39,420 attack surface. 352 00:22:39,420 --> 00:22:44,600 Off of sort of DOM 0 and Hyper-V, the traditional host attack surface, and onto what we call 353 00:22:44,600 --> 00:22:51,200 the Azure Boost control plane, which is a small embedded operating system running Linux. 354 00:22:51,200 --> 00:22:55,240 And more of that agentry is being re-implemented in Rust as a standard. 355 00:22:55,240 --> 00:23:01,240 So we are really betting on Rust as our future implementation path. 356 00:23:01,240 --> 00:23:04,660 In fact, if this blog is on reality, I can break some news here. 357 00:23:04,660 --> 00:23:09,840 We have a future VMM that we're using for Azure that will manage sort of Hyper-V, and 358 00:23:09,840 --> 00:23:12,640 that is being re-implemented in Rust and called Underhill. 359 00:23:12,640 --> 00:23:15,860 So if that blog isn't out yet, you'll see it very soon. 360 00:23:15,860 --> 00:23:20,800 So I can say without a doubt that we're betting heavily on Rust in Azure. 361 00:23:20,800 --> 00:23:25,040 It's a big part of our secure future initiative strategy. 362 00:23:25,040 --> 00:23:29,640 And the last thing I'll say is, you know, I've done, and my side sort of as a side project, 363 00:23:29,640 --> 00:23:34,120 I work with CISA, which is part of the DHS that looks after cybersecurity here in the 364 00:23:34,120 --> 00:23:35,360 United States. 365 00:23:35,360 --> 00:23:40,300 And I work on the technical advisory committee led by Jeff Moss, who founded DEF CON and 366 00:23:40,300 --> 00:23:41,560 Black Hat. 367 00:23:41,560 --> 00:23:48,200 And we wrote a paper recently on memory safety that's helped CISA kind of codify their secure 368 00:23:48,200 --> 00:23:50,280 by design portions. 369 00:23:50,280 --> 00:23:57,240 And so we're seeing a lot of momentum both from them as well as the White House's cybersecurity 370 00:23:57,240 --> 00:23:59,400 strategy department around memory safety. 371 00:23:59,400 --> 00:24:05,120 So I think Microsoft is really in line with kind of where the industry momentum is going. 372 00:24:05,120 --> 00:24:09,000 And it's been really exciting to see how fast we're moving with Rust and other memory safety 373 00:24:09,000 --> 00:24:30,040 technologies. 374 00:24:39,000 --> 00:24:49,440 Yeah, actually, Google has an amazing free public training on Rust. 375 00:24:49,440 --> 00:24:52,600 I don't have the link, but I'm sure we could find that to get you in the show notes. 376 00:24:52,600 --> 00:24:54,440 I've run through it and it's pretty awesome. 377 00:24:54,440 --> 00:24:57,640 There are also a number of free books on Rust. 378 00:24:57,640 --> 00:25:03,360 I think Rust documentation right off the rustlang.org is actually sort of a free ebook that you 379 00:25:03,360 --> 00:25:05,000 can print PDF. 380 00:25:05,000 --> 00:25:10,600 And between the course from Google and that book, I think you can get a very long way 381 00:25:10,600 --> 00:25:15,440 to implementing your first Rust programs at high quality. 382 00:25:15,440 --> 00:25:17,120 And both of those are completely free. 383 00:25:17,120 --> 00:25:19,760 Yeah, I want to back that up. 384 00:25:19,760 --> 00:25:24,720 I think the secret, whenever I'm learning a new programming language, one of the first 385 00:25:24,720 --> 00:25:27,840 things I do is set myself a project to build. 386 00:25:27,840 --> 00:25:28,840 Absolutely. 387 00:25:28,840 --> 00:25:31,200 99 times over 100, that's a web server. 388 00:25:31,200 --> 00:25:32,560 So I build a web server. 389 00:25:32,560 --> 00:25:33,560 That's a good idea. 390 00:25:33,560 --> 00:25:35,720 So you're doing network IO, right? 391 00:25:35,720 --> 00:25:43,160 And then you're fetching files and then you're caching and then you're doing multi-threaded 392 00:25:43,160 --> 00:25:47,520 and then for grins and giggles, you add TLS support on top of it. 393 00:25:47,520 --> 00:25:51,600 And don't get me wrong, I just do some of the simple verbs, get, put, post, and that's 394 00:25:51,600 --> 00:25:53,800 about it. 395 00:25:53,800 --> 00:25:59,840 But yeah, Rust is not a difficult language to learn. 396 00:25:59,840 --> 00:26:06,280 The only problem, I hate to say problem, but the only thing that you will, anyone who's 397 00:26:06,280 --> 00:26:10,540 learning Rust will end up pulling their hair out is the borrow checker. 