Did you know that 70% of Microsoft CVEs between 2006-2018 were memory safety bugs? It was an honour to speak at Cambridge this week on the subject of Secure by Design, along with esteemed professors, security leaders from across Japan, and other industry leaders such as Arm. Cheers to Innovate UK for organizing an eye-opening event.
It was interesting to hear almost every speaker quote the statistic I cited above, which comes from Microsoft’s own analysis. This is why the partnership that is happening across the industry to develop a fundamentally-different type of hardware and software ecosystem, which completely eliminates this class of vulnerability, is so important.
It’s not conceptual, either—they are real systems now being applied to real-world use cases, such as IoT. At the end of 2020 Microsoft reported that their own additional testing in 2019 showed that the Morello/CHERI ecosystem as-is eliminated 2/3rds of all memory-safe vulnerabilities—that includes scenarios where the system software uses C and C++, which are historically memory-unsafe. The kinds of memory-based exploits attackers love to use simply don’t work on these systems.
Of course when you zoom out to the broader vulnerability landscape, there’s still plenty of real estate for attackers to exploit. I did a quick back-of-napkin analysis through the lens of ATT&CK, showing the techniques that would be mitigated by this hardware (the boxes in red on my image). The Secure by Design initiative that UK Innovate are helping to drive is critical, but we need this principle applied everywhere, to everything. There’s still a lot of the ATT&CK framework to address.
We have a challenge in the security industry: we turn principles into products. It can be a good thing, because many ideas seem good on paper, until you try to operationalise them.
But it can also be unhelpful, because once the principles become products, people conflate the product for the principles. We have this problem in Zero Trust, for example: Zero Trust now means buying BeyondCorp, or Conditional Access, or <some other technology solution>, when in actual fact Zero Trust is not a product. It is a strategy, a lens through which you see the world. I like to say it is the one thing you do that changes how you do everything else (including AI, by the way).
It’s the same with Secure by Design. We need to productize the principles for the real world, but we must never lose sight of the “why” behind those products, or we lose sight of the objectives for which they were created. We must also be careful not to zoom in so close to one type of vulnerability that we forget that attackers have many different ways to accomplish their objectives. They do not, for example, need to execute a memory exploit if they can simply log in with a privileged account.