Wednesday, September 18 • 16:45 - 17:45
Killing Uninitialized Memory: Protecting the OS Without Destroying Performance

Log in to save this to your schedule, view media, leave feedback and see who's attending!

Are you interested in what goes in to creating and shipping vulnerability mitigations to over 600 million devices?

Between 2017 to mid-2018, security researchers found and reported over 100 vulnerabilities in Windows resulting from uninitialized memory either leaking across a security boundary or uninitialized memory being used. These types of issues have also been used in several real world exploits. Clearly something needed to be done, but what?

One potential solution to the problem was automatically initializing variables in C/C++ code, however, this comes with potentially significant performance and compatibility problems. In this talk, we’ll walk you through the journey of prototyping, building, and shipping a mitigation named InitAll which does exactly that. Along the way we’ll look at specific vulnerabilities, mitigation implementation details, performance problems, compiler optimizations, application compatibility issues, and more.

We’ll finish up by sharing some cool bugs this mitigation has already killed and share our thoughts on the future of safer C/C++ code.


Joe Bialek

Software Security Engineer, Microsoft
Joe Bialek is a security engineer in the Microsoft Security Response Center's Vulnerability & Mitigations team. Joe spends his time eliminating vulnerability classes, creating exploit mitigations, and finding security bugs.
avatar for Shayne Hiet-Block

Shayne Hiet-Block

Software Engineer, Microsoft
Shayne is a software engineer working on the Microsoft Visual C++ team, where I've worked for over 13 years. Most of my focus has been on C/C++ code generation. I've worked on general feature work for back-end code generation, optimizations and security.

Wednesday September 18, 2019 16:45 - 17:45 MDT
Crest 4/5
  • Security/Safety Critical/Automotive
  • Level Beginner, Intermediate, Advanced
  • Tags security