398 00:26:10,540 --> 00:26:15,320 Until you get used to the borrow checker, you're going to be absolutely just punching 399 00:26:15,320 --> 00:26:18,040 your screen with your laptop. 400 00:26:18,040 --> 00:26:21,680 I found that, but once I understood the borrow checker and how it worked and why it was so 401 00:26:21,680 --> 00:26:27,560 useful and frankly unique to Rust, as far as I know, it's actually very- 402 00:26:27,560 --> 00:26:31,840 There's actually a borrow checker implemented in C++ now that's pretty interesting in the 403 00:26:31,840 --> 00:26:34,520 C++ compiler called Circle. 404 00:26:34,520 --> 00:26:35,520 Is that right? 405 00:26:35,520 --> 00:26:38,000 Is it part of a standard or is it just some experimental? 406 00:26:38,000 --> 00:26:40,160 I believe it's not a standard. 407 00:26:40,160 --> 00:26:43,600 There's a fella called Sean Baxter who's got a really interesting Twitter. 408 00:26:43,600 --> 00:26:46,480 If you're interested in memory safety, I recommend following him. 409 00:26:46,480 --> 00:26:52,720 And he's got a very full featured compiler for C++ called Circle that has, I don't want 410 00:26:52,720 --> 00:26:58,840 to take words out of the mouth, but most of the memory safety features in Rust are actually 411 00:26:58,840 --> 00:27:02,520 supported with C++ semantics or the full language. 412 00:27:02,520 --> 00:27:04,840 That's been a pretty interesting thing to watch come together. 413 00:27:04,840 --> 00:27:05,840 Interesting. 414 00:27:05,840 --> 00:27:07,840 While we're on that topic then, so C++. 415 00:27:07,840 --> 00:27:13,400 You and I spoke about this some time ago and I was trying to say, hey, but if you're doing 416 00:27:13,400 --> 00:27:17,400 C++, what about modern C++, blah, blah, blah, blah, blah. 417 00:27:17,400 --> 00:27:21,240 You had a strong objection to that argument. 418 00:27:21,240 --> 00:27:23,760 Which is fine, which is completely fine. 419 00:27:23,760 --> 00:27:27,760 So let's go through that. 420 00:27:27,760 --> 00:27:31,200 Why shouldn't people seriously consider modern C++? 421 00:27:31,200 --> 00:27:37,960 The whole goal of modern C++ is that things like pointers and array offsets and so on 422 00:27:37,960 --> 00:27:41,720 are handled for you as opposed to you doing it by yourself. 423 00:27:41,720 --> 00:27:44,120 What's your opinion there? 424 00:27:44,120 --> 00:27:47,760 I think when we say memory safety, we're talking about completeness. 425 00:27:47,760 --> 00:27:53,400 So I don't have any objection at all to people refactoring and retrofitting for memory safety 426 00:27:53,400 --> 00:28:00,120 existing code bases that they cannot, for reasons of compatibility, resource constraint, 427 00:28:00,120 --> 00:28:01,680 others convert to Rust. 428 00:28:01,680 --> 00:28:08,280 I think we have to be very careful conflating expert level available, or tools available 429 00:28:08,280 --> 00:28:13,600 to expert level C++ developers from something like Rust that is just secure out of the box. 430 00:28:13,600 --> 00:28:17,760 The big thing that we've learned after 30 years of chasing memory safety is just because 431 00:28:17,760 --> 00:28:21,960 there is a way to do things safely doesn't mean people will. 432 00:28:21,960 --> 00:28:27,720 And I think the major, major, major advantage of Rust, Golang, Swift, and other languages 433 00:28:27,720 --> 00:28:30,600 is it's difficult to get wrong. 434 00:28:30,600 --> 00:28:35,480 And I would say that C++ remains inverted, which is it's difficult to get right. 435 00:28:35,480 --> 00:28:40,800 And as long as that's the case, I don't think we should recommend from a pure security perspective, 436 00:28:40,800 --> 00:28:43,400 people writing net new C++. 437 00:28:43,400 --> 00:28:47,760 That doesn't mean I would never discourage someone from improving security. 438 00:28:47,760 --> 00:28:52,960 For example, Herb Sutter and other folks who are awesome in the C++ community for driving 439 00:28:52,960 --> 00:28:59,560 in safety have invented things like GSL span, which does a lot for spatial safety and provides 440 00:28:59,560 --> 00:29:02,760 a container format that is spatially safe. 441 00:29:02,760 --> 00:29:08,800 But then you have things like temporal issues where smart pointers, garbage collectors, 442 00:29:08,800 --> 00:29:09,800 et cetera. 