Chris Palmer

Dec 2, 2016 at 12:30 PM in 380 Soda Hall

Title: Exploit Mitigations vs. True Solutions

Abstract: I'll discuss the costs and benefits of exploit mitigations (ASLR, stack canaries, control flow integrity, et c.) and what I consider true solutions (automatic memory management, type checking, bounds checking, et c.). I will discuss the perhaps surprising practical concerns that make true solutions less obviously the way to go for some classes of software. Discussing as a group, I'd like to see if we can refine our intuitions about how to distinguish a 'mitigation' from a 'solution', and how to decide when we have to merely mitigate vs. when we can truly solve.

Bio: I work at Google as a software security engineer on Chrome, where I work on hardening Chrome's underpinnings and securing the web platform runtime. (I used to focus on secure usability and duct-taping over the foibles of the web PKI.) I used to be on the Android team at Google. Previously, I was the Technology Director at the Electronic Frontier Foundation, a security engineering consultant at iSEC Partners (now NCC Group), and a web developer. Majoring in linguistics and in French literature prepared me well for these careers, weirdly.
