CppCon 2019

Are you interested in what goes in to creating and shipping vulnerability mitigations to over 600 million devices?

Between 2017 to mid-2018, security researchers found and reported over 100 vulnerabilities in Windows resulting from uninitialized memory either leaking across a security boundary or uninitialized memory being used. These types of issues have also been used in several real world exploits. Clearly something needed to be done, but what?

One potential solution to the problem was automatically initializing variables in C/C++ code, however, this comes with potentially significant performance and compatibility problems. In this talk, we’ll walk you through the journey of prototyping, building, and shipping a mitigation named InitAll which does exactly that. Along the way we’ll look at specific vulnerabilities, mitigation implementation details, performance problems, compiler optimizations, application compatibility issues, and more.

We’ll finish up by sharing some cool bugs this mitigation has already killed and share our thoughts on the future of safer C/C++ code.