443 00:29:09,800 --> 00:29:14,440 And still, I don't know if there's a perfect standard. 444 00:29:14,440 --> 00:29:16,600 Google has things like Miracle Pointer, et cetera. 445 00:29:16,600 --> 00:29:18,720 But they aren't in standard part of the language. 446 00:29:18,720 --> 00:29:20,160 They aren't standard out of the box. 447 00:29:20,160 --> 00:29:25,400 And so until that's the case, I don't think it's quite comparable as a North Star to Rust. 448 00:29:25,400 --> 00:29:27,240 And I think that's an important point. 449 00:29:27,240 --> 00:29:30,160 The word that you mentioned there is North Star. 450 00:29:30,160 --> 00:29:33,160 And yeah, I do a good look. 451 00:29:33,160 --> 00:29:39,600 I've been developing in Windows, sorry, in C++ forever. 452 00:29:39,600 --> 00:29:40,600 And I love the language. 453 00:29:40,600 --> 00:29:41,600 I actually really do. 454 00:29:41,600 --> 00:29:44,400 And I actually really enjoy using modern C++. 455 00:29:44,400 --> 00:29:48,600 But to be honest with you, when it comes to writing new stuff, my preference is Rust. 456 00:29:48,600 --> 00:29:50,160 The tool chain is good. 457 00:29:50,160 --> 00:29:56,100 The compiler actually emits usable error messages that actually help you. 458 00:29:56,100 --> 00:30:02,360 So yeah, I'm a big fan, even though I brought up on C and C++ for a long, long time. 459 00:30:02,360 --> 00:30:06,040 And I think that's especially important in team environments, Michael. 460 00:30:06,040 --> 00:30:10,200 We know that you're one of the ranking experts in this, but I'm sure you could inform us 461 00:30:10,200 --> 00:30:14,200 like how many projects at Microsoft have you worked on where you're going to be the forever 462 00:30:14,200 --> 00:30:19,540 maintainer or isn't worked on by a team of folks with a variety of experiences? 463 00:30:19,540 --> 00:30:24,440 And so as long as you have to be an expert and know how to use these language tools to 464 00:30:24,440 --> 00:30:29,720 be safe, I think it's really hard to reach our goal, which is ultimately memory safety 465 00:30:29,720 --> 00:30:34,660 and complete eradication of certain classes of memory safety issues. 466 00:30:34,660 --> 00:30:38,480 So you brought up before that Mark Rusinovich said that new projects should be written in 467 00:30:38,480 --> 00:30:39,480 memory safe languages. 468 00:30:39,480 --> 00:30:41,320 I assume that also means C sharp, right? 469 00:30:41,320 --> 00:30:42,320 Where it makes sense. 470 00:30:42,320 --> 00:30:43,400 Yeah, totally. 471 00:30:43,400 --> 00:30:49,760 I think there's a lot of focus on Rust because Rust has been sort of replacing C and C++ 472 00:30:49,760 --> 00:30:51,920 in cases as a systems language. 473 00:30:51,920 --> 00:30:56,880 But let's be clear, like on platforms like Android that has a billion users, I mean, 474 00:30:56,880 --> 00:30:58,760 people have been writing Java. 475 00:30:58,760 --> 00:31:02,320 Most web-based services don't have a ton of memory safety issues. 476 00:31:02,320 --> 00:31:08,920 They suffer from logic issues because they're built in things like Python, C sharp, Golang, 477 00:31:08,920 --> 00:31:09,920 et cetera. 478 00:31:09,920 --> 00:31:14,240 And so, you know, and even JavaScript is memory safe. 479 00:31:14,240 --> 00:31:18,200 And so I think if you were to take sort of the, I forget who doesn't maybe stack overflow 480 00:31:18,200 --> 00:31:23,160 is to take the top languages every year that are written or most popular languages, I think 481 00:31:23,160 --> 00:31:26,880 probably six or seven out of 10 are probably memory safe. 482 00:31:26,880 --> 00:31:30,800 So what Rust is really filling in is that systems level high performance language and 483 00:31:30,800 --> 00:31:31,800 providing memory safety. 484 00:31:31,800 --> 00:31:32,800 All right. 485 00:31:32,800 --> 00:31:37,800 Hey, Gladys, is there anything else you want to ask? 486 00:31:37,800 --> 00:31:40,200 I think we're kind of done. 487 00:31:40,200 --> 00:31:41,200 If not. 488 00:31:41,200 --> 00:31:43,760 There is one thing I wanted to add that I think we haven't touched on that would be 489 00:31:43,760 --> 00:31:50,960 pretty cool is, you know, we talked about how to retrofit C and C++ with, you know, 490 00:31:50,960 --> 00:31:56,420 safer pointers or, you know, spatially safe containers like GSL span. 491 00:31:56,420 --> 00:32:00,640 But there's actually a really set of exciting technologies that I think can make this quite 492 00:32:00,640 --> 00:32:02,600 a bit easier at the operating system level. 493 00:32:02,600 --> 00:32:04,440 And that's memory tagging. 494 00:32:04,440 --> 00:32:13,040 So ARM has a standard called MTE that's actually available widespread on Pixel 8 phones and 495 00:32:13,040 --> 00:32:17,160 Intel, AMD and others, I think are looking into these technologies. 496 00:32:17,160 --> 00:32:22,360 But in a nutshell, what these memory tagging technologies do is allow an allocator at the 497 00:32:22,360 --> 00:32:23,360 system level. 498 00:32:23,360 --> 00:32:30,920 So, effectively, malloc to provide to the CPU the ranges of memory when memory is allocated 499 00:32:30,920 --> 00:32:32,560 to a pointer. 500 00:32:32,560 --> 00:32:37,400 And then what is really exciting is depending on variety of schemes from a coding the pointer 501 00:32:37,400 --> 00:32:44,400 to having, you know, bitmaps, the CPU can actually go and check every memory access 502 00:32:44,400 --> 00:32:48,180 and make sure it's within the expected boundaries of the allocation. 503 00:32:48,180 --> 00:32:54,520 And that is almost like sprinkling, you know, software checks all throughout the operating 504 00:32:54,520 --> 00:32:55,520 system. 505 00:32:55,520 --> 00:32:57,340 But it comes at, you know, you don't have to remember to do it. 506 00:32:57,340 --> 00:32:59,920 And it's done in a very high performance manner. 507 00:32:59,920 --> 00:33:02,720 So we've actually published several papers on that. 508 00:33:02,720 --> 00:33:05,020 Again, I can link in the show notes at the Microsoft level. 509 00:33:05,020 --> 00:33:09,080 But there's also been, you know, Google Project Zero and many folks have looked at this. 510 00:33:09,080 --> 00:33:13,360 But what you find, depending on the scheme, is that we get pretty close to the spatial 511 00:33:13,360 --> 00:33:19,480 safety of retrofitting C and C++ code without doing anything other than enlightening the 512 00:33:19,480 --> 00:33:20,920 allocator. 513 00:33:20,920 --> 00:33:24,400 And so I'm a big fan of this, especially as we're going through this transition to the 514 00:33:24,400 --> 00:33:29,240 Rust North Star of not only retrofitting your own code, but then code bases where we, you 515 00:33:29,240 --> 00:33:34,240 know, lost the source code or just, you know, don't have the experts to retrofit them. 516 00:33:34,240 --> 00:33:39,120 We can actually at least provide spatial safety with these architectures. 517 00:33:39,120 --> 00:33:44,680 And maybe even a step further is there is an exciting architecture based on ARM. 518 00:33:44,680 --> 00:33:50,920 And in fact, ARM shipped some experimental devices called Morello, which include what's 519 00:33:50,920 --> 00:33:55,120 called Cherry or a capabilities hardware language. 520 00:33:55,120 --> 00:33:59,120 And Cherry goes a step further than memory tagging in that every pointer actually has 521 00:33:59,120 --> 00:34:03,240 encoded into it things like, you know, what type of memory it is, whether it's code or 522 00:34:03,240 --> 00:34:06,320 data, whether it's a pointer, et cetera. 523 00:34:06,320 --> 00:34:10,600 And those capabilities that can be checked on every memory access. 524 00:34:10,600 --> 00:34:18,200 And so Cherry gives you a lot of primitives for building a memory safe operating system, 525 00:34:18,200 --> 00:34:20,560 regardless of the language you build in. 526 00:34:20,560 --> 00:34:27,960 And so Microsoft has even worked directly with the RISC-V community to build an ISA 527 00:34:27,960 --> 00:34:33,160 or instruction set that provides Cherry in RISC-V. 528 00:34:33,160 --> 00:34:38,960 So ARM's got Morello and has been, I think, promoting this and looking for a big technology 529 00:34:38,960 --> 00:34:44,020 partner to take on Cherry, which would provide more comprehensive memory safety for existing 530 00:34:44,020 --> 00:34:45,540 operating systems. 531 00:34:45,540 --> 00:34:52,120 And then I know the RISC-V and Cherry foundations, Low Risk is actually the name of the organization, 532 00:34:52,120 --> 00:34:56,920 has been providing a bunch of, you know, basic developer boards and ships that people can 533 00:34:56,920 --> 00:34:58,320 go and hack on. 534 00:34:58,320 --> 00:35:02,280 So if you're interested in memory safety at all, beyond Rust, I think looking at these 535 00:35:02,280 --> 00:35:06,480 architectures as another tool in the toolbox to get to that North Star is really, really 536 00:35:06,480 --> 00:35:07,560 important. 537 00:35:07,560 --> 00:35:11,800 And I expect those to be hugely important as we transition towards a Rust-based or a 538 00:35:11,800 --> 00:35:12,800 memory safe feature. 539 00:35:12,800 --> 00:35:13,800 All right. 540 00:35:13,800 --> 00:35:16,800 Is there anything else you want to add Gladys? 541 00:35:16,800 --> 00:35:20,480 Because if not, I'll just move to the, you know, if you have one final thought. 542 00:35:20,480 --> 00:35:21,480 Okay. 543 00:35:21,480 --> 00:35:22,480 All right. 544 00:35:22,480 --> 00:35:23,480 All right. 545 00:35:23,480 --> 00:35:25,880 So David, you know about this, right? 546 00:35:25,880 --> 00:35:28,880 We asked for a final thought, just a simple single thought. 547 00:35:28,880 --> 00:35:30,440 You're okay with that? 548 00:35:30,440 --> 00:35:31,440 Sure. 549 00:35:31,440 --> 00:35:32,440 All right. 550 00:35:32,440 --> 00:35:37,360 So one thing we always ask our guests is if you had one final thought to leave our listeners 551 00:35:37,360 --> 00:35:40,200 with, what would it be? 552 00:35:40,200 --> 00:35:46,400 Yeah, I think thinking about how software is now running the base infrastructure for 553 00:35:46,400 --> 00:35:52,440 the world from everything from healthcare to food to industry is really important. 554 00:35:52,440 --> 00:35:57,040 The decisions we make as developers will be around much longer than probably any of us 555 00:35:57,040 --> 00:35:59,560 are alive and have larger consequences than we think. 556 00:35:59,560 --> 00:36:05,120 So thinking safety first and thinking like a car engineer does in the software space 557 00:36:05,120 --> 00:36:07,440 is something I really like encourage everyone to do. 558 00:36:07,440 --> 00:36:08,440 All right. 559 00:36:08,440 --> 00:36:11,160 Well, thank you so much for joining us this week. 560 00:36:11,160 --> 00:36:14,840 I'm always excited to nerd out about programming languages a little bit. 561 00:36:14,840 --> 00:36:15,840 Absolutely. 562 00:36:15,840 --> 00:36:16,840 It's always my thing. 563 00:36:16,840 --> 00:36:18,560 But yeah, again, thank you so much for joining us. 564 00:36:18,560 --> 00:36:22,400 I know you're ridiculously busy, especially with just everything that's going on with 565 00:36:22,400 --> 00:36:23,400 SFI. 566 00:36:23,400 --> 00:36:26,520 You can't keep me away from a memory safety conversation. 567 00:36:26,520 --> 00:36:27,520 Yeah, I know. 568 00:36:27,520 --> 00:36:28,520 I know. 569 00:36:28,520 --> 00:36:32,800 Yeah, we didn't even talk about analysis stuff, but we can do that for another day. 570 00:36:32,800 --> 00:36:33,800 We could get further. 571 00:36:33,800 --> 00:36:34,800 Yeah, let's do it again. 572 00:36:34,800 --> 00:36:35,800 All right. 573 00:36:35,800 --> 00:36:39,280 And yeah, so thanks again for joining us and to all our listeners out there. 574 00:36:39,280 --> 00:36:43,560 We hope you found this episode useful, nerdy, but hopefully useful. 575 00:36:43,560 --> 00:36:49,520 If you have any questions, you can just post it on our Twitter account and we'll happily 576 00:36:49,520 --> 00:36:50,600 get back to you. 577 00:36:50,600 --> 00:36:53,120 So stay safe and we'll see you next time. 578 00:36:53,120 --> 00:36:56,120 Thanks for listening to the Azure Security Podcast. 579 00:36:56,120 --> 00:37:02,960 You can find show notes and other resources at our website, azsecuritypodcast.net. 580 00:37:02,960 --> 00:37:07,800 If you have any questions, please find us on Twitter at Azure Setpod. 581 00:37:07,800 --> 00:37:31,680 Background music is from ccmixtor.com and licensed under the Creative Commons license.